Cockpit

Last updated 2 months ago

Source: Proving Grounds OS: Linux Community Rating: Intermediate

Enumeration & Reconnaissance

I started with autorecon as usual, which revealed three open ports on the target:
- SSH (22)
- HTTP (80)
- HTTP (9090)

HTTP (80) & HTTP (9090)

Browsing to port 80 revealed a simple page with minimal content, nothing much to work with initially.

Port 9090 presented a login form. I tried multiple approaches, including searching for CVEs based on the Ubuntu version shown on the page, but those efforts led nowhere.

After about 18 minutes of unsuccessful attempts (I know because was timing myself for this box), Then, I rechecked my fuzzers on HTTP (80) and discovered a login page. Using a simple SQL injection attack there, I managed to bypass authentication by logging in with:
- Username: admin
- Password: '--

After the SQL injection, I logged in and discovered two user accounts along with their hashed passwords:

User: james

User: Cameron

Hash: dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy
Plaintext: thisscanttbetouchedd@455152
I thought, "Great, now I can just log in via SSH and run linpeas." But then I realized, SSH only accepted key-based authentication, not passwords, still no there just yet.
I remembered the secondary login page on HTTP (9090) and decided to try the users there. This time, the login worked, as james! Exploring the account settings, I discovered an option to upload SSH public keys. I generated a key pair, uploaded my public key, and finally gained SSH access.

Running sudo -l revealed that I could execute tar as sudo without a password.
Checking gtfobins showed that tar can be exploited using the flags --checkpoint=1 --checkpoint-action=exec=/bin/sh to spawn a shell. I executed the command and bingo got root:

sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=/bin/sh

SQL Injection: A simple SQL injection on a login page on port 80 led to initial access.
SSH Key Upload: The ability to upload an SSH public key via the secondary login page was critical in bypassing key-only authentication on SSH.
Sudo Exploitation: Misconfigured sudo privileges for tar provided a straightforward path to root.

Last updated 2 months ago

Source: Proving Grounds OS: Linux Community Rating: Intermediate

I started with autorecon as usual, which revealed three open ports on the target:
- SSH (22)
- HTTP (80)
- HTTP (9090)

HTTP (80) & HTTP (9090)

Browsing to port 80 revealed a simple page with minimal content, nothing much to work with initially.

Port 9090 presented a login form. I tried multiple approaches, including searching for CVEs based on the Ubuntu version shown on the page, but those efforts led nowhere.

After about 18 minutes of unsuccessful attempts (I know because was timing myself for this box), Then, I rechecked my fuzzers on HTTP (80) and discovered a login page. Using a simple SQL injection attack there, I managed to bypass authentication by logging in with:
- Username: admin
- Password: '--

After the SQL injection, I logged in and discovered two user accounts along with their hashed passwords:

User: james

User: Cameron

Hash: dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy
Plaintext: thisscanttbetouchedd@455152
I thought, "Great, now I can just log in via SSH and run linpeas." But then I realized, SSH only accepted key-based authentication, not passwords, still no there just yet.
I remembered the secondary login page on HTTP (9090) and decided to try the users there. This time, the login worked, as james! Exploring the account settings, I discovered an option to upload SSH public keys. I generated a key pair, uploaded my public key, and finally gained SSH access.

Running sudo -l revealed that I could execute tar as sudo without a password.
Checking gtfobins showed that tar can be exploited using the flags --checkpoint=1 --checkpoint-action=exec=/bin/sh to spawn a shell. I executed the command and bingo got root:

sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=/bin/sh

SQL Injection: A simple SQL injection on a login page on port 80 led to initial access.
SSH Key Upload: The ability to upload an SSH public key via the secondary login page was critical in bypassing key-only authentication on SSH.
Sudo Exploitation: Misconfigured sudo privileges for tar provided a straightforward path to root.