2024 © sk8thing

Hack The Box - PermX writeup

3 November 2024
CTF
HTB
Linux
Easy

Nmap scan

...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyYzjPGuVga97Y5vl5BajgMpjiGqUWp23U2DO9Kij5AhK3lyZFq/rroiDu7zYpMTCkFAk0fICBScfnuLHi6NOI=
|   256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8A41tX6hHpQeDLNhKf2QuBM7kqwhIBXGZ4jiOsbYCI
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://permx.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
...

Like many other easy Linux boxes, only two ports are open: SSH and HTTP. This suggests that the foothold will likely be through a web vulnerability.

Port 80

main_page.png

The main page didn’t provide any useful information. I attempted to submit the contact form, but it's just a dummy; it doesn't send anything.

Subdomain enumeration

I then proceeded to scan for subdomains using ffuf and discovered lms.permx.htb.

ffuf_scan.png
chamilo_page.png

Directory discovery

I began searching for the Chamilo version in the source code of the page but couldn’t find it. As a next step, I started running a directory scan, hoping to uncover something that could reveal the version. This led me to http://lms.permx.htb/documentation, where I discovered that the site was running Chamilo version 1.11.

chamilo_version.png

I then googled for vulnerabilities related to Chamilo version 1.11 and found CVE-2023-4220.

User flag

I followed the exploit instructions and successfully obtained a shell as www-data. From there, I began searching for a way to escalate privileges, but I couldn't find anything promising, so I decided to run linpeas.

db_password.png

linpeas discovered a password inside a PHP file, which I used to log in as the mtz user. Once inside, I just claimed the user flag.

Root flag

The first thing I did after logging in as mtz was to check for any sudo privileges.

sudo_priviledges.png

The script used setfacl to grant permissions to files, but only if they were located within /home/mtz. To exploit this, I created a symlink to /etc/sudoers and executed the script to gain write access to the file. Once I had permissions, I edited the sudoers file to grant mtz full sudo privileges and claimed the root flag.

root_flag.png
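
The weakness described in the Root flag section, seen from the fixing side. This is an added example, not the script from the box (its contents are not reproduced in this post): a path check that only inspects the supplied string, next to one that resolves symlinks before deciding. `ALLOWED_BASE`, `weak_check` and `hardened_check` are hypothetical names, and `readlink -f` and `stat -c` assume a GNU/Linux userland.

```sh
# Added example, not the script from the box. ALLOWED_BASE and the function
# names are hypothetical; readlink -f and stat -c are the GNU/Linux forms.
ALLOWED_BASE="${ALLOWED_BASE:-/home/mtz}"

# Weak: validates only the string the caller typed. A symlink stored under
# ALLOWED_BASE passes, and the ACL change then lands on whatever it points to.
weak_check() {
    case "$1" in
        *..*) return 1 ;;
        "$ALLOWED_BASE"/*) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Hardened: prints the canonical path on success so the caller acts on the
# resolved file, never on the caller-supplied name.
hardened_check() {
    # Refuse a symlink as the final path component.
    [ -L "$1" ] && return 1
    # Canonicalise both sides so symlinked parent directories are resolved too.
    hc_base=$(readlink -f -- "$ALLOWED_BASE") || return 1
    hc_real=$(readlink -f -- "$1") || return 1
    case "$hc_real" in
        "$hc_base"/*) ;;
        *) return 1 ;;
    esac
    [ -f "$hc_real" ] || return 1
    # A hard link is another name for a file that may live elsewhere.
    [ "$(stat -c %h -- "$hc_real")" -eq 1 ] || return 1
    # Residual risk: the file can still be swapped between this check and
    # its use, so a user-writable tree is a poor place to apply ACLs as root.
    printf '%s\n' "$hc_real"
}
```

Letting a privileged helper change ACLs on paths inside a directory the caller owns stays fragile even with these checks; a fixed list of permitted files is the safer design.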