Forge — HTB

FoushGX
5 min read · Jan 22, 2022

Hi everyone,
Today I'll show you in detail how I pwned the "Forge" machine.

Introduction

From this machine we will learn about multiple topics, including:

1. SSRF,
2. FTP access through the web browser,
3. SSH keys,
4. the Python debugger (pdb).

First, don't forget to add the IP of the machine to `/etc/hosts` (a plain `sudo echo ... >> /etc/hosts` fails because the redirection is done by the unprivileged shell, so use `tee`):
`$ echo "10.10.11.111 forge.htb" | sudo tee -a /etc/hosts`

Recon phase:

1. The first thing to do is check for open ports using `nmap`. We found 2 open ports, 80 and 22; port 21 is filtered.

2. Let's check port 80/tcp, which is a website.

Ok!!! We have a gallery with an upload page, which lets us upload from a local file or from a URL.

Hint: when we have an upload page, it directs us to look mostly for SSRF, LFI and RFI vulns.

3. I started directory brute-forcing and found only 3 results:
`/uploads` -> leads to 404 Not Found.
`/Static` -> leads to CSS/JS/image files, and nothing important in them.
`/upload` -> allows me to upload files.

4. After that I started VHOST enumeration using `ffuf` and got only one result. *Don't forget to add it to the /etc/hosts file.*

ffuf -u http://forge.htb/ -H "Host: FUZZ.forge.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -mc 200 -v

5. Now let's access it from the browser. It only allows localhost, as the screenshot below shows.

Footholding

  • As we found before, `http://forge.htb/upload` allows us to upload files or URLs.
  • First I started to check the file upload, and it gave me a link to access the uploaded file.
  • The problem is that the file name and extension are replaced with a random name, and the server treats the result as an image only, so I can't run my script successfully.
  • After that I tested upload from URL, and it works for default images.
  • Now I started to test for `SSRF`: first I tried `http://127.0.0.1` and `http://localhost`, and both got blacklisted.
  • So I needed to try bypassing this blacklist. I tried one of the most common bypass payloads, `http://127.1/`, and it worked fine. xD
  • Now I knew it's an SSRF: we can access `localhost`.
  • If you remember, we found a VHOST that accepts only localhost connections.
  • So let's check the VHOST which needs localhost access, `http://admin.forge.htb/`, and we are back to the blacklist again :(
  • Maybe the blacklisted word is 'admin', 'forge' or 'htb'; we can try each word alone to check which one is blacklisted, or whether the whole VHOST name is blacklisted.
  • Or we can bypass with the full URL: since the URL is treated the same in upper and lower case, we can write the full URL in upper case.

Bypassing technique

  • Now we need to see the content of this link, but we can't open it directly because it will be rendered as an image.
  • We have 2 ways to read the body as text before rendering: the first is to use the `curl` tool with the link, the second is to use Burp Suite.
  • I used Burp Suite to make it easy for me to modify and send many requests.
  • Here's the content of the VHOST main page. As we see, it has a nav with 2 more directories, `/announcements` and `/upload`.
  • Let's check the first dir, `/announcements`, by uploading a new URL with the full path: `http://ADMIN.FORGE.HTB/announcements`
  • Okay, from the content of the page we have a lot of sensitive data:

1) There is an internal FTP server ('21/tcp ftp filtered').
2) Credentials for this server: 'user:heightofsecurity123!'.
3) The server supports more protocols for upload: 'ftp, ftps, http, https'.
4) There is a parameter '?u=' in the '/upload' page of the admin VHOST.

  • After accessing the FTP server we found only one file, 'user.txt', which means we are in the '/home/user' directory.
  • So I tried to access the '/.ssh' folder and got the SSH private key for this user.

# First step: check for the '/.ssh' folder.
http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.1/.ssh
# Second step: read the `id_rsa` key for the user.
http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.1/.ssh/id_rsa
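The two bypasses used above (`127.1` instead of `127.0.0.1`, and `ADMIN.FORGE.HTB` instead of `admin.forge.htb`) and the `ftp://` fetch all work because the upload form filters on the spelling of the URL rather than on what it resolves to. The following is an added example, not code from the machine or from the author of this write-up, showing a substring blacklist of the kind the page describes next to a hardened check that allow-lists the scheme, normalises the host, and decides on the resolved addresses. The blacklist words, `static_resolver` and the host names in the test data are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Words the write-up reports as rejected by the upload form (illustrative
# list, not the machine's real source code).
NAIVE_BLACKLIST = ("127.0.0.1", "localhost", "admin.forge.htb")


def naive_is_blocked(url: str) -> bool:
    """Substring blacklist: the pattern the write-up bypasses."""
    return any(word in url for word in NAIVE_BLACKLIST)


def resolve_host(host: str) -> set:
    """Return every IP address `host` can refer to.

    socket.inet_aton accepts shorthand such as "127.1" and normalises it to
    "127.0.0.1", which is exactly why a string blacklist cannot be trusted.
    Non-numeric names go through getaddrinfo (DNS).
    """
    try:
        return {ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))}
    except OSError:
        pass
    infos = socket.getaddrinfo(host, None)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def static_resolver(table: dict):
    """Build a resolver from a fixed name->addresses mapping (offline tests)."""
    def resolver(host: str) -> set:
        if host not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
        return {ipaddress.ip_address(a) for a in table[host]}
    return resolver


def hardened_is_blocked(url: str, resolver=resolve_host,
                        allowed_schemes=("http", "https"),
                        internal_hosts=("admin.forge.htb",)) -> bool:
    """Allow-list check: scheme allow-list, normalised host, address check."""
    parts = urlsplit(url)
    # 1. Only fetch over the schemes the feature needs; this closes ftp://
    #    (and file://, gopher://, ...) regardless of the target host.
    if parts.scheme.lower() not in allowed_schemes:
        return True
    # 2. urlsplit().hostname is already lower-cased, so ADMIN.FORGE.HTB and
    #    admin.forge.htb compare equal.
    host = parts.hostname or ""
    if not host or host in internal_hosts:
        return True
    # 3. Decide on the resolved addresses, not on the spelling of the host.
    try:
        addresses = resolver(host)
    except (OSError, ValueError):
        return True  # cannot resolve -> fail closed
    return any(
        a.is_loopback or a.is_private or a.is_link_local
        or a.is_reserved or a.is_multicast or a.is_unspecified
        for a in addresses
    )
```

The address check is only as good as the connection that follows it: the fetch must connect to the address that was validated (or re-validate every redirect hop), otherwise a host that resolves to a public address at check time and to 127.0.0.1 a moment later still gets through.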

Privilege Escalation

[+] Now that we have the SSH key, let's open an SSH connection as user and check our permissions.

[+] Ok!!! We can run only one Python script as root. Let's read it.

[+] Let me explain this script in short steps:

1) First, this script opens a local listener on a random port.
2) I can connect to it from localhost only.
3) To start the connection it asks me for a password, "secretadminpassword".
4) This script doesn't validate user input xD, which means we can crash it with any input that is not one of its options.

[+] Let's give that a try.

1) I opened 2 shells for user.
2) From the first shell I ran the script: "sudo /usr/bin/python3 /opt/remote-manage.py"
3) From the second shell I connected to it:
$ echo "secretadminpassword" | nc 127.0.0.1 PORT
* Replace PORT with the random port you got from the 1st shell *
4) In the second shell I entered 'test', then interrupted the connection with "ctrl+c".
5) Back in the first shell, we find it has opened a "(Pdb)" prompt, which is the Python debugger.
6) I can open a shell from this point, as we are inside a Python script:
"(Pdb) import os; os.system("/bin/sh")"
-> For the last payload, ref -> https://gtfobins.github.io/gtfobins/pdb/
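The root cause here is a script run under sudo whose error path hands control to pdb, so any invalid input becomes a root Python prompt. The following is an added example written for this write-up, not the machine's `/opt/remote-manage.py`: a constructed menu handler in the risky form (unhandled exception leads to `pdb.post_mortem`) next to a hardened handler that validates input first and never invokes a debugger. `COMMANDS`, `check_password` and the `on_crash` parameter are assumptions made for illustration; the password is the one the write-up quotes.

```python
import hmac
import pdb

# Constructed stand-in for the menu of a privileged management script;
# not the real remote-manage.py.
COMMANDS = {
    "1": lambda: "listing processes",
    "2": lambda: "listing sockets",
    "3": lambda: "listing connections",
}
PASSWORD = "secretadminpassword"  # the password quoted in the write-up


def check_password(supplied: str) -> bool:
    """Constant-time comparison; a plain == leaks timing information."""
    return hmac.compare_digest(supplied.encode(), PASSWORD.encode())


def debug_handle(line: str, on_crash=pdb.post_mortem):
    """The risky pattern: unexpected input raises, and the except branch
    hands control to pdb. Run under sudo, that prompt is a root Python
    REPL on the operator's terminal. `on_crash` exists only so a test can
    observe the crash path without opening a real prompt."""
    try:
        return COMMANDS[str(int(line))]()
    except Exception:
        on_crash()  # pdb.post_mortem() opens an interactive "(Pdb)" prompt
        return None


def hardened_handle(line: str):
    """Validate first, never raise on user input, never invoke a debugger."""
    choice = line.strip()
    if choice not in COMMANDS:
        return "error: unknown option, valid options are " + ", ".join(sorted(COMMANDS))
    return COMMANDS[choice]()
```

Input validation removes this particular crash, but the sudo rule is the real control: a script that can drop into pdb (or any interactive interpreter) should not be granted as root at all, and debug hooks such as `pdb.post_mortem` belong behind an explicit development flag rather than in the default exception handler.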

And the machine is rooted successfully.... Congrats. xD xD

Thanks for reading, and I am waiting for your feedback.
