Hello everyone, in this post I will be sharing my walkthrough for the HTB Forge machine, a medium Linux box. Starting off with the nmap scan we see three ports: ftp, ssh and http. FTP is filtered, meaning we can't connect to it, so ignoring that and looking at the web server, there was a functionality to upload images either from the local directory or directly through a URL, which led to a vulnerability known as SSRF against the subdomain admin.forge.htb (found through fuzzing for subdomains). There was a blacklist checking for "localhost" and "forge", which was easily bypassed by making some characters capital (there were other ways as well). Accessing that subdomain revealed that we can connect to FTP through the SSRF and grab the user's ssh key. After that, running sudo -l shows us a script we can run as root, which we abuse to get the root user.
NMAP
PORT STATE SERVICE REASON VERSION
21/tcp filtered ftp no-response
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
On visiting the http server, it redirects us to forge.htb, so let's add this to the /etc/hosts file.
We can try to upload images through this page, but after that there's nothing we can do; we can't upload a php file since the upload is stored under a random name.
I tried to visit the uploads directory but it just gives an error.
We can see the static directory, from where the javascript, css and images are loaded.
I ran gobuster to fuzz for files and directories but didn't find anything, so I went with wfuzz to look for subdomains.
We found admin.forge.htb, so let's add this to the /etc/hosts file as well and go to admin.forge.htb.
It seems that we can't access this as it's only allowed from localhost. Going back to forge.htb, I had missed looking into the upload from url option.
So what if we try to access admin.forge.htb through this? This is known as an SSRF attack (Server Side Request Forgery), where we make the web application issue a request to access internal resources.
So it seems there's a wordlist being used here as a blacklist; let's try whether we can access localhost.
Foothold
It gives the same error again, so we need to bypass this blacklist somehow. For localhost we can try http://127.127.127.127, http://127.0.1.1 or http://[::]:80/
And it uploads the file; now we can just wget it and see the response.
Perfect, we bypassed the check on requests to localhost, but we still have to do something about the admin subdomain, so why not try accessing it like this: http://admin.Forge.htb or http://ADMIN.FORGE.HTB
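To show why the two bypasses above work and what a fix looks like, here is an added example (my own Python, not the box's application code): naive_blocklist_allows reproduces the case-sensitive substring filter for "localhost" and "forge" that the box used, and hardened_allows is a hypothetical replacement that parses the URL, lowercases the host, restricts the scheme, and checks the literal or resolved address against non-global ranges. The resolver is injectable so the check can run offline with a constructed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for the box's blacklist: a case-sensitive substring
# check, which is why "Forge" and 127.x.x.x addresses slipped through.
def naive_blocklist_allows(url: str) -> bool:
    return not any(word in url for word in ("localhost", "forge"))

def system_resolve(host: str) -> list:
    """Resolve a hostname to IP strings with the OS resolver."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def hardened_allows(url: str, resolve=system_resolve) -> bool:
    """Hypothetical allow check: only http(s), no credentials, and the host
    must be public both as written and after DNS resolution."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False                   # ftp://, file://, gopher:// never fetched
    if parts.username or parts.password:
        return False                   # no embedded credentials
    host = parts.hostname              # already lowercased, IPv6 brackets stripped
    if not host:
        return False
    if host == "localhost" or host == "forge.htb" or host.endswith(".forge.htb"):
        return False                   # internal names, now case-insensitive
    try:
        ips = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        try:
            ips = [ipaddress.ip_address(ip) for ip in resolve(host)]
        except (OSError, ValueError):
            return False
    if not ips:
        return False                   # an unresolvable host is not "safe"
    # Reject anything not globally routable: loopback (127.0.1.1 and
    # 127.127.127.127 included), RFC 1918, link-local, [::] / 0.0.0.0, reserved.
    return all(ip.is_global for ip in ips)
```

The fetch that follows must connect to the address it just validated instead of resolving the hostname a second time, otherwise DNS rebinding can still steer the request to an internal host.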
Here we can see an upload folder again, which I assume is the same one, but we also have announcements, so let's see what's in there: http://ADMIN.FORGE.HTB/announcements/
Here it gives us the ftp creds, and it also tells us that there's a GET parameter on /upload which supports ftp, http or https. So we need to make the request again, with the ftp creds, to /upload on the admin.forge.htb domain:
http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.127.127.127
We can grab user.txt if we want, but we don't see much here. I went to the snap folder but it was just a rabbit hole, there wasn't anything there. So let's try to access the .ssh folder; if it exists we can get its contents, so fingers crossed.
http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.127.127.127/.ssh/
Boom, we can get the id_rsa key, but we don't know the user yet, so let's grab the authorized_keys file too, as it contains the username for whom the keys were generated. This key belongs to user, so let's try logging in as that account.
Privilege Escalation
We can do sudo -l to see if the user can run any commands with sudo.
Checking what the python script is about: it opens a TCP port to listen on, and we can connect to it using telnet. It asks for a password, and after that we can run commands like ps -aux, ss -ltp and df.
If we specify a wrong option, anything other than 1, 2, 3 or 4, a Pdb prompt shows up.
So I googled what this Pdb is, and it's the python debugger. Being a debugger, we can try to run some python commands through it.
With this we rooted this box