Laravel


One of the first things to check after gaining a foothold through a web server is its configuration files. Laravel is the framework cronos.htb was built on.

www-data@cronos:/var/www$ ll
total 20K
4.0K drwxr-xr-x  2 www-data www-data 4.0K May 10  2022 admin
4.0K drwxr-xr-x  2 www-data www-data 4.0K May 10  2022 html
4.0K drwxr-xr-x  5 root     root     4.0K May 10  2022 .
4.0K drwxr-xr-x 13 www-data www-data 4.0K May 10  2022 laravel
4.0K drwxr-xr-x 14 root     root     4.0K May 10  2022 ..

There is a directory at /var/www/laravel. This may be a sub-domain that I never discovered.

www-data@cronos:/var/www$ cat /etc/apache2/sites-enabled/laravel.conf
<virtualhost *:80>
ServerAdmin admin@your_domain.com
DocumentRoot /var/www/laravel/public/
ServerName cronos.htb
ServerAlias www.cronos.htb
<Directory /var/www/html/laravel/>
Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/chronos.htb-error_log
CustomLog /var/log/apache2/chronos.htb-access_log common
</VirtualHost>

Reading the /etc/apache2/sites-enabled/laravel.conf file shows that this vhost is served as www.cronos.htb, which I found earlier.

www-data@cronos:/var/www/laravel$ cat CHANGELOG.md
# Release Notes
 
## v5.4.16 (2017-03-17)
 
### Added
- added `unix_socket` to `mysql` in `config/database.php` ()[#4179](https://github.com/laravel/laravel/pull/4179))
- added pusher example code to `bootstrap.js` ([31c2623](https://github.com/laravel/laravel/commit/31c262301899b6cd1a4ce2631ad0e313b444b131))
 
### Changed
- use `smtp.mailtrap.io` as default `mail_host` ([#4182](https://github.com/laravel/laravel/pull/4182))
- use `resource_path()` in `config/view.php` ([#4165](https://github.com/laravel/laravel/pull/4165))
- use `cross-env` binary ([#4167](https://github.com/laravel/laravel/pull/4167))
 
### Removed
- remove index from password reset `token` column ([#4180](https://github.com/laravel/laravel/pull/4180))

That gives me the Laravel version: v5.4.16.

www-data@cronos:/var/www/laravel$ cat .env
cat .env
APP_NAME=Laravel
APP_ENV=local
app_key=base64:+fUFGL45d1YZYlSTc0Sm71wPzJejQN/K6s9bHHihdYE=
APP_DEBUG=true
APP_LOG_LEVEL=debug
app_url=http://localhost
 
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=homestead
DB_USERNAME=homestead
DB_PASSWORD=secret
 
BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
QUEUE_DRIVER=sync
 
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
 
MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
 
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=

The .env file has all the settings, yet the web server doesn't appear to be fully enabled, and it's running as the www-data user.

So it's no good for privilege escalation.
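The .env above is a textbook example of what a post-compromise (or pre-deployment) review of a Laravel install should look at: debug mode on, a non-production profile, stock Homestead database credentials, an unauthenticated Redis and file-backed sessions all readable by the web user. The script below is an added example written for this write-up; it is not code from the Cronos box or from the Laravel project. It parses dotenv text, flags the settings that matter, and checks the file mode. The embedded sample .env is constructed to mirror the one found on the box, with the APP_KEY replaced by an all-zero placeholder so the key-format check has something well-formed to pass; the list of checks is this author's, not an official Laravel hardening list.

```python
"""Audit a Laravel .env for settings that matter to an attacker or a reviewer.

Added example for this write-up, not code from the Cronos box or from Laravel.
The sample .env is constructed; the APP_KEY is a placeholder (32 zero bytes).
"""
import base64
import binascii
import re
import stat
from typing import Dict, List, Optional

# Constructed placeholder: a syntactically valid 32-byte key, obviously not a real one.
PLACEHOLDER_KEY = "base64:" + base64.b64encode(bytes(32)).decode()

# Constructed sample modelled on a stock Laravel 5.4 .env (Homestead defaults).
SAMPLE_ENV = f"""\
APP_NAME=Laravel
APP_ENV=local
APP_KEY={PLACEHOLDER_KEY}
APP_DEBUG=true
APP_LOG_LEVEL=debug
APP_URL=http://localhost

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=homestead
DB_USERNAME=homestead
DB_PASSWORD=secret

SESSION_DRIVER=file
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_USERNAME=null
MAIL_PASSWORD=null
"""

# Credentials that Laravel Homestead ships with out of the box.
DEFAULT_CREDENTIALS = {("homestead", "secret")}
EMPTY_VALUES = {"", "null"}
TRUTHY = {"true", "1", "yes", "on"}


def parse_env(text: str) -> Dict[str, str]:
    """Parse dotenv text: KEY=value lines, optional 'export ', quotes, '#' comments."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        quoted = re.match(r'^(["\'])(.*?)\1', value)
        if quoted:
            value = quoted.group(2)                 # keep everything inside the quotes
        else:
            value = value.split(" #", 1)[0].strip()  # unquoted: drop a trailing comment
        env[key.strip()] = value
    return env


def app_key_ok(key: str) -> bool:
    """Laravel expects APP_KEY to be 'base64:' followed by exactly 32 key bytes."""
    if not key.startswith("base64:"):
        return False
    try:
        return len(base64.b64decode(key[len("base64:"):], validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def audit_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the risky settings in a parsed .env."""
    findings: List[str] = []
    if env.get("APP_DEBUG", "false").lower() in TRUTHY:
        findings.append("APP_DEBUG=true: verbose error pages expose paths, code and config to clients")
    if env.get("APP_ENV", "").lower() != "production":
        findings.append(f"APP_ENV={env.get('APP_ENV', '<unset>')}: not a production profile")
    if not app_key_ok(env.get("APP_KEY", "")):
        findings.append("APP_KEY missing or malformed: encrypted cookies and sessions cannot be trusted")
    creds = (env.get("DB_USERNAME", ""), env.get("DB_PASSWORD", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("DB_USERNAME/DB_PASSWORD are the Homestead defaults (homestead/secret)")
    elif creds[1].lower() in EMPTY_VALUES:
        findings.append("DB_PASSWORD is empty: the database accepts the app user without a password")
    if "REDIS_HOST" in env and env.get("REDIS_PASSWORD", "null").lower() in EMPTY_VALUES:
        findings.append("REDIS_PASSWORD is null: Redis on the host is unauthenticated")
    if env.get("SESSION_DRIVER", "file").lower() == "file":
        findings.append("SESSION_DRIVER=file: session payloads live on disk, readable by the web user")
    return findings


def permissions_finding(mode: int) -> Optional[str]:
    """Flag a .env whose mode (as in os.stat().st_mode) lets group or others read it."""
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return f".env is readable by group/others (mode {stat.S_IMODE(mode):04o}); restrict it to the app user"
    return None


if __name__ == "__main__":
    for finding in audit_env(parse_env(SAMPLE_ENV)):
        print("-", finding)
    print("-", permissions_finding(0o644))
```

Run against a real install with `parse_env(open("/var/www/laravel/.env").read())` and `permissions_finding(os.stat("/var/www/laravel/.env").st_mode)`. On the Cronos-style sample every check except the APP_KEY format fires, which is the point of the write-up's remark: the file is a complete credential set for the app's database, not a path to root.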