Horizontall
https://app.hackthebox.com/machines/Horizontall
Nmap
Add horizontall.htb to /etc/hosts.
Starting out we see a custom webpage running on Nginx. After running through directory enumeration we are unable to pull any interesting results.
Checking the network requests manually we do see some .js
Browsing manually to one of the requests we see a large amount of code within the application script.
Using CyberChef
we able to extract any information which may be of interest to us. In this case a sub domain URL.
Cyberchef: https://gchq.github.io/CyberChef/
Add api-prod.horizontall.htb to /etc/hosts.
After adding api-prod.horizontall.htb to our hosts file we are then able to browse to the root page as shown below.
Feroxbuster
reveals an /Admin directory which redirects to a Strapi login page.
Using searchsploit
we are able to determine an unauthenticated RCE
exists for version 3.0.0-beta.17.4.
Checking the current version of Strapi with curl
to determine if we are working with a vulnerable version.
The following exploit linked below allows a password reset for the admin account and a JWT to be generated which will be required for the next exploit.
Github: https://www.exploit-db.com/exploits/50239 (CVE-2019-18818)
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-18818
With the generated JWT token we can now perform the authenticated RCE exploit and gain a shell on the target system. (Remember to set up a netcat listener on port 9001 first.)
Github: https://github.com/z9fr/CVE-2019-19609/blob/main/exploit.py (CVE-2019-19609)
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19609
For the next part we set up a SSH
connection to allow easier exploitation of the target system.
SSH
For SSH
access create a .ssh directory in the strapi user home location and generate an SSH
key and an authorized_keys file.
Now in via SSH and after performing some basic enumeration we see some interesting results for internal services running.
Checking out what is running on the local ports with curl
we see that under port 8000 Laravel v8 is running.
According to searchsploit
Laravel v8 may be vulnerable to RCE
.
In order to make the Laravel web page available to our attacking system we need to forward the internal port to our remote attacking host. With the SSH connection now setup we can reuse this as shown below:
SSH forward remote port to local port
From which we can access Laravel over localhost on the attacking system.
I did not have much luck with the searchsploit
suggested PoC. However the PoC linked below worked much better.
Github: https://github.com/nth347/CVE-2021-3129_exploit
Usage:
A reverse shell can be obtained with the following as nc
is installed on the target system.
Exploit #2 CVE-2021-4034
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-4034
Github: https://github.com/arthepsy/CVE-2021-4034 (CVE-2021-4034)
Download the exploit PoC to the target system, compile and execute.
Last updated