June 5, 2025

LaVita Proving Grounds Write-Up

Proving Grounds LaVita machine walkthrough

SUMMARY

This write-up covers the LaVita machine from OffSec’s Proving Grounds, a multi-stage Linux machine requiring lateral movement before privilege escalation.

Port 80 hosted a web application built on Laravel. Navigating to a non-existent path triggered a Laravel error that leaked the version as 8.4.0, vulnerable to CVE-2021-3129. This vulnerability abuses debug mode to achieve remote code execution via log poisoning. A public exploit confirmed RCE and a reverse shell was received as www-data.

pspy revealed a cronjob running php artisan as user skunk. The artisan file was owned by www-data with write access, so it was replaced with a PHP reverse shell script. After the cronjob fired, a shell as skunk was received. As skunk, sudo -l showed the ability to run composer as root. The GTFOBins technique for composer, placing a malicious composer.json in the target directory and running sudo composer, spawned a root shell.


PATH TO FOLLOW

  1. Reconnaissance & Laravel Version Leak via Error Page
  2. CVE-2021-3129 RCE via Debug Mode
  3. Reverse Shell as www-data
  4. Cronjob Discovery via pspy — Writable artisan Script
  5. PHP Shell in artisan → Lateral Movement to skunk
  6. Sudo composer Abuse via GTFOBins
  7. Shell as Root

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.