Introduction to Alert:

This write-up comprehensively analyses the “Alert” machine from Hack The Box, classified as an easy-difficulty challenge. It details the step-by-step process of reconnaissance, exploitation, and privilege escalation necessary to capture the flag successfully.
Objective
The purpose of this walkthrough is to complete the “Alert” machine from Hack The Box by accomplishing the following key objectives:
User Flag: We found an XSS vulnerability through .md file uploads and the Contacts tab. After embedding an XSS script in a Markdown file and sharing the link, we extracted data from messages.php, revealing that the file parameter could read system files. This led to discovering /var/www/statistics.alert.htb/.htpasswd, which contained a hashed password. After hashid identified it as MD5 (APR1-MD5), we cracked it with hashcat, retrieving the password ManchesterUnited. With these credentials, we accessed the system and obtained the user flag using cat user.txt.
Root Flag: We accessed statistics.alert.htb using discovered credentials and found port 8080 open. Using SSH port forwarding, we reached a monitoring site but didn’t know its directory. Checking ps aux, we located it in /opt/website-monitor and confirmed file contents. Testing with a simple PHP file worked, so we uploaded a PentestMonkey reverse shell. After setting up a listener and triggering it in the browser, nothing happened. To ensure success, we created a reliable PHP file and prepared to trigger it again.
Enumerating the Alert Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.44
Nmap Output:
┌─[dark@parrot]─[~/Documents/htb/alert]
└──╼ $nmap -sC -sV -oA initial 10.10.11.44
# Nmap 7.94SVN scan initiated Tue Mar 18 11:51:48 2025 as: nmap -sC -sV -oA initial 10.10.11.44
Nmap scan report for 10.10.11.44
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| 256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_ 256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://alert.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 18 11:52:23 2025 -- 1 IP address (1 host up) scanned in 35.73 seconds
Analysis:
- Port 22 (SSH): Secure remote access via OpenSSH 8.2p1, potential for credential-based attacks.
- Port 80 (HTTP): Apache 2.4.41 web server with a redirect to alert.htb, requires further enumeration.
Web Enumeration:
Web Application Exploration:

When accessing the website interface, it redirected us to a Markdown Viewer.
What is Markdown Viewer?
A Markdown Viewer is a tool or application designed to display Markdown (.md) files with proper formatting. Markdown is a simple markup language used to create formatted text using plain text.
Supported File Types
Most Markdown Viewers allow users to upload:
- Markdown files (.md) – The standard format containing Markdown syntax.
- Text files (.txt) – Some viewers support plain text files with Markdown-style formatting.
- Other formats – Certain viewers may also recognize extensions like .markdown, .mdown, or .mkd.

While exploring the application, we came across a statement that reads:
Our administrator is in charge of reviewing contact messages and reporting errors to us, so we strive to resolve all issues within 24 hours.
This means that the administrator is responsible for checking messages sent through the contact form and identifying any errors or issues reported by users. Once an issue is identified, the team aims to fix it within 24 hours to ensure a smooth user experience.

Another interesting feature was the Contacts tab, which allowed users to send any text to the admin.

An attack vector quickly becomes apparent: the machine’s name hints at XSS, the ability to upload .md files provides a potential entry point, and the Contacts tab offers a way to deliver the payload.
Exploiting XSS Vulnerability on alert machine
Testing a basic XSS:
<script>alert("darknite was here")</script>
However, this did not work.

Instead, we embedded an XSS script inside a .md file.
Extracting Sensitive Data

Once done, let’s upload the file to the application.

Suddenly, it worked like a charm!

Start up the Python server.

Let’s upload the xss.md file to the application.

The page appears blank, but a “Share Markdown” option is visible at the bottom.

It redirected to another page. From this, we discover the messages.php endpoint and that its file parameter allows file reading.

We can submit the URL through the contact form.


The server receives a request with URL-encoded data. This script captures the response from the messages.php request, converts it to text, and forwards it to our Python server, where the extracted data is stored.

Embed the script in a .md file, upload it to the site, copy the shared link, and send it to the admin. We plan to recreate this process by getting the administrator to access a system file like /etc/hosts. After conducting several tests, we identified a working path traversal vulnerability.
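
From the defender's side, requests like these leave a clear trace in the web server's access log. The following added example (not part of the original write-up) scans Apache combined-format lines for messages.php requests whose file parameter decodes to something other than a plain file name; the log lines, client addresses, and the benign file name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in Apache combined log format (not captured from the target).
SAMPLE_LOG = """\
10.10.14.5 - - [18/Mar/2025:12:01:10 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"
127.0.0.1 - - [18/Mar/2025:12:03:41 +0000] "GET /messages.php?file=../../../../etc/hosts HTTP/1.1" 200 410 "-" "HeadlessChrome"
127.0.0.1 - - [18/Mar/2025:12:04:02 +0000] "GET /messages.php?file=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 410 "-" "HeadlessChrome"
127.0.0.1 - - [18/Mar/2025:12:04:30 +0000] "GET /messages.php?file=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 0 "-" "HeadlessChrome"
127.0.0.1 - - [18/Mar/2025:12:05:11 +0000] "GET /messages.php?file=/etc/hosts HTTP/1.1" 200 0 "-" "HeadlessChrome"
10.10.14.5 - - [18/Mar/2025:12:06:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(raw):
    """Return a reason if the value is not a plain file name, else None."""
    path = decode_fully(raw).replace("\\", "/")
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "dot-dot segment"
    return None

def scan(log_text, endpoint="/messages.php", param="file"):
    """Return (client, raw value, reason, status) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path != endpoint:
            continue
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            if name == param and classify(raw):
                findings.append((client, raw, classify(raw), int(status)))
    return findings
```

A hit with a 200 status deserves priority, since it means the server answered the out-of-directory read instead of rejecting it.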

It has returned the output in the Python script.

We identified all the subdomains, as shown above.

We accessed the subdomain but couldn’t find any credentials to log in.

Next, we need to retrieve the contents of the /etc/apache2/sites-enabled/000-default.conf file.


At this stage, the response appears intriguing.



After discovering the path to the .htpasswd file, we read its contents to retrieve the password hash.

This allows us to use the script to attempt to read the contents of the .htpasswd file.


We discovered a hash associated with Albert.
Cracking Credentials on alert

Based on my experience, hashes starting with $apr1$ use the Apache APR1-MD5 hashing algorithm, commonly found in .htpasswd files. These can often be cracked using tools like John the Ripper or hashcat with the md5apr1 mode, but I might be wrong.

So, let’s analyze it using hashid, and it turns out to be an MD5 hash. With this information, we can attempt to crack it using tools like John the Ripper or hashcat.


We’ll use hashcat to crack it with the following command:
hashcat -m 1600 -a 0 <hash_filename> <wordlist>
After some time, we successfully cracked the password: ManchesterUnited.
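
The hash fell quickly because $apr1$ is a salted, 1000-round MD5 construction, which is cheap to brute-force compared with bcrypt (htpasswd -B). As an added example (not part of the original write-up), the audit below classifies each entry of an .htpasswd file by its digest prefix; the user names and digests are constructed placeholders, and the minimum bcrypt cost is a threshold chosen for this example.

```python
import re

MIN_BCRYPT_COST = 10  # threshold chosen for this example, not an Apache default

# Constructed entries: the digests are placeholders, not real password hashes.
SAMPLE_HTPASSWD = """\
# statistics site users
alice:$apr1$CONSTRUC$PLACEHOLDERPLACEHOLDER0
bob:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERP
carol:$2y$12$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERP
dave:{SHA}PLACEHOLDERPLACEHOLDERPLACE=
erin:hunter2
"""

def classify(digest):
    """Map an htpasswd digest to (scheme, verdict) using its prefix."""
    m = re.match(r"^\$2[aby]\$(\d{2})\$", digest)
    if m:
        cost = int(m.group(1))
        return ("bcrypt", "ok" if cost >= MIN_BCRYPT_COST else f"low cost {cost}")
    if digest.startswith("$apr1$"):
        return ("apr1-md5", "weak: salted MD5, 1000 rounds")
    if digest.startswith("{SHA}"):
        return ("sha1", "weak: unsalted SHA-1")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", digest):
        return ("des-crypt", "weak: only first 8 characters used")
    return ("unknown", "review: plaintext or unrecognised scheme")

def audit(text):
    """Return (line number, user, scheme, verdict) for every entry."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, digest = line.partition(":")
        if not sep or not user:
            report.append((lineno, None, "malformed", "review"))
            continue
        scheme, verdict = classify(digest)
        report.append((lineno, user, scheme, verdict))
    return report
```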

Let’s use the credentials we found to access SSH.

We can retrieve the user flag by running the command:
cat user.txt
Escalate to Root Privileges Access
Privilege Escalation:

No binaries are available for Albert’s access.

Accessing statistics.alert.htb using the discovered credentials was successful.

Let’s scan the machine for any open ports.

Identify port 8080 running on localhost, then configure port forwarding.
ssh -L 8080:localhost:8080 albert@alert.htb

Navigate to http://localhost:8080, where a monitoring site is displayed.

We are unsure of the directory for the monitoring website, so we will check using ps aux.

We have determined that it is stored in /opt/website-monitor.

The screenshot above displays the files stored in /opt/website-monitor.

We can see only a single file inside the config folder.

It is an empty page.


Testing with a basic PHP file containing “hello” confirms that it works.

We can upload a PHP reverse shell from Pentestmonkey.

Start our listener.

We need to trigger it in the browser.

Unfortunately, nothing happens. 😞

As a result, we will create a simple and reliable PHP file.

Let’s attempt to trigger it again.


We can read the root flag by typing the “cat root.txt” command.