Bayu_Ajie knowledge is free you can learn anything

Write Up : Forge HTB

Write Up : Forge HTB

By bocahganteng


1. Scanning Phase

· Nmap Scanning


· Gobuster Scanning



a. Result Scan

- Nmap scanning the server was open port for 22,80 whiches is SSH and HTTP port, and filetering port 21 FTP port


- Gobuster scanning, actually im have been scanning for forge.htb directory but idont have some thing special,so I tried for scanning forge.htb sub domain.


2. Exploit Phase

Picture above is an infterface from website,and from there we can find uploading image. 

I have been tried to upload backdooring payload for the website but,it is unsuccess fully,so im back to the scanning result, and Im decide to go to admin.forge.htb

Nah,little desperate when cannot modifying header request or some think else, so I was remember the upload picture can be use url.



Trying to input admin.forge.htb url but,the result is contain a sensivte information, so we can accessing, and change the input use ADMIN.FORGE.HTB  and it success.


Next step accessing the url,respon from the web is file not found so we can curl the page to get something special


From curl we got one directory is announcements,and there wehave ftp server credential



Trying login ftp use credential we got at ftp ,but unfortunately we cant connected, another ways to access is use web url ,


Curl again and we got ssh id to log in at systems.why ssh ? cause port 22 stil open and there have chance to login.

And the login from ssh port using ssh id where we gain from ftp

User.txt done

We go to previledge escalation to finding ways sign as root

We can access root using that command

Script above using debugging (PDB Python) ,and script will open random port to made connection, and we can use this way


First open new terminal for ssh connection, so we have 2 connection to server, one to running script and another to cathing the port using netcat.

After catch the port, type free what u want to confirm the connection

Runnging bash -p “Turned on whenever the real and effective user ids do not match.Disables processing of the $ENV file and importing of shell functions. Turning this option off causes the effective uid and gid to be set to the real uid and gid”



Root.txt pawn








Bayu_Ajie  knowledge is free you can learn anything