Proving Grounds Practice | Linux Box: Cockpit

This article is a writeup of Cockpit, an intermediate machine hosted on OffSec Proving Grounds, as part of our OSCP journey. I will outline the concepts and my methodology as we progress from reconnaissance to gaining root privileges on the machine.
Port Scan
The scan found ports 22, 80 and 9090 open.

Port 80 enumeration
We used gobuster for directory enumeration and found login.php at "http://192.168.208.10/login.php". This led us to the Blaze login page.

We attempted a SQL injection using the payload `admin' or 1=1 -- `, but were redirected to /blocked.html.

This told us that the OR keyword is filtered. We therefore tried the AND boolean instead, using the payload `admin' AND 1=1 -- -`. It worked: we bypassed authentication and gained access to the dashboard.
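To show why the redirect to /blocked.html was never a real fix, here is an added Python example (not from the machine or this writeup) that contrasts a keyword blocklist in front of a string-concatenated query with a parameterized query; the user table, the password value and the filter are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample user table; the password is a placeholder, not from the box.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    conn.commit()
    return conn

# Keyword blocklist of the kind the /blocked.html redirect suggests (assumed):
# it only rejects the OR keyword, so an AND-based payload goes straight through.
def blocklist_allows(value):
    return re.search(r"\bor\b", value, re.IGNORECASE) is None

# Vulnerable form: user input concatenated into the SQL string.
# The quote ends the literal and "-- " comments out the password check.
def login_concat(conn, username, password):
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()

# Hardened form: bound parameters, so the quote and comment are plain data
# and the password check can no longer be commented away.
def login_param(conn, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def demo():
    conn = make_db()
    blocked = "admin' or 1=1 -- "
    bypass = "admin' AND 1=1 -- -"
    return {
        "or_payload_blocked": not blocklist_allows(blocked),
        "and_payload_passes_filter": blocklist_allows(bypass),
        "concat_login_bypassed": login_concat(conn, bypass, "wrong") is not None,
        "param_login_rejects": login_param(conn, bypass, "wrong") is None,
        "param_login_valid": login_param(conn, "admin", "not-the-real-password") is not None,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry in the returned dictionary is True: the filter stops only the OR variant, the concatenated query is bypassed, and the parameterized query rejects the same input while still accepting the real credentials.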

To decode this we used CyberChef and recovered the password.
Port 9090 Enumeration
Navigating to port 9090, we arrive at an Ubuntu login page and access it using James's credentials. From the home page, we find a terminal interface that lets us execute commands, which is very promising.

Here we found local.txt.
Privilege escalation
Let's check `sudo -l`. We found that we can run `tar` with sudo, with a wildcard (*) at the end of the permitted command.

After checking GTFOBins, we found we can use `--checkpoint=1 --checkpoint-action=exec=/bin/sh` to get root access.

This is how I successfully rooted the Cockpit machine. Thank you for reading. Feel free to reach out if you encounter any difficulties.