Analysis updated 2026-05-18
Learn how Spring Boot Actuator endpoint exposure leads to session hijacking.
Study a real command injection and reverse shell attack chain step by step.
Practice cracking leaked password hashes with hashcat and rockyou.txt.
Understand how misconfigured sudo rules enable privilege escalation to root.
| themursalin/cozyhosting_walkthrough | 0verflowme/alarm-clock | 0xhassaan/nn-from-scratch | |
|---|---|---|---|
| Stars | 0 | — | 0 |
| Language | — | CSS | Python |
| Last pushed | — | 2022-10-03 | — |
| Maintenance | — | Dormant | — |
| Setup difficulty | moderate | easy | moderate |
| Complexity | 3/5 | 2/5 | 4/5 |
| Audience | developer | vibe coder | developer |
Figures from each repo's GitHub metadata at analysis time.
Best followed alongside a vulnerable lab environment matching the walkthrough's target.
CozyHosting_Walkthrough is an educational security assessment writeup documenting a step by step penetration test of a fictional hosting company's Spring Boot (Java) web application. It is classified as an educational walkthrough demonstrating real world attack techniques in a deliberately vulnerable environment, similar to the format used by hands on security training labs. The walkthrough covers a complete attack chain. First, port scanning identifies open services. The application is found to expose Spring Boot Actuator endpoints, operational debugging paths often left enabled by accident in production. The /actuator/sessions endpoint leaks active session identifiers and their associated usernames. Replacing the browser session cookie with a stolen ID takes over an authenticated user's session without a password, a session hijacking attack. From the admin dashboard, a form that runs SSH commands is found vulnerable to command injection: an attacker can append arbitrary shell commands to the username field. Space characters are filtered, but the walkthrough shows bypass techniques using shell features. A reverse shell is established this way, giving the attacker interactive access to the server. Inside the application, the JAR file (a packaged Java archive) contains a configuration file with PostgreSQL database credentials in plaintext. The database yields password hashes for two accounts. The admin hash is cracked using hashcat with the rockyou.txt wordlist. The cracked password also works for a local system user, enabling lateral movement. Finally, a misconfigured sudo rule lets that user run ssh as root, and the SSH ProxyCommand option is abused to spawn a root shell. The full README is longer than what was shown.
An educational writeup walking through a full penetration test of a deliberately vulnerable Spring Boot hosting application, from recon to root access.
Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.