6 min readJan 22, 2022


Hello everyone , in this post I will be sharing my walkthrough for HTB-Forge machine which was a medium linux box , starting off with the nmap scan we see that there are three ports ftp ,ssh and http, ftp is filtered meaning that we can’t connect to it so ignoring that and looking at web server there was a functionality to upload images from local directory or directly through url which lead to a vulnerability know as SSRF to subdomain admin.forge.htb which was found through fuzzing for subdomains but there was a blacklist that was checking for “localhost” and “forge” which was easily bypassed by making some characters capital also there were other ways as well , accessing that subdomain ,it revealed that we can connect to ftp through SSRF and grab user ‘s ssh key , after that running sudo -l it will show us the script we can as root and abuse it to get root user.


21/tcp filtered ftp no-response
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel


on visiting http server , it’s going to redirect us to forge.htb so let's add this to /etc/hosts file

We can try to upload images through this page , but after that there’s nothing we can do , we can’t upload a php file as it replaces the a random name

I tried to visit uploads directory but it just gives an error

We can see static directory from where javascript ,css and images are loaded

I ran gobuster to fuzz for files and directories but didn't found anything so went with wfuzz to look for any subdomains

We found admin.forge.htb so let's add this to /etc/hosts file

so going to admin.com.forge.htb

It seems that we can’t access this as it’s only allowed from localhost , going back to forge.htb I missed looking into upload from url option

So what if we try to access admin.forge.htb through this which is known as a SSRF attack (Server Side Request Foregery) where we make a request from the web application to access internal resources

So it seems there’s a wordlist being used here , let’s try if we can access localhost


It gives the same error again so we need to bypass this blacklist somehow , for localhost we can try this , or http://[::]:80/

And it uploads the file now we can just wget it and see the response

Perfect , we bypassed making a request to localhost but still have to do something about the admin subdomain so why not try accessing it like this

http://admin.Forge.htb or http://ADMIN.FORGE.HTB

Here we can see an upload folder again which I assume it's the same one but we have announcements so let's try to see what's in there


Here it gives us the ftp creds also it tells us that there’s a GET parameter on /upload which supports ftp,http or https , so we need to make the request again with the ftp creds to upload on admin.forge.htb domain


We can grab the user.txt if we want but we don't see much here . I went to snap folder but it was just a rabbit hole wasn't anything there , so we can try to access .ssh folder if it exists we can get the contents there so fingers crossed.


Boom we can get the id_rsa key but we don't know the user yet so let's grab authorized_keys file too as it contains the username for whom the keys are generated for

This key is for user so let's try logging in

Privilege Escalation

We can do sudo -l to see if the user can run commands as sudo

Checking the python , what it’s about and it’s opening up a TCP port to listen on and we can connect to it using telnet which it's going to ask for a password and after that we can run commands like ps -aux , ss -ltp, df

If we specify a wrong option other than 1,2,3,4 and Pdb prompt is going to show up

So I googled what this Pdb is and it’s a python debugger

Being a debugger we can try to run some python commands through it

With this we rooted this box