As always, we start with nmap to discover open ports.
nmap -sC -sV -oA forge 10.10.11.111
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 19:51 EET
Nmap scan report for 10.10.11.111 (10.10.11.111)
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
| 256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_ 256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are 2 ports open:
22 => SSH
80 => HTTP
Nmap also reports a redirect to http://forge.htb, so let's add that name to our /etc/hosts file.
Now let's enumerate port 80.
It's just a static page, but there is an "upload an image" page, so let's check it. Before we do, let's run a directory brute-forcer and a subdomain brute-forcer in the background.
Gobuster found these directories, but nothing useful.
But I found the subdomain admin.forge.htb, which looks interesting, so let's add it to /etc/hosts and check it.
It's only allowed from localhost, so let's leave it for now and move on to the "upload an image" page.
There are two ways to upload a file: from a URL, or from my PC.
We could try to upload a shell, but we don't know which programming language the web server is running. The other option is to try SSRF through "upload from URL", so let's try SSRF first, since we know admin.forge.htb is only allowed from localhost.
First, I tried reaching my own Python web server, and it works. Now let's try to reach internal resources.
When requesting http://forge.htb or http://127.0.0.1, it says the address is blacklisted.
I tried http://FORGE.htb in capital letters, and it successfully bypassed the filter.
Now let's request http://admin.FORGE.htb. We can't view the page in the browser because the response is treated as an image, but if we download the file with curl or wget we can read its content.
Let's download the file and open it.
It lists /announcements and /upload. Let's fetch /announcements the same way we fetched the previous one: request http://admin.FORGE.htb/announcements, download the resulting file with wget, and open it.
It contains FTP credentials, user:heightofsecurity123!, and says that /upload on this subdomain supports FTP and HTTP; to upload a file, use /upload?u=url
The first thing I tried was SSHing with these credentials, but that didn't work. Then I tried connecting to FTP through the SSRF we have, http://admin.FORGE.htb/upload?u=ftp://user:email@example.com, then downloaded the file and viewed its content.
It's the home directory of a user on the box; maybe there is a .ssh directory, so we can grab his SSH private key.
I tried http://admin.FORGE.htb/upload?u=ftp://user:firstname.lastname@example.org/.ssh and downloaded the file: the directory exists and contains the private key.
Let's get the private key: http://admin.FORGE.htb/upload?u=ftp://user:email@example.com/.ssh/id_rsa
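The filter bypass above (an uppercase hostname slipping past a case-sensitive blacklist) and the ftp:// fetch through /upload both come down to how the server validates a user-supplied URL before fetching it. Here is an added example, written for this writeup and not taken from the box's application, of the weak string-match filter next to a validator that normalises the scheme and hostname, rejects embedded credentials and non-http(s) schemes, and checks every address the name resolves to. The blocklist, the fake DNS table and the function names are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed blocklist: names that point back at the server itself.
BLOCKED_HOSTS = {"forge.htb", "admin.forge.htb", "localhost"}


def is_blacklisted_naive(url):
    """Weak filter (assumed, modelled on the behaviour seen in the writeup):
    a case-sensitive substring match on the raw URL. 'FORGE.htb' slips past."""
    return any(bad in url for bad in ("forge.htb", "127.0.0.1", "localhost"))


def default_resolver(host):
    """Resolve a hostname to all of its IP addresses with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a user-supplied fetch URL.

    Rejects non-http(s) schemes (so ftp:// cannot reach an internal FTP
    server), embedded credentials, blocked names (compared case-insensitively,
    because urlsplit().hostname is already lowercased), and any host whose
    addresses are not globally routable (loopback, RFC 1918, link-local, ...).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS:
        return False, f"host {host!r} is blocked"
    # IP literals (IPv4 or bracketed IPv6) are checked directly; names go
    # through the resolver and every returned address is checked.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError):
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {
    "forge.htb": ["10.10.11.111"],
    "admin.forge.htb": ["10.10.11.111"],
    "intranet.local": ["10.0.0.5"],
    "example.org": ["93.184.216.34"],
}


def fake_resolver(host):
    """Stand-in for default_resolver that answers only from FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no record for {host}")


if __name__ == "__main__":
    for candidate in ("http://forge.htb", "http://FORGE.htb",
                      "http://admin.FORGE.htb/announcements",
                      "ftp://user:pw@127.0.0.1/.ssh/id_rsa",
                      "http://intranet.local/", "http://example.org/image.png"):
        print(f"{candidate:45} naive-blocked={is_blacklisted_naive(candidate)!s:5} "
              f"hardened={validate_fetch_url(candidate, fake_resolver)}")
```

Validating before fetching still leaves a window: a name can resolve to a public address during the check and to an internal one when the fetch happens (DNS rebinding), and a redirect from a public host can point back inside. The fetcher should therefore connect to the address that was validated and re-run the check on every redirect hop instead of following redirects automatically.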
Now let's SSH in with the key, and we are user.
Running sudo -l shows we can run /usr/bin/python3 /opt/remote-manage.py as root.
Let's check the remote-manage.py file.
The script opens a random port and waits for a connection. When a connection comes in and the user enters a password, it compares that with the hardcoded password secretadminpassword; if it matches, the user can choose one of three options. Two things are interesting here: the hardcoded password secretadminpassword, and the pdb module, a Python debugger that we can abuse to get a root shell.
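The writeup describes the script rather than showing its source, so this is an added sketch, not /opt/remote-manage.py itself, of how the same kind of service looks with the two weaknesses removed: the secret comes from the environment instead of a literal in a script any local user can read and is compared in constant time, and an exception (for example the client hanging up after Ctrl+C) is logged and ends the session instead of dropping a root process into pdb. The environment variable name, the three menu actions and the helper names are assumptions.

```python
import hmac
import logging
import os
import socket

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


def load_secret(env_var="REMOTE_MANAGE_SECRET"):
    """Hypothetical: read the admin secret from the environment (or a root-only
    file) rather than hardcoding it in a script that is readable by everyone."""
    secret = os.environ.get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} is not set; refusing to start")
    return secret


def check_password(candidate, expected):
    """Constant-time comparison; a plain == leaks how many bytes matched via timing."""
    return hmac.compare_digest(candidate.encode(), expected.encode())


# Three menu actions, assumed for the example (the writeup does not list them).
ACTIONS = {
    "1": lambda: "status: ok",
    "2": lambda: "uptime: n/a",
    "3": lambda: "bye",
}


def handle_session(recv_line, send_line, expected_secret):
    """Serve one client. recv_line() returns the next line from the client and
    send_line(text) writes to it; either may raise when the peer disconnects.

    Returns a status string. Every exception is logged and ends the session;
    nothing here ever opens an interactive debugger, which is what turned a
    client hang-up into a root shell in the original service.
    """
    try:
        send_line("Enter password: ")
        if not check_password(recv_line().rstrip("\r\n"), expected_secret):
            send_line("Invalid password\n")
            return "auth-failed"
        send_line("1) status  2) uptime  3) quit\n")
        action = ACTIONS.get(recv_line().rstrip("\r\n"))
        if action is None:
            send_line("Unknown option\n")
            return "bad-option"
        send_line(action() + "\n")
        return "ok"
    except Exception as exc:  # e.g. ConnectionResetError when the client hangs up
        logging.error("session aborted: %r", exc)
        return "error"


def serve_once(secret, host="127.0.0.1", port=0):
    """Accept a single TCP client on an ephemeral port and run handle_session."""
    with socket.socket() as srv:
        srv.bind((host, port))
        srv.listen(1)
        logging.info("listening on %s:%d", *srv.getsockname())
        conn, _ = srv.accept()
        with conn, conn.makefile("r") as rd, conn.makefile("w") as wr:
            def send_line(text):
                wr.write(text)
                wr.flush()
            return handle_session(rd.readline, send_line, secret)


if __name__ == "__main__":
    serve_once(load_secret())
```

handle_session takes its I/O as callables so the same logic can be driven by a real socket in serve_once or by in-memory lines, which is how the exception path (a reader that raises mid-session) can be exercised without a network.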
First, let's run the Python script and wait for incoming connections.
sudo /usr/bin/python3 /opt/remote-manage.py
Second, open another SSH session and connect to that port with telnet or netcat. After connecting, enter the password and then press Ctrl+C to break the connection, so the exception occurs and pdb opens in the first SSH session.
Now type the following code in the pdb shell.
From GTFOBins: https://gtfobins.github.io/gtfobins/pdb/
And we are root!