Lavita 🔸
Enumeration
The page shows a template.
Feroxbuster finds a register path
We can create an account and
Initial Access
Searching for exploits for Laravel and debug, we find https://github.com/rocketscientist911/CVE-2021-3129
We need to clone https://github.com/ambionics/phpggc.git into the same folder as the Python file and edit the exploit with the URL and the payload.
Get the flag
Privilege Escalation
Using pspy64, we notice a task running as the user skunk that uses artisan.
So we replace artisan with a PHP reverse shell.
Next we run sudo -l.
This user can execute composer in that specific path, so we read the composer entry on GTFOBins.
I'll use the first user, www-data, to put the payload in composer.json.
Now we execute composer as skunk.
Post Exploitation
Get the flag
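A defender-side audit for the conditions this walkthrough chains (debug mode enabled, artisan and composer.json modifiable by the web account, and composer.json scripts that a more privileged user ends up running), as an added example that is not part of the original write-up. The function names, the trusted_uids parameter and the sample project tree are assumptions constructed for illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def writable_by_others(path, trusted_uids):
    """True if an account outside trusted_uids can modify or replace path."""
    for p in (path, path.parent):  # a writable parent directory allows replacement
        st = p.stat()
        if st.st_uid not in trusted_uids or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False


def audit_laravel_dir(root, trusted_uids):
    """Return a list of findings for one Laravel project directory."""
    root, findings = Path(root), []
    env = root / ".env"
    if env.is_file():
        for line in env.read_text().splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "APP_DEBUG" and value.strip().strip("\"'").lower() == "true":
                findings.append("APP_DEBUG is enabled in .env")
    for name in ("artisan", "composer.json"):
        if (root / name).is_file() and writable_by_others(root / name, trusted_uids):
            findings.append(f"{name} can be modified by an untrusted account")
    composer = root / "composer.json"
    if composer.is_file():
        # Composer runs these with the privileges of whoever invokes it, sudo included.
        for event in json.loads(composer.read_text()).get("scripts", {}):
            findings.append(f"composer.json defines script '{event}'")
    return findings


def demo():
    """Audit a constructed project tree (sample data, not taken from the target)."""
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        root = Path(d)
        (root / ".env").write_text("APP_NAME=demo\nAPP_DEBUG=true\n")
        (root / "artisan").write_text("#!/usr/bin/env php\n")
        (root / "composer.json").write_text(json.dumps({"scripts": {"post-install-cmd": "echo ok"}}))
        os.chmod(root / "artisan", 0o666)        # world-writable: should be flagged
        os.chmod(root / "composer.json", 0o644)  # owner-only write: should pass
        return audit_laravel_dir(root, trusted_uids={os.getuid()})


if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, pass the UIDs that are supposed to own the deployment as trusted_uids; any file owned by the web server account will then be reported.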