Machine - Horizontall

IP = 10.10.11.105

  • nmap port scanning: sudo nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.105 -oG allPorts
    • Result: ports 22 and 80 are open
  • nmap enumeration
    • nmap -sC -sV -p80,22 10.10.11.105 -oN ports
  • Found in the site's source code an API call: curl http://api-prod.horizontall.htb/reviews
  • Let's enumerate directories with gobuster (installed with go install github.com/OJ/gobuster/v3@latest): ~/go/bin/gobuster dir -w /usr/share/dict/directory-list-2.3-medium.txt -u http://horizontall.htb/ -t 12
  • gobuster in vhost mode, since we discovered api-prod: ~/go/bin/gobuster vhost -u horizontall.htb -w ~/Downloads/subdomains-top1million-110000.txt. Not much found here.
  • The api-prod vhost is built with strapi.io; let's see if there is something on exploitdb.com
    • Looking at the project's issues, there is an endpoint that returns the version! Yay!! http://api-prod.horizontall.htb/admin/strapiVersion >> "3.0.0-beta.17.4"
    • "3.0.0-beta.17.4" has a specific exploit that executes commands without being authenticated!
      • Wow! Just put in the URL and it worked :) Now let's get a reverse shell
    • Got the reverse shell; we are the user strapi
    • We have all the source code; I will make a tar and send it over nc
    • tty shell upgrade: python -c 'import pty; pty.spawn("/bin/bash")'
    • Try the developer credentials to log into MySQL: mysql -u developer -p -D strapi
    • Yay!
    • In the database, I created my own admin user :)
    • Hint: there are more services running in the background on the server; check with netstat -na
    • Let's forward that port to our localhost with chisel
      • Need to transfer chisel to the target over the network first
    • Ran gobuster against the service and found a weird URL, /profiles
      • which shows the Laravel debugger
      • now we know it is Laravel 8.43.0
      • there is an exploit for this exact version!
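A defender's counterpart to the probes in these notes, as an added example that is not part of this writeup: a small Python detector run over a constructed access log, flagging requests to the unauthenticated Strapi version endpoint, the Laravel debug page at /profiles, scanner user agents and 404 bursts from directory brute-forcing. The combined log format, the HTTP 500 for the debug page and the user-agent list are assumptions.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample access log (combined format): the paths echo the notes above, the rest is made up.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Oct/2021:10:01:09 +0000] "GET /admin/strapiVersion HTTP/1.1" 200 28 "-" "curl/7.74.0"
10.10.14.9 - - [02/Oct/2021:10:02:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.9 - - [02/Oct/2021:10:02:02 +0000] "GET /old HTTP/1.1" 404 153 "-" "gobuster/3.1.0"
10.10.14.9 - - [02/Oct/2021:10:02:11 +0000] "GET /profiles HTTP/1.1" 500 9021 "-" "gobuster/3.1.0"
10.10.14.7 - - [02/Oct/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumption: user-agent substrings typical of enumeration tooling.
TOOL_UA = re.compile(r"gobuster|dirb|nikto|python-requests|curl/", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None for lines not in combined format

def classify(entry):
    """Return finding tags for one parsed entry."""
    tags = []
    path = entry["path"].split("?")[0]
    if path == "/admin/strapiVersion":
        tags.append("strapi-version-disclosure")  # version endpoint answered unauthenticated
    if path == "/profiles" and entry["status"] == "500":
        tags.append("laravel-debug-page")  # assumption: debug page is served with HTTP 500
    if TOOL_UA.search(entry["ua"]):
        tags.append("scanner-user-agent")
    return tags

def analyze(log_text, bruteforce_404_threshold=2):
    """Return (ip, tag, detail) findings, including per-source 404 bursts."""
    findings, not_found = [], Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["status"] == "404":
            not_found[e["ip"]] += 1
        findings += [(e["ip"], tag, e["path"]) for tag in classify(e)]
    for ip, n in not_found.items():
        if n >= bruteforce_404_threshold:
            findings.append((ip, "dir-bruteforce", f"{n} x 404"))
    return findings
```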