CTF-Writeups/HackTheBox/Forge.md

HackTheBox-Forge

NMAP

PORT   STATE    SERVICE REASON         VERSION
21/tcp filtered ftp     no-response        
22/tcp open     ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open     http    syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:                      
|_  Supported Methods: GET HEAD POST OPTIONS                     
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

on visting http server , it's going to redirect us to forge.htb so let's add this to /etc/hosts file

We can try to upload images through this page , but after that there's nothing we can do , we can't upload a php file as it replaces the a random name

I tried to visit uploads directory but it just gives an error

We can see static directory from where javascript ,css and images are loaded

I ran gobuster to fuzz for files and directories but didn't found anything so went with wfuzz to look for any subdomains

We found admin.forge.htb so let's add this to /etc/hosts file

so going to admin.com.forge.htb

It seems that we can't access this as it's only allowed from localhost , going back to forge.htb I missed looking into upload from url option

So what if we try to access admin.forge.htb through this which is known as a SSRF attack (Server Side Request Foregery) where we make a request from the web application to access internal resources

So it seems there's a wordlist being used here , let's try if we can acesss localhost

It gives the same error again so we need to bypass this backlist somehow , for localhost we can try this http://127.127.127.127 , http://127.0.1.1 or http://[::]:80/

And it uploads the file now we can just wget it and see the response

Perfect , we bypassed making a request to localhost but still have to do something about the admin subdomain so why not try accessing it like this

http://admin.Forge.htb or http://ADMIN.FORGE.HTB

Here we can see an upload folder again which I assume it's the same one but we have announcmennts so let's try to see what's in there

http://ADMIN.FORGE.HTB/announcements/

Here it gives us the ftp creds also it tells us that there's a GET parameter on /upload which supports ftp,http or https , so we need to make the request again with the ftp creds to upload on admin.forge.htb domain

http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.127.127.127

We can grab the user.txt if we want but we don't see much here . I went to snap folder but it was just a rabitt hole wasn't anything there , so we can try to access .ssh folder if it exists we can get the contents there so fingers crossed.

http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.127.127.127/.ssh/

Boom we can get the id_rsa key but we don't know the user yet so let's grab authorized_keys file too as it contains the username for whom the keys are generated for

This key is for user so let's try logging in

We can do sudo -l to see if the user can run commands as sudo

Checking the python , what it's about and it's opening up a TCP port to listen on and we can connect to it using telnet which it's going to ask for a password and after that we can run commands like ps -aux , ss -ltp, df

If we specify a wrong option other than 1,2,3,4 and Pdb prompt is going to show up

So I googled what this Pdb is and it's a python debugger

Being a debugger we can try to run some python commands through it

With this we rooted this box

References

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md
• https://docs.python.org/3/library/pdb.html