HackTheBox - CozyHosting

00:00 - Introduction 01:00 - Start of nmap 03:10 - Identify JSESSIONID with nginx, but nginx appears to be configured correctly 06:00 - Googling the error message to identify the page uses SpringBoot, using a SpringBoot wordlist to find actuators! 10:30 - Using the Sessions Actuator and seeing a session for kanderson, logging in to get to the admin interface 14:15 - Finding RCE in the ExecSSH Page 23:20 - Shell on CozyHosting, looking at running services 26:00 - Examining the CozyHosting Jar to identify PostGres credentials then dumping the users table and cracking hashes 33:00 - Josh can run SSH with sudo, using proxy command to get root 34:10 - Explaining what ProxyCommand is