Forge from Hack the Box is a Medium level box by NoobHacker9999. It features an exploitable image gallery which is susceptible to a directory traversal attack and an admin vhost. We use this combination to pull restricted information from the admin sub-domain using the upload function, giving us FTP credentials. We use these FTP credentials alongside the admin FTP upload functionality to pull the id_rsa from the local user. Once on the box we find a python script with sudo -l that, once crashed, launches the Python Debugger (Pdb) with elevated permissions. We use this to elevate bash to root.
Before I begin each machine I kick off a full port rustscan into the nmap defaults that ippsec uses on his channel:
Reviewing the results I can see ports 22/80 open. I navigate over to port 80, which redirects to forge.htb. I add it to my hosts file and continue my enumeration.
Navigating to the page I see an image Gallery with the ability to upload an image.
Gallery on forge.htb with upload an image functionality.
Underneath the Upload an image area I can see two options: Upload local file and Upload from a url. I try to do a bunch of upload techniques (some of which can be found on PayloadsAlltheThings – Upload Insecure Files) with no success.
Upload from url and Upload local file functionality.
Next I kicked off a directory and sub-domain scan with
The directory scan comes back with nothing interesting but gobuster gets a hit. I edit my hosts file and navigate over to admin.forge.htb. I receive the following error message: “Only localhost is allowed!”
This reminded me of another box I did in the past, Love, in which you used a Free File Scanner to navigate to a local website. I launched Burp Suite.
I went back to the Upload a local file from earlier and intercepted the request. I put in http://127.0.0.1/admin to test:
I tried multiple variations and found you could bypass the filter by putting the address fully in CAPS.
Successfully creating a string to the Admin portal.
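The filter behaviour described above is what a case-sensitive substring blocklist gives you. As an added example that is not code from the box or from the original post, here is a constructed weak filter of that shape next to a hardened check that normalises the URL and judges the resolved destination address instead of the raw string (blocklist entries and sample URLs are constructed):

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed blocklist: the kind of raw-string check an uppercase URL slips past.
BLOCKED_SUBSTRINGS = ("localhost", "127.0.0.1", "admin.forge.htb")


def weak_is_blocked(url: str) -> bool:
    """Case-sensitive substring match on the raw URL (the weak pattern)."""
    return any(bad in url for bad in BLOCKED_SUBSTRINGS)


def _is_internal(ip) -> bool:
    """True for any address a server-side fetch should never be allowed to reach."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def hardened_is_blocked(url: str) -> bool:
    """Normalise scheme/host, then decide on the destination address.

    Note: resolving here and fetching later leaves a DNS-rebinding window, and an
    address check alone does not stop requests to a vhost served on the box's own
    public IP; an allowlist of permitted hosts is the stronger control.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return True  # only plain web fetches are expected
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        return True
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no lookup needed
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return True  # unresolvable: fail closed
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return any(_is_internal(a) for a in addrs)
```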
Navigating over the page I can see an error:
This is due to the image upload taking the URL and converting it into an image. I go to the URL via curl instead. I can see an Admin Portal home page with an announcements area and an upload image area. I change my request in Burp to add
After receiving the FTP creds I change my request in Burp to see the
I can see that the user.txt is in this directory. In the majority of HTB boxes the user flag is normally found in a user's home directory. I check to see if .ssh is present. After confirming it is, I grab the id_rsa and copy it to my box.
After getting the id_rsa on my local machine I change the permissions and log into the box:
Once on the box I run sudo -l to see if I can run anything with elevated rights. I can see that I can run remote-manage.py. Running the script reports that it is ‘listening on Port 15747’:
I launch a secondary SSH session and log into the box. I use nc to connect to the listener:
🎯Victim Machine (SSH Session 1)
🎯Victim Machine (SSH Session 2)
Reviewing the remote-manage script.
After running a few commands it breaks the script. Reviewing the script I can see that it is similar to BountyHunter and the train ticket python script. I can also see that when the script crashes it launches the Python Debugger. Because we are running this script with sudo, the Python Debugger it drops into inherits the same elevated privileges. We can use this elevated prompt to get root:
🎯Victim Machine (within Python Debugger)
Escalating to root on forge.htb.