CozyHosting — Attack Chain (COMPLETE)

Full Path: Nmap → Web Enum (ffuf) → Spring Boot Identified → Actuator Exposed → Session Hijack (kanderson) → Admin Panel → Command Injection (/executessh) → Reverse Shell (app) → JAR Extraction → DB Creds → PostgreSQL Dump → bcrypt crack → Password Reuse → SSH (josh) → User Flag → sudo ssh → Root Flag

Branch Points

1. How to access admin panel?

  • Chosen: Session hijack via /actuator/sessions — stole kanderson's JSESSIONID

2. Command injection on /executessh

  • Chosen: username field with ; + backtick substitution + ${IFS} space bypass + base64 encoding + bash -c (not sh) + # to comment out trailing @hostname

3. app → josh (lateral movement)

  • Chosen: Extract JAR → application.properties → PostgreSQL creds → dump user hashes → crack admin bcrypt → password reuse on josh via SSH

4. josh → root (privilege escalation)

  • Chosen: sudo -l revealed (root) /usr/bin/ssh * → GTFOBins sudo ssh -o ProxyCommand → root shell
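
The fix for branch point 2, as an added example (not code from this writeup or from the CozyHosting application): allowlist the username and host, then pass them to ssh as separate argv elements so no shell ever parses them. The class name, the allowlist patterns, the ssh options and the sample inputs are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SafeSshArgs {
    // Assumed policy: the first character is never '-', so a value cannot be
    // read by ssh as an option (for example -oProxyCommand=...).
    private static final Pattern USER = Pattern.compile("[A-Za-z_][A-Za-z0-9_-]{0,31}");
    private static final Pattern HOST =
        Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?");

    /** Returns the argv for ssh, or throws if either field fails the allowlist. */
    static List<String> buildArgv(String username, String host) {
        if (username == null || !USER.matcher(username).matches())
            throw new IllegalArgumentException("invalid username");
        if (host == null || !HOST.matcher(host).matches())
            throw new IllegalArgumentException("invalid host");
        // One list element per argument: ProcessBuilder executes the binary
        // directly, so ';', backticks, ${IFS} and '#' are never interpreted.
        // "--" ends option parsing before the user-controlled destination.
        return List.of("/usr/bin/ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
                       "--", username + "@" + host);
    }

    static boolean accepted(String username, String host) {
        try {
            buildArgv(username, host);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs, one per metacharacter class named in branch point 2,
        // plus an option-shaped value and a value containing a space.
        String[] users = { "kanderson", "a;b", "a`b`", "a${IFS}b", "a#", "-oProxyCommand=x", "a b" };
        for (String u : users)
            System.out.println((accepted(u, "host.example") ? "accept " : "reject ") + u);
        // A caller would then run: new ProcessBuilder(buildArgv(user, host)).start()
    }
}
```

Only the first sample is accepted; the validation and the shell-free argv are independent layers, so a later loosening of one pattern does not reintroduce command injection.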