HackTheBox — Forge

5 min readJan 26, 2022

As always we start with nmap to discover open ports.

Nmap Scan

nmap -sC -sV -oA forge 10.10.11.111

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 19:51 EET
Nmap scan report for 10.10.11.111 (10.10.11.111)
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are 2 ports open:

22 => SSH

80 => HTTP

And nmap says there’s a redirection to http://forge.htb so lets add it to our /etc/hosts file.

Now lets enumerate port 80

HTTP Enumeration

Just a static page but there is upload an image page lets check it. But before we check it lets run directory buster and subdomain bruteforcer in the background.

Running gobuster and found these directories but nothing useful.

But i found admin.forge.htb subdomain which seems interesting, so lets add it to /etc/hosts and check it.

It’s only allowed from localhost, lets leave it for now and move to upload an image page.

There are two options to upload a file, one by a URL and the other one is from my pc.

We can try to upload a shell but we don’t know the programming language that is being used on the web server. The second option we can try SSRF on Upload from URL, so lets try SSRF first as we know admin.forge.htb is only allowed from localhost.

First, i tried reaching my python web server and it works, now lets try to reach internal resources.

When requesting http://forge.htb or http://127.0.0.1 it says it’s a blacklisted address.

I tried http://FORGE.htb with CAPS letters and it successfully bypassed the filter.

Initial Foothold

Now lets request http://admin.FORGE.htb. We can’t view the page because it’s appearing as an image, but if we downloaded this file with curl or wget we can view its content.

Lets download the file and open it.

There is /announcements and /upload, lets download /announcements the same way we downloaded the prevous one. http://admin.FORGE.htb/announcements then download the file with wget and open it.

There is FTP credentials user:heightofsecurity123!, and it says /upload in this subdomain supports ftp and http, and to upload a file do the following /upload?u=url

The first thing i tried is SSHing with these credentials but didn’t work, then i tried to connect to FTP using the SSRF we have http://admin.FORGE.htb/upload?u=ftp://user:heightofsecurity123!@127.1 Then downloaded the file and viewed its content.

It’s the home directory of a user on the box, maybe there exists.ssh directory so we can grab his ssh private key.

I tried http://admin.FORGE.htb/upload?u=ftp://user:heightofsecurity123!@127.1/.ssh then downloaded the file and it exists and contains the private key.

Lets get the private key http://admin.FORGE.htb/upload?u=ftp://user:heightofsecurity123!@127.1/.ssh/id_rsa

Now lets SSH with the key, and we are user

Getting root

Running sudo -l we can run /usr/bin/python3 /opt/remote-manage.py as root.

Lets check remote-manage.py file.

The script opens a random port and waits for a connection, when a connection is received and the user enters the password it compares it with a hardcoded password secretadminpassword. And if it matches then the user can do one of these 3 options. There are two interesting things, the first one is the hardcoded password secretadminpassword, and the second one is the pdb module which is a python debugger that we can abuse to get a root shell.

First lets run the python script and wait for incoming connections. sudo /usr/bin/python3 /opt/remote-manage.py

Second we need to open another SSH session and connect to the port using telnet or netcat. After connecting, enter the password and then press Ctrl+c to break so the exception occurs and pdb is opened in the first SSH session.