KalioNix

CozyHosting

4 min read

Proof of Concept

10.129.229.88

Nmap

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Initial Access

80 포트 웹서비스 접속 시 http://cozyhosting.htb으로 리다이렉트 됨

80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)

/etc/hosts 파일 설정

┌──(kali㉿kali)-[~/CozyHosting]
└─$ cat /etc/hosts
<SNIP>
10.129.229.88	cozyhosting.htb

웹 디렉토리 탐색 결과 에러 페이지 발견

┌──(kali㉿kali)-[~/CozyHosting]
└─$ feroxbuster -u http://cozyhosting.htb -t 100
 
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://cozyhosting.htb/
 🚩  In-Scope Url          │ cozyhosting.htb
 🚀  Threads               │ 100
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        1l        2w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       97l      196w     4431c http://cozyhosting.htb/login
200      GET       43l      241w    19406c http://cozyhosting.htb/assets/img/pricing-business.png
200      GET       29l      131w    11970c http://cozyhosting.htb/assets/img/pricing-free.png
200      GET       34l      172w    14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200      GET       38l      135w     8621c http://cozyhosting.htb/assets/img/favicon.png
200      GET       29l      174w    14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200      GET      295l      641w     6890c http://cozyhosting.htb/assets/js/main.js
200      GET     2397l     4846w    42231c http://cozyhosting.htb/assets/css/style.css
200      GET        1l      218w    26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
204      GET        0l        0w        0c http://cozyhosting.htb/logout
200      GET       79l      519w    40905c http://cozyhosting.htb/assets/img/values-2.png
200      GET       38l      135w     8621c http://cozyhosting.htb/assets/img/logo.png
200      GET        1l      313w    14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
200      GET       81l      517w    40968c http://cozyhosting.htb/assets/img/hero-img.png
200      GET       83l      453w    36234c http://cozyhosting.htb/assets/img/values-3.png
500      GET        1l        1w       73c http://cozyhosting.htb/error
<SNIP>

http://cozyhosting.htb/error 페이지 접속 시 “Whitelabel Error Page”라는 문구를 볼 수 있으며, 해당 문구는 Spring Boot에서 발생하는 오류 문구임을 확인

<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Sun Feb 08 15:33:37 UTC 2026</div><div>There was an unexpected error (type=None, status=999).</div></body></html>

Spring Boot endpoint 워드리스트 다운로드

┌──(kali㉿kali)-[/usr/share/seclists/Discovery/Web-Content]
└─$ sudo wget https://git.selfmade.ninja/zer0sec/SecLists/-/raw/master/Discovery/Web-Content/spring-boot.txt
[sudo] password for kali:
--2026-02-08 10:51:24--  https://git.selfmade.ninja/zer0sec/SecLists/-/raw/master/Discovery/Web-Content/spring-boot.txt
Resolving git.selfmade.ninja (git.selfmade.ninja)... 95.111.201.95
Connecting to git.selfmade.ninja (git.selfmade.ninja)|95.111.201.95|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1890 (1.8K) [text/plain]
Saving to: ‘spring-boot.txt’
 
spring-boot.txt                                100%[===================================================================================================>]   1.85K  --.-KB/s    in 0s
 
2026-02-08 10:51:25 (6.55 MB/s) - ‘spring-boot.txt’ saved [1890/1890]

Spring Boot 엔드포인트 열거

┌──(kali㉿kali)-[~/CozyHosting]
└─$ feroxbuster -u http://cozyhosting.htb -t 100 -w /usr/share/wordlists/seclists/Discovery/Web-Content/spring-boot.txt -q -s 200
 
200      GET        1l        1w       15c http://cozyhosting.htb/actuator/health
200      GET        1l        1w       48c http://cozyhosting.htb/actuator/sessions
200      GET        1l        1w      634c http://cozyhosting.htb/actuator
200      GET        1l       13w      487c http://cozyhosting.htb/actuator/env/lang
200      GET        1l      120w     4957c http://cozyhosting.htb/actuator/env
200      GET        1l       13w      487c http://cozyhosting.htb/actuator/env/home
200      GET        1l       13w      487c http://cozyhosting.htb/actuator/env/path
200      GET        1l      108w     9938c http://cozyhosting.htb/actuator/mappings
200      GET       38l      135w     8621c http://cozyhosting.htb/assets/img/favicon.png
200      GET       38l      135w     8621c http://cozyhosting.htb/assets/img/logo.png
200      GET      295l      641w     6890c http://cozyhosting.htb/assets/js/main.js
200      GET       34l      172w    14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200      GET       29l      131w    11970c http://cozyhosting.htb/assets/img/pricing-free.png
200      GET       29l      174w    14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200      GET       73l      470w    37464c http://cozyhosting.htb/assets/img/values-1.png
200      GET       97l      196w     4431c http://cozyhosting.htb/login
200      GET       43l      241w    19406c http://cozyhosting.htb/assets/img/pricing-business.png
200      GET        1l      542w   127224c http://cozyhosting.htb/actuator/beans
200      GET        1l      218w    26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
200      GET       79l      519w    40905c http://cozyhosting.htb/assets/img/values-2.png
200      GET        1l      313w    14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
200      GET       83l      453w    36234c http://cozyhosting.htb/assets/img/values-3.png
200      GET     2397l     4846w    42231c http://cozyhosting.htb/assets/css/style.css
200      GET        1l      625w    55880c http://cozyhosting.htb/assets/vendor/glightbox/js/glightbox.min.js
200      GET        7l     1222w    80420c http://cozyhosting.htb/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200      GET       81l      517w    40968c http://cozyhosting.htb/assets/img/hero-img.png
200      GET       14l     1684w   143706c http://cozyhosting.htb/assets/vendor/swiper/swiper-bundle.min.js
200      GET     2018l    10020w    95609c http://cozyhosting.htb/assets/vendor/bootstrap-icons/bootstrap-icons.css
200      GET        7l     2189w   194901c http://cozyhosting.htb/assets/vendor/bootstrap/css/bootstrap.min.css
200      GET      285l      745w    12706c http://cozyhosting.htb/
Scanning: http://cozyhosting.htb/