# Headless

## User Flag

### Enumeration

As always, we start by scanning the ports and identifying the services behind them.

These are the recon tools and commands I used:

```bash
sudo masscan '-p1-65535,U:1-65535' 10.129.36.41 '--rate=1000' -e tun0
[sudo] password for replican:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-05-18 05:39:02 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.129.36.41
Discovered open port 5000/tcp on 10.129.36.41
```

Once we know the open ports, we scan them in detail with nmap:

```bash
sudo nmap -p '80, 5000' -sVSC -A -oN nmap_detailed_all_tcp_ports.txt 10.129.36.41 -v2
[sudo] password for replican:
Starting Nmap 7.95 ( https://nmap.org ) at 2024-05-18 21:58 WIB
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 10.129.36.41 [4 ports]
Completed Ping Scan at 21:58, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.05s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning 10.129.36.41 [2 ports]
Discovered open port 5000/tcp on 10.129.36.41
Completed SYN Stealth Scan at 21:58, 0.09s elapsed (2 total ports)
Initiating Service scan at 21:58
Scanning 1 service on 10.129.36.41
Completed Service scan at 21:58, 6.21s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.129.36.41
Initiating Traceroute at 21:58
Completed Traceroute at 21:58, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:58
Completed Parallel DNS resolution of 2 hosts. at 21:58, 0.04s elapsed
NSE: Script scanning 10.129.36.41.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 1.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:59, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Nmap scan report for 10.129.36.41
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2024-05-18 21:58:50 WIB for 10s

PORT     STATE  SERVICE REASON         VERSION
80/tcp   closed http    reset ttl 63
5000/tcp open   http    syn-ack ttl 63 Werkzeug httpd 2.2.2 (Python 3.11.2)
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
|_http-title: Under Construction
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/18%OT=5000%CT=80%CU=34143%PV=Y%DS=2%DC=T%G=Y%TM=6648
OS:C234%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CS
OS:T11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)

Uptime guess: 29.290 days (since Fri Apr 19 15:01:20 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   50.28 ms 10.10.14.1
2   50.36 ms 10.129.36.41

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.49 seconds
           Raw packets sent: 38 (2.458KB) | Rcvd: 22 (1.594KB)

```

With port 5000 confirmed open, we brute-force directories with dirsearch:

```bash
dirsearch -u http://10.129.36.41:5000
/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723

Output: /home/replican/Desktop/Prod/HackTheBox/machine/Headless/reports/http_10.129.36.41_5000/__24-05-18_22-02-29.txt

Target: http://10.129.36.41:5000/

[22:02:29] Starting:
[22:04:16] 401 -  317B  - /dashboard
[22:05:50] 200 -    2KB - /support

Task Completed
```

Since /dashboard cannot be accessed (it returns 401 Unauthorized), we go to /support.

After a while I notice the site is also using cookies.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2F9fxp084y4AXNpc9ICuZm%2Fimage.png?alt=media&#x26;token=d4a07683-d5a3-4e88-8378-149579d05df9" alt=""><figcaption></figcaption></figure>

### Exploitation

Like a usual CTF challenge (a cookie, an admin page, a form with no file upload), this points to XSS.

We put our XSS payload straight into the form, but it gets blocked. Hmm.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FJ5z4wXy9KyBBPWgehI3R%2Fimage.png?alt=media&#x26;token=61fad347-d29e-402e-ad34-29160e220739" alt=""><figcaption></figcaption></figure>

However, our User-Agent is also reflected in the page. So we can edit the User-Agent header in Burp Suite and place the XSS payload there to steal the cookie (we assume that in the backend an admin automatically reviews our form submission).

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FPfU5pkW4ktvV05gXlBiF%2Fimage.png?alt=media&#x26;token=047b7b77-b79d-459b-8b86-4029a7b7dd06" alt=""><figcaption></figcaption></figure>

As we can see, our payload works. Now we start a Python http.server to watch the incoming request log.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2Fb2eXb6a19Vz3dPTcpsJs%2Fimage.png?alt=media&#x26;token=d0a00491-7a2c-4fbc-adcd-7fa47052a775" alt=""><figcaption><p>and we got the cookie of the admin</p></figcaption></figure>

After some time, we receive a request carrying the admin's cookie.
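The root cause above is that the form filter only inspects the message body while the report shown to the admin also reflects request headers unescaped. The following is an added example written for this writeup, not the Headless application's own code: a dependency-free Python model of that vulnerable rendering beside its hardened form (escape every untrusted value at output time), plus a small triage helper over constructed Apache combined-format access-log lines. The field names, the `BLOCKED_TOKENS` list and the log lines are all assumptions constructed for the example.

```python
import html
import re

# Constructed sample submission: the message body goes through the filter,
# but the request headers are also written into the report the admin views.
FORM_FIELDS = {"fname": "alice", "message": "my order is late"}
HEADERS = {
    "User-Agent": "Mozilla/5.0 <script>document.title='probe'</script>",
    "Host": "10.129.36.41:5000",
}

# Constructed access-log lines in Apache combined format (the last quoted
# field is the User-Agent); not taken from the box.
ACCESS_LOG = [
    '10.10.14.5 - - [18/May/2024:22:10:01 +0700] "POST /support HTTP/1.1" 200 2043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.5 - - [18/May/2024:22:11:42 +0700] "POST /support HTTP/1.1" 200 2043 "-" "Mozilla/5.0 <script>document.title=1</script>"',
]

# A typical blocklist filter that only ever sees the message field (assumed).
BLOCKED_TOKENS = ("<script", "javascript:", "onerror", "onload")


def message_is_blocked(message: str) -> bool:
    """Blocklist check applied to the form body only."""
    low = message.lower()
    return any(tok in low for tok in BLOCKED_TOKENS)


def render_report_unsafe(fields: dict, headers: dict) -> str:
    """Vulnerable pattern: filter the body, then concatenate raw values into
    HTML. Headers never pass through the filter, so User-Agent is reflected
    verbatim into the page the admin opens."""
    if message_is_blocked(fields["message"]):
        raise ValueError("blocked by filter")
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in headers.items())
    return (f"<p>From: {fields['fname']}</p><p>{fields['message']}</p>"
            f"<table>{rows}</table>")


def render_report_safe(fields: dict, headers: dict) -> str:
    """Hardened form: every untrusted value is HTML-escaped at output time,
    regardless of whether it came from the body or from a header."""
    esc = html.escape
    rows = "".join(f"<tr><td>{esc(k)}</td><td>{esc(v)}</td></tr>"
                   for k, v in headers.items())
    return (f"<p>From: {esc(fields['fname'])}</p><p>{esc(fields['message'])}</p>"
            f"<table>{rows}</table>")


SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """Regression check: does the rendered page still contain a real <script tag?"""
    return bool(SCRIPT_TAG_RE.search(rendered_html))


def suspicious_user_agents(log_lines) -> list:
    """Triage helper: flag User-Agent values carrying markup, a sign that a
    header-reflection attempt hit the server."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 7:
            continue
        user_agent = parts[-2]
        if "<" in user_agent or ">" in user_agent:
            hits.append(user_agent)
    return hits
```

The lesson is that input filtering is bound to one field, while output encoding is bound to the sink; only the latter covers every path into the template, headers included.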

With the admin cookie we go to the dashboard and look for a command injection vulnerability (the page mentions the word "system", so we assume the input is passed to a system command).

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FDkoLB6uD87G2WGTTi3p6%2Fimage.png?alt=media&#x26;token=53d26ef8-7e26-4434-91d4-3749e83f2ddc" alt=""><figcaption></figcaption></figure>

And yes, it is command injection: when we submit `;ls`, the file listing appears.

From there we go straight to a reverse shell.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FVSuqKe70qvEtO9QCh25R%2Fimage.png?alt=media&#x26;token=9c118c0c-7bb9-4ff0-81bc-0725df987d35" alt=""><figcaption></figcaption></figure>

And we get the user flag.
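The dashboard bug above is the classic case of a user-supplied value spliced into a shell command string, so `;ls` terminates the intended command and starts another. The following added example is not the box's code: it models the vulnerable construction beside the hardened form (strict allowlist validation, then execution with an argv list and no shell), and shows why argv execution alone already neutralises the metacharacter. The parameter name `report_date`, the `/usr/local/bin/report-gen` command and the two sample values are assumptions constructed for the example.

```python
import re
import subprocess
import sys

# Constructed sample inputs for the hypothetical report_date parameter.
CLEAN_VALUE = "2024-05-18"
INJECTED_VALUE = "2024-05-18;ls"

# Allowlist: exactly the YYYY-MM-DD shape and nothing else.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def build_command_unsafe(report_date: str) -> str:
    """Vulnerable pattern: the value is spliced into a shell command string.
    Returned rather than executed here; run with shell=True, ';' would end the
    intended command and start a second one. The command path is hypothetical."""
    return f"/usr/local/bin/report-gen --date {report_date}"


def validate_date(report_date: str) -> str:
    """Reject anything that is not a plain date before it reaches a command."""
    if not DATE_RE.fullmatch(report_date):
        raise ValueError(f"rejected report date: {report_date!r}")
    return report_date


def _run_argv(value: str) -> str:
    """Execute with an argv list and no shell. sys.executable stands in for the
    real report binary so the example runs anywhere; the child simply prints
    back the single argument it received."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def run_check_safe(report_date: str) -> str:
    """Hardened form: validate against the allowlist, then argv execution."""
    return _run_argv(validate_date(report_date))


def argv_is_literal(value: str) -> str:
    """Defence in depth: even with validation missing, an argv list passes
    metacharacters through as plain text, so ';ls' is never interpreted."""
    return _run_argv(value)


def injection_markers(value: str) -> list:
    """Detection: shell metacharacters present in a field that should be a date."""
    return [c for c in ";|&`$<>\n" if c in value]
```

`injection_markers` is the kind of check a WAF rule or application log alert would implement for this field; `run_check_safe` is the fix the application itself needs.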

## Root Flag

### Enumeration

Even though this is a Linux box and an easy machine, I still use the Sliver C2 framework as usual.

First we look at the mail.

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FtSbgrdPfLZ25KPaME2uq%2Fimage.png?alt=media&#x26;token=cdc311fe-f299-4734-918d-a66b38a05944" alt=""><figcaption></figcaption></figure>

As we can see, we need to find the system check script (and create the database init script).

After that we use this:

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FxfnNykppRg7jwt5Zu1Mb%2Fimage.png?alt=media&#x26;token=de51ab0e-3874-47d7-99a3-c416f25f4d41" alt=""><figcaption></figcaption></figure>

We have sudo access to the syscheck binary, which internally looks for a script called initdb.sh. We can simply create our own initdb.sh that spawns /bin/bash as root and then call syscheck with sudo.
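The weakness here is a privileged script that resolves a helper by relative name, so whoever controls the working directory controls what runs as root. The following is an added example, not the contents of syscheck from the box: a small Python audit that flags relative command invocations in a sudo-runnable shell script, rewrites them to an absolute path under a root-owned directory, and checks the ownership and write bits the helper must have. The `SAMPLE_SCRIPT` text and the `/usr/local/sbin` directory are constructed assumptions.

```python
import re
import stat

# Constructed stand-in for a privileged maintenance script. The page does not
# reproduce syscheck itself; this models only the pattern it describes, a
# sudo-runnable script that calls a helper script by relative name.
SAMPLE_SCRIPT = """#!/bin/bash
if [ "$EUID" -ne 0 ]; then
  exit 1
fi
/usr/bin/df -h /
./initdb.sh
/usr/bin/free -m
"""

# Shell keywords and builtins that start a line but are not external commands.
BUILTINS = {"if", "then", "else", "elif", "fi", "for", "do", "done", "while",
            "case", "esac", "exit", "echo", "[", "test", "export", "cd"}
# A relative invocation: ./x, ../x, or a bare something.sh found via PATH/cwd.
RELATIVE_RE = re.compile(r"^(\./|\.\./|[A-Za-z0-9_.-]+\.sh$)")


def find_relative_invocations(script_text: str) -> list:
    """Static check: return (line number, token) for every command that is not
    invoked by absolute path. Under sudo each of these resolves against the
    caller's working directory or PATH, not against anything root controls."""
    findings = []
    for num, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()[0]
        if tok in BUILTINS or tok.startswith("/"):
            continue
        if RELATIVE_RE.match(tok) or "$(pwd)" in line:
            findings.append((num, tok))
    return findings


def pin_to_directory(script_text: str, base_dir: str) -> str:
    """Hardened form: rewrite ./name invocations to an absolute path under a
    root-owned directory (base_dir is the deployer's choice, assumed here)."""
    out = []
    for raw in script_text.splitlines():
        if raw.strip().startswith("./"):
            raw = raw.replace("./", base_dir.rstrip("/") + "/", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


def mode_problems(st_mode: int, st_uid: int) -> list:
    """Ownership and permission check for the helper a privileged script runs:
    it must be root-owned and not writable by group or others. Takes the raw
    st_mode and st_uid from os.stat so it can be checked without touching disk."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems
```

Running `find_relative_invocations` over every script referenced from sudoers is a cheap way to catch this class of misconfiguration before a pentest does; `mode_problems` is fed with `os.stat(path).st_mode` and `.st_uid` of the pinned helper.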

### Exploitation

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FGfF2bznX2rwCWWZMSjUZ%2Fimage.png?alt=media&#x26;token=a66971c8-4da0-4744-a82c-4bc6e02474dd" alt=""><figcaption></figcaption></figure>

After placing our payload, we run syscheck (and don't forget to start a listener).

<figure><img src="https://945112445-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbrxXzY5PMGua4UW86ukK%2Fuploads%2FOnmoibKPuuNYlL4suEQe%2Fimage.png?alt=media&#x26;token=34eba9ed-c9a8-4b5c-97e4-c41dbccdb2b0" alt=""><figcaption></figcaption></figure>

And we get the root flag.
