{"id":489,"date":"2024-09-28T20:29:31","date_gmt":"2024-09-28T20:29:31","guid":{"rendered":"https:\/\/infosecjake.net\/?p=489"},"modified":"2025-02-05T02:32:02","modified_gmt":"2025-02-05T02:32:02","slug":"hackthebox-permx-walkthrough","status":"publish","type":"post","link":"https:\/\/infosecjake.net\/?p=489","title":{"rendered":"HackTheBox – PermX Walkthrough"},"content":{"rendered":"\n

Hey everyone, it’s been a minute since I’ve dropped a walkthrough. Life has kept me busy lately and I just haven’t had the time to do one. Additionally, I have started to focus more on HackTheBox machines than TryHackMe. I would encourage either, for those interested. However, HTB does tend to be a little more difficult with less guidance. HackTheBox does have some helpful information on their VPN system that you will need to use to work on these machines.<\/p>\n\n\n\n

Today, we are doing an easy machine called PermX.<\/p>\n\n\n\n

Without further ado, let’s get to it!<\/p>\n\n\n\n

As usual, we will kick off with a port scan.<\/p>\n\n\n\n

\"Port<\/figure>\n\n\n\n

Port scan shows that we have SSH open and HTTP on port 80. As is typical with these HTB boxes, it\u2019s a bit apparent that our avenue into the box will have to do with the http service on port 80. So, let\u2019s take a look at that.<\/p>\n\n\n\n

First, we want to add this IP\/hostname to our hosts file.<\/p>\n\n\n\n

\"Adding<\/figure>\n\n\n\n

Which reminds me that I need to clean up my hosts file from previous boxes \ud83d\ude0a.<\/p>\n\n\n\n

Now, we can navigate to the site. Here\u2019s what we get.<\/p>\n\n\n\n

\"permx<\/figure>\n\n\n\n

After some quick site browsing, I\u2019m not seeing anything that stands out just yet. So, let\u2019s do some directory browsing with dirb.<\/p>\n\n\n\n

Not much from dirb, not seeing anything in these directories that sticks out.<\/p>\n\n\n\n

\"Dirb<\/figure>\n\n\n\n

Dirb is decent but not the best at finding things, so let\u2019s use ffuf.<\/p>\n\n\n\n

\"ffuf<\/figure>\n\n\n\n

Now, we have found a couple subdomains for the site. First thing, we gotta add these to our \/etc\/hosts file as well.<\/p>\n\n\n\n

After that, let\u2019s look at them.<\/p>\n\n\n\n

Navigating to lms.permx.htb gets us a login page to Chamilo.<\/p>\n\n\n\n

\"Chamilo<\/figure>\n\n\n\n

After doing some quick searching for Chamilo vulnerabilities I found that it has a file upload RCE vulnerability for CVE-2023-4220<\/strong>. After further research, it does appear that there are POC exploits and a manual exploit listed here: https:\/\/starlabs.sg\/advisories\/23\/23-4220\/<\/a><\/p>\n\n\n\n

I first started off with attempting the manual exploit, I was able to get the \u2018id\u2019 command to work, so I know it does work. However, I found a nifty script that seems to do it all. That script is here: https:\/\/github.com\/m3m0o\/chamilo-lms-unauthenticated-big-upload-rce-poc<\/a>

Following the documentation, I ran the main.py script with the \u2018-a scan\u2019 flag, then the \u2018-a webshell\u2019 flag, and finally with the \u2018-a revshell\u2019 flag. Of course, I had my netcat listener running. Finally, we have a reverse shell.<\/p>\n\n\n\n

\"Reverse<\/figure>\n\n\n\n

Next, let\u2019s look around and see what we can find\u2026and then elevate privileges.<\/p>\n\n\n\n

When in doubt\u2026.linpeas it out?<\/p>\n\n\n\n

\"launch<\/figure>\n\n\n\n
\"finding<\/figure>\n\n\n\n

After a bit of searching through the results, I noticed that I was able to find a password. A little more searching and I noticed a user named \u2018mtz\u2019 and a \/home directory for mtz. So\u2026taking a long shot. I tried to SSH into the box with the username mtz and password I found in linpeas.<\/p>\n\n\n\n

\"SSH<\/figure>\n\n\n\n

Well then, I was not expecting that to be the correct password. However, here we are!<\/p>\n\n\n\n

\"user<\/figure>\n\n\n\n

User flag captured!<\/p>\n\n\n\n

I once again ran linpeas and found the below that stuck out to me.<\/p>\n\n\n\n

\"acl.sh<\/figure>\n\n\n\n

A quick look at acl.sh and this looks pretty interesting. I\u2019m thinking that this is the way to root.<\/p>\n\n\n\n

\"acl.sh<\/figure>\n\n\n\n

I\u2019m not familiar with this but after some more googling fun, it looks like this will allow me to change permissions on any file for any user as long as it\u2019s in mtz\u2019s home directory. Now, my first question was \u201cwell how would I do that when I know it wont let me move a \u2018root\u2019 owned file?\u201d. Well, after a bit MORE research, I dug into \u2018smlink\u2019. This provides a way to create references or pointers to files or directories. So, I could have a \u2018shortcut\u2019, in essence, in mtz\u2019s directory that links to another file somewhere else. Symlinks are \u2018symbolic links\u2019 and that is exactly what they do. Having never used a symbolic link for privilege escalation, this would be interesting.<\/p>\n\n\n\n

Onwards we go.<\/p>\n\n\n\n

After much toiling\u2026.we created a symlink to \/etc\/passwd<\/p>\n\n\n\n

\"Creating<\/figure>\n\n\n\n

Now, we can see \/etc\/passwd. How to change the root password?<\/p>\n\n\n\n

\"\/etc\/passwd\"<\/figure>\n\n\n\n

Currently we see that it is set, indicated by the x.<\/p>\n\n\n\n

Well, what if instead of the passwd file, we create a link to \/etc\/shadow? Well, I tried this and it was encrypted with yescrypt and I could not find an easy way to decrypt the root password. If you can, I\u2019d like to hear how you did it!<\/p>\n\n\n\n

So, back to the \/etc\/passwd file instead. Since we know that probably can\u2019t decrypt the password, what if we either clear the password or even create a new root user?<\/p>\n\n\n\n

Let\u2019s try the latter option\u2026<\/p>\n\n\n\n

\"creating<\/figure>\n\n\n\n

Created a new root user in the file.<\/p>\n\n\n\n

\"root2<\/figure>\n\n\n\n

Validated that it is there. Now to switch over to root2.<\/p>\n\n\n\n

\"Changing<\/figure>\n\n\n\n

Voila!<\/p>\n\n\n\n

We now have root access.<\/p>\n\n\n\n

\"root<\/figure>\n\n\n\n

And there we go! Root flag captured!<\/p>\n\n\n\n

Hope you enjoyed this one, some new stuff to learn and it was pretty fun. Until next time!<\/p>\n","protected":false},"excerpt":{"rendered":"

Hey everyone, it’s been a minute since I’ve dropped a walkthrough. Life has kept me busy lately and I just<\/p>\n

Continue readingHackTheBox – PermX Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":492,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[42,43,34],"class_list":["post-489","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-challenge-walkthroughs","tag-hackthebox","tag-permx","tag-walkthrough"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/infosecjake.net\/wp-content\/uploads\/2024\/09\/image-2.png","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=489"}],"version-history":[{"count":2,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/489\/revisions"}],"predecessor-version":[{"id":549,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/489\/revisions\/549"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/media\/492"}],"wp:attachment":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}