In this post, I would like to share a walkthrough of the Horizontall Machine from HackTheBox

This room has been considered difficulty rated as an Easy machine on HackThebox

What will you gain from Horizontall machine?

For the user flag, you will execute some strapi exploit such as password reset on api-prod.horizontall.htb and get a reverse shell by using plugin vulnerability

As for the root flag, you need to run some port forwarding and execute an exploit that related to laravel v8

Information Gathering

Once we have started the VPN connection which requires to download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN 

# Nmap 7.91 scan initiated Mon Aug 30 06:36:31 2021 as: nmap -sC -sV -oA intial -Pn
Nmap scan report for
Host is up (0.28s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp   open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
5050/tcp open  http    (PHP 7.4.22)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Mon, 30 Aug 2021 10:51:31 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Cache-Control: no-cache, private
|     date: Mon, 30 Aug 2021 10:51:31 GMT
|     Content-type: text/html; charset=UTF-8
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Not Found</title>
|     <!-- Fonts -->
|     <link rel="preconnect" href="">
|     <link href="" rel="stylesheet">
|     <style>
|     normalize.css v8.0.1 | MIT License | */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Mon, 30 Aug 2021 10:51:19 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Content-Type: text/html; charset=UTF-8
|     Cache-Control: private, must-revalidate
|     Date: Mon, 30 Aug 2021 10:51:19 GMT
|     pragma: no-cache
|     expires: -1
|     Set-Cookie: XSRF-TOKEN=eyJpdiI6IlduUXB4Uk5KOGhiRXZoQXBqM1djOWc9PSIsInZhbHVlIjoidkNKaVR1UjdLUUE0a3haelN2NkFmajBUcWZWb0kxcDc0WlJ4UU96WGdXZm1hc3RsY0ZFWmphcXZRRlJJTnJjMU9FblUzYTBOdUdNV1ZIZG8rNktYT3ZPM1pjLzEwbWZSNS9OdjJtdzYwWHduSUVEU2N3ektBM010WHRKR1FWZnEiLCJtYWMiOiIyYjg2ODVjMTBiOWI0OTZjZmFhNzI4NmFmM2M3ZTQ3MjU5ODQ1ZWZmYzFjOGRjODEyN2RmNzE3YmVlNDc4YTgwIn0%3D; expires=Mon, 30-Aug-2021 12:51:19 GMT; Max-Age=7200; path=/; samesite=lax
|     Set-Cookie: laravel_session=eyJpdiI6InYyYXBkRXB0VC8ybnFNUmZBcEpKK0E9PSIsInZhbHVlIjoid2x0b0RSN1lHZUhHWXFyanRGRzhTbXBqT2lsaFlPejJiU01LbmZQVjJwLzc3SDM1VzVHVjcvSzA1Y09Ta29VR2p5NUpLc1NlRURTZVNJZUZkSzdCVkRwdnVnZ0p5VGlNM2JYWjhBNk
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Date: Mon, 30 Aug 2021 10:51:20 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Allow: GET,HEAD
|     Cache-Control: private, must-revalidate
|     Date: Mon, 30 Aug 2021 10:51:20 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|_    expires: -1
|_http-title: Laravel
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Mon Aug 30 06:37:59 2021 -- 1 IP address (1 host up) scanned in 89.05 seconds

Let’s open the browser and straight into the website interface.

Unfortunately, we cannot find anything on the web interface, but we have been redirected to http://horizontall.htb

We are required to add the domain name into /etc/hosts file to obtain access to the website interface

After we add the domain on the /etc/hosts file, let’s try to access the website interface again.

Finally, we successfully accessed the website, but we didn’t find anything useful on the webpage.

Let’s try running gobuster to enumerate any directory that we can access

Sadly, we cannot find any directory useful from the gobuster result. I have started wondering whether the domain has a subdomain at this moment.

Let’s try to enumerate any subdomain on the machine

Based on the gobuster result above which we have managed to get one subdomain which is api-prod.horizontall.htb

As a result, we were able to sight a “Welcome” text which didn’t help that much.

We must execute another gobuster activity on the new subdomain.

### We need to add the subdomain on our /etc/hosts file ###

We managed to find a directory that is labeled as /admin on the gobuster result.

We can verify the version of strapi by going to /admin/strapiversion/

Gaining Privileges Access on Horizontall machine

A strapi login page appeared when we try to access the api-prod.horizontall.htb

To be frankly honest, I’m not aware of any credentials that can use over here. Let’s do some research on any exploit to obtain strapi credentials or any default username and password

From the google search, I haven’t found anything that can exploit the application.

Let’s continue with our research especially on password reset

From the output, we managed to verify that strapi login page has a vulnerability in password reset.

We have found that the strapi vulnerability is labeled as CVE-2019-18818

Let’s execute some exploit code for the strapi application

Disclaimer: This code doesn’t write by me, but I found it on the internet. Source: Exploiting friends with CVE-2019-18818 – thatsn0tmysite (

Let’s run the code by using the python3 command

We should be able to login the dashboard which used the same password that we reset earlier.

Voila! We managed to access the dashboard via the email “admin@horizontall.htb” and the password that we reset.

We can be roaming the dashboard while finding any available exploit on the internet

Maintaining Privileges Access

We managed to get an available exploit over here which we can use the code to obtain a reverse shell on the machine

We should be able to inspect the curl code via Burpsuite Community where we can modify any code missing from the curl code.

However, we should start our NC listener before we click the forward button on the Burpsuite Request

Boom! After that, the reverse shell has come back to us which we can use to get the user flag.

To get an upgraded version of the shell, we can type the command “bash -i

We can retrieve the user flag by executing the command “cat user.txt

Escalate to Root Privileges Access

On the other hand, we need to clarify which other ports are been open inside the machine. As a result, we managed to sight a bunch of ports open that have not been displayed on the Nmap output.

I have been wondering whether we can execute some port forwarding method on that port.

Let’s try using that port forwarding using port 8000

However, there are a lot of ways to use port forwarding, but I would prefer to use ssh port forwarding which i know will work well.

Sadly, we cannot create .ssh directory on the /home but. we might be able to create it somewhere else inside the machine

I did manage to find another strapi directory that resides inside /opt directory.

Success! We have been able to create a .ssh directory at /opt/strapi directory

On our attacker’s machine, we need to prepare our own version of id_rsa and

We should start our python HTTP server on our attacker’s machine

On the victim’s machine, we can retrieve those two files that we created by using wget function

Just a reminder to all including me that we need to move our into authorized_keys

Let’s try ssh port forwarding right now.

SSH Port Forwarding on Horizontall Machine

It works! we have finally successfully done the ssh port forwarding.

Let’s access the website using the http://localhost:8001

Oh wow! It’s a Laravel web interface and I notice the version has been shown there (Laravel v8 PHP V7.4.18)

Let’s do some research on Laravel v8 exploit where I did managed to find an exploit that we can use to obtain the root flag

I will read what should I do based on the ambionics/laravel-exploits

Firstly, I need to clone the GitHub page on my machine.

Next, we need. to access the directory of the GitHub page on our machine.

We are required to give permission to the file

We need to start our nc listener on our terminal.

However, we need to run some PHP coding with additional phpggc

Next, we need to execute the command above to obtain a reverse shell.

We have successfully obtained a reverse shell, but it stuck there for a long time.

Therefore, we need to execute a basic command to test the python script if it’s working perfectly.

It works on the previous testing, and we can read the root flag by replacing the basic command with “cat /root/root.txt


Happy Learning Guys!

Extra Information

We can go to /etc/shadow to unlock the write-up