Enumeration

Nmap

The initial Nmap scan revealed that the SSH and HTTP ports were open.

00 - nmap

WEB Enumeration

The website was static, but it contained some names, which I noted down.

01 - web and users

When I clicked the send button at the bottom of the page, it returned an error that revealed the Laravel version, 8.4.0.

02 - send

03 - version

Exploitation

CVE-2021-3129

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

I found that this version is vulnerable to RCE if debug mode is enabled.
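Two defender-side checks for the two conditions described above, added here as an example and not part of the original writeup: whether a Laravel .env file has APP_DEBUG enabled, and which web-server access-log entries POST to Ignition's /_ignition/execute-solution route (the route this CVE abuses). The .env text and log lines below are constructed samples.

```python
import re
from typing import Dict, List

# Laravel reads APP_DEBUG from its .env file. CVE-2021-3129 only works with
# debug mode on, so this is the first setting to audit on a Laravel host.
def debug_mode_enabled(env_text: str) -> bool:
    """Return True if a Laravel .env enables debug mode (APP_DEBUG=true)."""
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() in ("true", "1", "on", "yes")
    return False  # Laravel treats a missing APP_DEBUG as false

# Ignition serves its "solution" runner at this route; exploitation of
# CVE-2021-3129 consists of POST requests to it, so those are the lines to alert on.
IGNITION_ROUTE = "/_ignition/execute-solution"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_ignition_attempts(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag combined-format access-log entries that POST to the Ignition route."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if m.group("method") == "POST" and m.group("path").split("?")[0] == IGNITION_ROUTE:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status")})
    return hits

# Constructed sample data (not taken from the machine in the writeup).
SAMPLE_ENV = "APP_NAME=Lavita\nAPP_ENV=production\nAPP_DEBUG=true\nAPP_URL=http://localhost\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /contact HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 91',
    '10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /login HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("debug mode on:", debug_mode_enabled(SAMPLE_ENV))
    for hit in find_ignition_attempts(SAMPLE_LOG):
        print("ignition solution POST:", hit)
```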

First, I registered a user and logged in to the website.

04- lavita

05 - registered

Then I enabled debug mode.

06 - enabled

While searching, I found this HackerOne post, which explains the exploit in detail.

09 - h1

The HackerOne post mentioned an exploit from the joshuavanderpoll/CVE-2021-3129 repo.

10 - exploit

I downloaded it and tested it. It worked really well.

11 - rce

After a few tries, I got a reverse shell using netcat.

12 - executed nc

13 - shell

I had read permission as www-data, so I read the user flag.

14 - user flag

Lateral Movement

Environment Variable (Wrong Try)

First, I checked the website configs and found that some passwords were stored in environment variables.

15 - env

I accessed MySQL, but it did not contain any useful information.

Cronjob abuse (pspy64)

Later I ran pspy64 and found that the user with UID 1001 was periodically running a PHP file.

16 - 1001

I had write permission on that file. First, I created a PHP reverse shell.

17 - shell

Then I simply overwrote that file with it.

18 - uploaded shell

And I got the user shell.

19 - user shell

Privilege Escalation

Composer Sudo Exploitation (sudo -l)

The user had NOPASSWD sudo permissions on the composer binary for a specific working directory.

20 - sudo l

GTFOBins shows how to exploit this, but the steps need some changes to work with the required working directory. So instead of creating a temporary directory variable, I used the required working directory in the GTFOBins steps. However, the user had no write access to that directory.

22 - test

But www-data had write access, so I switched to the previous shell and created the composer.json file there.

23 - www data

Then I simply ran the last step from GTFOBins and got the root shell.

24 - ezz
