HTB Tutorial - CozyHosting

 CozyHosting

Intro:

I went to start another HTB system and figured this would be a good one to write up. I know there are other writeups on this, and from what I've seen, I think I can put together something better to follow. So, lets dig in.

Recon:

I started with nmap, I have nmap aliased which is basically setting mynmap to "nmap -sS -sV -Pn -p1- --open -sC -oN nmap" which I have setup this way so I can create a folder for the htb challenge, enter the folder, and then nmap from there. saving my file for reference later. This does miss some udp stuff and things like that, so it's not the best scanning, but it's sufficient in most cases to give me an advantage


A few other starter things I like to do is start dirb and eyewitness to go grab a picture of the site.


Lets not forget to go ahead and get some whatweb detection goodness.



So far we've only found login and admin pages, think I'm gonna try to run FFUF to see what else we can find while we investigate the site. From this, I found the actuator directory.


Initial access:

Finding the actuator folder, I went on a hunt for what that is. Found that actuator is part of the springboot framework, and specifically came across this hackerone exploit document detailing a variety of issues including but not limited to, actuator/sessions showing active sessions. This session cookie I was able to use awesome cookie manager to change and open the admin panel. 



I had some issues keeping this session alive, so I changed the expiration date on these to make it last longer. Helped a lot.


Now just go back to /admin aaaand we're in.


Recon Stage 2:

We can see at the bottom it attempts to setup an ssh connection talking about adding a key to .ssh/authorized_keys file. This could either be through ssh, or ssh-copy-id, but either way. Trying default test:test, we get an error including what appears to be output from ssh command being ran. So that kind of confirms it for us.



Tried to add commands along with test to see what could happen.


Also tried to test different usernames to see what limits I had. Tried to urlencode a generated bash connection (props to revshells and the encoding features in zaproxy. I also started looking at how I could run commands without spaces in linux. Ended up finding this page which suggested either using IFS or using commands setup in brackets with a comma. Tried both.



Exploitation:

After a bit of trying, as it turned out, I needed to add an extra pipe at the end so it turn control back over into the original command this injection was going into.



Re-recon:

Now I've got access to a shell as the "app" user. Found a jar file under the directory it's in, so went ahead and downloaded that locally. You can do this any way you want, I used nc to transfer it.


I don't know if everyone does this, but when transferring I'd prefer to do a quick hash check to make sure it transferred correctly. Saves issues in the future.


Unzipping the jar file with 7z was an easy way to check this.


This further references spingboot, but manifest doesn't really have much.


So I searched for passwords and wound up with some hits. We now have some creds for postgresql connections.


I always enjoy just googling hacktricks for whatever I'm unsure of. In this case, I used this link for some easy tips on using psql command.


Dug around and found, within the cozyhosting database, some user hashes. Coppied those into a file and ran john with the rockyou password list and found one of the passwords.



Weaponization:

Commonly those passwords in databases are reused for internal users, so I went looking for users and found the josh user. Trying the password, yep, success!

Final Exploitation:

From the josh user, I found a sudo permission (using sudo -l, a common first step on escalation), for the ssh command. So since the user can sudo using ssh, I simple ran over to GTFOBins and found a quick and dirty form of command injection using ssh. 

SIDE NOTE!

This could have been easily bypassed by simply using hydra with statistically likely usernames and the rockyou password list. But the waste of time, you can solve this before hydra finishes. 

Final Word:

As always, tutorials are designed to aid in training your way of thinking, not giving you the answers, not solving problems for you. If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
Location: Red Oak, TX 75154, USA

Comments

Post a Comment

Popular Posts

Updates

 Windows 11:  That required upgrade you can't perform     I have a lot of issues with using windows, apple, or red hat, and it's mostly because I grew up believing that people shouldn't have to pay to use a computer they already paid for. One time physical purchase, should be an all inclusive package. Sadly, thats not how the world works these days. Now days, your phone apps update every day, your phone updates every week, your computer updates every tuesday and at random, all of them enforce reboots or risk crashing the respective systems, blah. It's all pretty horrible. Now we have Windows 11 out for a while, with even high-end gaming computers that were purchased just before it's release, unable to run windows 11 on it.     If this was just a "my hardware isn't good enough" for it, I guess I could see that. ya know, service purchase with updates and all this garbage, fine. But in some cases, like mine, I have a windows 10 PC waiting to upgrade becau...
Read more

Weird hunting

Image
Bug hunting, threat hunting... license hunting?      Found myself doing some weird hunting, not finding anything special, but it was fun to keep some skills up. To start with, I was spending some time digging through some github repos using a tool called trufflehog . This is a secrets detection tool thats used specifically to determine if secrets have been leaked in code repos. It's really good for finding leaked passwords, apikeys, session tokens, etc... In my case, I was searching and stumbled across a result I wasn't too sure about. It was a .DS_Store file. These files are often left behind by Apple Mac OS when accessing specific filesystems ( you can find details on why this is a thing with a quick google ).  The main idea however, is that for support of specific systems, mac used a metadata caching mechanism, mostly filenames. Sometimes when finding these files, you can extract data from them in order to identify other files you should try to access. The file th...
Read more

Networking Basics - Pentesting Training part 1

Image
Primer:      I want to make a tutorial that I could show my kid to help them understand hacking, methodology, basics, etc... so this is an introduction post, more will follow, and maybe I can add a video series to go along with this.     The first thing to talk about, is what and why. Technology, while ever changing, can will always fall victim to several problems.  First is the idea that use case when created, won't match use case performed. Such as, when creating a remote for a TV, it may use infrared to point to the TV, and that works fine when one TV is in the same room at a time. When more then this is added, conflicts are caused and the light used for remote is picked up by the infrared sensor on multiple TVs. Change channels on one, both go. Second is that nothing created by man, is or is capable of creating, flawlessness. Business profits drive innovation, but not perfectionism (or the attempt to become close to perfect).     With these is...
Read more