© 2025 sk8thing.dev

Hack The Box - Sightless writeup

11 January 2025
2 min read
Tags: CTF Writeup, Hack The Box, Machine, Linux

Nmap scan

...
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGoivagBalUNqQKPAE2WFpkFMj+vKwO9D3RiUUxsnkBNKXp5ql1R+kvjG89Iknc24EDKuRWDzEivKXYrZJE9fxg=
|   256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4BBc5R8qY5gFPDOqODeLBteW5rxF+qR5j36q9mO+bu
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
...

There are 3 open ports: FTP, SSH and HTTP.

Port 80

Upon accessing the main page, I began looking for clues and soon discovered a link to sqlpad.sightless.htb. My next step was to identify the specific version of SQLPad running on the server.

HTB Sightless main page

HTB Sightless SQLpad version

Once I had the version, a quick search for associated vulnerabilities led me to CVE-2022-0944 that I could use as a foothold.

User flag

After running the exploit, I successfully gained a shell, which appeared to be within a Docker container. To gather more information about the environment, I uploaded linpeas to the container and executed it to find other clues.

HTB Sightless docker container

HTB Sightless user michael

Among the information gathered, I found a hash for the user michael that seemed promising. I attempted to crack it to gain further access.

HTB Sightless john

After successfully cracking the hash, I used it to SSH into the machine as michael and was able to retrieve the user flag.

HTB Sightless user flag

Root flag

I ran linpeas again, and while reviewing the results, I discovered that Chrome was running under the user john with a remote debugging port enabled.

HTB Sightless chrome remote debugging

--remote-debugging-port=0 means that a random port is used; to pinpoint it, I began examining which internal ports were open on the system.

HTB Sightless internal ports

Port 8080 stood out as a potential target, so I set up an SSH tunnel to forward the port locally and accessed the page.

HTB Sightless froxlor page

I couldn't find any valid credentials, so I shifted my focus back to exploring potential exploits through the Chrome debugging port, and I found this page. Following the instructions on the page, I located the correct port and observed an automated session running on the machine.
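The port-hunting step above is the kind of check a host audit should automate: with --remote-debugging-port=0 the DevTools listener lands on a random loopback port, and the only reliable way to tell it apart from other local services is that it answers /json/version with a webSocketDebuggerUrl. The script below is an added example, not code from the writeup or from Chrome; it assumes a Linux host with /proc/net/tcp, and the sample socket table embedded in it is constructed.

```python
import json
import urllib.request

# Constructed sample of /proc/net/tcp (not captured from the machine). Column 4 is the
# socket state (0A = LISTEN); addresses are hex with IPv4 bytes in little-endian order.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 20111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:9B57 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20112 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20113 1 0000000000000000 100 0 0 10 0
   3: 0100007F:D3A2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1001        0 20114 1 0000000000000000 20 4 30 10 -1
"""


def parse_listening(proc_net_tcp):
    """Return a sorted list of (ip, port) for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        addr_hex, port_hex = fields[1].split(":")
        # reverse the byte order: 0100007F -> 127.0.0.1
        ip = ".".join(str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        listeners.append((ip, int(port_hex, 16)))
    return sorted(listeners)


def fetch_json_version(port, timeout=2.0):
    """Live probe: GET /json/version on a loopback port; None if it is not a DevTools endpoint."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}/json/version", timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except (OSError, ValueError):
        return None


def find_devtools_ports(listeners, probe=fetch_json_version):
    """Map port -> browser banner for listeners that answer like a Chrome DevTools endpoint."""
    found = {}
    for _ip, port in listeners:
        info = probe(port)
        if isinstance(info, dict) and "webSocketDebuggerUrl" in info:
            found[port] = info.get("Browser", "unknown")
    return found


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_listening(fh.read())
    for port, browser in find_devtools_ports(live).items():
        print(f"DevTools endpoint on 127.0.0.1:{port} ({browser})")
```

Any hit is a finding worth raising: a reachable DevTools endpoint exposes every page the browser loads, including form submissions such as the one captured further down, to any local user.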

HTB Sightless chrome request

By capturing the POST request being sent, I uncovered a set of credentials which I used to log in to Froxlor.

curl 'http://admin.sightless.htb:8080/index.php' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
  -H 'Cache-Control: max-age=0' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Cookie: PHPSESSID=qnn51ri3jtc6rtl07l34tcfm7v' \
  -H 'Origin: http://admin.sightless.htb:8080' \
  -H 'Referer: http://admin.sightless.htb:8080/index.php' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/125.0.6422.60 Safari/537.36' \
  --data-raw 'loginname=admin&password=<redacted>&dologin=' \
  --insecure

Upon logging in, I discovered clues left behind by other users, which guided me toward the root flag.

HTB Sightless root clues

HTB Sightless root flag