PermX Hack the Box Walkthrough

 Welcome to another Hack The Box exercise. Today, we will try and pwn the PermX machine on Hack The Box. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel (https://www.youtube.com/@BoltechTechnologies1) and follow me on LinkedIn (https://www.linkedin.com/in/isiaq-ibrahim-468588156/) for more updates.

The first step in solving this machine is to connect the Kali Linux machine with the Hack the Box server. To do this, I logged in to my HTB account and click “Connect to HTB.” I chose the EU server and click on the “Download VPN” button.

About the machine

PermX is an "easy" difficulty Linux machine on HackTheBox (HTB) that involves concepts such as RCE in an LMS, credential hunting, and exploiting a misconfigured script. The machine's write-ups detail the exploitation of a Chamilo LMS web application to gain root access. PermX is a Linux machine featuring a learning management system vulnerable to unrestricted file uploads via [CVE-2023-4220](https://nvd.nist.gov/vuln/detail/CVE-2023-4220). This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A `sudo` misconfiguration is then exploited to gain a `root` shell.

Once the download has been completed (.ovpn file), I moved it into the new folder I have just created on my desktop called "PermxHTB.”. Once the file has been moved/copied, I opened the directory in my terminal by right-clicking and chose the option “Open in terminal.” Once my terminal has been opened, I typed the following commands to establish a connection between my Kali Linux terminal and Hack The Box server:

sudo openvpn permx.ovpn

Once the connection has been successfully established, “Connect to HTB” button turned green and shows the number of active connections. Next, I clicked on “machines” and choose “PermX”, then clicked on “Join machine” to start the machine. The machine was assigned an IP address of 10.10.11.23.

Afterwards, I performed enumeration using Nmap by typing the following command in my terminal.

nmap -sCV -A 10.10.11.23

This scanned all the ports available on the target machine (10.10.11.23) and provide a detailed report on each of the ports.

I found two open ports on the target machine (port 22/tcp and port 80/tcp). On port 80, it can be seen that the port is a web application because it uses http-title and we can also see that the platform is an E-learning website.

The next step was adding the target IP address and URL domain name to the /etc/host folder. To add the IP address, I typed the following command in my terminal.

sudo nano /etc/hosts

This launched the GNU interface allowing me to add the IP address and URL domain name. After this has been successfully added, I performed a subdomain enumeration using ffuf which showed other URL subdomain that may be associated with the target system. I ran the following commands in my terminal afterwards:

ffuf -u http://permx.htb -H "Host:Fuzz.permx.htb" -w /usr.share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -fw 18

I found two subdomains

• www
• lms

Which I will add these to my vhost file using the following command:

sudo nano /etc/hosts

Then I added the following in the /etc/hosts file:

10.10.11.29 lms.permx.htb

Then I opened my FireFox browser and visited lms.permx.htb

Upon visiting the website, I found out the website has a login screen with a username and password text input field. I tried using common default username and password but none works! So, I tried to find another way to solve this.

I started looking for vulnerabilities associated with Chamilo application by looking it up on Google and ExploitDB. I came across a GitHub repository with PoC to gain unauthenticated reverse shell on websites running Chamilo.

I downloaded this exploit by clicking on “Code” and then on “Download ZIP”. Once the zip file has been downloaded, I unzipped it by running the following code:

unzip Chamilo-CVE-2023–4220.zip .

This unzipped the file and I navigated into the directory. Afterwards, I downloaded a reverse shell php file on pentest monkey to gain a reverse shell.

Inside the extracted CVE-2023–4220 folder, I right-clicked and chose the option “open in terminal” and this launched the terminal. Inside the terminal, I ran the following commands to give admin privilege to run/execute the CVE-2023–4220.sh file:

chmod +x CVE-2023–4220.sh

./CVE-2023–4220.sh

Once this has been completed, I uploaded the reverse shell file on lms.permx.htb by running the following command:

./CVE-2023–4220.sh -f reverse-shell.php -h http://lms.permx.htb -p 4444

To stabilize the connection, I ran the following commands in the terminal:

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Then I pressed and hold CTRL + Z, followed by:

stty raw -echo; fg

After getting the reverse shell, I navigated into the directory in the following order by running the following command in the terminal:

cd /var/www/app/config

Then I opened the configuration.php file by running the following command in the terminal:

cat configuration.php

This opened the configuration.php file and I found the db_admin username and password

Next, I ran the ssh command by opening a new terminal. In the new terminal, I typed the following command:

ssh mtz@10.10.11.23

This created a reverse shell at mtz@10.10.11.23

Next, I listed the files/directory in the user mtz root directory by running ls command

Then I read the content of the user.txt file by running cat user.txt. There I found my user flag. I copied it and submit it on hack the box.

Next, I tried to find the root flag. So, I ran the sudo -l command to see if there is any command mtz user can run as sudo and I found:

I found out that User mtz may run the following commands on permx. To read the file,  I typed the following commands in the terminal:

cat /opt/acl.sh

By running the command above, it displayed the content of the acl.sh file. Afterwards, I used this script to change the permissions on the sudoers file and modified it to give the mtz user sudo privileges on the host. To achieve this, I created a symbolic link to the /etc/sudoers file on /home/mtz directory and used the script to give read/write permissions to the user.

I got the root shell. Next, I changed the directory to previous directory (twice) and list the files in the directory by running (cd root). Once the directory has been successfully changed, I listed all the files and read the root flag by running the command:

cat root.txt

Hurray!! I got my root flag

If you enjoy reading my writeup and would want to get notification as soon as I make a new writeup, do not forget to subscribe to my YouTube channel and follow me on my other social media accounts. Thank you.

Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1

Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Follow me on Twitter: https://x.com/Isiaq_Ibrahim99

Follow me on Twitter: https://x.com/BoltechNG

Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib

Download my writeup here: https://drive.google.com/file/d/1A7TDAZZPFHxDBNBtzzWd8kOhdcMoUheW/view?usp=drive_link

This walkthrough was first published on Medium on July 19th 2024, but was pulled down by Hack The Box and Medium. The reason was: I uploaded a spoiler which is in violation of the terms and agreement of Hack the Box. The walkthrough had 55 views and 37 reads on Medium and 4,128 views on YouTube.