Skip to content

Lavita 🔸

Enumeration

Page shows a template.

feroxbuster finds a register path.

We can create an account and...

Initial Access

Searching exploits for laravel and debug, we find https://github.com/rocketscientist911/CVE-2021-3129.

We need to clone https://github.com/ambionics/phpggc.git to the same folder as the .py file and edit the exploit with the URL and the payload.

Get the flag.

Privilege Escalation

Using pspy64, we notice a task with the user skunk that uses artisan.

So we replace artisan with a PHP reverse shell.

Now using sudo -l...

This user can execute composer in that specific path, so reading on gtfobins...

I'll use the first user www-data to put the payload in the composer.json.

And now execute composer with skunk.

Post Exploitation

Get the flag.