LaVita
Source: Proving Grounds
OS: Linux
Community Rating: Hard
I started with autorecon as usual, which exposed two open ports on the target:
HTTP (80)
SSH (22)
Browsing to HTTP (80) revealed a simple page with a demo link offering options for login, registration, and even a forgot password feature. I registered, logged in, and was faced with a switch to toggle debug mode along with a file upload function. I played around with the file upload for a while, but that path turned out to be a rabbit hole.
After some online research, I found that this specific Laravel version is vulnerable to CVE-2021-3129. Sounds simple, right? Not quite: the exploit required me to be in debug mode (which was easily enabled after logging in) and to identify the log file location. None of the default paths worked.
Eventually, I found another PoC that brute-forced the log location. The first run didn’t work perfectly because of the weird process of the PoC. I had to get to the second chain before my command could be executed. And if I wanted to run another command, I had to restart the process from the beginning.
Using the second PoC, after a lot of trial and error navigating its maze, I finally got a reverse shell as the wwwroot user.
Privilege escalation on LaVita wasn’t straightforward either; it felt like several pieces had to click together.
Uploading linpeas.sh revealed a database password, but that turned out to be a dead end since nothing useful was in the database.
Then I noticed another user: Skunk. But how could I access this account? This was the first time I used Pspy64 for privilege escalation on one of these boxes. Running the tool, I discovered that PHP is executed on the artisan file located in /var/www/html/lavita, a directory I have write access to. Exploiting this, I managed to get a reverse shell as Skunk.
Now that I had Skunk, I checked the sudo privileges with sudo -l and found that I could run composer on the /var/www/html/lavita directory. I checked gtfobins and identified a method to escalate to root using composer.
There was a small hiccup, though: user Skunk didn’t have write access to that directory. Fortunately, since I already had a shell as wwwroot, I used it to edit the necessary file. I then executed the command:
And that was it, I got root, finally!
Exploitation Complexity: Even with a known vulnerability like CVE-2021-3129, it can be challenging to find a working PoC.
Multi-User Approach: When initial exploitation only gets you limited access (as wwwroot), exploring other user accounts (like Skunk) can open additional escalation paths.
Creative Escalation: Tools like Pspy64 and leveraging permitted commands such as composer can offer an effective route to root.
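Both escalation steps above depend on one misconfiguration: a more privileged account executes or loads files (artisan, and whatever Composer reads) from a directory a less privileged account can write to. The following audit is an added example, not part of the original write-up; the function names are hypothetical, and composer.json is assumed as the file Composer loads since the write-up does not name it.

```python
import os
import stat

def audit_path(target, trusted_uids, stop_at):
    """Check target and every parent directory up to stop_at.

    Returns (path, reason) findings where an account outside trusted_uids
    could modify or replace what a privileged process runs from that path.
    Conservative: any group/other write bit is reported.
    """
    findings = []
    stop_at = os.path.realpath(stop_at)
    current = os.path.realpath(target)
    while True:
        st = os.lstat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by untrusted uid {st.st_uid}"))
        # Write access to a file allows edits; write access to a directory
        # allows replacing the entries inside it.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, f"group/other writable, mode {mode:o}"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings

def audit_privileged_inputs(project_dir, filenames, trusted_uids):
    """Audit each existing file in project_dir that a privileged job consumes."""
    report = {}
    for name in filenames:
        path = os.path.join(project_dir, name)
        if os.path.exists(path):
            report[name] = audit_path(path, trusted_uids, project_dir)
    return report

if __name__ == "__main__":
    # Directory from the write-up. Trust root only; add the uid of the
    # account that owns the scheduled job if it should own these files.
    report = audit_privileged_inputs(
        "/var/www/html/lavita", ["artisan", "composer.json"], {0})
    for name, findings in report.items():
        for path, reason in findings:
            print(f"{name}: {path}: {reason}")
```

Any finding means the file should be re-owned by the account that runs it (or root) and stripped of group/other write, or the scheduled job and sudo rule should point at a directory the web user cannot modify.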