# HackTheBox-Forge
## NMAP
```bash
PORT STATE SERVICE REASON VERSION
21/tcp filtered ftp no-response
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
on visting http server , it's going to redirect us to `forge.htb` so let's add this to `/etc/hosts` file
We can try to upload images through this page , but after that there's nothing we can do , we can't upload a php file as it replaces the a random name
I tried to visit `uploads` directory but it just gives an error
We can see `static` directory from where javascript ,css and images are loaded
I ran `gobuster` to fuzz for files and directories but didn't found anything so went with `wfuzz` to look for any subdomains
We found `admin.forge.htb` so let's add this to /etc/hosts file
so going to `admin.com.forge.htb`
It seems that we can't access this as it's only allowed from localhost , going back to `forge.htb` I missed looking into `upload from url` option
So what if we try to access `admin.forge.htb` through this which is known as a SSRF attack (Server Side Request Foregery) where we make a request from the web application to access internal resources
So it seems there's a wordlist being used here , let's try if we can acesss localhost
It gives the same error again so we need to bypass this backlist somehow , for localhost we can try this `http://127.127.127.127` , `http://127.0.1.1` or `http://[::]:80/`
And it uploads the file now we can just wget it and see the response
Perfect , we bypassed making a request to localhost but still have to do something about the admin subdomain so why not try accessing it like this
`http://admin.Forge.htb` or `http://ADMIN.FORGE.HTB`
Here we can see an `upload` folder again which I assume it's the same one but we have `announcmennts` so let's try to see what's in there
`http://ADMIN.FORGE.HTB/announcements/`
Here it gives us the ftp creds also it tells us that there's a GET parameter on `/upload` which supports ftp,http or https , so we need to make the request again with the ftp creds to `upload` on `admin.forge.htb` domain
`http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.127.127.127`
We can grab the `user.txt` if we want but we don't see much here . I went to `snap` folder but it was just a rabitt hole wasn't anything there , so we can try to access `.ssh` folder if it exists we can get the contents there so fingers crossed.
`http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.127.127.127/.ssh/`
Boom we can get the `id_rsa` key but we don't know the user yet so let's grab` authorized_keys` file too as it contains the username for whom the keys are generated for
This key is for `user` so let's try logging in
We can do `sudo -l` to see if the user can run commands as sudo
Checking the python , what it's about and it's opening up a TCP port to listen on and we can connect to it using `telnet` which it's going to ask for a password and after that we can run commands like ps -aux , ss -ltp, df
If we specify a wrong option other than 1,2,3,4 and `Pdb` prompt is going to show up
So I googled what this Pdb is and it's a python debugger
Being a debugger we can try to run some python commands through it
With this we rooted this box
## References
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md
- https://docs.python.org/3/library/pdb.html