This exercise has been test driven and developed on MacOS & Docker.
Any other configurations will certainly need tweaking in certain parts, so be prepared to debug as you go along.
Debian based distros like Ubuntu and Kali Linux should work pretty well.
Basic PHP, Docker, *nix cli and Laravel knowledge are a must for this exercise.
If you're lacking any of these, prepare to learn and tackle a lot of issues as you proceed with this exercise.
This is NOT a copy-paste style exercise.
There are actual steps that you need to do and learn (and to search Google, quite a bit actually) in order to successfully complete the exercise.
The goal of this exercise is to teach you hands-on basic exploitation techniques that will threaten a poorly engineered PHP/Laravel application.
By understanding how to exploit stupid mistakes like not validating file uploads, or echoing user input raw into DOM, you'll hopefully be less likely to do these mistakes at your day-to-day life & work.
- Persistent XSS Attack
- SQL Injection Attack
- Password Cracking Attack (Dictionary Attack)
- RCE through Malicious File Uploads
- Privilege Escalation Attack
- Docker
- Docker Compose
- PHP (>v7.1 preferably) & Composer
- Yarn/npm
- nc (netcat)
- john (https://www.openwall.com/john/)
- sqlmap (https://sqlmap.org/)
- pspy (https://github.com/DominicBreuker/pspy)
- SecLists (https://github.com/danielmiessler/SecLists)
- Browser that runs Javascript & recognises
fetch()
without a polyfill, preferably Chrome/Firefox - ~3GB of free disk space
- Navigate to project root, and run
docker-compose build
to build the application docker image- This will take while since we're compiling Apache v2.2.20 & php v7.1.29 manually as part of the docker image building process
- After the image has built successfully, start the app container & db container via running
docker-compose up -d
- Tweak exposed ports in
docker-compose.yaml
if ports1234 && 33601
are already bound on your machine
- Tweak exposed ports in
- Install php dependencies via
composer install
cp .env.example .env
to create the.env
file- Install JS dependencies via yarn/npm, eg
yarn
ornpm install
- Build the JS bundle & compile Sass & Tailwind etc via
yarn dev
ornpm run dev
- Migrate & seed the database
docker exec laracon-app php /app/artisan migrate:fresh --seed
- If everything went well you should see "Best Laravel Jobs" & a working front-page by navigating to
https://localhost:1234
in your browser- If you're unsure about modifying your local hosts file, please skip the following option.
- You can optionally set a hostname by appending eg.
127.0.0.1 laravel-ctf.com
to/etc/hosts
, and then access the app viahttps://laravel-ctf.com:1234
- When you're done,
docker-compose down
to stop & remove the containers of this exercise. - You should also clean the locally built image (it's ~1,85GB in size...) by finding it via
docker image ls
and removing it viadocker image rm IMAGE_ID
- Open a web server on your local machine
- eg.
php -S localhost:8888
- eg.
- Find the company profile of 'Hacking Laravel Inc.' and send them a message via contact form
- Wrap the content of
exploits/xss.js
in script tags and send that as the message part of the contact form
- Wrap the content of
- Spy the user credentials from
DatabaseSeeder
and log in with those - Open dev tools in your browser before logging in
- Log into the system with the credentials
- Make sure that you see a 404 error & CORS error on your console to know that the XSS attack script executed successfully (do not log out or the cookie gets invalidated!)
- See the authentication cookie being recorded into stdout/logfile by the web server that you started in step 1
- Open a new incognito browser window
- Navigate to https://localhost:1234 & open dev tools
- Replace the session cookie value with the token that you got
- Make sure you copy only the token, not the URL encoded quotes around the actual value...
- Refresh your browser window
- Voilá, you've got initial foothold to the application now
- While logged in with the stolen token, see where you can find a job list within the application
- By investigating the page you found, you should be able to find a jobs API URL endpoint (has a
?sort=
param in it) - Test the API endpoint for SQLi vulnerabilities via
sqlmap -u api_url_that_you_found --batch --dbms=mysql
(keep the URL param in)- This can easily run for over 10 minutes if you're using docker-for-mac, be patient...
- You'll see 3 SQLi vulnerabilities listed if successful (if not, go back and try harder)
- See what options sqlmap has available via
sqlmap --help
& find a way to extract admin user's password hash - Save the password hash into a file, that'll be required in the next step
- Run
john
with top 10,000 passwords list (from SecLists) & bcrypt format, pass in the hash obtained in previous step - If you missed the password you can run
john
again with--show
flag - You should have the admin user's password now
- Switch to an admin account now to continue further
- With admin credentials you can find a file uploader in the application that's lacking proper file type validation
- Upload a backdoor / RCE script of your choice
- Pro tip: try building your own script by combining
system()
& passing in an argument from a HTTP request via PHP's superglobals
- Pro tip: try building your own script by combining
- Find the file you uploaded, and invade the machine by spawning a reverse shell connection onto the target machine (https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
- Pro tip: remember to URL encode the RCE payload to preserve control characters
- You should have a shell for user
daemon
now
- There's something interesting happening on the target machine consistently... Try enumerating with
pspy
and see if you can figure out what I'm referring to.- Yes, you'll need to find a way to get the script transferred onto the machine first. See what tools you've got at your disposal that suit the task at hand.
- If you don't see anything after sniffing for over 10-minutes with
pspy
, restart the containers viadocker-compose restart
& try again
- Research your findings online, and find out how the process you discovered is being configured & operated
- Hijack the process and escalate to root privileged reverse shell session
- Congratulations, you've just rooted the machine & completed the exercise.
Preferably open a PR directly rather than an issue if you find something wrong in the app and/or its documentation.
As the license states this software comes "as is" with absolutely no warranty whatsoever, and therefor isn't guaranteed to be maintained and/or updated even if found faulty.
Yes, eg. configuring a Selenium container (via Laravel Dusk for example) to trigger the XSS exploit code would be epic, rather than having to fire it manually like currently is the case.
Feel free to open a PR for such if you get inspired.
Feature wise however lets keep the application as it is, to not broaden its scope into an unmaintainable mess.
MIT - see LICENSE file