...
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGoivagBalUNqQKPAE2WFpkFMj+vKwO9D3RiUUxsnkBNKXp5ql1R+kvjG89Iknc24EDKuRWDzEivKXYrZJE9fxg=
| 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4BBc5R8qY5gFPDOqODeLBteW5rxF+qR5j36q9mO+bu
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
...
There are 3 open ports: FTP, SSH and HTTP.
Upon accessing the main page, I began looking for clues and soon discovered a link to sqlpad.sightless.htb. My next step was to identify the specific version of SQLPad running on the server.
Once I had the version, a quick search for associated vulnerabilities led me to this CVE that I could use as a foothold.
After running the exploit, I successfully gained a shell, which appeared to be within a Docker container. To gather more information about the environment, I uploaded linpeas to the container and executed it to find other clues.
Among the information gathered, I found a hash for the user michael that seemed promising. I attempted to crack it to gain further access.
After successfully cracking the hash, I used it to SSH into the machine as michael and was able to retrieve the user flag.
I ran linpeas again, and while reviewing the results, I discovered that Chrome was running under the user john with a remote debugging port enabled.
--remote-debugging-port=0 means that a random port is used; to pinpoint it, I began examining which internal ports were open on the system.
Port 8080 stood out as a potential target, so I set up an SSH tunnel to forward the port locally and accessed the page.
I couldn't find any valid credentials, so I shifted my focus back to exploring potential exploits through the Chrome debugging port and I found this page. Following the instructions on the page, I located the correct port and observed an automated session running on the machine.
By capturing the POST request being sent, I uncovered a set of credentials which I used to log in to Froxlor.
curl 'http://admin.sightless.htb:8080/index.php' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
-H 'Cache-Control: max-age=0' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: PHPSESSID=qnn51ri3jtc6rtl07l34tcfm7v' \
-H 'Origin: http://admin.sightless.htb:8080' \
-H 'Referer: http://admin.sightless.htb:8080/index.php' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/125.0.6422.60 Safari/537.36' \
--data-raw 'loginname=admin&password=<redacted>&dologin=' \
--insecure
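From a defender's side, the --remote-debugging-port=0 step above shows why a simple flag check is not enough: the actual port is only visible in the socket table. The following is an added example (not part of this writeup) that correlates process command lines with listening sockets to report browsers started with remote debugging, resolving the ephemeral port for the =0 case; the ps and ss lines are constructed samples, not output from the machine.

```python
import re

# Constructed sample of `ps -eo pid,user,args` output (not captured from any host).
PS_SAMPLE = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1337 john     /opt/google/chrome/chrome --headless --remote-debugging-port=0 --user-data-dir=/tmp/x
 1402 john     /opt/google/chrome/chrome --type=renderer --no-sandbox
"""

# Constructed sample of `ss -tlnp` output; pid=1337 is the headless Chrome above.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      10     127.0.0.1:40443    0.0.0.0:*     users:(("chrome",pid=1337,fd=45))
LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*     users:(("nginx",pid=900,fd=6))
"""

DEBUG_FLAG = re.compile(r"--remote-debugging-port=(\d+)")
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s.*pid=(\d+)")


def listening_ports_by_pid(ss_output):
    """Map pid -> list of (local address, port) that process listens on."""
    ports = {}
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:
            ports.setdefault(int(m.group(3)), []).append((m.group(1), int(m.group(2))))
    return ports


def find_debug_browsers(ps_output, ss_output):
    """Report processes launched with --remote-debugging-port and their real ports."""
    ports = listening_ports_by_pid(ss_output)
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the PID USER COMMAND header
        parts = line.split()
        if len(parts) < 3:
            continue
        pid, user, args = int(parts[0]), parts[1], " ".join(parts[2:])
        m = DEBUG_FLAG.search(args)
        if not m:
            continue
        # A requested port of 0 means the kernel chose an ephemeral one;
        # the socket table is the only place the real port shows up.
        actual = [port for _, port in ports.get(pid, [])]
        findings.append({"pid": pid, "user": user,
                         "requested": int(m.group(1)), "listening": actual})
    return findings


if __name__ == "__main__":
    for f in find_debug_browsers(PS_SAMPLE, SS_SAMPLE):
        print(f"pid {f['pid']} ({f['user']}): requested port {f['requested']}, "
              f"actually listening on {f['listening']}")
```

Run it against live `ps -eo pid,user,args` and `ss -tlnp` output on a host to spot debugging endpoints that expose an authenticated browser session, including those hidden behind a random port.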
Upon logging in, I discovered clues left behind by other users, which guided me toward the root flag.