
🚩 Environment — HTB Writeup

We will root the Environment HTB machine step by step.


🔍 Enumeration

First we scan the target IP with nmap:

[Screenshot 2025-09-05 162312]

We find SSH and a plain HTTP port open.


🌐 Web Exploration

Now let’s look at the website:

[Screenshot 2025-09-05 162630]

Next, let’s use the dirsearch tool to fuzz for directories. It finds a few:

[Screenshot 2025-09-05 163117]

The login page looks normal, so let’s explore the other directories:

[Screenshot 2025-09-05 165449]


⚠️ Information Leak

One of them is the upload directory. It returns an error because we used GET instead of POST, and the error page exposes the source code of that part of the application:

[Screenshot 2025-09-05 163317]

Let’s use this and try to trigger an error so the debug page reveals something useful. This is a normal request:

[Screenshot 2025-09-05 165504]

We generate an error page by leaving the remember parameter empty (neither true nor false). Now let’s see what we got:

[Screenshot 2025-09-05 165536]

The exposed code tells us that if a specific parameter is set to preprod we are logged in as admin without authentication:

[Screenshot 2025-09-07 035215]


🔎 Research

Now let’s Google this together with the Laravel version we have:

[Screenshot 2025-09-05 170044]

We get a hit, so let’s look it up:

[Screenshot 2025-09-05 170626]

[Screenshot 2025-09-05 170648]

And we can see the --env parameter:

[Screenshot 2025-09-05 170716]

Let’s try it:

[Screenshot 2025-09-05 171130]

✅ Boom — we logged in!

[Screenshot 2025-09-05 171147]


📤 File Upload RCE

We can see that we can upload a profile image:

[Screenshot 2025-09-05 171453]

So let’s try to upload our malicious file; we named it with a .php. extension (trailing dot) to bypass the extension check and get it uploaded:

[Screenshot 2025-09-05 185205]

✅ Boom, it worked!

[Screenshot 2025-09-05 185314]

Now let’s start our listener and get a reverse shell:

[Screenshot 2025-09-05 171708]

✅ BOOM — we got the shell!

[Screenshot 2025-09-05 190641]
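Why the trailing-dot trick gets past a naive extension check, and how a defender closes it, as an added example that is not part of this writeup or of the target application: the validator below (Python, although the target is a Laravel/PHP app; the logic is the same) first normalises the filename to what the filesystem will actually store, then allows exactly one extension from an allowlist, and finally checks the file's leading bytes against the declared image type. The allowlist, the sample filenames and the sample contents are constructed for this example.

```python
import os
import re
import secrets
import unicodedata
from typing import Tuple

# Allowlist for a profile-picture upload (constructed for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes of each allowed image type, so content is checked as well as the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def normalize_filename(name: str) -> str:
    """Reduce an uploaded name to what the filesystem will actually store.

    Trailing dots and spaces are stripped because Windows and several upload
    libraries silently drop them, which is what turns 'shell.php.' into
    'shell.php' after a naive '.php' check has already passed. Directory parts
    are removed so '../' cannot escape the upload folder.
    """
    name = os.path.basename(name.replace("\\", "/"))
    name = unicodedata.normalize("NFKC", name)
    return name.rstrip(". ")


def validate_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload; 'head' is its first bytes."""
    name = normalize_filename(filename)
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    parts = name.lower().split(".")
    if len(parts) != 2:
        # Exactly one extension: rejects 'shell.php.png' and extension-less names.
        return False, "exactly one extension required"
    base, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", base):
        return False, "unsafe characters in base name"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if not head.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never keep the user's name on disk: store under a random name plus the checked extension."""
    ext = normalize_filename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(8)}.{ext}"


# Constructed sample uploads: (claimed filename, first bytes of content).
CONSTRUCTED_UPLOADS = [
    ("avatar.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("shell.php.", b"<?php /* constructed */"),
    ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
    ("../../../avatar.jpg", b"\xff\xd8\xff\xe0"),
    ("avatar.png", b"<?php /* constructed */"),
]

if __name__ == "__main__":
    for fname, head in CONSTRUCTED_UPLOADS:
        ok, why = validate_upload(fname, head)
        print(f"{fname!r:28} -> {'accept' if ok else 'reject'} ({why})")
```

The order matters: normalising before checking means the check sees the same name the filesystem will, and the magic-byte test catches a PHP file that was simply renamed to .png. Storing under a random name also removes any value in controlling the filename at all.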


📦 Looting Credentials

We want to try sudo -l but we don’t have a password. Looking around, we find a backup that contains a GPG-encrypted file:

[Screenshot 2025-09-06 192301]

We also find the hidden .gnupg directory, which contains the keys needed to decrypt the file:

[Screenshot 2025-09-06 192318]

So let’s send them to our attack machine and decrypt it locally:

[Screenshot 2025-09-06 195128]

✅ Boom, we got hish’s password:

[Screenshot 2025-09-06 195139]


🔐 SSH Access

Let’s log in with SSH as hish:

[Screenshot 2025-09-06 195209]

Now let’s try sudo -l: we are allowed to run /usr/bin/systeminfo, and we can see that BASH_ENV is kept in the sudo environment:

[Screenshot 2025-09-06 195321]


⚡ Privilege Escalation (BASH_ENV Abuse)

So let’s create our malicious file and point BASH_ENV at it. Then run the allowed command with sudo so our file is executed as root:

[Screenshot 2025-09-06 200204]

And let’s see if it worked — ✅ BOOM it worked!

[Screenshot 2025-09-06 200217]

Now let’s run bash -p to drop into a root shell and grab your root flag, hacker:

[Screenshot 2025-09-06 200229]
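What makes this escalation possible is the sudoers configuration, not the systeminfo script itself: when Bash runs a non-interactive script it first sources the file named by BASH_ENV (or ENV in POSIX mode), so if sudo lets that variable through from the caller, the caller picks code that runs as root. As an added example that is not the machine's real sudoers file or any tool from this writeup, here is a small Python auditor that flags the settings a defender should look for: env_keep entries for BASH_ENV, ENV and the loader variables, !env_reset, the setenv default and the SETENV rule tag. The two sudoers snippets are constructed for the example; the weak one mirrors what the writeup describes (a rule for /usr/bin/systeminfo with BASH_ENV kept), the hardened one simply drops the env_keep line.

```python
import re
from typing import List, Tuple

# Variables a caller must not be able to hand to a root-run command: Bash sources
# the file named by BASH_ENV (or ENV in POSIX mode) before running any script,
# and the LD_* / PERL5OPT / PYTHONPATH family hijacks what a binary loads.
DANGEROUS_ENV_VARS = {"BASH_ENV", "ENV", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5OPT", "PYTHONPATH"}

# 'Defaults', optionally scoped: Defaults:user, Defaults@host, Defaults>runas, Defaults!cmd
DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.+)$")
ENV_KEEP_RE = re.compile(r'^env_keep\s*\+?=\s*"?([^"]*)"?$')

Finding = Tuple[int, str, str]  # (line number, setting, why it matters)


def audit_sudoers(text: str) -> List[Finding]:
    """Flag sudoers settings that let the invoking user control the root environment.

    Only plain lines are handled: backslash continuations and @include/#include
    directives are not followed, so run it over each included file as well.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            for opt in (o.strip() for o in m.group(1).split(",")):
                if opt == "!env_reset":
                    findings.append((lineno, opt, "caller's whole environment reaches the command"))
                elif opt == "setenv":
                    findings.append((lineno, opt, "caller may set any VAR=value on the sudo command line"))
                else:
                    km = ENV_KEEP_RE.match(opt)
                    if km:
                        for var in km.group(1).split():
                            if var in DANGEROUS_ENV_VARS:
                                findings.append((lineno, var, "survives env_reset via env_keep"))
        elif re.search(r"\bSETENV:", line):
            findings.append((lineno, "SETENV", "rule tag lets the caller override the environment for this command"))
    return findings


# Constructed sudoers snippets for this example (not the machine's real file).
WEAK_SUDOERS = """\
# weak: BASH_ENV is kept, so a Bash script run via sudo sources whatever file the caller names
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults:hish   env_keep += "ENV BASH_ENV"
root    ALL=(ALL:ALL) ALL
hish    ALL=(ALL) /usr/bin/systeminfo
"""

HARDENED_SUDOERS = """\
# hardened: env_reset alone; no env_keep for shell or loader variables
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
hish    ALL=(ALL) /usr/bin/systeminfo
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        found = audit_sudoers(text)
        print(f"{label}: {len(found)} finding(s)")
        for lineno, setting, why in found:
            print(f"  line {lineno}: {setting} ({why})")
```

Run it over /etc/sudoers and every file in /etc/sudoers.d; the fix for a hit like the weak snippet is to delete the env_keep entry (env_reset is the default and already strips BASH_ENV), and if a script genuinely needs a variable, to set it inside the script rather than accept it from the caller.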


🏁 Rooted!

We have successfully rooted Environment HTB machine 🎉