HTB — Forge Walkthroughs

Giorgi Barbakadze

5 min readJan 26, 2022

Enumeration

Scan forge machine with nmap, using command :

nmap -sV -sC {ip}

-sV — shows port versions
-sC — run script scan

As we can see only 21, 22 and 80 ports are opened

21 — FTP
22 — SSH
80 — HTTP

port 80 contains http://forge.htb address. so add it into /etc/hosts file.

next when we open http://forge.htb, we should be able to see website

make directory scan with FFUF

ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://forge.htb/FUZZ

-c — colored status codes
-w — wordlist path
-u — website address

after this, we will notice that only interesting folder is upload directory, where we can upload files from our machine and from website address.

at this point we can upload php reverse shell or image file which contain reverse shell in metatada, but that attack vector does not work. we should enumerate more…

lets make DNS scan with ffuf :

ffuf -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H “HOST : FUZZ.forge.htb” -u http://forge.htb/ -fl 10

-c — colored status codes
-w — wordlist path
-H — make DNS payload
-u — target address
-fl — ignore lines in response code

result shows that there is admin subdomain. add it into /etc/hosts file and open that address

unfortunately this page is allowed for localhost only. We can use burp suite to bypass IP restrictions

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

but it does not work. for more information open this LINK

we will notice that we can upload files from website. lets upload admin.forge.htb into it.

here we go. we see that this address is blacklisted. so lets bypass this restriction.

use address like http://ADMIN.FORGE.HTB instead of http://admin.forge.htb

We bypassed restriction, but it is not what we except, because address does not contain anything.

at this point we should use CURL to see content of this address.

as we can see, we are able to see content of this address. dig into the code and see that /announcements folder is available, so send http://ADMIN.FORGE.HTB/announcements into upload directory

and again use curl to see content of this address.

congratulations, we got FTP credentials user:heightofsecurity123!

but FTP is filtered, which means that we can access it only from localhost. we have to access it via browser. as it is mentioned in the code, admin.forge.htb/upload address have FTP and FTPS support. so use that credentials to login that address via FTP.

send http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB into upload directory

open with curl and we be able to see user.txt

to open user.txt, send http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB/user.txt into upload directory and open it via CURL.

congratulations, we got user.txt but what about privilege escalation ?

Privilege Escalation

Firstly we need to gain access on the server via SSH. we can do it with id_rsa key which is into .ssh folder of FTP.

send http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB/.ssh/ into upload directory and then open link via CURL. result should be like this

at this point we can steal id_rsa and then login with ssh with command :

ssh -i id_rsa user@forge.htb

We are in.

after command sudo -l (which tell us on which files we have sudo access ) we will notice that we have sudo access to /opt/remote-manage.py.

lets dig into the code.

our goal is to run the program with a pdb module. for it we have to make another ssh conenction, run /usr/bin/python3 /opt/remote-manage.py , and then connect via nc

run /usr/bin/python3 /opt/remote-manage.py