As always, we start with nmap to discover open ports.

```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 19:51 EET
Nmap scan report for 10.10.11.111 (10.10.11.111)
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Two ports are open:

- 22 => SSH (OpenSSH 8.2p1)
- 80 => HTTP (Apache 2.4.41)

Port 21 (FTP) shows as filtered, which is worth remembering for later. Nmap also says the web server redirects to http://forge.htb, so let's add `10.10.11.111 forge.htb` to our /etc/hosts file.
Now let's enumerate port 80.
![[Pasted image 20210925150009.png]] It is just a static page, but there is an "upload an image" page; let's check it. Before we do, start a directory brute-forcer and a subdomain brute-forcer in the background.
Gobuster found these directories, but nothing useful. ![[Pasted image 20210925153801.png]]
The subdomain brute-force, however, found admin.forge.htb, which looks interesting, so let's add it to /etc/hosts (same IP) and check it. ![[Pasted image 20210925154408.png]]
The admin subdomain only accepts requests from localhost. Let's leave it for now and move on to the "upload an image" page. ![[Pasted image 20210925154533.png]]
There are two ways to upload a file: by URL, or from my PC. ![[Pasted image 20210925150345.png]]
We could try to upload a shell, but we don't know which language the web server runs. The other option is to try SSRF through "Upload from URL", which is the more promising path, since we already know admin.forge.htb is only reachable from localhost.
First, I pointed it at my own Python web server and the request arrived, so the server fetches arbitrary URLs. Now let's try to reach internal resources. ![[Pasted image 20210925151339.png]]
Requesting http://forge.htb or http://127.0.0.1 returns an error saying the address is blacklisted. ![[Pasted image 20210925151702.png]]
I tried http://FORGE.htb with capital letters and it bypassed the filter. ![[Pasted image 20210925155510.png]] The blacklist is evidently a case-sensitive string comparison, while DNS hostnames are case-insensitive: FORGE.htb never matches the blocked string forge.htb, yet it resolves to exactly the same host.
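To make the bypass concrete, here is an added example (my own code, not the box's filter, whose source we never see) contrasting a naive case-sensitive substring blacklist with a check that parses the URL first. The blocked hostnames and the allowed schemes are assumptions for the example; the point is that `urlsplit().hostname` is normalised to lower case and stripped of credentials and ports, so `http://FORGE.htb`, `http://user:pw@127.0.0.1:8080/` and `ftp://...` are all caught by the hardened version.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed for this example: hosts the image fetcher must never reach, and
# the only schemes it should be allowed to use.
BLOCKED_HOSTS = {"forge.htb", "admin.forge.htb", "localhost"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_blacklisted(url: str) -> bool:
    """Case-sensitive substring match on the raw URL string, the behaviour the
    writeup observed: 'forge.htb' is blocked, 'FORGE.htb' slips through."""
    return any(bad in url for bad in ("forge.htb", "127.0.0.1", "localhost"))


def hardened_blocked(url: str) -> bool:
    """Parse the URL, then decide on the normalised scheme and hostname."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return True                         # ftp://, file://, gopher:// ... are never fetched
    host = parts.hostname                   # lower-cased; userinfo and port already stripped
    if not host:
        return True
    if host in BLOCKED_HOSTS or host.endswith(".forge.htb"):
        return True                         # case-insensitive because hostname is lower-cased
    try:
        addr = ipaddress.ip_address(host)   # literal IPv4/IPv6 (urlsplit drops the [] of IPv6)
    except ValueError:
        # A plain hostname not on the list. A complete fetcher would resolve it
        # and re-run the address checks below on every resolved IP before connecting.
        return False
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified)


if __name__ == "__main__":
    for u in ("http://forge.htb/", "http://FORGE.htb/", "http://admin.FORGE.htb/announcements",
              "ftp://user:pass@127.0.0.1/", "http://[::1]/", "http://example.com/a.png"):
        print(f"{u:45} naive={naive_blacklisted(u)!s:5} hardened={hardened_blocked(u)}")
```

Blocking on the parsed hostname still leaves the resolve-then-connect step to cover (a blocked host can hide behind a public DNS name), which is why the comment in `hardened_blocked` insists on checking the resolved addresses as well.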
Now let's request http://admin.FORGE.htb. We can't view the page in the browser because the fetched content is served back as an image, but if we download the file with curl or wget we can read its content. ![[Pasted image 20210925155627.png]]
Let's download the file and open it. ![[Pasted image 20210925155831.png]]
It lists /announcements and /upload. Let's fetch /announcements the same way as the previous one: request http://admin.FORGE.htb/announcements, then download the file with wget and open it. ![[Pasted image 20210925164412.png]] It contains FTP credentials, user:heightofsecurity123!, and says that /upload on this subdomain supports ftp and http, with the target passed as /upload?u=<url>.
The first thing I tried was SSHing with these credentials, which didn't work. Then I used the SSRF to reach the FTP server through the admin upload endpoint, embedding the credentials in the URL: http://admin.FORGE.htb/upload?u=ftp://user:heightofsecurity123!@<ftp-host>/ (where <ftp-host> is the FTP server's address as seen from the box itself; port 21 was filtered from outside). Then I downloaded the resulting file and viewed its content. ![[Pasted image 20210925171925.png]] It's the home directory of a user on the box; maybe there is a .ssh directory, so we can grab the SSH private key.
I tried http://admin.FORGE.htb/upload?u=ftp://user:heightofsecurity123!@<ftp-host>/.ssh, downloaded the file, and the directory exists and contains a private key. ![[Pasted image 20210925172829.png]]
Let's get the private key: http://admin.FORGE.htb/upload?u=ftp://user:heightofsecurity123!@<ftp-host>/.ssh/id_rsa ![[Pasted image 20210925173125.png]]
Now let's SSH in with the key, and we are `user`. ![[Pasted image 20210925173434.png]]
Running sudo -l shows we can run /usr/bin/python3 /opt/remote-manage.py as root. ![[Pasted image 20210925173932.png]]
Let's check the remote-manage.py file. ![[Pasted image 20210925174007.png]] The script opens a random port and waits for a connection. When a client connects and enters a password, the script compares it with the hardcoded string secretadminpassword; if it matches, the client can pick one of three options. Two things are interesting: the hardcoded password itself, and the pdb module, the Python debugger, which the script drops into when an exception occurs. Because the script runs as root under sudo, an interactive pdb prompt is an interactive Python prompt as root, which we can abuse to get a root shell.
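The following is an added example, my own model of the pattern just described and not the contents of /opt/remote-manage.py (which appears on this page only as a screenshot). `recv` and `send` stand in for the client socket so the behaviour can be exercised offline; the `scripted_client` helper, the `hardened_session` function and the menu text are assumptions for the example. It shows why a client that hangs up (the effect of Ctrl+C in the netcat session) lands the root process in pdb, and what the handler should do instead.

```python
import hmc if False else None  # placeholder removed below
```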
First, run the Python script as root via sudo and leave it waiting for incoming connections:

```bash
sudo /usr/bin/python3 /opt/remote-manage.py
```

Second, open another SSH session and connect to the random port the script opened using telnet or netcat. After connecting, enter the password and then press Ctrl+C to kill the client; dropping the connection makes the script raise an exception, and its handler opens pdb in the first SSH session. ![[Pasted image 20210925182729.png]]

Now type the following at the pdb prompt to spawn a shell from the root process:

```python
import os
os.system('/bin/bash')
```
This is the pdb technique from GTFOBins: https://gtfobins.github.io/gtfobins/pdb/
![[Pasted image 20210925183309.png]] And we are root!