Headless - HackTheBox
Headless is an easy HackTheBox machine that is vulnerable to XSS in a contact form. Using that vulnerability, we can grab a cookie and gain admin access to the web app. Following that, we detect a command injection that provides the foothold on the machine. Inside the machine, we gain root by exploiting a script containing a path hijack vulnerability.