PermX HTB Walkthrough by Laith Younes
Cyber Security Engineer @ ScanWave | SOC Analyst | CTF Player | CEH | CSA
Hack the Box Challenge Target: A Linux Operating System with a web application vulnerability leading to total system takeover.
Difficulty: Easy
Summary: The PermX machine on Hack The Box conceals a significant vulnerability: an insecure deserialization flaw in the web application, allowing an attacker to gain unauthorized access. By exploiting this vulnerability, an attacker can execute arbitrary code and potentially escalate privileges, leading to a complete system compromise.
Walkthrough Warning: The following contains spoilers for solving the PermX challenge!
Enumeration
Starting off with an Nmap scan of the target provides insight into open ports and services running on the machine.
Great news! The web service is accessible over HTTP. Time to visit the web page!
To expand our knowledge of the system, let's scan for additional subdomains beyond the identified ones.
Ready for some pathfinding? Let's navigate these routes in the browser and see where they lead.
After fuzzing the directories, I discovered /documentation, where I noticed that Chamilo is running version 1.11. A quick search for CVEs revealed some potential vulnerabilities related to this version.
Let's clone the exploit.
Summary of the Exploit
The exploit.py is a Python script designed to exploit a deserialization vulnerability in the Chamilo web application. It accomplishes this in several steps:
1. Vulnerability Check: The script first checks whether the target is vulnerable.
2. Web Shell Upload: If the target is confirmed vulnerable, it uploads a PHP web shell to the server, which allows remote command execution.
3. Reverse Shell Setup: The exploit then creates a Bash script that establishes a reverse shell connection back to the attacker's machine, giving full command execution control over the compromised server.
Boom! Your reverse shell is alive, and you're one step closer to victory.
A hidden gem revealed itself within the depths of the system: configuration.php, tucked away in /var/www/chamilo/app/config. What secrets might it reveal?
We got a username and password here! I tried to SSH with them, but I couldn't get access to the machine.
After digging through /etc/passwd, I found another user!
Let's try to SSH as this user!
Woohoo! Flag captured! Take a victory lap, then refocus and unleash your skills on the next stage.
Privilege Escalation
After discovering that the current user can run “/opt/acl.sh” as root, we identify the existing script “acl.sh” as a means for privilege escalation.
This script allows the user mtz to change permissions on any file for any user, provided the target file is located within the mtz user's home directory. Because the check only looks at the path, we leverage this capability by creating a symlink to /etc/passwd inside the home directory.
First, I create a symbolic link to /etc/passwd inside the home directory, naming it "test". Through this symlink, acl.sh will modify the permissions of the original root-owned file.
Next, I grant read and write permissions on the symlink to the user "mtz" using acl.sh.
Then, I create the user "root3" by echoing a new entry onto the symlink. Since the symlink points to /etc/passwd, the change lands in the original file.
Finally, I switch to the user "root3" using the command su root3.
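The whole escalation hinges on acl.sh trusting the path string instead of the file it actually points to. As an added example (not the box's acl.sh, whose contents are not shown here), this POSIX shell snippet contrasts a prefix-only path check with one that refuses symlinks and compares the canonical path; the home directory and the fake /etc/passwd are constructed in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not the acl.sh from the box: a path check that only inspects
# the string prefix is bypassed by a symlink, while resolving the canonical
# path (and refusing symlinks) rejects the same input.

# Constructed throwaway tree: a fake home directory and a fake /etc/passwd.
DEMO_ROOT=$(mktemp -d)
ALLOWED_DIR="$DEMO_ROOT/home/mtz"
mkdir -p "$ALLOWED_DIR" "$DEMO_ROOT/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DEMO_ROOT/etc/passwd"
ln -s "$DEMO_ROOT/etc/passwd" "$ALLOWED_DIR/test"   # the symlink trick from the write-up
touch "$ALLOWED_DIR/notes"                           # a legitimate file that should pass

# Weak check: accepts anything whose name starts with the home directory.
weak_check() {
    case "$1" in
        "$ALLOWED_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened check: refuse symlinks outright, then compare the resolved path.
strict_check() {
    [ -L "$1" ] && return 1
    real=$(readlink -f -- "$1") || return 1
    case "$real" in
        "$ALLOWED_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "accepted" or "rejected" so both checks can be compared side by side.
verdict() {   # $1 = check function, $2 = path
    if "$1" "$2"; then echo accepted; else echo rejected; fi
}

weak_result=$(verdict weak_check "$ALLOWED_DIR/test")
strict_result=$(verdict strict_check "$ALLOWED_DIR/test")
legit_result=$(verdict strict_check "$ALLOWED_DIR/notes")

echo "weak check on symlink:    $weak_result"    # the ACL would land on /etc/passwd
echo "strict check on symlink:  $strict_result"
echo "strict check on real file: $legit_result"

rm -rf "$DEMO_ROOT"
```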
Root? Check! Privilege escalation? Piece of cake! We're scaling the system like a mountain climber, and guess what? We reached the summit - the root flag is ours!
Until next time, may your exploits be fruitful, and your flags plentiful!
Comment from a student at itis G.Armellini (1 month ago):
echo "root3::0:0:root3:/root:/bin/bash" >> ./attack
mtz@permx:~$ su root3
su: user root3 does not exist or the user entry does not contain all the required fields
I have this error