- I start with a scan of the open ports:
  nmap -p- --open -vvv --min-rate 5000 -Pn -sS 10.10.11.32 -oG scan

- I continue with a scan of the versions and services running on the open ports that were found:
  nmap -p21,22,80 -sCV 10.10.11.32 -oN ports

- I find the domain sightless.htb and add it to the /etc/hosts file.

- I look at which technologies the website is using:
  whatweb https://sightless.htb

- I enumerate directories and files ending in specific extensions, but I can't find anything remarkable.

- I check the source code of the main page and find a subdomain. I add it to /etc/hosts and open the site to see its content.

- I find a version of SQLPad that, when I search for vulnerabilities, turns out to be affected by CVE-2022-0944, a template injection that allows code execution.

- I modify the payload shown for the CVE so that it launches a reverse shell, and I get a shell.

- When I check which user I am, I see that I am root, and when I check which network I am on, I realize that I am inside a container.

- Looking through the container's files, I see that I can read the /etc/shadow file, which contains the users' password hashes.

- I copy one of these hashes and crack it with john, which gives me the password of the user michael. Now I can connect to the system via ssh and read the first flag.

- To escalate privileges I start by looking at the ports in use. I find 8080, which is not reachable from outside the machine, so I use chisel to forward that port to my machine.

- I see a login panel, but after several attempts I am not able to get anything.

- I look at the processes running on the machine and find a few that catch my eye. After searching for information, I find that they may be related to the other ports in use.

- I forward those ports to my machine with chisel and add them in Chrome to be able to inspect the debugging sessions.

- By doing this I am able to inspect the debugging of these processes.

- The process logs in to and out of the panel continuously. When inspecting the calls, we can see the credentials in plain text.
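From the defender's side, the exposure above comes from a browser process left running with remote debugging enabled: anyone with a local foothold can forward the DevTools port and watch every request, credentials included. The following check is an added example (my code, not part of the original writeup): it scans process command lines for Chrome's `--remote-debugging-port`/`--remote-debugging-address` flags and reports the port, bind address and a severity; the ps output and process names are constructed sample data.

```python
import re
import shlex

# Constructed sample of `ps -eo pid,args --no-headers` output (not from the target).
SAMPLE_PS = """\
  1 /sbin/init
 812 /usr/bin/python3 /opt/automation/login_bot.py
 845 /usr/bin/chromium --headless --remote-debugging-port=9222 --user-data-dir=/tmp/prof https://admin.example.test/login
 901 /usr/bin/chromium --headless --remote-debugging-port=9333 --remote-debugging-address=0.0.0.0 https://admin.example.test/login
 950 /usr/bin/chromium --type=renderer --remote-debugging-port=9222
"""

BROWSER_RE = re.compile(r"(chrom(e|ium)|google-chrome)", re.IGNORECASE)

def find_remote_debugging(ps_text):
    """Return [(pid, port, bind_address)] for browser launcher processes that
    expose a DevTools endpoint. Renderer/helper subprocesses (--type=...) inherit
    the flag but do not open the listener, so they are skipped."""
    findings = []
    for line in ps_text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid_str, _, cmd = line.partition(" ")
        if not pid_str.isdigit():
            continue
        argv = shlex.split(cmd)
        if not argv or not BROWSER_RE.search(argv[0]):
            continue
        if any(a.startswith("--type=") for a in argv[1:]):
            continue  # child process, not the browser launcher
        port = None
        addr = "127.0.0.1"  # Chrome's default when --remote-debugging-address is absent
        for arg in argv[1:]:
            if arg.startswith("--remote-debugging-port="):
                port = int(arg.split("=", 1)[1])
            elif arg.startswith("--remote-debugging-address="):
                addr = arg.split("=", 1)[1]
        if port is not None:
            findings.append((int(pid_str), port, addr))
    return findings

def severity(finding):
    """Loopback-only endpoints are still reachable through port forwarding from a
    local foothold; a non-loopback bind address exposes DevTools to the network."""
    _, _, addr = finding
    return "HIGH" if addr not in ("127.0.0.1", "localhost", "::1") else "MEDIUM"

if __name__ == "__main__":
    for f in find_remote_debugging(SAMPLE_PS):
        print(f"pid={f[0]} port={f[1]} bind={f[2]} severity={severity(f)}")
```

Run it against real `ps -eo pid,args --no-headers` output on the host; any finding should be treated as a credential-exposure issue and the automation moved to a non-debugging launch or an isolated network namespace.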

- Using the credentials found, we can log in and start investigating the site.

- After a while I find, inside the PHP section, a field in which I can inject code that executes as root. I copy the flag to a directory I can access and change its permissions. With this I am able to read the second flag.