Horizontall — Hackthebox

Ajay Mandal
Sep 2, 2021

Hi folks, today I am going to share an easy-rated Hackthebox machine, Horizontall, created by wail99. This was somehow a medium-level machine for me.

Initial Recon

There are two open ports, 22 and 80. Let’s check the web server. Direct browsing doesn’t help. Let’s edit /etc/hosts.

Directory brute-forcing turns up nothing. Let’s try DNS brute-forcing.

DNS Brute-forcing

Using subdomains-top1million-110000.txt from SecLists as the wordlist.

Got a new domain: api-prod.horizontall.htb

Directory Brute-forcing

First, add this domain to /etc/hosts.

Running gobuster

Browsing to /admin brings up a login page, but we don’t have creds. It shows Strapi is in use, but we don’t know the version. On Google, I found a nice article on this version of Strapi on this page.

Getting the version of Strapi

Searching exploit-db.com for the exploit, I got one.

We get a JSON token, and I found a useful article on how to use it here.

Listening on port 4444

nc -nvlp 4444

Executing the following command, we get a reverse shell

We get a reverse shell as soon as we execute it. We can upgrade our shell with Python

python3 -c 'import pty;pty.spawn("/bin/bash")'

We can easily cat our 1st user.txt flag.

Root escalation

Running linpeas on the remote server by uploading it from the local machine with Python

I found something interesting on 127.0.0.1:8000. Let’s curl it.

Found Laravel, and this version is vulnerable. I found an exploit for it here. But we need Laravel locally.

Port forwarding using ssh

To generate SSH keys, we use

ssh-keygen -o

Let’s copy the content of id_rsa.pub to authorized_keys and upload it to the remote server

cat id_rsa.pub >> authorized_keys

Copy authorized_keys to /opt/strapi/.ssh (create .ssh at this location). We can upload it using a Python server. Change the permissions on authorized_keys to 700

chmod 700 authorized_keys
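
The authorized_keys file written into /opt/strapi/.ssh above is also the artifact a defender can look for: an account whose home sits outside /home should rarely accept SSH keys. The following audit is an added example, not part of the original write-up; the function names, the sample passwd entries and the placeholder keys are constructed, and treating any home outside /home and /root as a service account is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: report accounts whose home
# lies outside /home and /root but still holds an SSH authorized_keys file.
# Assumption: such a home directory (e.g. /opt/strapi) marks a service account.

# audit_service_keys PASSWD_FILE [ROOT_PREFIX]
# Prints one finding per line as  user:path:permissions:key_count
audit_service_keys() {
    local passwd_file=$1 root=${2:-}
    local user pw uid gid gecos home shell path perms keys
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $home in
            ''|/home/*|/root) continue ;;      # interactive accounts: skip
        esac
        path=$home/.ssh/authorized_keys
        [ -f "$root$path" ] || continue
        # Each non-blank, non-comment line is one public key sshd will accept.
        keys=$(grep -cvE '^[[:space:]]*(#|$)' "$root$path" || true)
        perms=$(ls -ld "$root$path" | cut -c1-10)
        printf '%s:%s:%s:%s\n' "$user" "$path" "$perms" "$keys"
    done < "$passwd_file"
}

# make_sample_root DIR: constructed sample data so the audit runs offline.
make_sample_root() {
    local dir=$1
    mkdir -p "$dir/etc" "$dir/opt/strapi/.ssh" "$dir/home/alice/.ssh" "$dir/var/www"
    cat > "$dir/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
strapi:x:1001:1001::/opt/strapi:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    # Placeholder key material, constructed for this example.
    printf '# added key\nssh-rsa AAAAEXAMPLEKEY user@host\n' \
        > "$dir/opt/strapi/.ssh/authorized_keys"
    chmod 700 "$dir/opt/strapi/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAEXAMPLEKEY alice@laptop\n' \
        > "$dir/home/alice/.ssh/authorized_keys"
}

sample=$(mktemp -d)
make_sample_root "$sample"
audit_service_keys "$sample/etc/passwd" "$sample"
rm -rf "$sample"
```

On a live host, call `audit_service_keys /etc/passwd` with no prefix; any line it prints for an account that is not meant to log in over SSH deserves a look.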

Now getting Laravel hosted locally

As Laravel is hosted locally, let’s exploit it with exploit.py

As we can see, it responds as root. We can execute a reverse shell script to get a reverse shell, but I’ll go directly for root.txt


Ajay Mandal

Security Researcher | Computer Engineering Spec. IOT | Hack The Box Player