Official Headless Discussion

Yeah, I deleted all my cache, closed the browser and then tried again. This worked for me thankfully

Hi everyone,

I've been stuck for a few days now, and I don't know if the issue is on my side or on the machine side. I was able to get an admin cookie, but I can't access the /d*******d page anymore. Now I get a 500 Internal Server Error every time… I deleted my history, cookies and site data, reset the machine, but nothing works. I see people owning user and system flags in the "Activity" tab, so I'm wondering if this is normal behavior or if it's only happening to me for some reason.

I'd appreciate any hint or help :slight_smile:

Thanks and happy hacking


Same here :frowning:

Update: I tried downloading a new VPN file and reconnecting to the machine. It is now working!

Did you include the port number as well? http://headless.htb:{PORT}/dashboard

Hello, I've obtained the user flag, but I don't know how to root it. I tried LinPEAS, but I don't think it shows anything of much use.

edit:

hint

If you do sudo -l, you will find a program you can run without a password. Now see what script that program is running! You should be able to edit that script. ;D

:face_with_head_bandage: I'm on as user; however, when I check the directory /usr/bin/, the initdb.sh file is not present. I can't seem to run ./syscheck either. Something wrong? Or am I missing the whole thing? Spasiba! Thanks!

I have the same problem :frowning:


Same issue here.

I've rooted the machine, but I don't understand why executing the initdb.sh file is possible.

When you look at the /usr/bin/syscheck file, the following is displayed:

./initdb.sh 2>/dev/null. But this would mean that initdb.sh will only be executed if it's present in the /usr/bin folder, right? (Because of the "./" prefix.)

How come the command sudo /usr/bin/syscheck will execute the initdb.sh file present in the /home/dvir folder even though this path is not mentioned in the syscheck file?

Could someone please give me some advice on how to properly use that Firefox remote debug service? I've set up a tunnel and the target port is reachable from my attack machine, but through the Firefox UI the connection always fails. I've also added some lines to the user.js file to explicitly enable debugging, but it didn't help.

Hello, I solved the task by creating my own file. It looks like syscheck runs the file in the same directory where you launched the command.

So I created my own folder in /tmp (so I have my own file and don't obstruct any other player). In this folder I created my own initdb.sh file with a simple reverse shell command, and that's it.

Short conclusion: you can win the game even if the file isn't present. To my mind, it's even your job to create the file yourself, so you can specify your own host for the reverse shell.

Great, that you got the user. You can solve the task without editing the /usr/bin/syscheck script.

Please read thoroughly through it and check what it does.

Next hint:

Check its logic in the second half of the script.

Next hint:

What actions are performed with initdb.sh inside the script?

Next hint:

Can we control the contents of initdb.sh? How can we abuse it? :)

Just the answer (better to try yourself with the hints):

/usr/bin/syscheck checks whether a process with initdb.sh is running. If no such process is running (which is usually the case), the script executes ./initdb.sh from the directory where you launched sudo /usr/bin/syscheck. You can put a reverse shell in the file, make the file executable and launch sudo /usr/bin/syscheck.

On this machine it writes something like "the incident will be reported to admin" and you can see a preview of the message.

So the HTB machine simulates a situation in which the admin saw the incident report containing the XSS, and it triggered.

Is this clear now?

Hey, it's because ./initdb.sh means to execute the script from your CURRENT directory. When you run syscheck, you are running it from your current directory, wherever that may be. Even though the script being executed is /usr/bin/syscheck, when it encounters "./initdb.sh" it assumes that file is found in the directory where the script was executed. So the script is running in the context of your current directory, and if relative paths are used then the script will look for "initdb.sh" in your current directory, since that is what is implied by "./".

If instead the script said /usr/bin/initdb.sh 2>/dev/null, then yes, it would be forced to run the one in /usr/bin. This is why it's recommended to use absolute paths instead of relative paths.
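An added demonstration of the point made in the two posts above (this is constructed example code, not anything from the machine or the thread): a script that calls a helper by a relative "./" path picks up whatever file sits in the caller's working directory, while a script that resolves the helper against its own location does not. Everything is built in a temporary directory; no sudo is involved and the helper only echoes a line.

```shell
#!/bin/sh
# Constructed demo: relative vs. absolute helper paths in a script.
# setup_demo creates a temp tree and prints its path:
#   bin/syscheck_relative  - looks for ./initdb.sh in the caller's $PWD (weak)
#   bin/syscheck_absolute  - looks for initdb.sh next to the script itself (fixed)
#   userdir/initdb.sh      - a file an unprivileged user controls (constructed)
setup_demo() {
  DEMO=$(mktemp -d)
  mkdir -p "$DEMO/bin" "$DEMO/userdir"

  # Weak pattern: "./" resolves against the working directory of whoever
  # runs the script, so a user-writable directory decides what executes.
  cat > "$DEMO/bin/syscheck_relative" <<'EOF'
#!/bin/sh
./initdb.sh 2>/dev/null || echo "no helper in $PWD"
EOF

  # Hardened pattern: anchor the helper to the script's own directory
  # (an absolute path such as /usr/bin/initdb.sh works the same way).
  cat > "$DEMO/bin/syscheck_absolute" <<'EOF'
#!/bin/sh
HERE=$(cd "$(dirname "$0")" && pwd)
"$HERE/initdb.sh" 2>/dev/null || echo "no helper next to script"
EOF

  # User-controlled helper; it only reports where it was run from.
  printf '#!/bin/sh\necho "ran helper from $PWD"\n' > "$DEMO/userdir/initdb.sh"
  chmod +x "$DEMO/bin/"* "$DEMO/userdir/initdb.sh"
  echo "$DEMO"
}

# Run one of the two syscheck variants from inside the user-controlled
# directory and return its output, so the difference is observable.
run_from_userdir() {
  demo=$1
  variant=$2
  (cd "$demo/userdir" && "$demo/bin/$variant")
}
```

Running the relative variant from userdir executes the user's initdb.sh; the absolute variant ignores it, which is the behaviour a privileged script should have.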

Omega stuck on getting a foothold. I managed to find the XSS vuln and got the admin cookie, but now I have no idea what to do at the /dashboard page. I've tried different kinds of injections, but nothing is landing. Any hints?

Never mind, I figured it out and got root. Yay!
Feel free to DM for any hints.

Hi, I am stuck at getting root. I understood that I have to create my own initdb.sh file in /usr/bin with my payload in it. But when I try to create the file I get a permission denied error. Any idea?

Hi, I'm a beginner and this is my first car; I don't even know where to start. I read your tips and realized that I need to do XSS and get the admin cookies. But they need to be sent to a site I've prepared that would accept them? Tell me, am I thinking correctly?