🔎🦶Enumeration/Foothold

Horizontall is an easy box on Hack the Box by wail99 that features a hidden vhost running an exploitable Strapi instance. Once on the box we reach a vulnerable Laravel instance through an SSH port forward and exploit it for root. Before I begin each machine I kick off a full port rustscan and then pipe it into xsltproc for review. I find having it as a PDF gives a nice and clean viewing experience:


Reviewing the results I can see ports 22 and 80 open. Navigating to port 80 shows a static HTML website. I kick off a FeroxBuster scan, which comes back with nothing. Next I kick off a gobuster vhost scan to look for subdomains, and I get a hit:

Horizontall website showing using HT.


I add the new domain to my hosts file and navigate to the site. I see "Welcome." and nothing else, so I kick off a ffuf directory scan.


/admin goes to a login page, /users is forbidden, and /reviews provides some usernames:

Strapi login page on Horizontall.


Heading over to the admin section, I Google around and eventually find the Strapi repository on GitHub, which shows that the version in use can be read by browsing to /admin/StrapiVersion.
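As an added example (not code from the original post, nor from the exploit it references), here is a small Python triage script for that version check: it parses the JSON the admin version endpoint returns (the response shape and the sample body are assumptions; `/admin/init` nests the same field under `data`) and compares the reported version against the fix versions from the advisories for the two bugs that EDB 50239 chains together, as I understand them: the password reset bypass (CVE-2019-18818, fixed in 3.0.0-beta.17.5) and the plugin install command injection (CVE-2019-19609, fixed in 3.0.0-beta.17.8). The point of the comparison helper is that pre-release strings like `3.0.0-beta.17.10` do not sort correctly as plain strings, so a naive `<` on the raw value gives the wrong answer.

```python
import json
import re
from urllib.request import Request, urlopen

# Fix versions for the two bugs that EDB-50239 chains together. Assumption:
# taken from the CVE descriptions, not from the original post.
FIXED_IN = {
    "CVE-2019-18818": "3.0.0-beta.17.5",  # password reset token bypass
    "CVE-2019-19609": "3.0.0-beta.17.8",  # plugin install command injection
}

# Constructed sample body in the shape the version endpoint returns on the
# affected branch (assumed; /admin/init nests the same field under "data").
SAMPLE_RESPONSE = '{"strapiVersion": "3.0.0-beta.17.4"}'

_NUM = re.compile(r"^\d+$")


def version_key(version):
    """Map '3.0.0-beta.17.4' to a tuple that sorts like a SemVer pre-release:
    a final release sorts after every pre-release of the same number, and
    numeric pre-release fields compare as integers, not as strings."""
    version = version.strip().lstrip("v")
    release, _, pre = version.partition("-")
    rel = tuple(int(x) for x in release.split("."))
    if not pre:
        return (rel, 1, ())
    fields = tuple((1, int(f)) if _NUM.match(f) else (0, f) for f in pre.split("."))
    return (rel, 0, fields)


def parse_strapi_version(body):
    """Pull the version string out of the JSON the admin endpoint returns.
    Handles both the flat form and the /admin/init form nested under 'data'."""
    data = json.loads(body)
    if "strapiVersion" in data:
        return data["strapiVersion"]
    return data["data"]["strapiVersion"]


def affected(version):
    """CVE ids whose fix version is newer than the observed version."""
    observed = version_key(version)
    return [cve for cve, fixed in FIXED_IN.items() if observed < version_key(fixed)]


def fetch_strapi_version(base_url, timeout=5):
    """Live check against a target (not called here); base_url is the vhost,
    e.g. http://target. Hypothetical helper, does nothing but a GET."""
    req = Request(base_url.rstrip("/") + "/admin/strapiVersion",
                  headers={"User-Agent": "strapi-version-triage"})
    with urlopen(req, timeout=timeout) as resp:
        return parse_strapi_version(resp.read().decode())


if __name__ == "__main__":
    v = parse_strapi_version(SAMPLE_RESPONSE)
    print(f"strapi {v}: affected by {affected(v) or 'nothing in the list'}")
```

Running it against the constructed sample reports both CVEs for 3.0.0-beta.17.4; point `fetch_strapi_version()` at the vhost to do the same against a live instance.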

A short Google later I find ExploitDB – 50239. I pull it to my box and run it:

⚠ Attack Machine (Tab 1)


After receiving the prompt, and noting the exploit's warning that the RCE is blind, I use a reverse shell one-liner and an nc listener to get an interactive shell on the box:

⚠ Attack Machine (Tab 2)


Once on the box I upgrade my shell.


🔝Escalation

I create a working directory in /tmp and wget LinPEAS onto the box. Running it shows two things that stand out:

I can see an additional port (8000) listening on the box, as well as our user's home directory sitting under /opt. I create an .ssh directory and an authorized_keys file there. On my attack machine I run ssh-keygen and copy the contents of strapi.pub into the authorized_keys file.

⚠ Attack Machine


🎯Victim Machine


Once I have my authorized_keys set up, I use SSH to forward port 8000 to my attack machine. Navigating to it in the browser I can see an outdated Laravel running. I find an RCE on GitHub – CVE-2021-3129_exploit and run it with another reverse shell one-liner to get a shell as root.

Laravel page shows its vulnerable.


As the session seemed to break shortly after, I pulled the flag for points. Later I took the public key from above and copied it into root's authorized_keys file. I then logged in as root over SSH and grabbed both flags:


Rooted

Published On: February 6th, 2022 / Categories: HTB, Technology