🤯Headless

User Flag

Enumeration

as always we scan the port and identify them.

this is my recon tools & command that i used 

sudo masscan '-p1-65535,U:1-65535' 10.129.36.41 '--rate=1000' -e tun0
[sudo] password for replican:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-05-18 05:39:02 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.129.36.41
Discovered open port 5000/tcp on 10.129.36.41

after we know the port we scan using nmap

sudo nmap -p '80, 5000' -sVSC -A -oN nmap_detailed_all_tcp_ports.txt 10.129.36.41 -v2
[sudo] password for replican:
Starting Nmap 7.95 ( https://nmap.org ) at 2024-05-18 21:58 WIB
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 10.129.36.41 [4 ports]
Completed Ping Scan at 21:58, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.05s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning 10.129.36.41 [2 ports]
Discovered open port 5000/tcp on 10.129.36.41
Completed SYN Stealth Scan at 21:58, 0.09s elapsed (2 total ports)
Initiating Service scan at 21:58
Scanning 1 service on 10.129.36.41
Completed Service scan at 21:58, 6.21s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.129.36.41
Initiating Traceroute at 21:58
Completed Traceroute at 21:58, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:58
Completed Parallel DNS resolution of 2 hosts. at 21:58, 0.04s elapsed
NSE: Script scanning 10.129.36.41.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 1.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:59, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Nmap scan report for 10.129.36.41
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2024-05-18 21:58:50 WIB for 10s

PORT     STATE  SERVICE REASON         VERSION
80/tcp   closed http    reset ttl 63
5000/tcp open   http    syn-ack ttl 63 Werkzeug httpd 2.2.2 (Python 3.11.2)
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
|_http-title: Under Construction
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/18%OT=5000%CT=80%CU=34143%PV=Y%DS=2%DC=T%G=Y%TM=6648
OS:C234%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CS
OS:T11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)

Uptime guess: 29.290 days (since Fri Apr 19 15:01:20 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   50.28 ms 10.10.14.1
2   50.36 ms 10.129.36.41

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.49 seconds
           Raw packets sent: 38 (2.458KB) | Rcvd: 22 (1.594KB)

after we know port 5000 open we scan using dirsearch

dirsearch -u http://10.129.36.41:5000
/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723

Output: /home/replican/Desktop/Prod/HackTheBox/machine/Headless/reports/http_10.129.36.41_5000/__24-05-18_22-02-29.txt

Target: http://10.129.36.41:5000/

[22:02:29] Starting:
[22:04:16] 401 -  317B  - /dashboard
[22:05:50] 200 -    2KB - /support

Task Completed

after we know /dashboard cant access ( it said unaothorized ) we go to the /support

after a while i notice the site is using cookies also

Exploitation

like usual ctf chall ( cookie, admin page, form without uploading any files) = xss

we directly put our payload xss but got blocked hmm

but our user agent also got reflected. so we can inject our user agent using burpsuite and input our payload xss to steal the cookie ( we assume in the backend the admin auto check our form )

as we see our payload work perfectly. now we opening server using http.server python to see the log requests

after sometimes. we get a response of the cookie admin.

after that we go into the dashboard and use command injection vulnerability ( because there is word system ) we assume this is command

and yep its command injection when we do ;ls the list of file appeared

directly to revshells

and we get the flag user.

Root Flag

Enumeration

because this is a linux also this is was easy machine i still use c2 framework sliver like usual.

first we see the mail

as we see we need to find system check script and ( create the database init script )

after that we use this

we have acess to sudo binary syscheck that is the inside searching script initdb.sh. we can simply make /bin/bash is root script and call it initdb.sh. and we call syscheck with sudo.

Exploitation

after we put our payload we run the syscheck and ( dont forget to create a listener )

and we get the flag.

PreviousUsageNextSolarLab

Last updated