HackTheBox - CozyHosting

00:00 - Introduction
01:00 - Start of nmap
03:10 - Identify JSESSIONID with nginx, but nginx appears to be configured correctly
06:00 - Googling the error message to identify that the page uses Spring Boot, then using a Spring Boot wordlist to find actuators
10:30 - Using the Sessions Actuator and seeing a session for kanderson, logging in to get to the admin interface
14:15 - Finding RCE in the ExecSSH Page
23:20 - Shell on CozyHosting, looking at running services
26:00 - Examining the CozyHosting JAR to identify Postgres credentials, then dumping the users table and cracking hashes
33:00 - Josh can run SSH with sudo, using ProxyCommand to get root
34:10 - Explaining what ProxyCommand is
