Enumeration
Zenmap:
Checking the website: looking at this log, I know that the service is running on Java Spring. Searching for: Spring Actuators
PS D:\thehackbox\Machines\CozyHosting> curl.exe http://cozyhosting.htb/actuator
{
  "_links": {
    "self": {
      "href": "http://localhost:8080/actuator",
      "templated": false
    },
    "sessions": {
      "href": "http://localhost:8080/actuator/sessions",
      "templated": false
    },
    "beans": {
      "href": "http://localhost:8080/actuator/beans",
      "templated": false
    },
    "health": {
      "href": "http://localhost:8080/actuator/health",
      "templated": false
    },
    "health-path": {
      "href": "http://localhost:8080/actuator/health/{*path}",
      "templated": true
    },
    "env": {
      "href": "http://localhost:8080/actuator/env",
      "templated": false
    },
    "env-toMatch": {
      "href": "http://localhost:8080/actuator/env/{toMatch}",
      "templated": true
    },
    "mappings": {
      "href": "http://localhost:8080/actuator/mappings",
      "templated": false
    }
  }
}
PS D:\thehackbox\Machines\CozyHosting> curl.exe http://cozyhosting.htb/actuator/sessions
{"E97FFA274303ECCCEEA6002C926267D1":"kanderson"}
PS D:\thehackbox\Machines\CozyHosting>
I have obtained kanderson's session. Using ffuf to scan the web.
Gaining access app
Gaining access josh
Grab the cloudhosting-0.0.1.jar file, decompile it and read the code.
package BOOT-INF.classes.htb.cloudhosting.compliance;

import jakarta.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.regex.Pattern;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ComplianceService {
    private final Pattern HOST_PATTERN = Pattern.compile("^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?(?:\\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\\.?$");

    @RequestMapping(method = {RequestMethod.POST}, path = {"/executessh"})
    public void executeOverSsh(@RequestParam("username") String username, @RequestParam("host") String host, HttpServletResponse response) throws IOException {
        StringBuilder rbuilder = new StringBuilder("/admin?error=");
        try {
            validateHost(host);
            validateUserName(username);
            Process process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c",
                    String.format("ssh -o ConnectTimeout=1 %s@%s", new Object[] { username, host }) });
            (new BufferedReader(new InputStreamReader(process.getErrorStream()))).lines()
                    .forEach(line -> {
                        if (!line.startsWith("Pseudo-terminal"))
                            rbuilder.append(line);
                    });
        } catch (IllegalArgumentException exception) {
            rbuilder.append(exception.getMessage());
        } catch (Exception exception) {
            rbuilder.append("ssh: Cannot connect to the host");
        } finally {
            response.sendRedirect(rbuilder.toString());
        }
    }

    private void validateUserName(String username) {
        if (username.contains(" "))
            throw new IllegalArgumentException("Username can't contain whitespaces!");
    }

    private void validateHost(String host) {
        if (!this.HOST_PATTERN.matcher(host).matches())
            throw new IllegalArgumentException("Invalid hostname!");
    }
}
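For comparison, a hardened rewrite of the controller above, added here as an example (it is not the decompiled application's own code). It assumes the same Spring Boot 3 / Jakarta stack and a Linux host with OpenSSH; the class name, the username allowlist pattern and the 5-second timeout are choices made for this example.

```java
import jakarta.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HardenedComplianceService { // example class, not from the jar
    // Same hostname grammar as the original controller.
    private static final Pattern HOST_PATTERN = Pattern.compile(
        "^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?"
        + "(?:\\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\\.?$");
    // Allowlist instead of "no spaces": the original check left every other
    // shell metacharacter (; $ ` { } and friends) available to the caller.
    private static final Pattern USER_PATTERN = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");

    @PostMapping("/executessh")
    public void executeOverSsh(@RequestParam("username") String username,
                               @RequestParam("host") String host,
                               HttpServletResponse response) throws IOException {
        String message;
        try {
            if (!HOST_PATTERN.matcher(host).matches()) throw new IllegalArgumentException("Invalid hostname!");
            if (!USER_PATTERN.matcher(username).matches()) throw new IllegalArgumentException("Invalid username!");
            // No "/bin/bash -c" and no String.format: each argument reaches execve()
            // as its own element, so nothing in username/host is parsed by a shell.
            Process p = new ProcessBuilder(List.of("ssh", "-o", "ConnectTimeout=1",
                    "-o", "BatchMode=yes", username + "@" + host))
                .redirectErrorStream(true).start();
            StringBuilder out = new StringBuilder();
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                r.lines().filter(l -> !l.startsWith("Pseudo-terminal")).forEach(out::append);
            }
            if (!p.waitFor(5, TimeUnit.SECONDS)) p.destroyForcibly(); // bounded run time
            message = out.toString();
        } catch (IllegalArgumentException e) {
            message = e.getMessage();
        } catch (Exception e) {
            message = "ssh: Cannot connect to the host";
        }
        // URL-encode before reflecting into the redirect so ssh output cannot add query parameters.
        response.sendRedirect("/admin?error=" + URLEncoder.encode(message, StandardCharsets.UTF_8));
    }
}
```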
In the application.properties file:
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=************
Here I can see the PostgreSQL username and password. Connect with psql:
Crack the password with john: