Laravel CVE / PHP Deserialization - "Larablog" HTB Business CTF

Captions
What's going on everybody, welcome back to another YouTube video. We're looking at Hack The Box Business CTF. This is the last video that I'll showcase in the web category, as this is the last challenge we have left for us to solve so far. Now before we dive in, I have to say that this is one of my favorite challenges that was part of the CTF, primarily because it pushed me into two different aspects and things that I hadn't seen before, and that was very very cool and very very fun. So without further ado, let's get into Larablog, which is kind of denoted as three star, so hard, I suppose, difficult, in the last series of web challenges, and we can get started. The challenge info says: "I really like nginx. I also really like Laravel. That's why I published a blog post about my secure boilerplate nginx config on my Laravel deployments," and it has a downloadable, excuse me, deployable part. We can start it with the Docker container. I've already spun it up and I have it open in another tab here. Now this presents itself to us with "Deploy Laravel application using nginx". It says "here's the secure boilerplate nginx config I use for my Laravel deployments, like the one I deployed for this blog". Now when I first looked at this I was like, all right, this is going to be hard, you know, let me table this for later. I don't want to look through this right now, because I was thinking, if it's a secure boilerplate nginx config, I was like, oh man, is that the default? Is that just what it ships with, which is hopefully naturally pretty secure? And this keeps telling us, oh, it's secure, but if it's part of the capture the flag, it might very well be lying to you and not actually be secure. So eventually when I wanted to revisit this, I went and just literally looked through it and carved through this entire syntax here. And just for, I guess, a sanity check, we can grab all of this and let's put it in a directory and work with it, I suppose.

Let's move into Hack The Box Business CTF, we are on web, we're in Larablog, and let's make a directory for YouTube as we sort of have been doing previously. Let's go ahead and create an nginx.conf file where we could slap this all in. Perfect. I don't know if I have any good syntax highlighting for an nginx configuration file, truth be told. I guess, could we do JSON? Oh no, no, absolutely not. Would YAML work all that well? Yeah, sort of, not really either. Bash is probably just gonna look even worse. Actually, you know what, that's not awful. The colors are important, guys. So we have a default user, nothing really telling in that regard. The worker connections, not all that telling. HTTP, a lot of this looks kind of boilerplate, again kind of as it stated: character set, keepalive, blah blah blah, nothing that we could particularly be vulnerable on. The web application itself, if you wanted to, right, you could get started with some gobuster, you could get started with nikto. That's certainly an option on this. I would naturally start with that; for the sake of showcasing I won't dive into that, but you might just approach this as you would any regular web challenge: check out robots.txt, etc. In fact, do we have a robots.txt? I think I had found this and it was like, oh, there's a real massive text, but it has nothing worthwhile or interesting. So with that said, let's bring that back. I was looking through this structure here and I thought maybe there's something weird or vulnerable in how we handle locations, and actually, you know, mapping out the web application. I know off the top of my head, when I was looking through this first, I didn't know what try_files or things might do, or the fastcgi things; some of this maybe could be potentially vulnerable somehow, and I thought, I guess I'll have to Google around and do some research. I was just thinking something has to be misconfigured here, because it didn't seem like there was anything else to latch onto. There was nothing else shown in this challenge.

So I started to Google and research, and again I'll drag you down that rabbit hole, but I was looking for nginx misconfigurations. Looks like there's something all over, from Detectify, PortSwigger, even one from nginx itself. That one I thought was very worthwhile, because if that is nginx, then maybe they'll tell us something really telling. They discussed chmod, having a root inside of a location block; I didn't see that present. You could kind of walk through this, and this is generally what I did, just walking through and trying to understand each of these and checking to see, was that going to be present in the nginx configuration file that we were looking at? None of these, at least as I remember looking through them, were all that worthwhile. The FastCGI one was particularly interesting, but it seemed to be in the good category, with document root and FastCGI name; it didn't have that kind of bad accidental absolute path there. You could use taxing rewrites, maybe that's an option, missing http prefix, proxy and everything, etc. etc. etc. Nothing was really all that worthwhile. Is this kind of thing going on here? Yeah, yep, yep, yep, scrolling through all of this, I'm pretty sure we get to the end pretty quickly, and yeah, that wasn't the best for me, but it was something to still look into. I thought, could I do like "hacking nginx misconfigurations"? And then thankfully, eventually, I thought I had found a HackTricks article, because I was trying to think, okay, HackTricks is normally pretty good, maybe HackTricks has something on nginx, and of course it does. Checking this out, you can see a lot of this actually even comes from the Detectify article, so we could probably explore it through that. This might actually showcase the issue: missing root location, that's similar to what we've just seen; off-by-slash, this is actually what we're going to dive into. With the off-by-slash misconfiguration it's possible to traverse one step up the path due to a missing slash. Orange made this technique well known in one of his Black Hat talks. That dude's a genius; he puts out so much stuff. And this is kind of the issue: if you have a /api or /directory or folder name and don't have a trailing slash, then you leave this vulnerable, and actually something you could climb up. It's sort of like a local file inclusion style sort of thing, but it's really not. It's when you include the ../, the ../ even as part of what you would have been using for that alias: it's going to take this alias that you would originally define and replace it with what you had it configured to, so that ../ that follows would then come just after the replacement, letting you climb up to that parent directory and jump over into where you would have had the v1 directory. So that's that structure, and status, we can see that even in our display here: the assets location, which is where it seemed to be hosting like CSS or images or crap like that, that is missing that trailing slash, and then it would bring you into public, but you can get out of and past public because you're climbing up with one-up traversal, parent directory. I'll show you that in just a moment. Before we dive into it I did want to discuss that HackTricks discussion. This is here: alias LFI misconfiguration. The vulnerability boils down to that, so you can climb up, and you absolutely should have a slash in here if you are trying to do this for real. They discover this as well with Acunetix, or offer some examples. I had a feeling that something else was showcased here, which it will literally tell you: yeah, Gixy, or maybe I'm saying that wrong, Gixy is a tool to analyze nginx configuration. The main goal is to prevent security misconfiguration, automate flaw detection. So if you haven't seen this, I use this and I was like, oh, that's super cool, can I add this to my toolkit? Will this just smartly figure out what the problem is if I ever maybe have an nginx thing in the future?

You could go ahead and install this with pip, super duper simple, super duper easy, and then you can just pass in an nginx.conf file. I'll show you that. I have Gixy installed, but if you wanted to pip install it you absolutely could. I apparently have it installed for Python 3, whatever. Now we could go ahead and run Gixy on this nginx.conf and it tells us, ooh, we found it: the alias traversal is a misconfigured alias, you could climb up a directory, right? It found that immediately, so I think that's a handy tool to keep in your back pocket. With that said, checking out the source of this webpage, you can see the assets would normally be serving up, again, those images or CSS files, so we would have found that with gobuster, we would have found that as we were exploring with things like nikto. All of those things could have been something that we would have tracked down, but being able to leverage and use that assets directory to climb up, that is really where the secret sauce comes in. Like, if I were to go to /assets on its own, it would weirdly end up returning the index.php from this page, which Laravel does its thing, but we could climb up and now potentially see more. Accessing the directory on its own means that, okay, we can't read that directory /www above public, but we might be able to access other files that would be present in there. Could we access that index.php through public? We had to add that public prefix back in, but we could, so that verifies and validates for us that we are in fact one directory above, because I see Laravel all in here. That makes me think, are we looking at the source to the Laravel installation? We could try to gobuster this; in fact I'll be using feroxbuster because I think that's pretty slick. Now feroxbuster, feroxbuster, it needs a URL, we'll slap that in. It needs to know a wordlist, which I have saved. How is that supposed to be supplied? Is it the --wordlist or -w? /opt/SecLists/Discovery/Web-Content, let's use raft-small-words, and because we're on Linux we'll use every case. Yeah, so now it's trying to find stuff. It sees tests, storage, config, database, app, and these are the actual locations that would be included within Laravel itself. If you don't believe me, we could probably do some smart research, because Laravel's got to be open source, right? We can just go check out Laravel on GitHub. Literally checking it out, laravel/laravel: all of those same directories, config, database, storage, tests, this is all present. Some of it might not be right, but we could try to check out artisan or we could check out composer, the package. In fact let's do that, let's check out, can we see package.json? That's a fine example; that might also clue us into what version of Laravel we're using. Yeah, okay, this is displayed here, laravel-mix version 2.0. Could we actually check out artisan? Yep, that loads for us. We could even check out the README if it exists; nope, that one doesn't. How about the changelog, is that present? There it is. Okay, so I think we're on maybe 5.5.28. We could actually do a better check of the Laravel version, yeah, "laravel version check", "how to know the Laravel version", where is it defined? If you were to run this on the command line, php artisan --version, if you were literally working with a Laravel installation that could show it to you, but if we're doing it kind of from the site or checking out the files, they check it in the composer.json file, that's one option. There we go, laravel/framework, yep, 5.5.40, that's one option. I think there was another actually recommended in src/Illuminate, all this, and you would have access to this, you would literally be able to see this because of this nginx misconfiguration. That file specifically doesn't exist; I think there are some other spaces that might be held. Yeah, it's in vendor/laravel, src/Illuminate, and Application.php. This has a period, which is a mistake and should be a forward slash. So we could try to check that out: src/Foundation/Application.php, still not found; there we go, you need the capital A because it's again case sensitive in Linux. const VERSION = 5.5.40.

Now we know what Laravel version we're up against, but there aren't a whole lot of other source code files; they're just Laravel itself. I feel like our attack surface has now just been narrowed down to attacking Laravel. With that in mind, are there any, is there like vulnerabilities in Laravel 5.5.40? Let's check out exploits. Looks like there is something on Exploit-DB, looks like there are some articles about this, Laracasts, CVE Details, Snyk has some stuff, HackTricks includes it, of course, back to our good friend HackTricks. Oh, so this is a Metasploit module. Yep, now this is something that I had tinkered with and went down the road for, and I will save us from crashing into that wall, because this makes a POST request to index.php as we're accessing the normal web page, but then if it includes a Method Not Allowed, it sort of fails. Yeah, this technique would not work because it really is necessary to be able to POST to Laravel. The way that it ends up actually taking advantage of this is using a new cookie, I believe. "This module exploits a vulnerability in the PHP Laravel framework for these versions. Remote command execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in the Encrypter. Authentication is not required; however, exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked, which allows for discovery and exploitation." Which kind of is interesting, because we should be able to track down that APP_KEY now if we can see everything included in the source of this Laravel install. They access this in the .env file, and if again we were checking out our GitHub, I thought this was peculiar, because if you were to look in there, .gitignore, right, obviously the .env file is something that they would want to hide and not push to the public repository. So checking out the .gitignore in some of this might be a handy thing to keep in mind, to see, oh, what secrets or what things should not be accessible in a normal repository but are obviously going to be seen if we have this vulnerability in a live running and production application. With that said, we'll go to /assets../.env and now we have the configuration and sensitive settings for this application, including the application key, or the secret key. It's represented in base64, so we could take advantage of that, but that's what this module would end up doing. Looking at the exploit in Metasploit, again, it wasn't a perfect check that they had if they were trying to send a POST request, and we could look into that just by simply trying to go to index.php. We could try and POST this; I guess we could do that either in Firefox with Burp or with curl. It displays a whole lot of crappy annoying Laravel error messages, so doing it with curl is a little bit messy unless you were to redirect it to a text file and add better syntax highlighting. Maybe we could just do this in Burp, and that might be a little bit nicer for us. Let's add in that target, let's try to make sure intercept is on, we could go here, and there we go. Now we could work with this. If I change the request method to POST, I just right click and hit that. Now if we were to forward this, we could see this theoretically does nothing for us. Fantastic. How about another GET request, could I see that displayed? Let's send it to Repeater, Ctrl+Shift+R to get us there. Now I'm in Repeater, and if I send this, the response I just had originally was a GET request, but if I were to change this to a POST method and send that, our response gives us a 405 Method Not Allowed. So that POST method would not work, and we might have to do a little bit more digging, a little bit more learning and research to figure out what we're up against.

We could again keep Googling; we kind of feel like there are some breadcrumbs that we could latch on to now. Given, okay, we know there's some vulnerability in Laravel in this version on how it deserializes and decrypts cookies: do we have a cookie? That's a good question to ask. Again, I'll go to our cookie manager and we can see we have a blog session, which is indicated here, and this thing all present from this application, so maybe that is the right road to go down. We could keep exploring some of these exploits and some of these articles that we see. This is actually referenced in a Hack The Box machine, I think it was Cronos. Does this script work, or does this do exactly the same POST? We can check out the source code; they encrypt and decrypt, do all of this, and yes, their exploit sends a POST with that X-XSRF-TOKEN, so that wouldn't work for us. This Rapid7 one just showcases the Metasploit module, not all that helpful. HackTricks explains everything that we've already discovered: the .env is used here, and we could encrypt or decrypt specific cookies, which is handy, but really we want to be able to craft an actual exploit chain. The deserialization RCE is showcased here; they have this leveraged in, again, the repository that we had just seen, but that uses the POST method, so that still isn't perfect for us. We could start to craft this on our own if we really wanted to, but I think we could do just a little bit more Googling, because you'll find a quick and easy one that we could latch onto and harness, and channel our inner script kiddie. Is there an RCE vulnerability? Let's see here. Here's the strong one: Truesec. This is where I wanted to drive us to in our research. Truesec put out this fantastic blog; I really like the guys over at Truesec, we've been doing a lot of work together on some of the recent news in the real world. Laravel is weirdly helpful when APP_DEBUG is enabled. We could see in our .env that APP_DEBUG seemingly was turned off. Can I actually access that? Let's get to /assets../.env. It's displayed here, yeah, APP_DEBUG, oh, oh, APP_DEBUG is true. Okay, nice. Never to be used outside of a local dev environment, oh well, it is. If we can retrieve this APP_KEY then we could do some damage, right? Understanding it, we could see the cookies that we have displayed and obviously previously checked out in our own instance. You could decode this; if you were to look at this, obviously base64 decoded, it kind of tells you what you might be looking at, with encryption schemes, initialization vector and value, that are then going to be used with the message authentication code, etc. etc. Here you see an example written in PHP that we could kind of work with, and then the MAC, and then the decrypt function. Now this is handy because we're already given all this. Anyone who has access to the APP_KEY can both impersonate other users and, if enabled, make the application deserialize arbitrary data. That's what we know in our vulnerable version of Laravel. Now the insecure serialization happens with serialize and unserialize. They showcase an example walking through a kind of classic serialization attack in PHP; they have this kind of cookie cutter example with the username, but also eventually being able to do different things, like make that user an admin. You can of course leverage this for code execution, theoretically. They do this and weaponize it with different gadgets, and gadgets can be extremely helpful when we're working with things, leveraging through different chains and pieces of PHP code. They walk through this in a little bit more depth, but then eventually get to, hey, if you want to find gadget chains you could end up using a utility that some smart folks have already put out, called PHPGGC. I don't think I've showcased this in a video before, and I again admittedly have not been too extremely familiar with it, but it's awesome because it's very, very similar to ysoserial in Java for deserialization attacks, which again I've showcased; that one I actually have in Java. I think we've used a ysoserial.net sort of thing in ASP, etc.

PHPGGC has been great and we could experiment with it, so let's actually grab that utility and start to tinker and play. It showcases you could just go ahead and make sure you have PHP installed, and then if you run this with -l you can see the potential gadget chains you might use. It has support for a lot of Laravel, and if we're looking at RCE6, 5.5.anything, that's what we're going to be up against. The others are 39.39, but we want 40, and I think they actually use this in their example, so we could experiment with this. Let's go ahead and git clone that directory. I have PHP installed; if you don't, you can sudo apt install php7.4-cli or whatever version you'd like. With that said, let's move into that directory and run that, and now we have that utility. So as it suggested, we could use -l to kind of get to see all of these different things that it could do. My font size is just a little bit messy for this, but of course Laravel is in here, so using the syntax that they had used previously, could we use that Laravel/RCE6 and then generate a simple hello world payload? That's it, it just cranks it out for us, following down the chains that Laravel would have to be able to eventually execute code that I think gets passed to an eval statement. And they walked through this thing to explain the whole process, yep, getting into the nitty-gritty of how that Laravel source code is built up. This path eventually runs load and emits dispatch to queue, eventually calls call_user_func, and eventually brings us to eval. There we go, and we do some damage, right? So if we wanted to take advantage of this, the final step before we can send the payload is to format it in the proper way for Laravel to actually decrypt and deserialize it. We'll generate the payload, use the stolen APP_KEY to encrypt it and hash it, and then the values can go into a base64 encoded JSON object. "Let's write a simple script that does this." So this is where we can kind of, again as I alluded to, be pretty cheap, be pretty script kiddie, but I think we've made a decent amount of sense out of this attack chain, and we've already kind of brought ourselves this far. So let's use this PHP script where they are defining the cipher that's used for Laravel key encryption and decryption, the chain that we might be using, supplying our base64 APP_KEY, creating a payload that's going to be generated with PHPGGC, and crafting the cookie for us. You could get a reverse shell payload if you really wanted to, and we could maybe see if this worked for us. The way that I'll do this is actually, again, probably connecting to my own public server and then seeing if I can just get a simple ping to come across. And I typed in the wrong password there. Let's start our script, let's call this exploit.php, and once this loads we can close the tags here, maybe make this a little bit beautiful, and let's change this to not make a reverse shell at the moment, but let's just try and ping johnhammond.org as a simple proof of concept, just to sanity check and verify that we could really work with this. So our current directory, /phpggc, I keep saying that wrong, that will be able to execute the command for us to get the payload, and I think we're good. All we need is that APP_KEY in base64.

So let's grab that, slap it in here, and now we could simply start a listener. So tcpdump icmp, I just want to look for ping packets. There we go, I again have repeatedly typed the password wrong. And let's run this PHP exploit, so we have this whole chunk of a cookie for us. I'll copy that and now let's focus over here to see if we can see any packets come through as I go back to this application, modify the cookie for our blog session, save it and refresh the page. It didn't work. All that build up for naught. Let's get started and clear things out. To begin, let's remove these cookies, refresh the page, so now we should have new cookies, and I think it'll actually go ahead and try to use the secondary cookie. If we were to decrypt some of those we might be able to see that, okay, and back, what, that didn't look real, that didn't look, that just looked like a rogue. If I run this code now, does that work? No. Does that machine have ping? Can I save this and run it? Maybe we're not getting an error, but do we have ping? Maybe we don't have ping. Let's try a netcat to, I guess, quad 9.

Some quick troubleshooting, right, 9999. Let me make sure that that is actually accessible on my firewall, so let me try to just do it from my host machine. Yep, okay, so let's use this. Now get back to run that exploit, I'm going to bring this to xclip so it's saved in my clipboard, and again let's remove these cookies. Why did it take me elsewhere? That's annoying. Remove, remove, remove, start fresh, and let's use it in the second one that we know is called for the blog session. If I save this and then refresh the page, we get the connection, so we just didn't have ping. We can see that we get it from this IP address, which we know is our target. So the question is, could we get a reverse shell now? If I were to just use a simple netcat -e, I think it's worth trying. Do we have bash? Could we use that original old school netcat -e to get a reverse shell? Let's try that again. I'll run the exploit, get it in the current clipboard, bring us up here so we can see when it happens. Let's delete all of our cookies to start from a clean slate and let's modify that created one with the saved PHPGGC callback, and that didn't work for us. Okay, let's try to then use a regular reverse shell. I'll go to revshells and looks like I've already got johnhammond.org staged here. Let's use quad 9 as we were using, and let's change this to the mkfifo ncat. There it is, grab that syntax and try again. Cool, rebuild, refresh, modify these cookies here, probably don't need to do that every time, but I think it's still a worthwhile thing to do. Let's save that, refresh the page and cross our fingers. Yes! All right, got the callback. Obviously we are www-data, or www apparently, as our user. We can check out what's in all of these directories and see if we can track down a flag. Let's go to the up directory, parent directory, yep, so now we're in the root and I see this flag, gxgx or qxgxv, let's get that boy displayed on the screen, and that is that challenge. Off-by-slash pwnage.

I really, really like that challenge, because I had not been familiar with those nginx configurations before, I'd not been kind of used to that Laravel exploit, and I've not even used PHPGGC in the past. So if anything, that shows how much of a scrub and a noob that I am, a straight-up script kiddie, literally just ripping that script to use, but I feel like it makes sense and I feel like this is a tool to add into our toolkit. So I think there were still some really good learning lessons in there; I hope that you've thought the same, and that finishes up the web category for Hack The Box Business CTF and a really great finish for that Larablog challenge. I'm a little jealous that that is such a fantastic task to work through. Thanks so much for tuning in, everybody, I hope you enjoyed this video. Again, as I bring this to you, obviously this really was hours in the making in real time; when I showcase it just now in this YouTube video, it's a little bit more somewhat polished, right, so that we can streamline to the proper procedure and the answer, but don't forget the significant amount of time that comes with actually going through and struggling through this the very, very first time. As I said, all of this was completely new to me, so it takes much, much longer when you're trying to learn on the fly and tap dance, you know. But that's it, I might as well wrap up the video now. Thank you so much for watching. If you like this video, please do those YouTube algorithm things, you know, like, comment and subscribe. If you would like to support me, I would be super duper grateful; I have a Patreon link and a PayPal link in the description and I really appreciate all your support and generosity. Thanks so much, everybody, I'll see you in the next video. Take care.
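The off-by-slash alias check described above (the one Gixy flagged in the video), written out as a small Python linter. This is an added example, not code from the video, from Gixy or from the challenge; the nginx snippet inside it is constructed to mirror the `location /assets` plus `alias .../public/` pattern discussed, and `resolve()` models nginx's alias substitution to show where a request lands on disk before and after the fix.

```python
"""Linter for the nginx off-by-slash alias misconfiguration.

Added example (not Gixy, not the video's code): it pulls ``location`` blocks
out of an nginx.conf, flags a prefix location without a trailing slash that
is paired with an ``alias`` directive, and shows where a request URI would
land on disk under the vulnerable block and under the corrected one.
"""
import posixpath
import re

# Constructed sample config modelled on the pattern discussed in the video:
# the first location prefix lacks a trailing slash while its alias has one;
# the second block is written the safe way for comparison.
SAMPLE_CONF = """
server {
    listen 80;
    root /var/www/public;

    location /assets {
        alias /var/www/public/;
    }

    location /static/ {
        alias /var/www/public/static/;
    }
}
"""

# One location block (no nested braces) with its optional modifier and body.
LOCATION_RE = re.compile(
    r"location\s+(?P<mod>[=^~*]*)\s*(?P<prefix>\S+)\s*\{(?P<body>[^{}]*)\}",
    re.DOTALL,
)
ALIAS_RE = re.compile(r"\balias\s+(?P<path>[^;]+);")


def find_alias_locations(conf):
    """Return (prefix, alias) pairs for every prefix location using alias."""
    pairs = []
    for m in LOCATION_RE.finditer(conf):
        if m.group("mod") in ("~", "~*", "="):   # regex or exact match: skip
            continue
        alias = ALIAS_RE.search(m.group("body"))
        if alias:
            pairs.append((m.group("prefix"), alias.group("path").strip()))
    return pairs


def off_by_slash(prefix, alias):
    """True when '..' placed right after the prefix escapes the alias dir."""
    return not prefix.endswith("/") and alias.endswith("/")


def lint(conf):
    """Return (prefix, alias, fixed_prefix) for each weak block in conf."""
    return [(p, a, p + "/") for p, a in find_alias_locations(conf)
            if off_by_slash(p, a)]


def resolve(prefix, alias, uri):
    """Filesystem path nginx would serve for uri under a prefix+alias block,
    or None when the location does not match the request at all.
    Mirrors alias semantics: the matched prefix is replaced by the alias and
    any '..' segments are then normalised by the filesystem."""
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])


if __name__ == "__main__":
    for prefix, alias, fixed in lint(SAMPLE_CONF):
        print(f"[!] location {prefix} + alias {alias}: off-by-slash, "
              f"use 'location {fixed}' instead")
        print("    /assets../.env ->", resolve(prefix, alias, "/assets../.env"))
        print("    after the fix  ->", resolve(fixed, alias, "/assets../.env"))
```

With the trailing slash added, `/assets../.env` no longer matches the location at all, so the request falls through to the server's normal `root` handling instead of escaping `public/`.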
Info
Channel: John Hammond
Views: 42,442
Id: 8L3jTFYhUqM
Length: 34min 33sec (2073 seconds)
Published: Fri Jul 30 2021