HackTheBox | Sightless

In this walkthrough, I demonstrate how I obtained complete ownership of Sightless on HackTheBox.

Initial Foothold Hint

Thorough enumeration of the public-facing services should lead you to some published security research and a CVE with a proof of concept available. SSH is rarely the first way into a target.

Privilege Escalation Hint

You need to have a solid post-exploit enumeration strategy. Consider which user you're running as and which files you might have access to. Enumerate everything — processes, services, internal port bindings, interesting files. Think about how information you discover at each phase could be used to access services that weren't previously accessible.

My CTF Methodology
In this post, I examine the steps I take to approach a typical CTF in the form of a vulnerable target (also known as boot2root), and elaborate on steps at each phase.
ℹ️
For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server. Or, you can reach out to me at my other social links in the site footer or site menu.

Owned Sightless from Hack The Box!
I have just owned machine Sightless from Hack The Box

Nmap Results

# Nmap 7.94SVN scan initiated Wed Sep 11 09:30:05 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.69.116
Nmap scan report for 10.129.69.116
Host is up (0.017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.129.69.116]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_  256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 11 09:31:21 2024 -- 1 IP address (1 host up) scanned in 75.79 seconds

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

0xBEN