In this post, I would like to share a walkthrough of the Horizontall machine from HackTheBox.

This machine is rated Easy on HackTheBox.

What will you gain from Horizontall machine?

For the user flag, you will exploit Strapi on api-prod.horizontall.htb: first a password reset, then a reverse shell through a plugin vulnerability.

As for the root flag, you need to set up port forwarding and run an exploit against Laravel v8.

Information Gathering

Once we have started the VPN connection, using the connection file downloaded from HackTheBox, we can begin information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -PN

# Nmap 7.91 scan initiated Mon Aug 30 06:36:31 2021 as: nmap -sC -sV -oA intial -Pn 10.10.11.105
Nmap scan report for 10.10.11.105
Host is up (0.28s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp   open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
5050/tcp open  http    (PHP 7.4.22)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Mon, 30 Aug 2021 10:51:31 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Cache-Control: no-cache, private
|     date: Mon, 30 Aug 2021 10:51:31 GMT
|     Content-type: text/html; charset=UTF-8
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Not Found</title>
|     <!-- Fonts -->
|     <link rel="preconnect" href="https://fonts.gstatic.com">
|     <link href="https://fonts.googleapis.com/css2?family=Nunito&display=swap" rel="stylesheet">
|     <style>
|     normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-app
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Mon, 30 Aug 2021 10:51:19 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Content-Type: text/html; charset=UTF-8
|     Cache-Control: private, must-revalidate
|     Date: Mon, 30 Aug 2021 10:51:19 GMT
|     pragma: no-cache
|     expires: -1
|     Set-Cookie: XSRF-TOKEN=eyJpdiI6IlduUXB4Uk5KOGhiRXZoQXBqM1djOWc9PSIsInZhbHVlIjoidkNKaVR1UjdLUUE0a3haelN2NkFmajBUcWZWb0kxcDc0WlJ4UU96WGdXZm1hc3RsY0ZFWmphcXZRRlJJTnJjMU9FblUzYTBOdUdNV1ZIZG8rNktYT3ZPM1pjLzEwbWZSNS9OdjJtdzYwWHduSUVEU2N3ektBM010WHRKR1FWZnEiLCJtYWMiOiIyYjg2ODVjMTBiOWI0OTZjZmFhNzI4NmFmM2M3ZTQ3MjU5ODQ1ZWZmYzFjOGRjODEyN2RmNzE3YmVlNDc4YTgwIn0%3D; expires=Mon, 30-Aug-2021 12:51:19 GMT; Max-Age=7200; path=/; samesite=lax
|     Set-Cookie: laravel_session=eyJpdiI6InYyYXBkRXB0VC8ybnFNUmZBcEpKK0E9PSIsInZhbHVlIjoid2x0b0RSN1lHZUhHWXFyanRGRzhTbXBqT2lsaFlPejJiU01LbmZQVjJwLzc3SDM1VzVHVjcvSzA1Y09Ta29VR2p5NUpLc1NlRURTZVNJZUZkSzdCVkRwdnVnZ0p5VGlNM2JYWjhBNk
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Date: Mon, 30 Aug 2021 10:51:20 GMT
|     Connection: close
|     X-Powered-By: PHP/7.4.22
|     Allow: GET,HEAD
|     Cache-Control: private, must-revalidate
|     Date: Mon, 30 Aug 2021 10:51:20 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|_    expires: -1
|_http-title: Laravel
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 30 06:37:59 2021 -- 1 IP address (1 host up) scanned in 89.05 seconds

Let’s open the browser and go straight to the website.

Unfortunately, we cannot find anything on the web interface, but we are redirected to http://horizontall.htb

We need to add the domain name to our /etc/hosts file to reach the website.

After adding the domain to /etc/hosts, let’s try to access the website again.

Finally, we successfully access the website, but we don’t find anything useful on the webpage.

Let’s try running gobuster to enumerate any directories we can access.

Sadly, the gobuster result shows no useful directory. At this point I started wondering whether the domain has any subdomains.

Let’s try to enumerate subdomains on the machine.

From the gobuster result above, we found one subdomain: api-prod.horizontall.htb

Visiting it, we only see a “Welcome” text, which doesn’t help much.

We need to run gobuster again on the new subdomain.

### We need to add the subdomain to our /etc/hosts file ###

The gobuster result shows a directory named /admin.

We can verify the Strapi version by browsing to /admin/strapiversion/

Gaining Privileged Access on the Horizontall Machine

A Strapi login page appears when we access /admin on api-prod.horizontall.htb

To be frank, I’m not aware of any credentials that would work here. Let’s research any exploit that could give us Strapi credentials, or any default username and password.

From the Google search, I didn’t find anything that could exploit the application.

Let’s continue our research, focusing on password reset.

From the output, we confirm that this Strapi login page has a password reset vulnerability.

The Strapi vulnerability is tracked as CVE-2019-18818
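Before reaching for an exploit, an administrator (or a tester triaging their findings) can compare the version string obtained from the /admin/strapiversion/ check earlier against the first fixed release of the CVE named above. The Python below is an added example, not code from the original post or from the Strapi project; it assumes the fix shipped in 3.0.0-beta.17.5 (the version named in the CVE description) and that the endpoint answers JSON of the form {"strapiVersion": "..."}; the sample responses are constructed. It goes slightly beyond this machine by implementing full SemVer pre-release ordering, so it also ranks alpha builds and versions with fewer identifiers correctly.

```python
import json
import re

# First release without the bug; assumption taken from the CVE description.
FIXED_VERSION = "3.0.0-beta.17.5"

def parse_semver(version: str):
    """Split '3.0.0-beta.17.4' into ((3, 0, 0), ['beta', 17, 4]); build metadata after '+' is ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # Numeric pre-release identifiers compare as numbers, the rest as strings.
    pre = [int(p) if p.isdigit() else p for p in m.group(4).split(".")] if m.group(4) else []
    return core, pre

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 following SemVer precedence rules."""
    (core_a, pre_a), (core_b, pre_b) = parse_semver(a), parse_semver(b)
    if core_a != core_b:
        return -1 if core_a < core_b else 1
    if not pre_a or not pre_b:
        # Same core: a full release outranks any of its pre-releases.
        return int(bool(pre_b)) - int(bool(pre_a))
    for x, y in zip(pre_a, pre_b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return -1  # numeric identifiers rank below alphanumeric ones
        if isinstance(y, int):
            return 1
        return -1 if x < y else 1
    # Equal prefix: the longer identifier list has higher precedence.
    return (len(pre_a) > len(pre_b)) - (len(pre_a) < len(pre_b))

def is_vulnerable(version_json: str) -> bool:
    """True when the version reported by the endpoint predates the fix."""
    version = json.loads(version_json)["strapiVersion"]
    return compare_versions(version, FIXED_VERSION) < 0

# Constructed sample responses in the endpoint's JSON shape (not captured from the box).
SAMPLES = {
    '{"strapiVersion": "3.0.0-beta.17.4"}': True,
    '{"strapiVersion": "3.0.0-beta.17.5"}': False,
    '{"strapiVersion": "3.0.0-beta.18"}': False,
    '{"strapiVersion": "3.0.0-alpha.26.2"}': True,
    '{"strapiVersion": "3.6.8"}': False,
}
```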

Let’s execute some exploit code against the Strapi application.

Disclaimer: this code was not written by me; I found it on the internet. Source: Exploiting friends with CVE-2019-18818 – thatsn0tmysite (wordpress.com)

Let’s run the code using the python3 command.

We should now be able to log in to the dashboard with the password we set during the reset.

Voila! We managed to access the dashboard with the email “admin@horizontall.htb” and the password we reset.

We can browse the dashboard while looking for any available exploit on the internet.

Maintaining Privileged Access

We found an exploit whose code we can use to obtain a reverse shell on the machine.

We can inspect the curl request in Burp Suite Community, where we can fill in anything missing from the curl command.

We should start our nc listener before clicking the Forward button on the request in Burp Suite.

Boom! The reverse shell comes back to us, and we can use it to get the user flag.

To upgrade the shell, we can type the command “bash -i”

We can retrieve the user flag by executing the command “cat user.txt”

Escalating to Root Privileges

Next, we need to check which other ports are open inside the machine. We find several listening ports that were not shown in the Nmap output.

I have been wondering whether we can use some port forwarding method to reach that port.

Let’s try port forwarding with port 8000.

There are many ways to do port forwarding, but I prefer SSH port forwarding, which I know works well.

Sadly, we cannot create a .ssh directory under /home, but we might be able to create it somewhere else on the machine.

I did manage to find another strapi directory inside /opt.

Success! We are able to create a .ssh directory in /opt/strapi.

On our attacking machine, we need to prepare our own id_rsa and id_rsa.pub key pair.

We should start our Python HTTP server on our attacking machine.

On the victim machine, we can retrieve the two files we created using wget.

Just a reminder to everyone, including me: we need to place our id_rsa.pub into authorized_keys.

Let’s try SSH port forwarding right now.

SSH Port Forwarding on Horizontall Machine

It works! We have finally set up the SSH port forwarding.

Let’s access the website at http://localhost:8001

Oh wow! It’s a Laravel web interface, and I notice the version is shown there (Laravel v8, PHP v7.4.18).

Let’s do some research on Laravel v8 exploits; I managed to find one that we can use to obtain the root flag.

I will follow the instructions in ambionics/laravel-exploits.

Firstly, I need to clone the GitHub repository on my machine.

Next, we need to change into the cloned directory on our machine.

We need to make the exploit.py file executable.

We need to start our nc listener in our terminal.

We also need to generate the PHP payload with phpggc.

Next, we execute the command above to obtain a reverse shell.

We successfully obtain a reverse shell, but it hangs for a long time.

Therefore, we run a basic command to test whether the Python script is working properly.

The test works, and we can read the root flag by replacing the basic command with “cat /root/root.txt”

-THE END-

Happy Learning Guys!

Extra Information

We can use the contents of /etc/shadow to unlock the write-up.
