Cockpit 🔸
Enumeration

Port 9090 shows the cockpit service page.

Port 80 shows a web page.

Using feroxbuster with -x php, we find login.php.

Initial Access
And the web

It seems that there is a possible SQLi.

Putting admin'-- - works.
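Why that input gets past the login, and how the query should be written instead, as an added example that is not from the original writeup or the target's code. It uses Python with an in-memory SQLite database as a stand-in for the PHP backend; the schema, function names and sample row are assumptions, since the page does not show the query behind login.php.

```python
import sqlite3


def make_db():
    """Constructed sample data; the real application's schema is unknown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-hash-value')")
    return db


def login_concatenated(db, username, password_hash):
    # Vulnerable pattern (assumed): input is pasted into the SQL text, so a
    # quote in the username closes the string literal and "--" turns the
    # password condition into a comment.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password_hash):
    # Hardened form: placeholders bind the input as data, so quotes and
    # comment markers are compared literally and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone() is not None


def compare(username, password_hash):
    """Run both login variants on the same input and return their verdicts."""
    db = make_db()
    try:
        concatenated = login_concatenated(db, username, password_hash)
    except sqlite3.Error:
        # An unbalanced quote breaks the concatenated statement outright;
        # SQL errors on a login form are themselves a sign of this flaw.
        concatenated = "sql-error"
    return {"concatenated": concatenated,
            "parameterized": login_parameterized(db, username, password_hash)}


if __name__ == "__main__":
    for user in ("admin", "admin'-- -", "o'brien"):
        print(repr(user), compare(user, "wrong-hash"))
```
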


Enter and go to the terminal.

Get the flag.

Privilege Escalation
With sudo -l, we see that we are allowed to run tar with a wildcard.

So in /tmp we create a checkpoint and a checkpoint action that sets the SUID bit on bash.


Post Exploitation
Get the flag.
