Horizontall
https://app.hackthebox.com/machines/Horizontall
Add horizontall.htb to /etc/hosts.
Starting out we see a custom webpage running on Nginx. After running through directory enumeration we are unable to pull any interesting results.
Checking the network requests manually we do see some .js files being loaded.
Browsing manually to one of these requests we see a large amount of code within the application script.
Using CyberChef (https://gchq.github.io/CyberChef/) we are able to extract any information which may be of interest to us from the script; in this case a sub-domain URL.
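The same extraction can be scripted from the defender's side and run over the built front-end bundle before it ships, so that any internal or pre-production hostname baked into it is caught before a visitor finds it. This is an added example, not part of the original walkthrough and not CyberChef; the JavaScript sample is constructed, and the cdn.example-static.net host and the allow-list of expected hosts are assumptions made for the demonstration.

```python
import re

# Constructed sample of a minified front-end bundle (not the bundle from the
# actual target). It carries the kind of hard-coded API base URL that the
# walkthrough pulled out of the application script with CyberChef.
SAMPLE_JS = (
    'var e={baseURL:"http://api-prod.horizontall.htb/reviews",'
    'cdn:"https://cdn.example-static.net/app.min.js",'
    'ws:"wss://api-prod.horizontall.htb:1337/socket"};'
    'fetch("/assets/logo.png");var t="jquery.min.js";'
)

# Scheme-prefixed URLs: capture only the host part.
URL_RE = re.compile(r"""(?:https?|wss?)://([A-Za-z0-9.-]+)(?::\d+)?(?:/[^\s"'`)]*)?""")
# Quoted bare strings that look like an FQDN: at least two dotted labels.
HOST_RE = re.compile(r"""["']([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)["']""")
# A final label in this set means "filename", not "hostname".
FILE_SUFFIXES = {"js", "css", "map", "png", "jpg", "svg", "json", "html", "woff", "ico"}


def extract_hosts(js_text):
    """Return every hostname referenced by a URL or by a quoted FQDN-like string."""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(js_text)}
    for m in HOST_RE.finditer(js_text):
        candidate = m.group(1).lower()
        last_label = candidate.rsplit(".", 1)[-1]
        if last_label.isalpha() and last_label not in FILE_SUFFIXES:
            hosts.add(candidate)
    return hosts


def leaked_hosts(js_text, expected_hosts):
    """Hosts in the bundle that are not on the allow-list of hosts a visitor
    is meant to see. Anything returned here is disclosed to every client
    that downloads the script, which is exactly how the api-prod sub-domain
    was discovered in the walkthrough."""
    return {h for h in extract_hosts(js_text) if h not in expected_hosts}


if __name__ == "__main__":
    # Assumed allow-list: the public site and its CDN are expected, nothing else.
    allowed = {"horizontall.htb", "www.horizontall.htb", "cdn.example-static.net"}
    for host in sorted(leaked_hosts(SAMPLE_JS, allowed)):
        print("unexpected host in bundle:", host)
```

Run it as a pre-deploy check over the compiled assets; the allow-list is the set of hostnames the front end is supposed to talk to, and anything else is either a leftover from development or an internal API that should be sitting behind authentication rather than advertised in client-side code.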
Add api-prod.horizontall.htb to /etc/hosts.
After adding api-prod.horizontall.htb to our hosts file we are then able to browse to the root page as shown below.
Feroxbuster reveals an /Admin directory which redirects to a Strapi login page.
Using searchsploit we are able to determine that an unauthenticated RCE exists for version 3.0.0-beta.17.4.
We then check the current version of Strapi with curl to determine whether we are working with a vulnerable version.
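The version check is worth turning into a small triage routine, because Strapi's beta numbering ("3.0.0-beta.17.4") does not compare correctly as a plain string and a naive check will misjudge whether a fix is in place. The code below is an added example, not the walkthrough's own command and not Strapi's API. It assumes the version is returned as a JSON body with a strapiVersion key (an assumption about the endpoint) and takes the fixed-in versions for the two CVEs used on this page from their NVD advisories; verify those thresholds against the advisories before relying on them.

```python
import json
import re

# Fixed-in thresholds, taken from the NVD advisories for the two CVEs used in
# this walkthrough (assumed here; confirm against the advisories):
#   CVE-2019-18818  admin password-reset flaw, fixed in 3.0.0-beta.17.5
#   CVE-2019-19609  admin-panel plugin RCE,    fixed in 3.0.0-beta.17.8
FIXED_IN = {
    "CVE-2019-18818": "3.0.0-beta.17.5",
    "CVE-2019-19609": "3.0.0-beta.17.8",
}

# major.minor.patch with an optional "-alpha.N[.M]" / "-beta.N[.M]" / "-rc.N[.M]" tail.
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.(\d+)(?:\.(\d+))?)?$"
)
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3  # a final release outranks every pre-release of the same number


def parse_version(text):
    """Turn a Strapi version string into a tuple that sorts correctly.

    '3.0.0-beta.17.4' < '3.0.0-beta.17.5' < '3.0.0-beta.17.8' < '3.0.0',
    which a lexical string comparison would get wrong for the last step.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Strapi version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, FINAL_RANK, 0, 0)
    return (
        major, minor, patch,
        PRERELEASE_RANK[m.group(4)],
        int(m.group(5)),
        int(m.group(6) or 0),
    )


def affected_cves(version):
    """CVEs from FIXED_IN whose fix is newer than the running version."""
    running = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if running < parse_version(fixed))


def version_from_response(body):
    """Pull the version out of a JSON body such as {"strapiVersion": "..."}.
    The key name is an assumption about what the version endpoint returns."""
    return json.loads(body)["strapiVersion"]


if __name__ == "__main__":
    # Constructed response body standing in for the output of the curl request.
    sample_body = '{"strapiVersion": "3.0.0-beta.17.4"}'
    running = version_from_response(sample_body)
    hits = affected_cves(running)
    print(f"Strapi {running}: {'affected by ' + ', '.join(hits) if hits else 'not affected'}")
```

The same routine slots into an asset inventory or a scheduled check: feed it the version string each Strapi instance reports and alert on a non-empty result. The ordering logic is the part that matters; a check written as `version < "3.0.0-beta.17.5"` on raw strings would wrongly report a final 3.0.0 release as vulnerable.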
The exploit linked below allows a password reset for the admin account and a JWT to be generated, which will be required for the next exploit.
Exploit-DB: https://www.exploit-db.com/exploits/50239 (CVE-2019-18818)
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-18818
With the generated JWT we can now perform the authenticated RCE exploit and gain a shell on the target system. (Remember to set up a netcat listener on port 9001 first.)
Github: https://github.com/z9fr/CVE-2019-19609/blob/main/exploit.py (CVE-2019-19609)
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19609
For the next part we set up an SSH connection to allow easier exploitation of the target system.
SSH
For SSH access, create a .ssh directory in the strapi user's home directory, generate an SSH key and place the public key in an authorized_keys file.
Now in via SSH, after performing some basic enumeration we see some interesting results for internal services running.
Checking what is running on the local ports with curl we see that Laravel v8 is running on port 8000.
According to searchsploit, Laravel v8 may be vulnerable to RCE.
In order to make the Laravel web page available to our attacking system we need to forward the internal port to our attacking host. With the SSH connection now set up we can reuse it as shown below:
SSH forward remote port to local port
From there we can access Laravel over localhost on the attacking system.
I did not have much luck with the searchsploit-suggested PoC. However, the PoC linked below worked much better.
Github: https://github.com/nth347/CVE-2021-3129_exploit
Usage:
A reverse shell can be obtained with the following, as nc is installed on the target system.
Exploit #2 CVE-2021-4034
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-4034
Github: https://github.com/arthepsy/CVE-2021-4034 (CVE-2021-4034)
Download the exploit PoC to the target system, compile and execute.