CozyHosting is a web hosting company with a website running on Java Spring Boot. I’ll find a Spring Boot Actuator path that leaks the session id of a logged in user, and use that to get access to the site. Once there, I’ll find command injection in a admin feature to get a foothold. I’ll pull database creds from the Java Jar file and use them to get the admin’s hash on the website from Postgres, which is also the user’s password on the box. From there, I’ll abuse sudo ssh with the ProxyCommand option to get root.

0xdf hacks stuff

The post describes the process of compromising a web hosting company's website running on Java Spring Boot. It covers reconnaissance, web application analysis, command injection, database exploration, and privilege escalation through SSH ProxyCommand.

HTB: CozyHosting