CozyHosting writeup by evyatar9

Read my writeup of CozyHosting at:

TLDR
User: Discovered a JAR file hosted on port 8000. Extracted the portal (port 80) credentials and DB credentials from the JAR file. Obtained a reverse shell using command injection in the username field via the /executessh API. Cracked the admin password from the database and then used it to log in over SSH as the josh user.

Root: After running sudo -l, it was determined that we can execute /usr/bin/ssh * as root. This allowed for the spawning of an interactive root shell via the ProxyCommand option.

Free Palestine :palestinian_territories: :palestinian_territories: :palestinian_territories:
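
A defensive check for the sudo misconfiguration in the Root step, as an added example that is not part of the original post: it parses `sudo -l` output and flags rules that let a command-capable binary take free-form arguments. Only the `/usr/bin/ssh *` rule comes from the writeup; the sample output, the `COMMAND_CAPABLE` set and the `audit_sudo_rules` function are constructed for illustration.

```python
import re

# Binaries whose options can run arbitrary commands. Only ssh (ProxyCommand)
# comes from the writeup; extend this assumed set for your own environment.
COMMAND_CAPABLE = {"/usr/bin/ssh"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Flag rules where a command-capable binary accepts unrestricted arguments."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults entries, blank lines
        runas_user = m.group("runas").split(":")[0].strip()
        # Commands in one rule are comma separated (escaped commas not handled).
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary, _, args = cmd.partition(" ")
            args = args.strip()
            if binary not in COMMAND_CAPABLE or args == '""':
                continue  # "" in sudoers means no arguments are allowed
            if args == "":
                reason = "no argument restriction"
            elif any(ch in args for ch in "*?["):
                reason = "wildcard in arguments"
            else:
                continue  # fixed argument list, matched exactly by sudo
            findings.append({"runas": runas_user, "binary": binary,
                             "args": args, "reason": reason})
    return findings

# Constructed sample; only the first rule mirrors the writeup.
SAMPLE = """\
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
    (root) NOPASSWD: /usr/bin/ssh -i /root/.ssh/backup_key backup@10.0.0.5 /usr/local/bin/backup.sh
    (ALL : ALL) /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE):
        print(finding)
```

Rules it flags are best replaced with a fixed argument list or a root-owned wrapper script, so the caller cannot pass extra options such as ProxyCommand.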