Introduction to Sightless:

In this write-up, we will explore the “Sightless” machine from Hack the Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Contents
- 1 Objective:
- 2 Enumerating the Machine
- 3 Web Enumeration on Sightless Machine:
- 4 What is SQLPAD?
- 5 Exploitation on Sightless machine
- 6 What is CVE-2022-0944?
- 7 Escalate To Root Privileges Access on Sightless machine
- 8 What is Froxlor?
- 9 Another method of obtaining the root flag
- 10 LFTP access on Sightless machine
Objective:
The goal of this walkthrough is to complete the “Sightless” machine from Hack The Box by achieving the following objectives:
User Flag:
Exploiting SQLPad Vulnerability
- SQLPad is vulnerable to Server-Side Template Injection (SSTI), which we exploited to gain a shell on a container with root privileges. From this elevated access, we could dump the shadow file, exposing the password hashes stored within the container.
- By cracking one of the hashes, we retrieved a user’s password, which allowed us to establish SSH access to the host machine. This chain of exploitation demonstrated the impact of the vulnerability, transitioning from container access to compromising the host system.
Root Flag:
Exploiting Froxlor Instance
- We discovered a locally running Froxlor instance with remote debugging enabled. By exploiting the debugging feature, we captured the administrator’s password. Using these credentials, we accessed the Froxlor dashboard and changed the FTP password.
- We located a KeePass database file on the FTP server during the investigation. By analyzing the database, we extracted an SSH private key belonging to the root user, allowing us to gain elevated access.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.32
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/sightless]
└──╼ $nmap -sC -sV 10.10.11.32 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 16:34 EST
Nmap scan report for 10.10.11.32
Host is up (0.021s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=1/8%Time=677EEF5A%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,A0,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20S
SF:erver\)\x20\[::ffff:10\.10\.11\.32\]\r\n500\x20Invalid\x20command:\x20t
SF:ry\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x2
SF:0being\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.01 seconds
Analysis:
- Port 21 (FTP): ProFTPD server that answers unrecognised commands with a custom “try being more creative” message.
- Port 22 (SSH): OpenSSH 8.9p1 on Ubuntu, allowing secure remote access with provided key fingerprints.
- Port 80 (HTTP): Nginx 1.18.0 web server on Ubuntu, redirecting to http://sightless.htb/.
Web Enumeration on Sightless Machine:
Perform web enumeration to discover potentially exploitable directories and files.

We can’t observe much on the website interface here.


Among the available services, one redirects to sqlpad.sightless.htb. To access it, add sqlpad.sightless.htb to your hosts file (/etc/hosts).
What is SQLPAD?
SQLPad is an open-source web application for running SQL queries and visualizing data. It allows users to connect to databases, execute SQL commands, and view query results in a user-friendly interface. SQLPad supports multiple users, query sharing, and visualizations, and is commonly used for database management and data analysis, making it a versatile tool for developers, analysts, and administrators.

It appears we can enter and run SQL commands through it.

The installed version of SQLPad, 6.10.0, is listed in the About section.
Exploitation on Sightless machine
Web Application Exploration:

During vulnerability analysis, it was found to be affected by CVE-2022-0944.
What is CVE-2022-0944?
Template injection in the “connection test” endpoint in SQLPad (before version 6.10.1) is a vulnerability where unsanitized user input is processed within server-side templates. This flaw allows attackers to inject malicious template syntax or code into the endpoint, which the server executes.
When exploited, this vulnerability can escalate to Remote Code Execution (RCE), granting attackers the ability to run arbitrary commands on the server. This issue, identified as CVE-2022-0944, highlights the importance of input validation and secure template rendering to prevent exploitation.

The payload {{ process.mainModule.require('child_process').exec('shell') }} exploits Server-Side Template Injection (SSTI) in Node.js. It uses process.mainModule.require to access the child_process module and execute the id command, redirecting its output to shell. This demonstrates Remote Code Execution (RCE), allowing attackers to execute arbitrary OS commands on the server.
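As an added defensive illustration (not SQLPad's code, and not part of the original write-up), the check below treats the fields a connection form submits as opaque configuration values: it rejects anything carrying template syntax and only accepts hostnames, IPs, ports and plain identifiers. The field names (host, port, username, database, password) are assumptions about what such a form sends.

```python
import ipaddress
import re

# Substrings that signal template or Node.js code smuggled into a config
# field, including the pattern used in the SQLPad connection-test SSTI.
TEMPLATE_MARKERS = ("{{", "}}", "${", "<%", "process.mainModule",
                    "child_process", "require(")

# RFC 1123 style hostname: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# MySQL user and schema names: keep to a conservative identifier charset.
IDENT_RE = re.compile(r"^[A-Za-z0-9_.$-]{1,64}$")


def template_markers_in(value: str) -> list:
    """Return the template/code markers found in a string field."""
    return [m for m in TEMPLATE_MARKERS if m in value]


def valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def validate_connection(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    for key, value in cfg.items():
        if isinstance(value, str):
            found = template_markers_in(value)
            if found:
                problems.append(f"{key}: template syntax {found}")
    host = cfg.get("host", "")
    if not isinstance(host, str) or not valid_host(host):
        problems.append("host: not a hostname or IP address")
    port = cfg.get("port", 3306)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port: out of range")
    for key in ("username", "database"):
        v = cfg.get(key, "")
        if not isinstance(v, str) or not IDENT_RE.match(v):
            problems.append(f"{key}: unexpected characters")
    return problems


# Constructed inputs: a benign MySQL connection and one carrying the page's payload.
BENIGN = {"driver": "mysql", "host": "db.internal", "port": 3306,
          "username": "app", "database": "reports", "password": "s3cret"}
MALICIOUS = dict(BENIGN, username=
    "{{ process.mainModule.require('child_process').exec('shell') }}")
```

Rejecting the request before any value reaches a template or command path is the control the CVE description points at; logging the rejected field is what gives the SOC a signal.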

However, it failed.

To set up a new connection, follow these steps:
- Navigate to “Connection”: Open the “Connection” menu to begin the setup process.
- Create a New Connection: Click “New Connection” to configure a fresh connection.
- Select MySQL: Choose MySQL from the list of database options.
- Input the Payload or Credentials: To configure the connection, enter the required payload or credentials in the designated fields.
- Test the Connection: Run a test to verify the configuration and confirm a successful connection.

The process is running as the root user, so we have root privileges in this context.

It appears that we are in a Docker environment.

There are only three users with bash access.

The shadow file contains a hash for the user michael. Copy the hash value linked to michael’s account and proceed with cracking it.
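The audit below is an added example, not part of the original write-up, for the defender's side of this step: given a container's passwd and shadow files, it lists every account with an interactive shell whose shadow entry is an actual password hash (the accounts that would be exposed if the file leaks the way it does here) and names the hash algorithm so weak ones stand out. The file contents are constructed samples with placeholder hashes.

```python
# Constructed sample files modelled on a container with three bash users.
# The hash fields are placeholders, not real hashes.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
michael:x:1000:1000::/home/michael:/bin/bash
node:x:1001:1001::/home/node:/bin/bash
"""
SHADOW = """root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
michael:$6$constructedsalt$constructedhash:19000:0:99999:7:::
node:!:19000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
# crypt(3) prefixes; md5crypt is the one worth flagging as weak today.
HASH_PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
                 "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


def login_shell_users(passwd_text: str) -> list:
    """Accounts whose login shell is not a nologin/false placeholder."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[6] not in NOLOGIN_SHELLS:
            users.append(fields[0])
    return users


def classify_hash(field: str) -> str:
    """Describe a shadow password field: locked, empty, or its hash algorithm."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des-or-unknown"


def audit(passwd_text: str, shadow_text: str) -> dict:
    """Map each interactive account with a crackable (non-locked) hash to its algorithm."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            f = line.split(":")
            shadow[f[0]] = f[1]
    return {u: classify_hash(shadow.get(u, ""))
            for u in login_shell_users(passwd_text)
            if classify_hash(shadow.get(u, "")) != "locked"}
```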



The password crack was successful, as shown in the screenshot above, with the password being “insaneclownposse.”



We can view the user flag by executing the command cat user.txt.
Escalate To Root Privileges Access on Sightless machine
Privileges Access

As usual, we checked for binaries using sudo -l, but nothing was listed.

As a result, let’s examine the available ports.

The Apache configuration reveals another subdomain that we can exploit if necessary.

We can forward port 8080, but we’ll change it to a different port in the next step.

It is a Froxlor application.
What is Froxlor?
Froxlor is an open-source server management panel tailored for web hosting environments. It provides a graphical interface to manage domains, email accounts, FTP accounts, and databases, making server administration more accessible.
It’s often used by hosting providers and individuals who want a lightweight and free alternative to commercial control panels like cPanel or Plesk. With features such as SSL certificate management, DNS configuration, and resource monitoring, Froxlor helps streamline the management of web hosting services.

Open Google Chrome and go to chrome://inspect/#devices. Click “Configure” and add each port as 127.0.0.1:<port_number>, repeating this process until a connection appears. When a connection is visible, click “Inspect” to open a new window. The port number will continuously change over time.

Let’s add the port number used for port forwarding to the connection.

We need to keep retrying until we successfully obtain the domain, as shown below:


In the inspect function, it will appear as shown above.

After some time, we should obtain the credentials for admin access.

We successfully accessed the Froxlor dashboard by entering the credentials we discovered earlier.

After logging in, go to the “PHP” section, then select “PHP-FPM versions” and create a new version. In the PHP-FPM restart command field, enter the following command:




Save the configuration, then navigate to http://127.0.0.1:8080/admin_settings.php?start=phpfpm. Disable PHP-FPM and save the changes, then re-enable it and save again. This will trigger the execution of the copy command. Check that the root.txt file has been copied to /tmp.

Next, repeat the process until we acquire the file:





Finally, view the contents of the root.txt file in /tmp to retrieve the required information.



We can view the root flag by running the command cat root.txt.
Another method of obtaining the root flag
FTP Access
Froxlor contains at least one unintended method that attackers can exploit to achieve direct RCE. This section will cover this.
Custom User Dashboard Enumeration
The payload works by sending a POST request to /admin_admins.php to create a new admin account and popping up an alert box indicating the application has been compromised. The URL currently points to demo.froxlor.org, which will need to be updated accordingly.
The main challenge is knowing when the XSS executes. It appears a cron job periodically deletes the new admin accounts to prevent persistent exploitation, creating a tight window for the credentials to remain valid. To proceed, I’ll modify the URL and username to my own values.

I’ll remove the alert line and update the username and password to values of my choice (e.g., abcd / Abcd@@1234).
To execute the exploit, I’ll enable Burp Proxy in Intercept mode and attempt to log in with incorrect credentials.


Shortly after sending, I can successfully log in with the new account.

Under Resources → Admins, the expected admin account appears alongside my newly created username.
In Resources → Customers, a single user is listed. Clicking the Edit icon opens a form with several configuration options for this user. Among these options is the ability to change the password, which I’ll update using a random, complex password.
However, the new password does not grant access via SSH, su, or FTP for any user.
LFTP access on Sightless machine

I’ll connect to the FTP server and log in with lftp as described earlier. Running ls fails at this point because the connection is over TLS, and the certificate is not signed by a trusted CA. To proceed, I’ll configure lftp to ignore the certificate validation.

There are two files: an HTML page and a KeePass database. I’ll download them to my machine.

Let’s use keepass2john (a tool from John the Ripper) to generate a hash for the database password.




The default folders are empty, but there is a directory named Backup in sightless.htb.


There is a password and an attachment. The attach command opens a menu to interact with the attachment, allowing me to download it.


We should run the command above to obtain a clean SSH key.

We can view the root flag by executing the command cat root.txt.