Initial enumeration
As always, the first action when a box is started is to enumerate the ports opened in the box. This time, as in many other Linux, there are only the SSH and HTTP services opened to interact with.
Web application discovery & RCE
We start with the enumeration of the web application. The site looked like this:
After expend some time enumerating the web application, we haven’t found nothing, so this web site didn’t seem to be the way to break into the server.
When nothing seem to be vulnerable in the web site, there is always a good idea to check for other web applications being served by the web server. For instance, the following command uses ‘Wfuzz‘ to find out different web sites referenced by the ‘Host’ parameter in the HTTP request.
Awesome, the subdomain ‘api-prod’ was found ! After adding it to the ‘/etc/hosts’ we could reach another web site.
Alright, another page appeared. It was a ‘foo’ default page but there would be surely more content since the subdomain name is ‘api-prod‘. A quick directory scanner revealed the ‘admin’ folder, among others.
In the ‘admin’ page we discover the name of the web application, it was a CMS named ‘strapi’.
Searching in google for ‘strapi exploit’ we find this one. The exploit first abuses of a authentication bypass to perform the strapi admin password, then it uses the obtained administrator privileges to execute code through the plugin installation feature. It worked like a charm, the exploit is capable of executing code but it’s not for printing the output. Anyway, we could verify the success using a blind command like ‘ping’:
Obtaining the user’s flag
At this time, the following step was to obtain a reverse shell. The following command, from pentestmonkeys did the job.
After a little enumeration, we found that we were able to read the ‘user.txt’ flag, so, even if we were not the user ‘developer’, we already obtained the user’s flag.
Privilege escalation to root
We spent some time enumerating for miss configurations or insecure privileges in the system with no luck. Therefore, with further enumeration we found a ‘Laravel’ web application installed and listening on port 8000.
In order to easily enumerate this service, a dynamic port forward was created using SSH protocol. After that, we can browse to the web server using the web browser and any extension like ‘FoxyProxy‘.
ssh -i id_rsa -D 1080 strapi@horizontall.htb
The version is disclosed in the Laravel’s default page so we look for potential vulnerabilities that may affect to this version.
There’s a vulnerability that looks good, it’s related with the debug mode apparently. The full details about the exploit are here.
In short lines, it abuses of a vulnerability in the functionality ‘Make variable optional’ from the debug mode of the affected versions of Laravel. In conjunction with some PHP filters, this vulnerability allows the writing of arbitrary contents to local files. Finally, what the exploit does is to write serialized PHP code and then execute it with the ‘phar’ filter of PHP.
The aforementioned exploit worked perfectly through the proxy socks as we can see in the following image, where we obtained code execution with ‘root’ permissions.
All that was left to do was to obtain a shell to fully own the server, read the root flag and finalize the challenge.
