Headless

Headless

Description

Headless

Walk through

Enumeration

Port Enumeration

Basic PORT enumeration with NMAP

nmap -Pn -n -p- --min-rate 5000 --open $TARGET

Note: in my case $TARGET is 192.168.1.69

The reported ports are

PORT     STATE 
22/tcp   open
5000/tcp open

Service Enumeration

Now lets enumerate the services running on each port with

nmap -sCV -p $PORTS --min-rate 5000 $TARGET

Output

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_  256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open  upnp?
| fingerprint-strings:
...SNIP...
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
...SNIP...

5000

The port 5000 hosted a web page, here is the index displayed

FUZZING

After knowing that there is a web server lets try to FUZZ other directories I use the directory-list-lowercase-2.3-medium.txt from SECLIST and WFUZZ

Last command:

wfuzz --hc 404 -w ~/Wordlists/directory-list-lowercase-2.3-medium.txt http://10.10.11.8:5000/FUZZ

The output give a support and dashboard path

support

dashboard

Cookie

Also we can see a cookie, by the name we can suppose this cookie manage the role of the client. After look the message of the /dashboard lets try to manipulate this element

Exploitation

Cookie

After play a wile with the behavior of /support the request loos interesting to do something

After try with the classic HTML Injection we can see a warning screen

I tried a lot of bypasses bunt nothing works The warning screen reflect the headers of the client request, so lets try with that First over message an error is caused Then lets add a simple Script Injection to do a fetch to our simple server This request would have embedded the cookie of the client, in this case the client is the server, this theoretically should sen to us the admin cookie

BINGO We can see a different cookie, so lets modify us cookie with this one

Now we have access

Testing the function of the dashboard a report is generated This page no have a real functionality besides inform the state of the server With the basics

Command Injection

Before do any try, open a nc listener ready to get a rev shell

ncat -lvnp 1234

Testing some commands to send a shell a nice one appear

Now get the shell

User flag

In the home directory of the user is the user.txt flag

Post-Explotation

Privilege Escalation

To do a Privilege escalation use

sudo -l

There are a binary no password needed to execute like super user A few queries on google found an article talking about privilege escalation with syscheck mg src="https://medium.com/@adiamond186/usr-bin-syscheck-is-looking-for-the-initdb-sh-609cd006d913)

syschecks execute initdb.sh file if you modifies this file the content is executed like sudo user Create the initdb.sh file wth "/bin/bash" in the content and add execution permissions

touch initdb.sh && echo "/bin/bash" > initdb.sh && chmod +x initdb.sh

Next, when executes the command:

sudo syscheck

Your initdb.sh file is executed To test if your file is executed successful use id command

Root flag

On the root home directory is the root flag

References

https://medium.com/@adiamond186/usr-bin-syscheck-is-looking-for-the-initdb-sh-609cd006d913