Write Up : Forge HTB
1. Scanning Phase
· Nmap Scanning
· Gobuster Scanning
a. Result Scan
- Nmap scanning showed the server had ports 22 and 80 open (SSH and HTTP), and port 21 (FTP) filtered.
- Gobuster scanning: I first scanned forge.htb for directories but found nothing special, so I tried scanning for forge.htb subdomains instead.
2. Exploit Phase
The picture above is the interface of the website, and from there we can find an image upload feature.
I tried to upload a backdoor payload to the website, but it was unsuccessful, so I went back to the scan results and decided to go to admin.forge.htb.
I was a little desperate when I could not modify the request headers or anything else, then I remembered that the picture upload can also take a URL.
Trying to input the admin.forge.htb URL, the result says it contains sensitive information, so we cannot access it; changing the input to ADMIN.FORGE.HTB succeeds.
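The reason the upper-case hostname works is that the filter compares the raw URL string instead of the parsed, normalised host. The following is an added example (not code from the write-up or from the box) showing that weak check beside a hardened one; the function names and the blocked-host list are assumptions for illustration.

```python
"""
Added example: a string-based blocklist for an upload-by-URL feature
next to a hardened check that parses and normalises the URL first.
Names and lists here are assumptions, not the target application's code.
"""
from urllib.parse import urlsplit

# Hosts the application must never fetch on a user's behalf (assumed list).
INTERNAL_HOSTS = {"admin.forge.htb", "localhost", "127.0.0.1"}
ALLOWED_SCHEMES = {"http", "https"}


def weak_is_allowed(url: str) -> bool:
    """Case-sensitive substring blocklist on the raw string.

    A different letter case, or a non-HTTP scheme such as ftp://,
    is not caught because the string is never parsed or normalised.
    """
    for host in INTERNAL_HOSTS:
        if host in url:
            return False
    return True


def hardened_is_allowed(url: str) -> bool:
    """Parse first, then decide on normalised components.

    - Only http/https are fetched, so ftp:// and file:// are refused.
    - The host is lower-cased and compared exactly, plus any subdomain
      of a blocked name is refused as well.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or host in INTERNAL_HOSTS:
        return False
    for blocked in INTERNAL_HOSTS:
        if host.endswith("." + blocked):
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the same URL in two cases, and an ftp:// URL.
    for candidate in ("http://admin.forge.htb/", "http://ADMIN.FORGE.HTB/",
                      "ftp://ADMIN.FORGE.HTB/", "https://example.com/a.png"):
        print(f"{candidate:32} weak={weak_is_allowed(candidate)!s:5} "
              f"hardened={hardened_is_allowed(candidate)}")
```

Normalising the host closes the case trick and restricting the scheme closes the ftp:// path used later in this write-up; a complete fix would also resolve the host and refuse private or loopback addresses, since a public name can still point at an internal IP.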
The next step is accessing the URL; the response from the web is "file not found", so we curl the page to get something useful.
From curl we got one directory, announcements, and there we have the FTP server credentials.
Trying to log in to FTP with the credentials we got, unfortunately we cannot connect; another way to access it is through the web URL feature.
Curl again and we got an SSH key to log in to the system. Why SSH? Because port 22 is still open, so there is a chance to log in.
Then log in over SSH using the SSH key we gained from FTP.
We move on to privilege escalation to find a way to get root.
We can access root using that command
The script above uses the Python debugger (pdb), and the script opens a random port to make a connection, so we can use this approach:
First open a new terminal for another SSH connection, so we have two connections to the server: one to run the script and another to catch the port using netcat.
After catching the port, type whatever you want to confirm the connection.
Run bash -p: "Turned on whenever the real and effective user ids do not match. Disables processing of the $ENV file and importing of shell functions. Turning this option off causes the effective uid and gid to be set to the real uid and gid"