Session Hijacking

March 12, 2024

CozyHosting – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec GTFObins, HackTheBox, HTB, JAR Decompilation, john, Linux Box, Password Cracking, postgres, RCE, Session Hijacking, SpringActuators, SpringBoot, SSH, sudo -l 0

Machine Name: CozyHosting
IP: 10.10.11.230
Difficulty: Easy

Summary

CozyHosting, an easy machine, initially involves understanding its SpringBoot application, discovered through a generic error page uncovered during directory enumeration. Further exploration revealed sensitive SpringActuator endpoints, leading to the acquisition of a session token belonging to user KAnderson. Leveraging this token facilitated the theft of the user’s session, providing access to the admin’s dashboard featuring an exploitable SSH configuration. Exploiting the SSH configuration vulnerability allowed for remote code execution (RCE) and subsequent acquisition of a shell. The next step involved decompiling a JAR file, uncovering plain-text database credentials that enabled access to the Postgres database. Within the database, user hashes were uncovered and subsequently cracked to unveil the user password, granting entry as Josh. Finally, privilege escalation was achieved through an SSH sudo misconfiguration, facilitating the acquisition of an interactive shell as root via SSH.

March 9, 2024

AppSanity – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec ASPX, chisel, DLL Hijacking, dnSpy, ffuf, HackTheBox, HTB, JWT, metasploit, meterpreter, Session Hijacking, SSRF, Windows 0

Machine Name: AppSanity
IP: 10.10.11.238
Difficulty: Hard

Summary

AppSanity is a hard difficulty machine that starts with subdomain enumeration and manipulation of the registration process. Utilizing JWT for session hijacking, the journey led to SSRF and finally gaining a user shell through bypassing file-type restrictions. For privilege escalation, analysis of the ExaminationManagement.dll revealed a registry key, providing user credentials. Reverse port forwarding via Chisel unveiled the service on port 100, enabling exploitation of DLL hijacking to escalate privileges and eventually access administrator shell and root flag.