Cockpit

Source: Proving Grounds
OS: Linux
Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started with autorecon as usual, which revealed three open ports on the target:

    • SSH (22)

    • HTTP (80)

    • HTTP (9090)

Service Analysis

HTTP (80) & HTTP (9090)

  • Browsing to port 80 revealed a simple page with minimal content, nothing much to work with initially.

  • Port 9090 presented a login form. I tried multiple approaches, including searching for CVEs based on the Ubuntu version shown on the page, but those efforts led nowhere.

  • After about 18 minutes of unsuccessful attempts (I know because I was timing myself for this box), I rechecked my fuzzers on HTTP (80) and discovered a login page. Using a simple SQL injection attack there, I managed to bypass authentication by logging in with:

    • Username: admin

    • Password: '--


Gaining Initial Access

  • After the SQL injection, I logged in and discovered two user accounts along with their hashed passwords:


User: james

  • Hash: Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=

  • Plaintext: canttouchhhthiss@455152

User: Cameron

  • Hash: dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy

  • Plaintext: thisscanttbetouchedd@455152

  • I thought, "Great, now I can just log in via SSH and run linpeas." But then I realized SSH only accepted key-based authentication, not passwords, so I was still not there just yet.

  • I remembered the secondary login page on HTTP (9090) and decided to try the users there. This time, the login worked, as james! Exploring the account settings, I discovered an option to upload SSH public keys. I generated a key pair, uploaded my public key, and finally gained SSH access.


Privilege Escalation

  • Running sudo -l revealed that I could execute tar as sudo without a password.

  • Checking gtfobins showed that tar can be exploited using the flags --checkpoint=1 --checkpoint-action=exec=/bin/sh to spawn a shell. I executed the command and, bingo, got root:

sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=/bin/sh

Lessons Learned

  • SQL Injection: A simple SQL injection on a login page on port 80 led to initial access.

  • SSH Key Upload: The ability to upload an SSH public key via the secondary login page was critical in bypassing key-only authentication on SSH.

  • Sudo Exploitation: Misconfigured sudo privileges for tar provided a straightforward path to root.
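
A defender-side check for the sudo misconfiguration above, as an added example that is not part of the original write-up: it scans sudoers user specifications for passwordless tar rules whose arguments are missing or wildcarded, which is what lets extra options through. The sample rules, the RISKY set and the function name are constructed assumptions.

```python
import re

RISKY = {"tar"}  # binary from this write-up; extend per local policy (assumption)

# Constructed sample sudoers content, not taken from the target machine.
SAMPLE_SUDOERS = r'''
Defaults env_reset
james ALL=(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *
backup ALL=(root) NOPASSWD: /usr/bin/tar
ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \
    /usr/bin/tar ""
admin ALL=(ALL:ALL) ALL
'''

def audit_sudoers(text):
    """Return (user, command, reason) for passwordless rules on RISKY binaries
    whose arguments are not pinned. Handles plain user specs only (no aliases)."""
    findings = []
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = re.match(r"(\S+)\s+[^\s=]+\s*=\s*(.*)", line)
        if not m:
            continue
        who, spec = m.groups()
        nopasswd = False  # tags persist across the comma-separated command list
        for cmd in (c.strip() for c in spec.split(",")):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd)  # drop the Runas spec
            while (tag := re.match(r"([A-Z_]+):\s*", cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            path, _, args = cmd.partition(" ")
            args = args.strip()
            if not nopasswd or path.rsplit("/", 1)[-1] not in RISKY:
                continue
            if args == '""':  # sudoers: "" permits the command with no arguments only
                continue
            if not args:
                findings.append((who, path, "no argument list, any options accepted"))
            elif re.search(r"[*?\[]", args):
                findings.append((who, path, "wildcard in arguments also matches extra options"))
    return findings

if __name__ == "__main__":
    for who, path, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: NOPASSWD {path} ({why})")
```

Flagged rules are best removed or replaced with a root-owned wrapper script that accepts no user-controlled arguments.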
