3

Forge: Hack The Box Walkthrough

 7 months ago
source link: https://hackso.me/forge-htb-walkthrough/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

This post documents the complete walkthrough of Forge, a retired vulnerable VM created by NoobHacker9999, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post

Background

Forge is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.11.111 --rate=2000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-09-14 02:39:05 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.11.111
Discovered open port 22/tcp on 10.10.11.111

This is a shit-show. Let’s do one better with nmap scanning the discovered ports to establish their services.

nmap -n -v -Pn -p22,80 -A --reason 10.10.11.111 -oN nmap.txt
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb

I’d better map forge.htb to 10.10.11.111 in /etc/hosts. This is what the site looks like.

Directory/File Enumeration

Let’s see what wfuzz and SecLists give.

wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 20 --hc 404 http://forge.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://forge.htb/FUZZ
Total requests: 38267

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000141:   200        32 L     58 W       929 Ch      "upload"
000000112:   301        3 L      24 W       224 Ch      "uploads"
000000265:   301        9 L      28 W       307 Ch      "static"
000000391:   200        71 L     92 W       2050 Ch     "."
000004191:   403        9 L      28 W       274 Ch      "server-status"

Total time: 0
Processed Requests: 38267
Filtered Requests: 38262
Requests/sec.: 0

Subdomain Enumeration

Nothing much. Maybe we’ll have better luck with subdomains enumeration.

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 20 --hc 302 -H "Host: FUZZ.forge.htb" http://10.10.11.111
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.11.111/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000024:   200        1 L      4 W        27 Ch       "admin"

Total time: 0
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 0

I’d better include admin.forge.htb into /etc/hosts as well. This is what I see when I browse to http://admin.forge.htb.

Let’s keep this in view while we investigate forge.htb.

Upload

There’s a link in forge.htb for us to upload an image.

Turns out that “Upload from url” uses Python Requests to retrieve or download from the URL. Check this out.

Let’s see if we can retrieve admin.forge.htb using this.

OK. We need the protocol.

OK. What about http://Admin.Forge.Htb?

It works!

Using this method, let’s retrieve the HTML source of /announcements and /upload.

/announcements
<!DOCTYPE html>
<html>
<head>
    <title>Announcements</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
    <header>
            <nav>
                <h1 class=""><a href="/">Portal home</a></h1>
                <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 class="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <br><br><br>
    <ul>
        <li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=<url>.</li>
    </ul>
</body>
</html>

And /upload.

/upload
<!DOCTYPE html>
<html>
<head>
    <title>Upload an image</title>
</head>
<body onload="show_upload_local_file()">
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/upload.css">
    <script type="text/javascript" src="/static/js/main.js"></script>
    <header>
            <nav>
                <h1 class=""><a href="/">Portal home</a></h1>
                <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 class="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <center>
        <br><br>
        <div id="content">
            <h2 onclick="show_upload_local_file()">
                Upload local file
            </h2>
            <h2 onclick="show_upload_remote_file()">
                Upload from url
            </h2>
            <div id="form-div">

            </div>
        </div>
    </center>
    <br>
    <br>
</body>
</html>

Upload, Improved

We are told from the announcement that that an internal FTP server is set up and credentials (user:heightofsecurity123!) are provided. We are also told that /upload now supports the FTP protocol and u parameter for scripting.

Armed with the credentials, we can supply the following URL to the “Upload from url” link:

http://Admin.Forge.Htb/upload?u=ftp://user:[email protected]/

0 refers to localhost in Linux.

Foothold

That looks like the home directory of user! Maybe we can read user’s SSH private key?

Awesome. Now we can log in to user’s account.

We already know that user.txt is in user’s home directory.

Privilege Escalation

During enumeration of user’s account, I notice user is able to sudo the following.

Let’s check out what’s in /opt/remote-manage.py.

remote_manage.py will be listening at a random port and if an exception is encountered, Python Debugger will be activated. Python Debugger offers REPL type of interface to the Python interpreter. We can escape to shell with it and because remote_manage.py is executed as root through sudo, we have a root shell.

Getting root.txt with a root shell is a breeze.

:dancer:


About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK