I finished the HackTheBox box “Horizontall”, a Linux box where an unpatched version of “strapi” is running on a webserver. With help of this we can get limited privileges on the web server. For privilege escalation there is a vulnerability in a running Laravel application which can be exploited after port forwarding.
I will post the writeup for “Horizontall” on Sunday February 6 when the machine has expired.