Hack The Box Cozy Hosting

00:00 Introduction 01:00 Start of nmap 03:10 Identify JSESSIONID with nginx, but nginx appears to be configured correctly 06:00 Googling the error message to identify the page uses SpringBoot, using a SpringBoot wordlist to find actuators 10:30 Using the Sessions Actuator and seeing a session for kanderson, logging in to get to the admin interface 14:15 Finding RCE in the ExecSSH Page 23:20 Shell on CozyHosting, looking at running services 26:00 Examining the CozyHosting Jar to identify PostGres credentials then dumping the users table and cracking hashes 33:00 Josh can run SSH with sudo, using proxy command to get root 34:10 Explaining what ProxyCommand is