[Hack The Box][Machine][Easy] - Horizontall
This is my writeup for the Horizontall machine on the Hack The Box platform.
Let's start with an nmap scan to enumerate the open ports.
- Port 22 (SSH)
- Port 80 (HTTP)
WEBSITE
We notice that when we go to the website, we are redirected to http://horizontall.htb/. To see it better, we can use BurpSuite. We must add this domain name to our hosts file (/etc/hosts).
This allows us to access the website. The site is completely static and does not have any interesting functionality.
If we look for other subdomains using the ffuf tool, we find one: http://api-prod.horizontall.htb/.
We add the new subdomain name to the hosts file and browse to it. We reach a page with a "Welcome" message.
After fuzzing the directories, we find several folders, including /admin.
We reach a Strapi login page. Strapi is an open-source Node.js CMS (https://strapi.io/).
A quick search for Strapi with the searchsploit tool tells us that there is an unauthenticated RCE on version 3.0.0-beta.17.4 (https://www.exploit-db.com/exploits/50239).
Download the exploit and execute it. This exploit is made up of 2 parts. The first will create an admin account on the Strapi instance and the second will use this access to inject code on the server.
Since this is a blind RCE, we don't get any output back, but we don't need it. Let's gain access to the server with a reverse shell!
PRIVESC
If we list the ports open internally on the server, we see that port 8000 is the one of interest. We can forward it and see what this site looks like.
To forward this port, I use the chisel tool, which allows me to create a tunnel between the server and me.
Laravel runs on this port. It is a PHP framework. We can note its version: Laravel v8 (PHP v7.4.18). This version has an exploit because of its debug mode.
We can exploit this Laravel vulnerability with its resources to obtain a root shell! (Don't forget phpggc.)
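The PRIVESC step works because a service bound only to loopback (port 8000 here) stops being isolated once anyone has a shell on the host. As an added example that is not part of the original writeup, this Python sketch inventories such listeners for hardening review. It assumes the column layout of `ss -tlnH`, and the sample output is constructed (port 53 is an invented entry).

```python
import ipaddress

# Constructed sample of `ss -tlnH` output; not captured from the machine.
SAMPLE_SS = """\
LISTEN 0 128        0.0.0.0:22    0.0.0.0:*
LISTEN 0 511        0.0.0.0:80    0.0.0.0:*
LISTEN 0 128      127.0.0.1:8000  0.0.0.0:*
LISTEN 0 128           [::]:22       [::]:*
LISTEN 0 128  127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 128          [::1]:8000     [::]:*
"""


def split_local(field):
    """Split the 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    addr = addr.strip("[]").split("%")[0]
    return addr, int(port)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcard binds are not loopback."""
    if addr in ("*", ""):
        return False
    return ipaddress.ip_address(addr).is_loopback


def classify(ss_output):
    """Return (exposed_ports, loopback_only_ports) as sorted lists."""
    exposed, loopback = set(), set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip headers, blanks and non-listening sockets
        addr, port = split_local(cols[3])
        (loopback if is_loopback(addr) else exposed).add(port)
    # A port also bound on a routable address counts as exposed.
    return sorted(exposed), sorted(loopback - exposed)


if __name__ == "__main__":
    exposed, internal = classify(SAMPLE_SS)
    print("externally reachable:", exposed)
    print("loopback only (still needs auth and debug mode off):", internal)
```

Every port in the second list should be treated as reachable by any local user or compromised web application, so it needs its own authentication and production settings.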