Forge is a retired vulnerable machine running the Linux operating system. We can obtain the user and root flags by exploiting its vulnerabilities.
We perform a network scan with nmap to identify the target machine.


Full Port Scan

The port scan detected 21/tcp ftp (filtered), 22/tcp ssh OpenSSH 8.2p1 and 80/tcp http Apache httpd.
Since there is no vulnerability in the SSH service, we continue enumeration in the browser on port 80.

We did not get any valuable information on the interface.
We ran a scan with gobuster to check for hidden files and directories.

We ran a scan with wfuzz to see if there are subdomains.

The admin subdomain was detected. Here we saw that it can only be accessed from localhost.

While navigating through the tabs, we came across the upload page.

The upload page accepts either a file or a URL. All file types can be uploaded here: we tried files such as php, jpg and png, and it accepted them.
We uploaded pentestmonkey's shell, but we did not get a reverse shell. We have to try other things here.
Here, when I checked the admin subdomain that we were prevented from accessing, I saw that it was blocklisted, and when I tried the site's own domain, we saw that it was blocklisted as well.

We changed the URL http://forge.htb to http://fOrge.htb.
We were able to log in. Here it gave us a link; when we opened it in Firefox, it did not give us any information. When we went with curl, we could not get some information.

As you can see here, the source code was returned, so we do the same for the admin subdomain.

Here the /announcements directory draws our attention. Let's try to go to this directory in the same way.

Here we found the FTP credentials.
I tried to make an FTP connection with this information, but we got an invalid request error when connecting on the FTP port.

Here let's use SSRF to redirect with the following link.
Let’s see the link it creates with curl.
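The blocklist bypass (forge.htb vs fOrge.htb) and the SSRF redirect described above both come from validating the URL string instead of the destination. The following is an added example, not the application's code: the blocklist contents, the `FAKE_DNS` table and all function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

BLOCKED = ["forge.htb", "127.0.0.1", "localhost"]  # assumed blocklist contents

def naive_check(url):
    """Weak form: case-sensitive substring match on the raw URL string."""
    return not any(bad in url for bad in BLOCKED)

# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {"forge.htb": "127.0.0.1", "admin.forge.htb": "127.0.0.1",
            "files.example.org": "93.184.216.34",
            "redirector.example.org": "93.184.216.35"}

def host_is_safe(url, resolve=FAKE_DNS.get):
    """Hardened form: decide on the resolved address, not on the URL text."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)        # literal IPv4/IPv6 address
    except ValueError:
        addr = resolve(host)                   # name: resolve it first
        if addr is None:
            return False                       # unresolvable or odd encodings
        ip = ipaddress.ip_address(addr)
    # Rejects loopback, private, link-local and reserved ranges in one test.
    # A real fetcher must then connect to this same address (DNS rebinding).
    return ip.is_global

def fetch_allowed(url, redirects, max_hops=3):
    """Validate the first URL and every redirect target before following it.
    `redirects` maps URL -> Location value (constructed stand-in for HTTP)."""
    for _ in range(max_hops + 1):
        if not host_is_safe(url):
            return False
        if url not in redirects:
            return True
        url = redirects[url]
    return False                               # too many hops
```

In a real fetcher, automatic redirect following is disabled in the HTTP client and each `Location` value is passed through the same check before the next request is made.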

Here we have accessed the part that the user accesses. Let's request the id_rsa file to see if there might be an SSH key here.

Here we found the ssh key.
Let’s connect using this ssh key

At this point we have obtained the user flag. We do not have root access yet, so we continue with local enumeration.
Let’s see what we can run with root privileges using the sudo -l command.

We see the Python file /opt/remote-manage.py.

Here it opens port 61883 on localhost.

Here we open another ssh connection to listen to the local port.

We connected using the password adminsecretpassord and saw the "welcome admin" message.
[1] View processes
[2] View free memory
[3] View listening sockets
[4] Quit
Options appear.
We can enter any of these options. Let's enter a large value that is not one of them and break the script.

In our first SSH session we were given a debugger screen.
On this screen, let's import os in Python and ask for a bash shell with root privileges.

This is how we got our root flag.
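The root step works because a script run through sudo hands its terminal to an interactive debugger when the menu input breaks it. The following added example, not the source of /opt/remote-manage.py (which the page does not show), sketches an input handler that validates the choice and logs failures instead; the function names and the `actions` mapping are hypothetical.

```python
import logging

log = logging.getLogger("remote-manage-example")   # hypothetical logger name
MENU = {1: "View processes", 2: "View free memory",
        3: "View listening sockets", 4: "Quit"}

def parse_choice(raw):
    """Return a valid menu number, or None for anything else."""
    raw = raw.strip()
    # Rejects "", "-1", "abc", non-ASCII digits and oversized values up front.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 2:
        return None
    n = int(raw)
    return n if n in MENU else None

def handle_line(raw, actions):
    """Process one client line without ever entering a debugger on failure."""
    choice = parse_choice(raw)
    if choice is None:
        return "Invalid option"
    try:
        return actions[choice]()
    except Exception:
        # Assumed vulnerable pattern: calling pdb.post_mortem() at this point
        # would give the launching terminal a Python prompt running as root.
        # Privileged code records the traceback and returns a generic error.
        log.exception("menu action %d failed", choice)
        return "Internal error"
```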

