Home / Writeups

HTB Alert

From initial HTTP discovery to credential extraction and shell access.

Hello. I’m Shrijesh Pokharel. Here is my Alert - HackTheBox writeup.

Start with a basic Nmap scan. The target exposes ports 80 and 22, so the first pass is web enumeration. Add the hostname to /etc/hosts and explore the site with a browser, curl, and directory discovery tooling such as Gobuster.

The directory scan suggests an upload or script-generation workflow. I wrote a custom script.md payload that matched the file-type restrictions, then opened a listener on port 8888 and uploaded the script through the site. Submitting the generated URL through the contact page triggered a response that contained encoded data.

After decoding that response, I recovered a username and password hash and used the credentials to log in over SSH. That provided the user.txt flag.

For privilege escalation, I searched /opt/website-monitor/config for sensitive files and then used a reverse-shell payload in the application path that referenced config/file.php. Once connected, I moved through the filesystem to /root and retrieved the root flag.

Key sequence: nmap -sV → /etc/hosts → gobuster → script.md upload → decode hash → SSH → config/file.php → root.txt

Back to writeups