Home / Writeups

Sightless

SQLPad exposure, CVE-2022-0944 exploitation, and a Froxlor pivot to root.

After connecting to the VPN and identifying the target at 10.10.11.32, I added the hostname to /etc/hosts and scanned the box with Nmap. That led to a web application exposing SQLPad.

Using the CVE-2022-0944 exploit path, I executed the provided Python proof of concept and captured a shell by listening on my local port 8888. Once inside, I inspected /var/lib/sqlpad and dumped /etc/shadow to recover the user credentials.

With the cracked password, I logged in as michael. From there, I enumerated local services, forwarded the internal dashboard ports with SSH, and discovered a Froxlor login page.

I then inspected the Chromium debugging interface, recovered the Froxlor admin credentials, and used the panel’s PHP-FPM functionality to create a file path that exposed root’s SSH private key. After fixing the permissions, I used the key to log in as root and retrieve the final flag.

Key sequence: openvpn → nmap -sSVC → SQLPad → CVE-2022-0944 → /etc/shadow → ssh michael → ssh -L → Froxlor → SSH key extraction

Back to writeups