This is my writeup for the Horizontall machine on the Hack The Box platform.
Let’s start with an nmap scan to enumerate the different ports that are open.
Port 22 (SSH)
Port 80 (HTTP)
nmap -sC -sV -oA nmap/horizontall 10.10.11.105
Website
We notice that when we go to the website, we are redirected to http://horizontall.htb/. To see the redirect clearly, we can look at the response in Burp Suite. We must add this domain name to our hosts file (/etc/hosts).
This allows us to access the website. The site is completely static and has no interesting functionality.
If we look for other subdomains using the ffuf tool, we find one: http://api-prod.horizontall.htb/.
We add the new subdomain name to the hosts file and we can go to it. We reach a page with a “Welcome” message.
Fuzzing directories turns up several, including /admin.
We reach a Strapi login page. Strapi is an open-source Node.js CMS (https://strapi.io/).
A quick search with the searchsploit tool on Strapi tells us that there is an unauthenticated RCE for version 3.0.0-beta.17.4 (https://www.exploit-db.com/exploits/50239).
Download the exploit and execute it. This exploit is made up of 2 parts. The first will create an admin account on the Strapi instance and the second will use this access to inject code on the server.
Since this is a blind RCE, we don't get any output back, but we don't need it anyway. Let's gain access to the server with a reverse shell!
Privesc
If we list the ports open internally on the server, we see that port 8000 is listening. We can forward it and see what this site looks like.
To forward this port, I use the chisel tool which allows me to create a tunnel between the server and me.
On this port runs Laravel, a PHP framework. We can note its version: Laravel v8 (PHP v7.4.18). This version is exploitable because debug mode is enabled.
We can exploit this Laravel vulnerability with the available resources to obtain a root shell! (Don't forget phpggc.)
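Both footholds in this writeup (the Strapi admin RCE chain and the Laravel debug-mode RCE) leave a recognisable trail in the web server's access log. The detection script below is an added example, not part of the original writeup or the exploit code it references; it assumes the endpoint paths published in the respective advisories (/admin/auth/reset-password and /admin/plugins/install for Strapi, /_ignition/execute-solution for Laravel Ignition) and runs over constructed combined-format log lines.

```python
import re
from collections import defaultdict

# Constructed sample log lines (combined log format, TEST-NET addresses); not from the machine.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2021:12:00:01 +0000] "GET /admin HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2021:12:00:07 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 512 "-" "python-requests/2.26"
192.0.2.10 - - [10/Oct/2021:12:00:09 +0000] "POST /admin/plugins/install HTTP/1.1" 200 61 "-" "python-requests/2.26"
192.0.2.20 - - [10/Oct/2021:12:03:30 +0000] "POST /admin/auth/reset-password HTTP/1.1" 400 87 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2021:12:10:44 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 14 "-" "python-requests/2.26"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed endpoint paths, taken from the public advisories for the two issues.
STRAPI_RESET = "/admin/auth/reset-password"
STRAPI_PLUGIN_INSTALL = "/admin/plugins/install"
LARAVEL_IGNITION = "/_ignition/execute-solution"


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def detect(entries):
    """Return (ip, finding) tuples for the two exploitation patterns."""
    findings = []
    reset_ok = defaultdict(bool)  # ip -> saw a successful admin password reset POST
    for e in entries:
        if e["method"] != "POST":
            continue
        if e["path"].startswith(STRAPI_RESET) and e["status"] == 200:
            reset_ok[e["ip"]] = True  # legitimate resets exist; flag only the chain
        elif e["path"].startswith(STRAPI_PLUGIN_INSTALL) and reset_ok[e["ip"]]:
            findings.append((e["ip"], "strapi-reset-then-plugin-install"))
        elif e["path"].startswith(LARAVEL_IGNITION):
            # Ignition should never be reachable in production (APP_DEBUG must be off).
            findings.append((e["ip"], "laravel-ignition-execute-solution"))
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse(SAMPLE_LOG)):
        print(f"{ip}: {finding}")
```

A password-reset POST on its own is not flagged, since real users reset passwords; the signal is the reset followed by a plugin install from the same client.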