IP: 10.10.11.23

An nmap scan shows 2 ports open: 22 (SSH) and 80 (HTTP). The HTTP service on port 80 redirects to permx.htb, so this host must be added to the /etc/hosts file to be accessible.

The site appears to be an eLearning platform with no real functionality.

Performing vhost discovery with ffuf, it is possible to find the subdomain lms:

This subdomain is running Chamilo, an open-source PHP-based Learning Management System (LMS). Searching online for this software shows that a version of it was vulnerable to CVE-2023-3533, an unauthenticated RCE vulnerability.

This vulnerability is easy to exploit by using a publicly available PoC. A single run can hand over a reverse shell:

Once inside the server, it is possible to see that it is listening on port 3306 (MySQL). The credentials for MySQL are stored in the database configuration file located at /var/www/chamilo/app/config/configuration.php.

The database credentials are chamilo:03F6lY3uXAP2bkW8. The same password works for the user mtz:

With this, the first flag can be captured:

Checking the output of the command sudo -l reveals that this user can run the script located at /opt/acl.sh as root without a password:

This script appears to change the access control of a given file inside the home directory for user mtz:

The easy way to exploit this is to create a symbolic link to /etc/passwd inside mtz’s home directory and then use the script to grant read and write permissions on the link. This can be done with the following one-liner:

ln -s /etc/passwd lvmalware && sudo /opt/acl.sh mtz rwx /home/mtz/lvmalware && vi lvmalware

This will allow the user to view and edit the shadow file:

The password hash for the root user doesn’t seem to be crackable, but it is possible to add a password entry for a (fake) root user with a known password. The password hash can be generated using a website like this one:

Then copy the entry for the root user, changing only the password hash:

Finally, log in as lvmalware to get a root shell. The second flag is inside root’s home directory.
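
The privilege escalation above works because a root-run helper acts on a caller-supplied path that turns out to be a symbolic link pointing outside the home directory. The following is an added example, not the script from the box and not code from this write-up, of the path check such a helper needs before changing an ACL; the function name is_safe_target and the sandbox files are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a caller-supplied path before a privileged helper
# touches it. is_safe_target is a hypothetical name, not part of /opt/acl.sh.

# is_safe_target BASE PATH -> 0 only if PATH is a regular, non-symlink file
# whose fully resolved location is inside BASE.
is_safe_target() {
    base=$1
    target=$2

    # Reject a symlink as the final component (-L tests the link itself).
    if [ -L "$target" ]; then return 1; fi
    # Must be an existing regular file.
    if [ ! -f "$target" ]; then return 1; fi

    # Resolve every symlink and ".." component in both paths.
    resolved_base=$(readlink -f -- "$base") || return 1
    resolved=$(readlink -f -- "$target") || return 1

    # Compare resolved paths; a prefix test on the raw argument is not enough.
    case "$resolved" in
        "$resolved_base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo: a temporary directory stands in for the user's home.
demo() {
    sandbox=$(mktemp -d)
    outside=$(mktemp)
    echo data > "$sandbox/notes.txt"
    ln -s "$outside" "$sandbox/link"
    for p in "$sandbox/notes.txt" "$sandbox/link" \
             "$sandbox/../$(basename "$outside")"; do
        if is_safe_target "$sandbox" "$p"; then
            echo "allow $p"
        else
            echo "deny  $p"
        fi
    done
    rm -rf "$sandbox" "$outside"
}

demo
```

A check like this still leaves a window between validation and use, so the sudo rule itself should be as narrow as possible and the helper should not be the only control protecting system files.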