Forge is a retired vulnerable machine running Linux. We obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services on the target machine.
Full Port Scan
The port scan shows three ports: 21/tcp ftp (filtered), 22/tcp ssh (OpenSSH 8.2p1) and 80/tcp http (Apache httpd).
Since the ssh service has no known vulnerability, we continue enumeration in the browser on port 80.
We did not find any valuable information on the web interface.
We ran a scan with gobuster to check for hidden files and directories.
We ran a scan with wfuzz to look for subdomains.
An admin subdomain was detected, but it can only be accessed from localhost.
While navigating through the tabs, we came across the upload page.
The upload page accepts both a local file and a URL. It accepts any file type: we tried php, jpg and png files and all were accepted.
We uploaded pentest monkey’s PHP reverse shell but did not get a reverse shell, so we have to try something else.
Checking whether the URL upload could reach the admin subdomain we were prevented from accessing, we saw that it was blocklisted; the site’s own domain was blocklisted as well.
We changed the URL http://forge.htb to http://fOrge.htb.
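To show why the case change gets past the blocklist and how such a check should be written, here is an added illustration (not code from the Forge machine or from this writeup): a naive substring blocklist beside a hardened check that parses the URL, normalises the hostname and refuses loopback and private destinations. The blocklist contents and the resolver are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hosts the upload-by-URL feature must never fetch. Constructed for this
# example; the real blocklist on the machine is not reproduced here.
BLOCKED_HOSTS = {"forge.htb", "admin.forge.htb", "localhost", "127.0.0.1"}


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive substring match: 'http://fOrge.htb/' is not blocked."""
    return any(host in url for host in BLOCKED_HOSTS)


def resolve_all(host: str) -> list:
    """Resolve a hostname to every address it maps to (real DNS lookup)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def hardened_is_blocked(url: str, resolver=resolve_all) -> bool:
    """Parse the URL, normalise the host, then deny internal destinations."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return True                      # file://, gopher://, ftp:// etc.
    # urlparse already lowercases .hostname; lower() keeps the intent explicit
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return True
    if host in BLOCKED_HOSTS or host.endswith(".forge.htb"):
        return True                      # covers case and subdomain variants
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError):
        return True                      # unresolvable: fail closed
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return True                  # unparseable address: fail closed
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved:
            return True                  # 127.0.0.1, 10/8, 169.254/16, ...
    return False
```

Resolving the host and checking the resulting addresses is what stops alternative spellings or DNS entries from reaching a localhost-only service such as the admin subdomain.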
The upload went through. It returned a link; opening it in Firefox gave us no information, but with curl we were able to get some information back.
Having retrieved the source this way, we do the same for the admin subdomain.
The /announcements directory draws our attention; let’s fetch this directory the same way.
Here we find the ftp credentials.
We tried to connect to ftp with these credentials, but got an invalid request error when connecting on the ftp port.
Instead, let’s use the SSRF to redirect the request with the following link.
Let’s fetch the link it creates with curl.
This gives us access to the user’s directory; let’s request the id_rsa file to see whether there is an ssh key here.
Here we found the ssh key.
Let’s connect using this ssh key.
We now have the user flag but not root access, so we proceed with local enumeration.
Let’s see what we can run with root privileges using the sudo -l command.
We see the Python script /opt/remote-manage.py.
This script opens port 61883 on localhost.
We open a second ssh connection to connect to the local port.
We connected using the password adminsecretpassord and saw the welcome admin message.
View processes
View free memory
View listening sockets
These are the options we can choose. Instead, let’s enter a large value outside this range to break the script.
In our first ssh session we are dropped into a debugger prompt.
At this prompt, let’s import os in Python and spawn a bash shell with root privileges.
This is how we got our root flag.