Official Horizontall Discussion

nagarajcruze · September 7, 2021, 10:47am

Creating a forum account is another big challenge for me… I found the CVEs and when I try to install the plugin via python I’m getting 400 saying an error occurred, is this a rabit hole or i’m going good? I’m not able to install the plugin to get rev shell, help me…

witCEC · September 7, 2021, 1:00pm

Box was okay. It’s definitely an easy box, enumeration and cve is all you need to do. Foothold: Automated tools won’t find anything. Try to enumerate manually. User: There are working payloads for that CVE. Just google it. Root: Same as User. Create a bridge. PM if you need a taco!

Inv0Ker · September 7, 2021, 2:25pm

@nagarajcruze you are going in a right way. Remember to check all the headers you are sending along with payload.

nagarajcruze · September 7, 2021, 6:06pm

Type your comment> @Inv0Ker said: > @nagarajcruze you are going in a right way. Remember to check all the headers you are sending along with payload. Yeah, got user flag… Thanks…

kavigihan · September 7, 2021, 6:37pm

Rooted!! Goot to be back on HTB. One of the best easy boxes, if you are a beginner like me really recommend this one. Little hint: get the foothold manually and root it with the automated script. DM if you get stuck.

Ud0g · September 8, 2021, 12:57am

R00ted right now. A box that teaches a lot. I’ve learned a couple of very useful new tricks. Although I consider that it is closer to the “medium” (without entering it), than to the easy difficulty. My 2 cents: - Foothold: Enumeration, Enumeration and Enumeration. Not all websites are based on fuzzing directories, a url is made up of more things. And remember, enumeration does not always come from the hand of tools. Sometimes it is better to do it manually with what is presented to you, stay focus. - Root: A tricky one. The enumeration is again essential. For those who have just started, like me, the key is still in the “report”, but this time in a different section. As other have said, use the tunnel. PM if you need help. Keep trying!

yth123 · September 8, 2021, 8:39am

■■■■…after 1 day of getting user im still getting no progress for root. i thought i could exploit a vuln that was quite popular earlier this year because the version matches but doesnt work

0xalivecow · September 8, 2021, 9:28am

Does root have anything to do with m***l?

Ud0g · September 8, 2021, 9:29am

Type your comment> @RandomPerson00 said: > Does root have anything to do with m***l? I myself spent 1 hour thinking the same

dlhai1986 · September 8, 2021, 10:34am

I stuck at spawn shell, I don’t know why it doesn’t response to python spawn listening on [any] 4567 … connect to [10.10.14.98] from horizontall.htb [10.10.11.105] 34642 python -c ‘import pty; pty.spawn(“/bin/bash”)’

MRWhiteCap · September 8, 2021, 11:57am

Rooted…

0xalivecow · September 8, 2021, 7:35pm

Can I please get a nudge for root?

MRWhiteCap · September 8, 2021, 10:04pm

Type your comment> @RandomPerson00 said: > Can I please get a nudge for root? DM

yth123 · September 9, 2021, 3:40am

got user with s****i because it is somehow readable but i wonder if becoming d*******r is neccesary for root?

MRWhiteCap · September 9, 2021, 10:23am

Type your comment> @yth123 said: > got user with s****i because it is somehow readable but i wonder if becoming d*******r is neccesary for root? nop, no need to be d*******r.

50m30n3 · September 9, 2021, 6:08pm

Managed to get RCE (can run shell commands) and what I believe are the creds for the pivot, but for the life of me can’t get an actual functioning shell off the exploit. Can open connections to my nc listener, but shells are unresponsive. Tried a couple different methods of exploitation with similar results. any thoughts on how to get a stable responsive shell or where I may be going wrong? update: figured out one way to do it lol. Got user, now on to root

walk · September 9, 2021, 10:49pm

is anyone getting json errors when running the .py for the first CVE? Can’t seem to figure it out as to why it gags every time. Edit: After reading the nudges, seems like some automated exploits won’t work with this box. Got user by living off the land.

XSSDoctor · September 9, 2021, 11:58pm

Type your comment> @dlhai1986 said: > I stuck at spawn shell, I don’t know why it doesn’t response to python spawn > listening on [any] 4567 … > connect to [10.10.14.98] from horizontall.htb [10.10.11.105] 34642 > python -c ‘import pty; pty.spawn(“/bin/bash”)’ > try this python3 -c ‘import pty; pty.spawn(“/bin/bash”)’ control Z stty raw -echo fg export term=XTERM

dlhai1986 · September 10, 2021, 1:34am

Type your comment> @jad2121 said: > Type your comment> @dlhai1986 said: > > I stuck at spawn shell, I don’t know why it doesn’t response to python spawn > > listening on [any] 4567 … > > connect to [10.10.14.98] from horizontall.htb [10.10.11.105] 34642 > > python -c ‘import pty; pty.spawn(“/bin/bash”)’ > > > try this > > > python3 -c ‘import pty; pty.spawn(“/bin/bash”)’ > control Z > stty raw -echo > fg > export term=XTERM Hi bro, rooted this box already, but I think this box doesn’t give shell to us as your command. This box has trick to forbidden us to spawn shell as normal way. Thanks

etnhnt007 · September 10, 2021, 5:57pm

Finally rooted. Enjoyed the box, learned a few new things.