Hackthebox - CozyHosting

CozyHosting

nmap

# Nmap 7.93 scan initiated Fri Sep  8 10:02:01 2023 as: nmap -e tun0 -sC -sV -oA nmap/default -v 10.10.11.230
Nmap scan report for 10.10.11.230
Host is up (0.58s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_ 256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
5555/tcp open http SimpleHTTPServer 0.6 (Python 3.10.12)
|_http-server-header: SimpleHTTP/0.6 Python/3.10.12
|_http-title: Directory listing for /
| http-methods:
|_ Supported Methods: GET HEAD
8002/tcp open teradataordbms?
8008/tcp open http?
8081/tcp open http SimpleHTTPServer 0.6 (Python 3.10.12)
|_http-server-header: SimpleHTTP/0.6 Python/3.10.12
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Directory listing for /
8083/tcp open us-srv?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 8 10:05:18 2023 -- 1 IP address (1 host up) scanned in 197.56 seconds

Hostname

The nmap output reveals the hostname cozyhosting.htb; add it to /etc/hosts.

cloudhosting.jar

Download cloudhosting.jar from cozyhosting.htb:5555. Opening it in jd-gui shows a set of user credentials in FakeUser.class, kanderson:MRdEQuv6~6P9; try logging in with them.

Login succeeds.

The jar file also reveals an endpoint that makes SSH connections.

Its filtering of the username and password is not strict enough, so command injection is possible; pop a shell.
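For the defender's side of this finding, the following is an added example (not the CozyHosting application's own code) of how an endpoint that shells out to ssh can be hardened: it assumes the request carries a host and a login name (hypothetical field names), rejects anything outside a strict allowlist, and hands each value to ProcessBuilder as a separate argv element so no shell ever parses the input.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical hardened input handling for an endpoint that shells out to ssh.
// Example code added here; not the CozyHosting application's own source.
public class SshConnectInput {

    // Allowlist for a POSIX-style login name: 1-32 chars, no shell metacharacters.
    private static final Pattern USERNAME = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");

    // Allowlist for a DNS hostname or IPv4 literal (labels of letters, digits, hyphens).
    private static final Pattern HOST = Pattern.compile(
        "^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    public static boolean isValidHost(String s) {
        return s != null && s.length() <= 253 && HOST.matcher(s).matches();
    }

    // Returns the argument vector for ProcessBuilder. Each value is its own argv
    // element and no shell (/bin/sh -c) is involved, so characters such as ';'
    // could not be interpreted even if the allowlist above let them through.
    public static List<String> buildSshArgv(String host, String username) {
        if (!isValidHost(host)) {
            throw new IllegalArgumentException("hostname rejected");
        }
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("username rejected");
        }
        return List.of("ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
                       username + "@" + host, "true");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one clean pair, one carrying a shell metacharacter.
        String[][] samples = {
            {"cozyhosting.htb", "kanderson"},
            {"cozyhosting.htb", "kanderson;"},
        };
        for (String[] s : samples) {
            try {
                List<String> argv = buildSshArgv(s[0], s[1]);
                System.out.println("accepted: " + argv);
                // new ProcessBuilder(argv).inheritIO().start().waitFor();  // would run ssh
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + s[1] + "': " + e.getMessage());
            }
        }
    }
}
```

The allowlist is the first line of defence and the argv list is the second: even if a validation regex is later loosened, nothing in the values is ever concatenated into a string that a shell interprets. Any authorisation check (is the caller allowed to reach that host as that user) belongs in front of buildSshArgv, and rejected inputs are worth logging for detection.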

Database

The jar file contains the database connection credentials.

Login succeeds. Following https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql#rce-to-program:

psql -h localhost -p 5432 -U postgres cozyhosting

RCE is possible; pop a shell.

/var/lib/postgresql/.psql_history contains an administrator's password hash:
admin:$2a$10$RV52o7XkoyYoDoU/c/0A0.Bvj0c1n.GVC.u.PQvgi40tAIY3ezaUO

linpeas.sh

pspy

PostgreSQL database

kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm

hashcat cracks the admin hash to admin:manchesterunited

SSH login as the user josh succeeds with the password manchesterunited.

Privilege escalation

https://gtfobins.github.io/gtfobins/ssh/#shell