Hack The Box - PermX writeup

3 November 2024
CTF Writeup, Hack The Box, Machine, Linux

Nmap scan

...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyYzjPGuVga97Y5vl5BajgMpjiGqUWp23U2DO9Kij5AhK3lyZFq/rroiDu7zYpMTCkFAk0fICBScfnuLHi6NOI=
|   256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8A41tX6hHpQeDLNhKf2QuBM7kqwhIBXGZ4jiOsbYCI
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://permx.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
...

Like most easy Linux machines, only two ports are open: SSH and HTTP. This suggests that the foothold will likely be through a web vulnerability.

Port 80

HTB PermX main page

The main page didn’t provide any useful information. I attempted to submit the contact form, but it's just a dummy; it doesn't send anything.

Subdomain enumeration

I proceeded to scan for subdomains using ffuf and discovered lms.permx.htb.

HTB PermX ffuf scan

HTB PermX Chamilo page

Directory discovery

I began searching for the Chamilo version in the source code of the page but couldn’t find it. As a next step, I started running a directory scan, hoping to uncover something that could reveal the version. This led me to http://lms.permx.htb/documentation, where I discovered that the site was running Chamilo version 1.11.

HTB PermX Chamilo version

I then googled for vulnerabilities related to Chamilo version 1.11 and found CVE-2023-4220.

User flag

I followed the exploit instructions and successfully obtained a shell as www-data. From there, I began searching for a way to escalate privileges, but I couldn't find anything promising, so I decided to run linpeas.

HTB PermX DB password

linpeas discovered a password inside a PHP file, which I used to log in as the mtz user, then claimed the user flag.

Root flag

The first thing I did after logging in as mtz was to check for any sudo privileges.

HTB PermX sudo privileges

The script used setfacl to grant permissions to files, but only if they were located within /home/mtz. To exploit this, I created a symlink to /etc/sudoers and executed the script to gain write access to the file. Once I had permissions, I edited the sudoers file to grant mtz full sudo privileges and claimed the root flag.
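
The weakness described above is a path check that trusts the name of a file rather than where it resolves to. The following is an added example, not the script from the box and not the author's code: it contrasts a string-prefix check with one that rejects symlinks and compares canonical paths. The function names and the sandbox layout are hypothetical, the weak check's exact form is an assumption, and the sandbox is built in a temp directory in place of /home/mtz and /etc/sudoers.

```shell
#!/usr/bin/env bash
# Added example: validating a user-supplied path before a privileged ACL change.
# weak_check, strict_check, verdict and run_demo are hypothetical names; the
# sandbox is constructed under a temp directory and no real system file is used.

# Weak: compares the path *string* only, so a symlink placed inside the
# allowed directory is accepted even though it points somewhere else.
weak_check() {  # usage: weak_check <allowed_root> <path>
  case "$2" in
    *..*) return 1 ;;
    "$1"/*) [ -e "$2" ] ;;
    *) return 1 ;;
  esac
}

# Strict: reject a symlink as the final component, resolve every remaining
# link with readlink -f, then compare the canonical path to the canonical root.
strict_check() {  # usage: strict_check <allowed_root> <path>
  local root target
  [ -L "$2" ] && return 1
  root=$(readlink -f -- "$1") || return 1
  target=$(readlink -f -- "$2") || return 1
  [ -f "$target" ] || return 1
  case "$target" in
    "$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

verdict() { if "$@"; then echo allow; else echo deny; fi; }

run_demo() {
  local box home p
  box=$(mktemp -d) || return 1
  home="$box/home/user"
  mkdir -p "$home/sub" "$box/etc"
  echo "notes" > "$home/notes.txt"
  echo "protected" > "$box/etc/protected.conf"
  ln -s "$box/etc/protected.conf" "$home/link"   # symlink to a file outside
  ln -s "$box/etc" "$home/sub/dirlink"           # symlink to a directory outside
  for p in notes.txt link sub/dirlink/protected.conf; do
    echo "$p weak=$(verdict weak_check "$home" "$home/$p")" \
         "strict=$(verdict strict_check "$home" "$home/$p")"
  done
  rm -rf "$box"
}

run_demo
```

A check followed by a later use is still racy in a directory the user can write to, so the privileged command should act on the resolved path, and delegating ACL changes through sudo is best avoided where possible.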

HTB PermX root flag