Read my Writeup to Forge machine on
User: By using Upload an Image page we can use SSRF attack from the URL http://admin.Forge.htb, From this URL we found an HTML which contains credentials to
FTP and another
/upload page which support also
ftp, Using http://admin.Forge.htb/upload?u=ftp://user:heightofsecurity123!@admin.Forge.htb:21/.ssh/id_rsa URL we get the
user private key.
Root: By running
sudo -l we found that we can run
/opt/remote-manage.py as root, By reading the script we can see that we can triggr the python script to run pdb, Using
pdb we can use
exec to run python commands aas root, using
exec("import os; os.system('cat /root.ssh/id_rsa')") we get the
root private key.