# Cockpit

Cockpit is a Linux web administration console. It usually authenticates against local system accounts, so web app credentials are worth trying here after SQLi, LFI, config leaks, or password dashboard access.

## Discovery

```bash
nmap -sC -sV TARGET -p 9090
# 9090/tcp open  http  Cockpit web service
# http-title: Did not follow redirect to https://TARGET:9090/
```

Browse to:

```bash
https://TARGET:9090/
```

The login page may disclose the OS version after loading, e.g. Ubuntu 20.04.x.

## Credential Reuse

Try credentials recovered from the web app against Cockpit. Do not only test the web application's admin user; test named users too because Cockpit wants valid Linux accounts.

```
root:root
USER:WEB_APP_PASSWORD
```

If a user logs in successfully, check whether the terminal is enabled:

```
https://TARGET:9090/system/terminal
```

## Post Login

From the Cockpit terminal, treat it like a normal local shell:

```bash
id
hostname
cat /etc/os-release
sudo -l
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/cockpit.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.