HackTheBox – PermX Walkthrough

Hello all, it's been a long time since I posted a blog here, so I might be a bit rusty. Spare me a few errors here and there, and comment if you want to see this HackTheBox walkthrough series continue. At some point we will also release blogs on product security and development. With that said, let's dive into the machine.

Before starting any HTB machine there are a few rituals to perform: add the IP and hostname to the /etc/hosts file and kick off the Nmap scan.

nmap -sC -sV -A -T4 10.10.11.23 -oN nmap.txt

I generally start my directory bruteforcing in the background, then look at the results and check whether anything is interesting.

ffuf -w ~/SecLists/Discovery/Web-Content/raft-medium-files.txt -u http://permx.htb/FUZZ -mc 200 -s

Now let's take a look at the website on port 80, as I don't think there is a public exploit for the SSH version. While browsing you will notice that it is a completely static website with no links, no forms, and not even a login page. Looking at the source code will not give you anything interesting either. When this kind of situation arises, I generally use Wappalyzer to fingerprint the technology in use and check whether it is a vulnerable version. In this case it is not, so let's take a look at the data our directory bruteforce gave us.


Hmm, there is nothing much of interest. This is the point where I thought a subdomain bruteforce was necessary, so I started one with FFUF.

# Fuzz the Host header rather than the hostname in the URL: FUZZ.permx.htb is not in /etc/hosts, so it would never resolve.
# -ac auto-calibrates the filters so the default vhost's catch-all response is dropped from the output.
ffuf -u http://permx.htb -H "Host: FUZZ.permx.htb" -w ~/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -ac -s

While the subdomain bruteforce was running, I was checking the requests and responses in Burp, clicking random things on the website to find an entry point. I didn't find anything interesting there. So I looked at the subdomain bruteforce results, which had a new subdomain for me.


It looks like a CMS portal. I started directory bruteforcing while I tried the default username and password for the portal.


I tried going through the files one by one, and from the License.txt file I learned that the CMS version was 1.11.

I searched Google for an exploit and found a GitHub repository. I quickly downloaded it and ran it with a Netcat listener on my host machine. Read any PoC you pull from GitHub before running it: it is untrusted code executing on your own machine, and a bad one can do more than pop a shell on the target.


Voila, now we have a shell on the machine. Let's stabilize it so that I don't get garbage characters when using the up and down arrows. This S1ren trick has saved me so much time on other boxes where you have to navigate within the box; even if you press Ctrl+C the shell will not break.

# 1. In the netcat shell: upgrade to a proper PTY so job control and line editing work
python3 -c 'import pty; pty.spawn("/bin/bash")'
# 2. Give the shell a sane environment (/tmp at the end of PATH is a lab convenience only; leave it out anywhere that is not a throwaway shell)
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
# 3. Press Ctrl+Z to background the netcat process, then run this on your LOCAL terminal:
#    raw mode passes Ctrl+C and arrow keys through to the remote shell instead of killing nc
stty raw -echo ; fg ; reset
# 4. Back in the remote shell: give it a usable size so full-screen programs render correctly
stty columns 200 rows 200

Now that the shell is stabilized, let's look around for more information about the machine. On this kind of machine you generally have to move laterally to a user and then to root to grab the flags.

After a bit of digging, I saw that there was a user mtz on the machine. I was searching through the web config files for a password when I came across a .php database configuration file. Sadly I forgot to take a screenshot, but there I found the password for the user mtz. Now that I have the password, let's log in with su mtz and enter it.


Now let’s grab the user.txt under /home/mtz .

After logging in as mtz, I ran sudo -l to check what I was allowed to run and saw an acl.sh file under /opt. Let's try to understand what it does.


It is a relatively small script that takes three arguments (a user, a permission, and a path) and lets mtz grant that ACL permission on the path, with two restrictions: the path has to be under /home/mtz/* and the target must be a file. Both restrictions are evaluated on the path string you pass in, not on what it resolves to, and a regular-file test such as [ -f ] follows symlinks, so a symlink inside /home/mtz that points at a root-owned file satisfies both. That matters because, if you check the home directory for mtz, there is nothing in it yet.

Now it clicked: if we create a symlink in /home/mtz that points to /etc/sudoers, the script will happily grant mtz write permission on the real file, and we can append a sudo rule from the mtz home directory and escalate to root. Let's try that.


Voila, it worked! Now let's grab the root flag and we are done. Note that the appended sudoers line and the symlink are persistent changes to the box; on a real engagement you would record them and revert them once the finding is documented.
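To see exactly why the symlink slipped through, and what a fixed check looks like, here is a local reconstruction of the path check. This is an added example, not the /opt/acl.sh from the box (the write-up only shows it in a screenshot), so the script body, the check_vulnerable and check_hardened function names, and the scratch directory standing in for /home/mtz and /etc/sudoers are all assumptions. It runs as an unprivileged user and never calls setfacl or touches the real files; it only reproduces the decision the script makes before it would.

```shell
#!/bin/sh
# Added example, not the box's /opt/acl.sh: a reconstruction (assumption) of the
# path check the write-up describes, beside a hardened version. Runs unprivileged
# against a scratch directory that stands in for /home/mtz and /etc/sudoers.

SANDBOX="${SANDBOX:-$(mktemp -d)}"
HOME_DIR="$SANDBOX/home/mtz"        # stands in for /home/mtz
PROTECTED="$SANDBOX/etc/sudoers"    # stands in for the root-owned /etc/sudoers

# Build the scenario: a protected file outside the home directory and the
# symlink the write-up creates inside it. Safe to call repeatedly.
setup() {
    mkdir -p "$HOME_DIR" "$SANDBOX/etc"
    printf 'root ALL=(ALL:ALL) ALL\n' > "$PROTECTED"
    ln -sf "$PROTECTED" "$HOME_DIR/sudoers"
}

# Vulnerable check, modelled on the rules the write-up reports: the path must
# start with the home directory, must not contain "..", and must be a file.
# Every test looks at the string the caller passed; "[ -f ]" follows symlinks,
# so a link to a regular file anywhere on the system passes.
check_vulnerable() {
    target="$1"
    case "$target" in
        "$HOME_DIR"/*) ;;
        *) echo "Access denied."; return 1 ;;
    esac
    case "$target" in
        *..*) echo "Access denied."; return 1 ;;
    esac
    [ -f "$target" ] || { echo "Target must be a file."; return 1; }
    return 0
}

# Hardened check: refuse a symlink outright, then canonicalise the path (which
# also resolves symlinked parent directories and any ".." components) and apply
# the directory restriction to the resolved path rather than the caller's string.
check_hardened() {
    target="$1"
    if [ -L "$target" ]; then
        echo "Symlinks are not allowed."; return 1
    fi
    real=$(realpath -e -- "$target" 2>/dev/null) || { echo "No such file."; return 1; }
    home_real=$(realpath -e -- "$HOME_DIR")
    case "$real" in
        "$home_real"/*) ;;
        *) echo "Access denied."; return 1 ;;
    esac
    [ -f "$real" ] || { echo "Target must be a file."; return 1; }
    return 0
}

# Demonstration when run directly: the symlink passes the vulnerable check
# (an ACL would be applied to the protected file) and fails the hardened one.
setup
printf 'vulnerable check on %s: ' "$HOME_DIR/sudoers"
check_vulnerable "$HOME_DIR/sudoers" && echo "ACCEPTED (would grant the ACL on $PROTECTED)"
printf 'hardened check on %s: ' "$HOME_DIR/sudoers"
check_hardened "$HOME_DIR/sudoers" || true
```

The hardened version is still not airtight: the file can be swapped for a symlink between the check and the privileged setfacl call, so a real fix should also drop privileges or open the file once and operate on the descriptor rather than the path. The exact argument order acl.sh expects is not shown on the page, so the example does not reproduce the invocation itself.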

If you enjoyed the write-up, then you can follow the website, read more about CTFs and labs here, and see weekly updated content related to security and you can follow me on LinkedIn.

