HTB - Forge

Linux - Medium

IP = 10.10.11.111

Enumeration

Same as always, I run nmap first.

Nmap: nmap -sSVC -p- -v -T4 -oA nmap/forge forge.htb

PORT     SERVICE & VERSION
21/tcp   ftp
22/tcp   OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
80/tcp   Apache httpd 2.4.41

FTP is interesting, but I need to find the credentials first.

Gobuster (dir): gobuster dir -u http://forge.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -z -o gobuster/forge-dir

There’s the upload route.

Gobuster (vhost): gobuster vhost -u http://forge.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -z -o subdomain/sub.txt

Found the admin.forge.htb subdomain, but I can't access it directly.

Looks like this web app has an SSRF vulnerability, so I try 127.0.0.1, localhost and admin.forge.htb as the URL, but they all get filtered.

I bypass the filter with uppercase characters and it just works.
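To show why that works and how the app should have checked the URL, here is an added example (my own code, not the box's source, which I never dumped): a case-sensitive substring blocklist that behaves like the filter above, beside a hardened check that parses the URL, normalises the hostname and resolves it before deciding. The blocklist contents, function names and the `resolver` parameter are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed reconstruction of the weak filter: a case-sensitive substring
# match on the raw URL string. "Forge.htb" never matches "forge.htb".
BLOCKED_SUBSTRINGS = ("127.0.0.1", "localhost", "admin.forge.htb", "forge.htb")


def weak_filter_allows(url: str) -> bool:
    """True when the naive blocklist lets the URL through."""
    return not any(bad in url for bad in BLOCKED_SUBSTRINGS)


def hardened_filter_allows(url: str, resolver=socket.gethostbyname) -> bool:
    """Allow only http(s) to a globally routable address.

    The hostname is taken from the parsed URL (urlsplit lower-cases it),
    so case tricks and embedded credentials are handled before any lookup.
    `resolver` is injectable so the check can be unit-tested offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # blocks ftp://, file://, gopher:// ...
    if parts.username or parts.password:
        return False                      # user:pass@host is a classic SSRF tell
    host = parts.hostname                 # already lower-cased by urlsplit
    if not host:
        return False
    if host == "localhost" or host == "forge.htb" or host.endswith(".forge.htb"):
        return False                      # internal names, compared case-insensitively
    try:
        addr = ipaddress.ip_address(host)  # literal IP, no lookup needed
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolver(host))
        except (OSError, ValueError):
            return False                  # unresolvable: fail closed
    # is_global rejects loopback, RFC1918, link-local and reserved ranges.
    # Caveat: the fetch should reuse this resolved address, otherwise a DNS
    # rebinding between check and fetch can still reach an internal host.
    return addr.is_global
```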

Now I get the admin.forge.htb page, and it has another interesting route.

Credentials shown on the announcements page: user:heightofsecurity123!

The announcements page gives the FTP credentials and explains how to upload a file over FTP through a URL, so I can construct a payload to retrieve an essential file like .ssh/id_rsa, the SSH private key.

I try SSH with the FTP credentials, but it doesn't work: SSH only accepts private-key authentication.

Exploitation

With the information from the announcements page, I can retrieve the file through the u parameter. The payload is: http://admin.Forge.htb/upload?u=ftp://user:heightofsecurity123!@Forge.htb/.ssh/id_rsa

Now I can log in as user and got the user part as well.

Privilege Escalation

First thing to do after getting user: try sudo -l.

The remote-manage.py file can lead to root.

After reading the source code of remote-manage.py, it looks like it creates a socket server waiting for a connection on a random port, and it checks a secret password that is obviously right there in the program. The actually interesting part is pdb.

The module pdb defines an interactive source code debugger for Python programs. So I just run remote-manage.py with sudo and use nc to connect to the socket server.

Then I try to cause an error with a string input to trigger pdb.

The exception handler drops into pdb; then I just import the os module and boom, root shell.

This machine should be easy in my opinion lul.

Ref:

https://docs.python.org/3/library/pdb.html