May 23, 2025

Cockpit Proving Grounds Write-Up

Proving Grounds Cockpit machine walkthrough

SUMMARY

This write-up covers the Cockpit machine from OffSec’s Proving Grounds, a Linux machine where a login bypass chained with credential reuse led to a privileged terminal.

Directory enumeration on port 80 with ffuf revealed a /login panel vulnerable to a simple SQL injection bypass. The admin panel exposed user credentials encoded in Base64; decoding them yielded cleartext passwords. Port 9090 hosted an Ubuntu Cockpit admin interface, and authenticating as user james with the recovered credentials granted access to a browser-based terminal, which was used to spawn a reverse shell.

Privilege escalation abused a sudo rule allowing james to run tar as root. The tar command in that rule used a wildcard (*), enabling a classic tar wildcard injection attack: specially crafted filenames were used to inject a --checkpoint-action that appended a full sudo rule for james to the sudoers file, granting unrestricted root access.
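As an added defender-side example (not part of the original write-up), here is a small Python audit that reads sudoers-style rules and flags exactly the pattern described above: tar run as root with a wildcard, or with no argument list at all, in the rule. The sample sudoers text, the rule for james, the backup user, and the archive paths are constructed for the example; the pinned rule shows the mitigation, an exact argument list with no glob characters.

```python
"""Flag sudoers rules that let a user run tar as root with a wildcard.

Added example; the sudoers text below is constructed, not taken from the
Cockpit machine. A '*' in a rule's argument list lets any trailing
arguments through, so filenames expanded by the caller's shell become
tar options (the --checkpoint-action pattern). The fix is to pin the
exact argument list with no glob characters.
"""
import os
import re

GLOB_CHARS = set("*?[")
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
        "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:")
# user  host=(runas) [TAG:] command [, command ...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

# Constructed sample: one vulnerable rule, one pinned rule, one unrelated rule.
SAMPLE_SUDOERS = """\
Defaults env_reset
# backup helper (vulnerable: the wildcard lets any extra tar options through)
james ALL=(root) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *
# pinned alternative: exact arguments, no glob, directory given explicitly
backup ALL=(root) NOPASSWD: /usr/bin/tar -czf /var/backups/www.tgz -- /var/www/html
%admin ALL=(ALL) ALL
"""


def strip_tags(cmd):
    """Remove leading sudoers tags such as NOPASSWD: from a command spec."""
    cmd = cmd.strip()
    while True:
        for tag in TAGS:
            if cmd.startswith(tag):
                cmd = cmd[len(tag):].strip()
                break
        else:
            return cmd


def parse_rules(text):
    """Return (user, runas, command) tuples from user-spec lines.

    Comments, Defaults and alias definitions are skipped; backslash
    continuation lines are not handled, which is enough for the sample.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                         "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        for cmd in cmds.split(","):
            rules.append((user, runas, strip_tags(cmd)))
    return rules


def runs_as_root(runas):
    """sudo defaults to root when no runas list is given; ALL includes root."""
    if runas is None or runas.strip() == "":
        return True
    return runas.split(":")[0].strip() in ("ALL", "root")


def audit_tar_rules(text):
    """Return findings (user, command, reason) for risky root tar rules."""
    findings = []
    for user, runas, cmd in parse_rules(text):
        argv = cmd.split()
        if not argv or cmd == "ALL" or not runs_as_root(runas):
            continue
        if os.path.basename(argv[0]) != "tar":
            continue
        if len(argv) == 1:
            findings.append((user, cmd, "no argument list: caller controls every tar option"))
        elif any(GLOB_CHARS & set(arg) for arg in argv[1:]):
            findings.append((user, cmd, "wildcard in arguments: shell-expanded filenames become tar options"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_tar_rules(SAMPLE_SUDOERS):
        print(f"[!] {user}: {cmd}\n    {reason}")
```

Run against the sample, only the james rule is reported; the pinned backup rule passes because every argument is fixed and tar is handed an explicit directory after `--`, so nothing in that directory can ever be parsed as an option. The same check is worth running over /etc/sudoers.d/* after any change that grants tar, or any other archiver, to a non-root user.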


PATH TO FOLLOW

  1. Reconnaissance & Directory Enumeration
  2. SQL Injection Login Bypass
  3. Base64 Credential Decoding
  4. Cockpit Admin Panel Access & Terminal Reverse Shell
  5. Sudo tar Wildcard Injection
  6. Sudoers File Modification & Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.