🔔Introduction

Forge from Hack the Box is a Medium level box by NoobHacker9999. It features an exploitable image gallery which is susceptible to a directory traversal attack, plus an admin vhost. We use this combination to pull restricted information from the admin sub-domain through the upload function, which gives us FTP credentials. We then use these FTP credentials alongside the admin FTP upload functionality to pull the id_rsa of the local user.

Once on the box, sudo -l reveals a Python script which, once crashed, launches the Python Debugger (Pdb) with elevated permissions. We use this to elevate to a root bash shell.

🔎🦶Enumeration/Foothold

Before I begin each machine I kick off a full port rustscan into the nmap defaults that ippsec uses on his channel:

Reviewing the results I can see ports 22/80 open. I navigate over to port 80, which redirects to forge.htb. I add it to my hosts file and continue my enumeration.

Navigating to the page I see an image gallery with the ability to upload an image.

Gallery on forge.htb with upload an image functionality.

Underneath the Upload an image area I can see two options: Upload local file and Upload from a url. I try a bunch of upload techniques (some of which can be found on PayloadsAllTheThings – Upload Insecure Files) with no success.

Upload from url and Upload local file functionality.

Next I kick off a directory and sub-domain scan with ffuf and gobuster.

The directory scan comes back with nothing interesting, but gobuster gets a hit. I edit my hosts file and navigate over to admin.forge.htb, where I receive the following error message: “Only localhost is allowed!”

This reminded me of another box I did in the past, Love, in which you used a Free File Scanner to navigate to a local website. I launched Burp Suite.

I went back to the Upload a local file option from earlier and intercepted the request, putting in http://127.0.0.1/admin to test:

I received back:

I tried multiple variations and found you could bypass the filter by putting the address fully in CAPS.

Successfully creating a string to the Admin portal.
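The CAPS bypass above works because the filter compares the raw URL string against lower-case denylist entries. As an added example (not the box's code or the author's), here is a constructed substring check that the uppercase trick defeats, beside a hardened validator that parses the URL, normalises the host and refuses loopback, private and internal addresses; the denylist strings, internal hostnames and function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed denylist in the style the write-up describes: a plain substring
# match against lower-case strings (assumption; not the box's real filter).
DENIED_SUBSTRINGS = ("localhost", "127.0.0.1", "admin.forge.htb")


def naive_is_blocked(url: str) -> bool:
    """Substring denylist with no normalisation: changing case defeats it."""
    return any(bad in url for bad in DENIED_SUBSTRINGS)


# Hardened version: parse the URL, lower-case the host, pin the scheme, and
# refuse anything that is a loopback, private or otherwise non-public address.
INTERNAL_HOSTNAMES = {"localhost", "admin.forge.htb"}  # assumed internal names


def hardened_is_allowed(url: str) -> bool:
    """Return True only for http(s) URLs whose host is public and not internal."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL (e.g. unbalanced IPv6 brackets)
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # urlsplit().hostname is already lower-cased and stripped of [] brackets,
    # so "ADMIN.FORGE.HTB" and "admin.forge.htb" compare equal here.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    if host in INTERNAL_HOSTNAMES or host.endswith(".localhost"):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: the fetcher must also resolve it and re-check the
        # resolved address, otherwise a name pointing at 127.0.0.1 slips
        # through (DNS rebinding). Decimal/hex IP spellings land here too.
        return True
    # Rejects loopback, private, link-local (cloud metadata) and unspecified.
    return addr.is_global
```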

Navigating to the page I can see an error:

This is due to the image upload taking the URL and converting it into an image. I go to the URL via curl and can see an Admin Portal home page with an announcements area and an upload image area. I change my request in Burp to add /announcements.

After receiving the FTP creds I change my request in Burp to see the FTP directory:

🔝Escalation

I can see that user.txt is in this directory. In the majority of HTB boxes the user flag is found in a user's home directory, so I check whether .ssh is present. After confirming that it is, I grab the id_rsa to my box.

After getting the id_rsa on my local machine I change the permissions and log into the box:

Once on the box I run sudo -l to see if I can run anything with elevated rights. I can see that I can run remote-manage.py. Running the script starts a listener (‘listening on Port 15747’):

I launch a secondary SSH session and log into the box, then use nc to connect to the listener:

🎯Victim Machine (SSH Session 1)

🎯Victim Machine (SSH Session 2)

Reviewing the remote-manage script.

After running a few commands it breaks the script. Reviewing the script, I can see that it is similar to BountyHunter and the train ticket Python script. I can also see that when the script crashes it launches the Python Debugger. As we are running this script with sudo, the Python Debugger launches with the same elevated privileges. We can use this elevated prompt to get root:

🎯Victim Machine (within Python Debugger)

Escalating to root on forge.htb.

Rooted

Published On: January 22nd, 2022 / Categories: HTB, Technology