LaVita
Summary
Only two open ports: SSH (22) and a Laravel-based web app on port 80.
Identified Laravel log file path on the web server.
Leveraged CVE-2021-3129, a Laravel (Ignition) deserialization RCE reachable via log poisoning when debug mode is enabled.
Achieved code execution through poisoned logs.
Got reverse shell by modifying the exploit payload.
Let's Unpack
Enumeration
sudo nmap -A -T4 -sV -sC -p- -Pn 192.168.229.38 --open

Open Ports:
22/tcp - OpenSSH 8.4p1 Debian
80/tcp - Apache 2.4.56 (Laravel app)

Observed a default W3.CSS template on the HTTP page.
Manually enumerating team names from the web app:
Jan Ringo
Kai Ringo
Rebecca Flex
Johnny Skunk
Useful for wordlists or user enumeration later.
Initial Foothold
Vulnerable Laravel app: exploited CVE-2021-3129 (Ignition RCE via the log file).
Public exploit used: Laravel Ignition RCE Exploit
After verifying command execution, updated the payload with a reverse shell.
Got a reverse shell from the web server.
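From the defender's side, the chain above leaves two footprints: a POST to Ignition's solution-runner route (/_ignition/execute-solution) in the Apache access log, and Laravel log entries carrying phar:// or php://filter references from the poisoning step, with APP_DEBUG=true as the precondition. The script below is an added example (not part of this writeup or the public exploit) that scans both log types and the .env for those indicators; all sample log lines and the .env text are constructed for illustration.

```python
"""
Added defender-side example (not from the original writeup): detect indicators
of the CVE-2021-3129 (Laravel Ignition) log-poisoning chain in Apache access
logs, Laravel logs and the app's .env. Sample inputs are constructed.
"""
import re
from dataclasses import dataclass

# Ignition's solution-runner route, the request target in this chain.
IGNITION_ENDPOINT = "/_ignition/execute-solution"

# Stream-wrapper references left in the Laravel log by the poisoning step
# (the log itself is later treated as a PHAR archive and deserialized).
POISON_MARKERS = ("phar://", "php://filter")

# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    source: str   # "access", "laravel" or "env"
    reason: str
    line: str


def scan_access_log(lines):
    """Flag POST requests to the Ignition solution-runner endpoint."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if m["method"] == "POST" and m["path"].startswith(IGNITION_ENDPOINT):
            findings.append(Finding("access",
                                    f"POST to {IGNITION_ENDPOINT} from {m['ip']}",
                                    line))
    return findings


def scan_laravel_log(lines):
    """Flag Laravel log entries that contain a phar:// or php://filter reference."""
    findings = []
    for line in lines:
        for marker in POISON_MARKERS:
            if marker in line:
                findings.append(Finding("laravel",
                                        f"stream wrapper '{marker}' in log entry",
                                        line))
                break  # one finding per line is enough
    return findings


def debug_mode_enabled(env_text):
    """Return True if .env-style text sets APP_DEBUG to true (the precondition)."""
    for raw in env_text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() in ("true", "1")
    return False


# Constructed sample data (not real captures).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Jan/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2023:10:00:02 +0000] "GET /_ignition/execute-solution HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2023:10:00:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 64 "-" "python-requests/2.28"',
    '10.0.0.7 - - [10/Jan/2023:10:00:04 +0000] "GET /css/w3.css HTTP/1.1" 200 19000 "-" "Mozilla/5.0"',
]
SAMPLE_LARAVEL_LOG = [
    "[2023-01-10 10:00:00] local.INFO: User logged in",
    "[2023-01-10 10:00:03] local.ERROR: file_get_contents(php://filter/read=convert.quoted-printable-decode/resource=../storage/logs/laravel.log): Failed to open stream",
    "[2023-01-10 10:00:05] local.ERROR: include(phar://../storage/logs/laravel.log/test.txt): Failed to open stream",
]
SAMPLE_ENV = "APP_NAME=LaVita\nAPP_ENV=production\nAPP_DEBUG=true\n"


def run_all():
    """Collect every finding from the constructed samples."""
    findings = scan_access_log(SAMPLE_ACCESS_LOG) + scan_laravel_log(SAMPLE_LARAVEL_LOG)
    if debug_mode_enabled(SAMPLE_ENV):
        findings.append(Finding("env", "APP_DEBUG=true exposes Ignition solutions", "APP_DEBUG=true"))
    return findings


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

A GET to the endpoint is deliberately not flagged on its own: only the POST carries the solution payload. In a real deployment the fix is to set APP_DEBUG=false and upgrade facade/ignition to a patched release; the detector is for confirming whether the chain was attempted on a host that was left exposed.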
Privilege Escalation