Recon
$ nmap -T5 -p- -vvv 10.10.11.230
[...]
22/tcp open ssh syn-ack
80/tcp open http syn-ack
[...]
$ nmap -sC -sV -oA nmap/cozyhosting -p22,80 -vv 10.10.11.230
[...]
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEpNwlByWMKMm7ZgDWRW+WZ9uHc/0Ehct692T5VBBGaWhA71L+yFgM/SqhtUoy0bO8otHbpy3bPBFtmjqQPsbC8=
| 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVzF8iMVIHgp9xMX9qxvbaoXVg1xkGLo61jXuUAYq5q
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[...]
Seems like this machine is:
- IP: 10.10.11.230
- Ubuntu, a Linux box
- top domain seems to be: http://cozyhosting.htb, which needs to be added to /etc/hosts
Let’s do a quick gobuster and see what we can find
$ gobuster dir -u http://cozyhosting.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 350 2>/dev/null
[...]
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index (Status: 200) [Size: 12706]
/admin (Status: 401) [Size: 97]
/login (Status: 200) [Size: 4431]
/logout (Status: 204) [Size: 0]
/error (Status: 500) [Size: 73]
/http%3A%2F%2Fwww (Status: 400) [Size: 435]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 435]
/%C0 (Status: 400) [Size: 435]
/http%3A%2F%2Fblogs (Status: 400) [Size: 435]
/http%3A%2F%2Fblog (Status: 400) [Size: 435]
/**http%3A%2F%2Fwww (Status: 400) [Size: 435]
/27079%5Fclassicpeople2%2Ejpg (Status: 200) [Size: 0]
/children%2527s_tent (Status: 200) [Size: 0]
/tiki%2Epng (Status: 200) [Size: 0]
/Wanted%2e%2e%2e (Status: 200) [Size: 0]
/How_to%2e%2e%2e (Status: 200) [Size: 0]
/External%5CX-News (Status: 400) [Size: 435]
/squishdot_rss10%2Etxt (Status: 200) [Size: 0]
/b33p%2Ehtml (Status: 200) [Size: 0]
/help%2523drupal (Status: 200) [Size: 0]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 435]
/http%3A%2F%2Fradar (Status: 400) [Size: 435]
/%D4 (Status: 400) [Size: 435]
/%C4 (Status: 400) [Size: 435]
/%D9 (Status: 400) [Size: 435]
/%CC (Status: 400) [Size: 435]
/%D7 (Status: 400) [Size: 435]
/%C1 (Status: 400) [Size: 435]
[...]
Looks like this machine answers the malformed requests with a Whitelabel Error Page, which a quick Google search shows is the default error page of Spring Boot. Theory proven correct by using this as reference. Let’s go back to gobuster, this time with a Spring Boot wordlist.
$ gobuster dir -u http://cozyhosting.htb -w /usr/share/seclists/Discovery/Web-Content/spring-boot.txt
[...]
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/actuator (Status: 200) [Size: 634]
/actuator/env/home (Status: 200) [Size: 487]
/actuator/env (Status: 200) [Size: 4957]
/actuator/env/lang (Status: 200) [Size: 487]
/actuator/env/path (Status: 200) [Size: 487]
/actuator/health (Status: 200) [Size: 15]
/actuator/mappings (Status: 200) [Size: 9938]
/actuator/beans (Status: 200) [Size: 127224]
/actuator/sessions (Status: 200) [Size: 145]
Visiting http://cozyhosting.htb/actuator/sessions reveals a username and a session cookie.
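From the defender's side, the enumeration above leaves a clear trail in the nginx access log: a burst of 400s from one client, followed by 200s on Actuator endpoints that should never be reachable without authentication. The script below is an added example (not part of this writeup) that flags both patterns over constructed log lines; the IPs, the sensitive-endpoint list and the error threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed nginx access-log lines modelled on the enumeration above (not real
# traffic): one client generates 400s from a wordlist and then hits Actuator.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /http%3A%2F%2Fwww HTTP/1.1" 400 435 "-" "gobuster/3.6"
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /%C0 HTTP/1.1" 400 435 "-" "gobuster/3.6"
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /%D4 HTTP/1.1" 400 435 "-" "gobuster/3.6"
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /actuator/env HTTP/1.1" 200 4957 "-" "gobuster/3.6"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /actuator/sessions HTTP/1.1" 200 145 "-" "gobuster/3.6"
192.0.2.7 - - [01/Jan/2024:10:00:03 +0000] "GET /login HTTP/1.1" 200 4431 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:00:04 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/8.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Assumed list of Actuator endpoints that expose configuration, secrets or live
# sessions when reachable without authentication. /actuator/health is commonly public.
SENSITIVE_ACTUATOR = ("/actuator/env", "/actuator/sessions", "/actuator/beans", "/actuator/mappings", "/actuator/heapdump")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line, e.g. a different log format
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyse(log_text, error_threshold=3):
    """Flag clients that look like wordlist enumeration or got a 200 from a sensitive Actuator endpoint."""
    errors = defaultdict(int)          # 400/404 responses per client
    actuator_hits = defaultdict(list)  # sensitive paths served with 200, per client
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] in (400, 404):
            errors[rec["ip"]] += 1
        elif rec["status"] == 200 and rec["path"].startswith(SENSITIVE_ACTUATOR):
            actuator_hits[rec["ip"]].append(rec["path"])
    findings = {}
    for ip in set(errors) | set(actuator_hits):
        reasons = []
        if errors[ip] >= error_threshold:
            reasons.append(f"{errors[ip]} 400/404 responses (wordlist enumeration)")
        if actuator_hits[ip]:
            reasons.append("unauthenticated 200 on " + ", ".join(actuator_hits[ip]))
        if reasons:
            findings[ip] = reasons
    return findings
```

The second pattern is the one worth alerting on regardless of volume: a single 200 on /actuator/env or /actuator/sessions from an external client means the endpoints are exposed and should be restricted or put behind authentication.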
To be continued, I’m tired >:(