Cockpit 🔸
Enumeration
Port 9090 serves the Cockpit service page.
Port 80 serves a web page.
Using feroxbuster with -x php, we find login.php.
Initial Access
And the web
There appears to be a possible SQL injection (SQLi).
Entering admin'-- -
works.
Log in and go to the terminal.
Get the flag
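An added example, not part of the original notes or the target's code: the admin'-- - login above reproduced against a constructed SQLite table, next to a parameterized check that rejects it. The schema, the function names and the concatenated query are assumptions, since the page does not show the source of login.php.

```python
import hashlib
import hmac
import os
import sqlite3

def pw_hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """In-memory users table (assumed schema) holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.create_function("pw_hash", 2, pw_hash)  # lets the query hash in SQL
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", salt, pw_hash("constructed-password", salt)))
    return db

def login_vulnerable(db, username, password):
    """Builds the SQL text from user input (assumed shape of the flawed query)."""
    # With the username admin'-- - the quote closes the string literal and "--"
    # turns the password comparison into a comment, so only the name is checked.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND digest = pw_hash('" + password + "', salt)")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    """Binds the username as a parameter and compares the digest in code."""
    row = db.execute("SELECT salt, digest FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(digest, pw_hash(password, salt))

if __name__ == "__main__":
    db = make_db()
    for name, pw in [("admin", "constructed-password"), ("admin", "wrong"),
                     ("admin'-- -", "anything")]:
        print(f"{name!r:14} vulnerable={login_vulnerable(db, name, pw)} "
              f"hardened={login_hardened(db, name, pw)}")
```

In the hardened version the quote and comment marker are only data inside the bound value, so the lookup finds no such user and the login fails.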
Privilege Escalation
With sudo -l we see that we have permission to run tar with a wildcard.
So in /tmp we create a checkpoint and an action that sets the SUID bit on bash.
Post Exploitation
Get the flag