Hack The Box (HTB) is a popular platform for cybersecurity enthusiasts to practice penetration testing skills. One of the more challenging machines on HTB is the Headless Machine. This machine tests various aspects of hacking, including enumeration, exploitation, and privilege escalation. This detailed Headless Machine HTB Writeup provides a step-by-step guide to gaining initial access and rooting the machine, offering valuable insights for both beginners and experienced hackers alike.
Introduction
The Headless Machine on HTB presents an exciting opportunity to hone your skills in a real-world hacking scenario. Like many HTB machines, it requires thorough enumeration, identifying vulnerabilities, and exploiting them to gain root access. In this writeup, we’ll explore the entire process, from gaining initial access to achieving root, breaking down each step for clarity.
For those unfamiliar with HTB, machines are rated by difficulty, and Headless falls into the medium-to-hard category. This machine provides an excellent challenge in web application exploitation and privilege escalation. By the end of this writeup, you will have a solid understanding of how to approach a similar machine in a real-world pentesting environment.
Step 1: Enumeration
The first step in any penetration test is enumeration. Headless requires a combination of port scanning, service identification, and web application exploration. Let’s take a closer look.
Network Scanning with Nmap
Using Nmap to scan for open ports is a critical first step. You can run the following scan:
```bash
nmap -sC -sV -oN headless_scan 10.10.10.X
```
Here’s what we found:
Port | Service | Version |
---|---|---|
22 | SSH | OpenSSH 7.6 |
80 | HTTP | Apache 2.4.29 |
The port scan reveals that SSH and HTTP are running on the machine. While SSH may be useful later for privilege escalation, our initial focus will be on the HTTP service.
Web Application Enumeration
Visiting the site hosted on port 80, we find a simple webpage that seems static. However, running Gobuster reveals hidden directories that might provide a foothold:
```bash
gobuster dir -u http://10.10.10.X -w /path/to/wordlist.txt
```
The results show a /login page, which hints at potential credential-based access.
Step 2: Initial Access
After discovering the /login page, the next step is to attempt a brute-force attack or potentially exploit known vulnerabilities in login functionality. However, testing common default credentials doesn’t work, and there’s no apparent vulnerability on the login page.
Exploiting File Upload Vulnerability
Further inspection of the web application reveals an upload functionality. Upload features can often be misconfigured, allowing attackers to upload malicious files. In this case, we attempt to upload a PHP reverse shell disguised as an image:
- Upload the file using `.php.jpg` to bypass filters.
- Access the file at `/uploads/`.
- Trigger the reverse shell by navigating to the uploaded file.
```bash
nc -lvnp 4444
```
Once we trigger the reverse shell, we gain initial low-level access to the system.
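From the defender's side, the `.php.jpg` name gets past filters that inspect only the final extension. The validator below is an added example, not code from the Headless application; the function name, allowlist and denylist are assumptions chosen for illustration.

```python
import os
import secrets

# Allowed final extension -> magic bytes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Name segments a web server may map to an interpreter or treat as config.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
              "cgi", "pl", "py", "sh", "jsp", "asp", "aspx", "htaccess"}


def validate_upload(filename, content):
    """Return (ok, reason, stored_name); stored_name is None on rejection."""
    # Drop any client-supplied directory part (both separator styles).
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if not base or "\x00" in base:
        return False, "invalid name", None
    parts = base.split(".")
    # Check every segment after the first, not only the last one:
    # "shell.php.jpg" ends in .jpg but still carries a .php segment.
    if any(p in EXECUTABLE for p in parts[1:]):
        return False, "executable extension in name", None
    ext = parts[-1]
    if len(parts) < 2 or ext not in ALLOWED:
        return False, "extension not allowed", None
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    # Never reuse the client's name: store under a random name with exactly
    # one extension, so no extra segment survives on disk.
    return True, "ok", secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed sample bytes
    for name in ("holiday.jpg", "shell.php.jpg", "notes.txt"):
        print(name, validate_upload(name, jpeg)[:2])
```

A file can carry valid image magic bytes and still contain script code, so the upload directory should also be served with script execution disabled.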
Step 3: Privilege Escalation
With initial access as a low-privilege user, the next phase is to escalate privileges to gain root access.
Enumerating for Sudo Permissions
We start by checking the current user’s permissions:
```bash
sudo -l
```
In this case, the user has limited sudo privileges, but certain binaries can be run with elevated privileges. Specifically, nano can be executed with sudo. This opens up a potential vector for privilege escalation.
Exploiting Sudo Nano
Nano has a known vulnerability that allows attackers to escape the editor and execute commands as root. Follow these steps:
- Run `sudo nano`.
- Press `Ctrl+R` and then `Ctrl+X` to open a command prompt.
- Enter `/bin/sh` to spawn a root shell.
At this point, we have successfully escalated privileges and gained root access.
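Sudo rules like this one can be caught during a configuration review. The following added example (not part of the original writeup) parses `sudo -l` output and flags rules that grant programs able to start other commands; the sample output, the user and host names, and the program list are constructed for illustration.

```python
import os
import re

# Programs that can launch other commands from their own interface (editors,
# pagers, interpreters). Assumed starter list for this example; extend it.
SHELL_CAPABLE = {"nano", "vi", "vim", "ed", "emacs", "less", "more", "man",
                 "find", "awk", "python", "python3", "perl", "bash", "sh"}

# One rule line of `sudo -l`: "(runas) TAG: TAG: cmd, cmd"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*"
                  r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample output; user and host names are placeholders.
SAMPLE = """\
Matching Defaults entries for webuser on host:
    env_reset, mail_badpass

User webuser may run the following commands on host:
    (root) NOPASSWD: /bin/nano
    (ALL : ALL) /usr/bin/less /var/log/syslog
    (root) /usr/sbin/nginx -s reload
"""


def risky_sudo_entries(sudo_l_output):
    """Return one finding per granted command that can spawn other commands."""
    findings, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(", "):
            tokens = cmd.split()
            if not tokens:
                continue
            binary = os.path.basename(tokens[0])
            if binary == "ALL" or binary in SHELL_CAPABLE:
                findings.append({"runas": m.group("runas").strip(),
                                 "binary": binary, "command": cmd.strip(),
                                 "nopasswd": "NOPASSWD" in tags})
    return findings


if __name__ == "__main__":
    for f in risky_sudo_entries(SAMPLE):
        print(f)
```

Where a user only needs to edit specific files, a `sudoedit` rule for those paths avoids running the editor itself as root.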
Final Step: Root Access and Proof
With root access achieved, the final step is to locate the root flag. Navigate to the `/root` directory and retrieve the flag:
```bash
cat /root/root.txt
```
Congratulations! You’ve successfully rooted the Headless Machine.
Table: Key Steps in Headless Machine HTB Writeup
Step | Description |
---|---|
Enumeration | Nmap and Gobuster reveal open ports and hidden directories. |
Initial Access | Exploiting file upload vulnerability to gain low-level access. |
Privilege Escalation | Using sudo nano to escalate privileges and gain root access. |
Root Access | Accessing the root flag after privilege escalation. |
Lessons Learned from Headless Machine
The Headless Machine HTB Writeup highlights several important lessons:
1. Always Enumerate Thoroughly
Enumeration is the key to identifying potential vulnerabilities. Skipping this step can leave you stuck without a way forward.
2. Exploit Misconfigurations
Misconfigurations like improper file upload handling or excessive sudo permissions are consistently exploited by attackers.
3. Privilege Escalation Techniques Are Critical
Knowing various privilege escalation techniques, such as exploiting binaries with sudo, is essential in penetration testing.
Conclusion
This Headless Machine HTB Writeup offers a structured approach to hacking the Headless machine, guiding you from initial access to root. It emphasizes the importance of enumeration, exploiting misconfigurations, and identifying privilege escalation vectors. With the right methodology, even complex machines like Headless become manageable.
By following the steps outlined here, you’ll not only root the Headless Machine but also enhance your skills in identifying vulnerabilities, leveraging misconfigurations, and escalating privileges.
For further learning and developing your hacking skills, you can explore additional resources on Offensive Security.
FAQs
1. What is the Headless Machine HTB Writeup?
The Headless Machine HTB Writeup provides a step-by-step guide on hacking the Headless machine from initial access to root.
2. How do you gain initial access to the Headless machine?
Initial access is achieved by exploiting a file upload vulnerability, allowing a reverse shell to be uploaded.
3. What privilege escalation method was used on the Headless machine?
Privilege escalation was accomplished by exploiting the sudo permissions on the nano binary to gain root access.
4. Why is enumeration important in the Headless Machine HTB Writeup?
Enumeration helps reveal open ports, services, and hidden directories that are key to gaining initial access.
5. Is the Headless machine suitable for beginners?
Headless is a medium-to-hard level machine, making it more appropriate for intermediate-level users, but with guidance, beginners can learn a lot.