HTB Headless

Long time no see, my friends. I have been busy preparing for the postgraduate entrance exam, but unfortunately I didn't pass. That's a pity. Today I'm continuing my Hack The Box red team practice write-ups.

Preparation

I spent a lot of time preparing my Kali Linux system, so the next time I set up a fresh Kali I want to have notes that are actually useful.
I will document the steps I take to customize it for my needs, including installing essential tools, configuring the desktop environment, setting up my development environment, and any other tweaks I find useful.
I also plan to include lessons learned and tips for a smoother setup process. Sharing my experience could be valuable to others in the cybersecurity community.

tmux

Burp Suite Pro (I ran into some bugs in Burp Community Edition that do not occur in Pro)

directory brute-forcers:
  gobuster
  dirsearch
  feroxbuster

wordlists: SecLists

Machine INFO

Operating System: Linux
Initial Access: XSS + Command Injection
Privilege Escalation: Path Hijacking
Difficulty: Easy - Medium (For me) // I have forgotten a lot of red team skills because I spent a lot of time on my exam.

Initial Access:

Portscan

nmap -T4 -sT --min-rate=1000 <target-IP> -A -oG nmapscan.txt

I found 2 ports open on the machine. One is port 22, which is typically used for SSH, and the other is port 5000, which is hosting a web application.
My first thought is to look for interesting information on the web application, such as passwords, and then use it to **log in through port 22**.
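Added example, not from the writeup: a small Python parser for the grepable (-oG) output that the nmap command above writes, so the open-port list can be pulled out of nmapscan.txt and filtered by state instead of being read by eye. The sample scan text, the 10.10.10.10 address and the version strings are constructed, not taken from the lab machine.

```python
"""Parse nmap grepable (-oG) output and list the ports in state 'open'.

Added example; the sample text below is constructed and the IP is a
placeholder, not the lab machine's address.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of what `nmap ... -oG nmapscan.txt` writes for one host
# with two open TCP ports (placeholder IP, placeholder service banners).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -T4 -sT --min-rate=1000 10.10.10.10 -A -oG nmapscan.txt\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.0 (protocol 2.0)/, "
    "5000/open/tcp//upnp?///\tIgnored State: closed (65533)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds\n"
)


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


# The Ports field is tab-delimited from the neighbouring fields on the line.
PORTS_RE = re.compile(r"\tPorts:\s*([^\t]*)")


def parse_gnmap(text: str) -> list[OpenPort]:
    """Return every port nmap reported as 'open', in file order."""
    results: list[OpenPort] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' comment lines carry no host data
        host = line.split(maxsplit=2)[1]  # "Host: 10.10.10.10 ()" -> "10.10.10.10"
        m = PORTS_RE.search(line)
        if m is None:
            continue  # the "Status: Up" line has no Ports field
        for entry in m.group(1).split(","):
            # Each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue  # skip closed/filtered ports and malformed entries
            results.append(OpenPort(host, int(fields[0]), fields[2], fields[4], fields[6]))
    return results


if __name__ == "__main__":
    # Usage: python gnmap_open.py nmapscan.txt (falls back to the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for p in parse_gnmap(source):
        print(f"{p.host}\t{p.port}/{p.proto}\t{p.service}\t{p.version}")
```

The parser only trusts the first seven slash-separated fields of each entry, so a port with no version detected (the 5000/tcp entry in the sample) still yields a record with an empty version rather than an exception.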

Web Enumeration

There is a website running on a Python server that displays a splash page with a countdown and a link to another page, “/support.”

gobuster dir -u http://<target-ip>:5000 -w <wordlist>

I only found **/dashboard**.

When I accessed “/dashboard,” it gave me an “unauthorized” message. Since there is no login page, I want to access the dashboard by using the admin cookie.

XSS

  1. How can I get the cookie?

When I accessed the “/support” page, I found something interesting: a cookie named “is_admin” is set with a value. If I can perform a Cross-Site Scripting (XSS) attack on a page that the machine opens, I may be able to get the admin cookie.
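Added example (not the box's code and not the author's): the defender's view of the cookie step just described, using only the Python standard library. The cookie name is_admin comes from the writeup; the cookie value, the sample message and the function names are constructed. It shows the two server-side properties that decide whether an XSS in the support form can reach the admin cookie at all: whether the cookie is sent with HttpOnly, and whether the message field is HTML-escaped before an admin views it.

```python
"""Two server-side controls that break an XSS-to-admin-cookie chain.

Added example; the is_admin cookie name is from the writeup, everything
else here (value, message, helper names) is constructed.
"""
import html
from http.cookies import SimpleCookie

# Constructed placeholder; the lab's real cookie value is deliberately not used.
ADMIN_COOKIE_VALUE = "placeholder-admin-token"


def set_cookie_header(value: str, hardened: bool) -> str:
    """Build the Set-Cookie header for the is_admin cookie.

    hardened=False emits the bare cookie, which any script running in the
    page can read through document.cookie.
    hardened=True adds HttpOnly (never exposed to script), Secure (HTTPS
    only) and SameSite=Strict (not sent on cross-site requests).
    """
    jar = SimpleCookie()
    jar["is_admin"] = value
    if hardened:
        jar["is_admin"]["httponly"] = True
        jar["is_admin"]["secure"] = True
        jar["is_admin"]["samesite"] = "Strict"
    return jar.output(header="Set-Cookie:")


def script_readable(set_cookie: str) -> bool:
    """Audit check: True when a browser would expose this cookie to
    document.cookie, i.e. the header carries no HttpOnly attribute."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" not in attrs


def render_support_message(user_message: str) -> str:
    """Server-side rendering of the support form's message field.

    Escaping turns markup such as a <script> tag into literal text, so it
    is displayed to the admin rather than executed in the admin's browser.
    """
    return f"<p>{html.escape(user_message, quote=True)}</p>"


if __name__ == "__main__":
    for hardened in (False, True):
        hdr = set_cookie_header(ADMIN_COOKIE_VALUE, hardened)
        print(f"{hdr}\n  readable by page script: {script_readable(hdr)}")
    # Constructed sample input: a message containing a script tag.
    print(render_support_message("<script>alert(1)</script>"))
```

The two controls are independent: HttpOnly limits what a successful XSS can steal, while output escaping prevents the injected markup from running in the first place. A site needs both, because other cookies or in-page actions remain reachable to a script even when the session cookie is HttpOnly.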

  2. How can I inject XSS?

I found a message field where I can send some malicious code. I tried inputting a script tag