HTB Horizontall
HTB Horizontall Walkthrough
Enumeration
As usual, let's start with an nmap scan of the IP.

We can see that ports 22 and 80 are open. Let's go check out the web page.
Browsing to the IP address redirects us to horizontall.htb. Let's add that to our /etc/hosts file and go back to the site.

The website is very basic, with really nothing to it. Even after running a gobuster scan, very few things come back that are worth looking at.

Let's take a look at the JavaScript files and see if we can find anything in them.

Looking at the HTML, we can see two JavaScript files. Let's open them up and start searching.

Searching through the JavaScript, near the bottom of the app file we found a URL pointing to a subdomain of horizontall.htb. Let's add it to our hosts file as well and see where it takes us.
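Reading a minified bundle by eye is slow; the quicker way is to pull every hostname and hard-coded route out of it and keep only the ones under the domain you are testing. The script below is an added example, not code from the original post: the JavaScript it scans is a constructed stand-in for the real bundle, and the hostname and paths in it (dev-api.horizontall.htb, /reviews, /users/me) are placeholders, not what the box actually contains.

```python
import re

# Constructed stand-in for a minified front-end bundle. It is NOT the real
# app file from the box; the hostname and paths are placeholders.
SAMPLE_JS = (
    'function o(){return t.default.get("http://dev-api.horizontall.htb/reviews")}'
    'var c="https://cdn.example.org/lib/v1.js";'
    'const p=["/reviews","/users/me"];'
)

# Any dotted name ending in a TLD-looking label, not glued to other word chars.
# This also catches things like "t.default.get"; the scope filter drops them.
HOSTNAME_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
# Quoted absolute paths, the usual shape of hard-coded API routes.
PATH_RE = re.compile(r"""["'](/[A-Za-z0-9_./-]*)["']""")


def in_scope_hosts(js_text, scope_domain):
    """Unique hostnames equal to or under scope_domain, in first-seen order."""
    scope = scope_domain.lower()
    found = []
    for host in HOSTNAME_RE.findall(js_text):
        host = host.lower()
        if (host == scope or host.endswith("." + scope)) and host not in found:
            found.append(host)
    return found


def hardcoded_paths(js_text):
    """Unique quoted absolute paths, in first-seen order (feed these to the fuzzer)."""
    found = []
    for path in PATH_RE.findall(js_text):
        if path not in found:
            found.append(path)
    return found


if __name__ == "__main__":
    # On a real engagement: open(path_to_downloaded_bundle).read() instead of SAMPLE_JS
    print("in-scope hosts:", in_scope_hosts(SAMPLE_JS, "horizontall.htb"))
    print("hard-coded paths:", hardcoded_paths(SAMPLE_JS))
```

Every hostname the script returns is a candidate for the hosts file and for a separate gobuster run; the paths are a better seed list for API fuzzing than a generic wordlist, since they are the routes the front end actually calls.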

Going to this site, we get just a welcome page. Let's run gobuster again and see what we can find.

The directory that stands out here is admin; let's go there and see what it is.

Upon inspection, we can see that it is a login page for Strapi. If we can get a version, maybe we can find an exploit for it. Let's start fuzzing the API and see if we can get a version.

After some time fuzzing, I came across these, and from the init endpoint we got a version number.
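Strapi 3's admin panel answers GET /admin/init with a JSON body that includes a strapiVersion field, which is where that version number comes from. Strapi beta version strings (3.0.0-beta.17.4 and the like) do not compare correctly as plain strings, so it is worth parsing them properly before deciding which advisories apply. The script below is an added example, not code from the original post: the response body is constructed in the shape of a real /admin/init reply with a placeholder version, and the two fixed versions are the ones published in the NVD entries for the CVEs used later in this walkthrough (3.0.0-beta.17.5 for CVE-2019-18818, 3.0.0-beta.17.8 for CVE-2019-19609).

```python
import json
import re

# Constructed response in the shape of Strapi 3 beta's GET /admin/init.
# The version string is a placeholder, not the one seen on the box.
SAMPLE_INIT_RESPONSE = json.dumps({
    "data": {
        "uuid": "00000000-0000-0000-0000-000000000000",
        "currentEnvironment": "development",
        "autoReload": False,
        "strapiVersion": "3.0.0-beta.17.4",
    }
})

# First fixed version for each CVE, as published in the NVD entries.
FIXED_IN = {
    "CVE-2019-18818": "3.0.0-beta.17.5",  # unauthenticated admin password reset
    "CVE-2019-19609": "3.0.0-beta.17.8",  # authenticated RCE via plugin install
}

PRE_RELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.?((?:\d+\.?)*))?")


def parse_version(version):
    """Turn '3.0.0-beta.17.4' into a tuple that compares the way semver does:
    a final release sorts after every pre-release of the same x.y.z."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError("unrecognised Strapi version: %r" % version)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:                      # e.g. "3.0.0"
        return base + (1, 0, ())
    tag_rank = PRE_RELEASE_ORDER.get(m.group(4), 1)
    numbers = tuple(int(x) for x in m.group(5).strip(".").split(".") if x)
    return base + (0, tag_rank, numbers)


def strapi_version(init_body):
    """Pull strapiVersion out of the /admin/init JSON body."""
    return json.loads(init_body)["data"]["strapiVersion"]


def affected_cves(version):
    """CVEs from FIXED_IN whose fix is newer than the given version."""
    v = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed)]


if __name__ == "__main__":
    ver = strapi_version(SAMPLE_INIT_RESPONSE)
    print(ver, "->", affected_cves(ver) or "nothing from this list")
```

The comparison is strict, so a target on exactly the fixed version is reported clean; anything older than 3.0.0-beta.17.5 gets both CVEs, anything between .17.5 and .17.8 gets only the authenticated one.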

Getting User
Let's do some googling and see if we can find any exploits for this version of Strapi.
After too much digging, I found that our version should be vulnerable to CVE-2019-18818, an unauthenticated admin password reset. I found a site that has a pre-built exploit for it (https://thatsn0tmysite.wordpress.com/2019/11/15/x05/). Let's copy the code and see what we can do.

Running the exploit, it looks like the admin password was changed to what we wanted. Let's try logging in and see if it worked.

The exploit we found worked and we are now logged in! While I was looking for this exploit, I ended up finding another one, CVE-2019-19609, that only works once we are authenticated: the admin panel's plugin install endpoint passes the plugin name to a shell without sanitizing it. I was able to find a curl command here (https://bittherapy.net/post/strapi-framework-remote-code-execution/) that we can edit (it needs the JWT from our admin login) to see if we can get a shell back to us.

Success! We finally have a user shell. Let's enumerate this machine and see if we can get root.
Getting Root
After doing a ton of enumeration on this machine, I came across some ports that were open on localhost, but no process was shown attached to them (as an unprivileged user, ss and netstat cannot map sockets owned by other users' processes to a PID, so the process column stays empty).
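Even when ss or netstat is missing or shows no owner, the kernel's socket table in /proc/net/tcp still lists every listener, with the address and port as little-endian hex and the state as a hex code (0A is LISTEN). The parser below is an added example, not code from the original post; the table excerpt it runs on is constructed to look like that file, not captured from the box, and the inode and uid values in it are placeholders.

```python
import socket
import struct

# Constructed excerpt in /proc/net/tcp format (not captured from the box).
# st 0A is LISTEN; local_address is little-endian hex IPv4 and a hex port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24680 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13579 1 0000000000000000 100 0 0 10 0
   2: 0A0A0A0A:0050 0A0A0E0E:C3F2 01 00000000:00000000 00:00000000 00000000    33        0 25678 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"


def decode_addr(hex_addr):
    """'0100007F:1F40' -> ('127.0.0.1', 8000)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Listening TCP sockets from a /proc/net/tcp dump, in table order."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append({"ip": ip, "port": port,
                      "uid": int(fields[7]), "inode": int(fields[9])})
    return found


def loopback_only(sockets):
    """Ports bound to 127.0.0.0/8 only: unreachable until you forward them."""
    return sorted(s["port"] for s in sockets if s["ip"].startswith("127."))


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:        # on the target, read the live table
        socks = listening_sockets(fh.read())
    for s in socks:
        print("%s:%d uid=%d inode=%d" % (s["ip"], s["port"], s["uid"], s["inode"]))
    print("loopback-only ports:", loopback_only(socks))
```

The uid column tells you which account owns the listener even when the PID is hidden, which is worth knowing before you spend time on a service: a loopback-only listener owned by uid 0 is a much more interesting pivot than one owned by your own user. IPv6 listeners live in /proc/net/tcp6 with the same layout and a 32-hex-digit address.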

Let's put chisel onto this machine, forward the port back to us, and see if it is serving a web page.

It looks like Laravel v8 is running on port 8000 on localhost. Let's do some more googling and see if there are any exploits for this.
I found CVE-2021-3129, which allows unauthenticated remote code execution through the Ignition debug page (it only works while the app is running in debug mode with Ignition below 2.5.2). There is a GitHub repo with an exploit that has everything bundled together for easy execution (https://github.com/zhzyker/CVE-2021-3129). Let's clone it and put it onto the machine.

The exploit tries several payloads to see which ones work. It looks like a few of them do, so let's edit one of the payloads to send a shell back to us.

We get a connection back as root (the Laravel app itself is running as root), which gives us the root flag.
Filed under: HTB,Non-Metasploit - @ August 30, 2021 2:58 am