Horizontall is an easy box on Hack The Box by wail99 that features a hidden vhost with an exploitable Strapi instance. Once on the box we exploit a vulnerable Laravel install that is reached through an SSH port forward. Before I begin each machine I kick off a full-port rustscan and then pipe the results into xsltproc for review. I find that having a PDF file gives a nice and clean viewing experience:
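The scan review step above works on nmap's XML output (rustscan hands its open ports to nmap, and xsltproc renders the `-oX` XML into HTML/PDF). As an added example that is not part of the original write-up, the following Python script pulls the same information straight out of the XML so the open ports and service banners can be reviewed, diffed or fed into a ticket without a browser. The XML document embedded below is constructed for this example; the host address and port states in it are made up.

```python
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample of nmap XML output (what rustscan/nmap -oX produces).
# The address, ports and banners below are invented for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - -p22,80,8000 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="8000">
        <state state="closed" reason="reset"/>
        <service name="http-alt"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# (address, port, protocol, service name, product/version banner)
OpenPort = Tuple[str, int, str, str, str]


def open_ports(xml_text: str) -> List[OpenPort]:
    """Return every open port on every host that nmap reports as up."""
    root = ET.fromstring(xml_text)
    found: List[OpenPort] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Prefer the IPv4 address; fall back to whatever address is listed.
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not worth listing here
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            banner = " ".join(p for p in parts if p)
            found.append((addr, int(port.get("portid", "0")), port.get("protocol", ""), name, banner))
    # Stable order: by host, then protocol, then port number
    return sorted(found, key=lambda r: (r[0], r[2], r[1]))


def report(xml_text: str) -> str:
    """Render the open-port list as plain text, one line per port."""
    lines = [f"{addr}\t{port}/{proto}\t{name}\t{banner}".rstrip()
             for addr, port, proto, name, banner in open_ports(xml_text)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python nmap_review.py scan.xml   (falls back to the sample above)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    print(report(text))
```

Running it against the embedded sample prints only 22/tcp and 80/tcp; the closed 8000/tcp entry is dropped, which mirrors the two open ports the write-up goes on to investigate.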
Reviewing the results I can see ports 22 and 80 open. Navigating to port 80 shows an HTML-based website. I kick off a feroxbuster scan, which comes back with nothing. Next I kick off a gobuster vhost scan to look for subdomains. I get a hit:
[Screenshot: Horizontall website showing using HT.]
I add the new domain to my hosts file and navigate to the site. I see "Welcome." and nothing else. I kick off a
Admin goes to a login page, users is forbidden, and reviews provides some usernames:
[Screenshot: Strapi login page on Horizontall.]
Heading over to the Admin section, I Google around and eventually find GitHub – Strapi, which shows the version being used by going to
A short Google later I find ExploitDB – 50239. I pull it to my box and run the command:
After receiving the prompt and the note that the RCE is blind, I use a reverse shell one-liner and an nc listener to get an interactive shell on the box:
Once on the box I upgrade my shell. I create a working directory in
wget LinPEAS onto the box. Running it shows two things that stand out:

I can see an additional port open (8000) on the box, as well as our working directory being under /opt. I create an .ssh directory and an authorized_keys file. I run ssh-keygen on my attack machine and copy the strapi.pub to the
Once I have my authorized_keys set up, I port forward port 8000 to my attack machine. Navigating to it in the browser I can see an outdated Laravel install running. I find an RCE on GitHub – CVE-2021-3129_exploit and run it with another one-liner reverse shell for root.
[Screenshot: Laravel page shows it is vulnerable.]
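CVE-2021-3129 is only reachable when the Laravel application runs with debug mode on (APP_DEBUG=true) and ships a facade/ignition release older than 2.5.2, the version that fixed it. As an added example that is not part of the original write-up, here is a small Python check that reads those two facts from an application's `.env` and `composer.lock` and reports whether the combination is present, which is the check a defender would run on a Laravel host before exposing it, even on a loopback port like 8000. The `.env` and `composer.lock` contents embedded below are constructed for the example; the version numbers in them are made up and a real run would point the script at the application root.

```python
import json
import os
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# facade/ignition 2.5.2 is the release that fixed CVE-2021-3129.
FIXED_IGNITION: Version = (2, 5, 2)

# Constructed sample .env and composer.lock; values are invented for this example.
SAMPLE_ENV = """APP_NAME=Laravel
APP_ENV=local
APP_DEBUG=true
APP_URL=http://localhost:8000
"""

SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v8.4.0"},
        {"name": "facade/ignition", "version": "2.5.1"},
    ],
    "packages-dev": [],
})


def parse_env(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for a Laravel .env file (comments and quotes handled)."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip('"').strip("'")
    return values


def debug_enabled(env: Dict[str, str]) -> bool:
    """Laravel treats these spellings of APP_DEBUG as true."""
    return env.get("APP_DEBUG", "false").lower() in ("true", "1", "yes", "on")


def parse_version(text: str) -> Optional[Version]:
    """Turn 'v2.5.1' / '2.5.1' into a comparable tuple; None if unparseable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def package_version(lock_text: str, name: str) -> Optional[Version]:
    """Look a package up in composer.lock (both prod and dev sections)."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == name:
                return parse_version(pkg.get("version", ""))
    return None


def assess(env_text: str, lock_text: str) -> Dict[str, object]:
    """Combine the two signals: debug on AND ignition < 2.5.2 means exposed."""
    env = parse_env(env_text)
    debug = debug_enabled(env)
    ignition = package_version(lock_text, "facade/ignition")
    old_ignition = ignition is not None and ignition < FIXED_IGNITION
    return {
        "debug": debug,
        "ignition": ignition,
        "vulnerable_version": old_ignition,
        "exposed": debug and old_ignition,
    }


if __name__ == "__main__":
    # Usage: python laravel_debug_check.py /path/to/app   (falls back to the samples)
    if len(sys.argv) > 1:
        root = sys.argv[1]
        env_text = open(os.path.join(root, ".env"), encoding="utf-8").read()
        lock_text = open(os.path.join(root, "composer.lock"), encoding="utf-8").read()
    else:
        env_text, lock_text = SAMPLE_ENV, SAMPLE_COMPOSER_LOCK
    result = assess(env_text, lock_text)
    print(result)
    print("FIX: set APP_DEBUG=false and update facade/ignition to >= 2.5.2"
          if result["exposed"] else "OK")
```

Either remediation alone closes the hole: turning APP_DEBUG off removes the debug endpoint, and upgrading Ignition removes the file-write primitive. The script flags the host only when both conditions hold, so a patched install that still runs with debug on is reported as not exposed to this CVE while still showing `debug: True` for follow-up.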
As the session seemed to break shortly after, I pulled the flag for points. Later I used the public key from above and copied it into the authorized_keys file under root. I then logged in as root and grabbed both flags: