Introduction
In this post, you will learn how to solve the Headless CTF from HTB. If you have any doubts, comment down below 👇🏾
Let’s Begin
Hey you ❤️ Please check out my other posts, you will be amazed, and support me by following on X.
https://twitter.com/HacklikeHacker
Nmap Scan
I began by doing some basic nmap scans.
nmap <IP> -sC
I didn’t find any clues pointing to a webpage, and I wasn’t familiar with UPnP before.
So, I decided to investigate further, but I couldn’t figure out how it was directly related at the time. Instead, I started wondering whether this port could possibly be serving a webpage.
Great, yes. Let’s explore the page further. It looks like there’s only one option to check out. I’ll quickly run a dirsearch to see if there are any hidden directories.
Enumeration
I’ve left it running, but it doesn’t seem like there are any other options available. Let’s give “support” a try.
Alright, there’s a form here. Maybe we can try to manipulate it? But it looks like when we submit any information, it just disappears into the void.
There’s no response to indicate what happens to the information we send. We can assume it’s sent to the server, but it’s hard to tell for sure.
That’s intriguing. It seems like there might be something we can manipulate here to get what we want. I’ve decided to use Burp Suite to see if I can find a way to avoid triggering the hacking message with a payload.
No luck so far, so it might just be the wrong approach.
What caught my attention though was the cookie labeled ‘is_admin’, which is intriguing. It seems to remain unchanged, which hints that there might be more to it.
Dirsearch only came back with the dashboard, which is showing this error:
I’m wondering if adding the cookie might work.
Let’s take that value and give it a try.
Hmm, I do think it’s related to cookies. I decoded that cookie and found “user” in it, which suggests it might not be the right one.
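The reason the is_admin cookie is worth a second look is that a value derived only from the role (a role word plus a hash of it, which is what decoding it suggests) can be minted by anyone, since no server secret is involved. The added example below is not from the post or the box; it contrasts that assumed weak shape with an HMAC-signed cookie that the server can verify. The cookie layout, field separator and SERVER_KEY are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# Constructed server-side key for the demo; a real app loads this from its
# configuration and never sends it to the client.
SERVER_KEY = b"demo-only-key-do-not-use"


# --- Weak scheme (assumed shape): base64(role) + "." + sha256(role).
# Everything here is derivable from the role word alone, so a client can
# produce exactly what the server would produce.
def weak_cookie(role: str) -> str:
    role_b64 = base64.b64encode(role.encode()).decode()
    digest = hashlib.sha256(role.encode()).hexdigest()
    return f"{role_b64}.{digest}"


def weak_is_admin(cookie: str) -> bool:
    """Only proves the hash matches the role, not that the server issued it."""
    try:
        role_b64, digest = cookie.split(".", 1)
        role = base64.b64decode(role_b64).decode()
        expected = hashlib.sha256(role.encode()).hexdigest()
        return hmac.compare_digest(expected, digest) and role == "admin"
    except (ValueError, TypeError, UnicodeDecodeError):
        return False


# --- Hardened scheme: bind the role to a server secret with an HMAC, so the
# cookie cannot be produced or altered without SERVER_KEY.
def signed_cookie(role: str, key: bytes = SERVER_KEY) -> str:
    role_b64 = base64.urlsafe_b64encode(role.encode()).decode()
    tag = hmac.new(key, role_b64.encode(), hashlib.sha256).hexdigest()
    return f"{role_b64}.{tag}"


def verify_role(cookie: str, key: bytes = SERVER_KEY):
    """Return the role carried by the cookie if its tag verifies, else None."""
    try:
        role_b64, tag = cookie.split(".", 1)
        expected = hmac.new(key, role_b64.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return base64.urlsafe_b64decode(role_b64).decode()
    except (ValueError, TypeError, UnicodeDecodeError):
        return None


def signed_is_admin(cookie: str, key: bytes = SERVER_KEY) -> bool:
    return verify_role(cookie, key) == "admin"
```

Even with a signed cookie, the admin check still depends on the cookie never leaving the browser, so it should also be issued with HttpOnly and SameSite set; that is what makes the cookie-stealing attempt in the next steps worth defending against separately.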
Since XSS can be used to obtain cookies, let’s give that a try…
I’m going to experiment with this for a bit and see if I can make any progress before moving on.
After trying different approaches without success, I decided to look up how to steal cookies using XSS and came across this article:
Alright, let’s give this a try!
Although the specific payload didn’t work for me, there must be other ways to bypass the filter, right? After a lot of experimenting, I finally found something that worked. It involved messing around with an error request.
I also played around with where my payload was located. I noticed that the message box always gave me a ‘hacking detected’ message, while other elements did not. So, it’s just a matter of finding the right place and payload!
As for the exact payload, the link I provided should give you the right idea. Additional research will definitely help fine-tune it.
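The defensive lesson from the paragraphs above is that a filter which only inspects the message box leaves every other field the admin report displays unchecked. The added example below is not from the post or the box; it runs a message-only check and an all-fields check over constructed requests, and shows output encoding, which is the fix that does not depend on guessing where markup will appear. Field names, the sample requests and the MARKUP pattern are assumptions.

```python
import html
import re

# Constructed requests standing in for what the support form submits, together
# with the request headers the server later shows in its report. Field names
# are assumptions; the post does not list them.
REQUESTS = [
    {"message": "my printer is broken", "user-agent": "Mozilla/5.0",
     "referer": "http://example.test/support"},
    {"message": "<script>alert(1)</script>", "user-agent": "Mozilla/5.0",
     "referer": "http://example.test/support"},
    {"message": "hello", "user-agent": "<script>alert(1)</script>",
     "referer": "http://example.test/support"},
]

# Tags, inline event handlers and javascript: URLs. A denylist like this is a
# detection aid only; the real protection is render_report below.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def message_only_check(request: dict) -> bool:
    """The filter the post describes: it only looks at the message box."""
    return bool(MARKUP.search(request["message"]))


def flagged_fields(request: dict) -> list:
    """Names of every field that contains markup, headers included."""
    return [name for name, value in request.items() if MARKUP.search(value)]


def render_report(request: dict) -> str:
    """Escape every field before it is placed into the admin-facing page."""
    return "\n".join(
        f"{name}: {html.escape(value, quote=True)}" for name, value in request.items()
    )


def audit(requests: list) -> list:
    """For each request: (what the message-only filter sees, what a full check sees)."""
    return [(message_only_check(r), flagged_fields(r)) for r in requests]
```

The third constructed request is the case that matters: the message-only filter returns False for it while the full check flags the user-agent, and after render_report no raw angle brackets from any field reach the page.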
Let’s see if this works!
Hooray!
Let’s explore the page and see what we can find.
Hmm, it seems like there’s not much here.
Changing the date doesn’t seem to have any effect either. I intercepted in Burp and tried some injections for a reverse shell:
Hmm, no luck with the reverse shell. Maybe general commands will work?
It seems to work, and the output indicates the commands run as the user “dvir”. Let’s try some other commands.
Ooh, maybe we can echo the netcat to report.sh? But first, I want to try making a file before I get too excited.
Oh, that’s intriguing. Let’s give it another try…
Well, I tried a few different things, and now I’m getting nothing back, so I’ve probably broken it! Let’s reset and try again.
After resetting, I explored to see what other commands worked, and I found that curl worked fine.
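The dashboard behaviour described above, where a date field accepts arbitrary commands, is the classic shape of an OS command injection: user input is pasted into a single shell string. The added example below is not from the post or the box; it shows that shape beside a hardened handler that validates the date strictly and passes it as one argv element with no shell. The script path /opt/app/report.sh is a placeholder, and the test run uses /bin/echo in its place.

```python
import subprocess
from datetime import date


def vulnerable_command(user_date: str) -> str:
    """The shape of the bug: the raw field lands inside one shell string, so any
    shell metacharacters in it are interpreted. Returned for inspection, never run."""
    return f"/opt/app/report.sh {user_date}"  # placeholder script path


def validate_date(user_date: str) -> str:
    """Allow only a real ISO calendar date; anything else raises ValueError."""
    return date.fromisoformat(user_date).isoformat()


def rejects(user_date: str) -> bool:
    """True when validate_date refuses the value."""
    try:
        validate_date(user_date)
        return False
    except ValueError:
        return True


def run_report(user_date: str, script: str = "/opt/app/report.sh") -> str:
    """Hardened handler: validated value, argv list, shell=False."""
    d = validate_date(user_date)
    # The date is a single argument to the program; no shell ever parses it.
    result = subprocess.run([script, d], shell=False, capture_output=True,
                            text=True, check=True)
    return result.stdout
```

Strict validation (a date must parse as a date) plus an argv list is preferable to trying to strip or escape metacharacters: there is then no string for a shell to reinterpret at all.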
User
I wonder if I could curl my shell?
So, I’ve placed the shell into shell.sh. I’ll also pipe it straight into bash, because I couldn’t figure out how to get bash to run earlier, so this might work!
I had nothing, then I realized I hadn’t saved it as shell.sh, but test.sh.
So, success… but no response? Interesting. Then I realized I had named it shell.sh, but I was in the wrong folder. Oops!
Lesson learned: don’t underestimate good folder organization.
Yes!!!
Awesome, let’s explore further and see what else we have here. I quickly found the user.txt flag.
Root
Now, onto escalating privileges.
At this stage, I always run sudo -l.
Alright, that gives us something substantial to work with. I checked GTFObins, but didn’t find anything obvious.
Let’s take a closer look at the file:
This file seems noteworthy:
Looks like it might be as simple as modifying this file? Well, I couldn’t actually find an initdb.sh file anywhere, even with search commands.
Perhaps it doesn’t exist?
Well, let’s try creating one and seeing what happens. Maybe it’ll work?
We’re setting the setuid bit (‘s’), so the file runs as its owner, root, for whoever executes it. Now let’s make it executable:
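The root cause in this privilege escalation is a script run through sudo that invokes a helper by a name it does not find, so whatever a user drops at that name gets executed as root. The added example below is not from the post or the box; it is the pre-execution check such a privileged script should apply to its helper, exercised on constructed files in a temporary directory. The helper filename initdb.sh is taken from the post; the reason codes and the check order are my own.

```python
import os
import stat
import tempfile


def helper_problem(path: str, expected_uid: int = 0):
    """Return None if a privileged script may safely run this helper, otherwise a
    reason code. expected_uid defaults to root, which is what a sudo-run script
    should demand of anything it executes."""
    if not os.path.isabs(path):
        return "relative-path"          # would be resolved from the caller's cwd
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"                # refuse, rather than run whatever appears later
    if not stat.S_ISREG(st.st_mode):
        return "not-a-regular-file"
    if st.st_uid != expected_uid:
        return "wrong-owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group-or-world-writable"  # anyone could replace its contents
    return None


def check_helper(path: str, expected_uid: int = 0) -> str:
    """Raise instead of returning a reason code; returns the path when it is safe."""
    problem = helper_problem(path, expected_uid)
    if problem is not None:
        raise RuntimeError(f"refusing to run {path!r}: {problem}")
    return path


def demo() -> dict:
    """Exercise the checks on constructed files; expected_uid is set to the
    current user so the outcomes do not depend on who runs the demo."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        locked = os.path.join(d, "initdb.sh")
        with open(locked, "w") as f:
            f.write("#!/bin/sh\necho init\n")
        os.chmod(locked, 0o700)
        loose = os.path.join(d, "loose.sh")
        with open(loose, "w") as f:
            f.write("#!/bin/sh\necho init\n")
        os.chmod(loose, 0o777)
        return {
            "relative": helper_problem("initdb.sh", me),
            "missing": helper_problem(os.path.join(d, "nope.sh"), me),
            "owned_locked": helper_problem(locked, me),
            "world_writable": helper_problem(loose, me),
            "wrong_owner": helper_problem(locked, me + 1),
        }
```

The "missing" case is the one this box turns on: a script that silently tolerates an absent helper will happily pick up a file created later by an unprivileged user, whereas one that refuses on a missing or writable helper fails closed.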
I’m going to retrace my steps and figure out where I went wrong. Oh dear. It’s a very simple issue. Did you catch it? I forgot to actually run bash.
Conclusion
This box was tough but rewarding. We learned a lot about cybersecurity and problem-solving. Even when we made mistakes, we kept going and eventually succeeded. It showed us how important it is to pay attention, investigate thoroughly, and stay organized. Overall, it was a great experience!