Author: lomar
Discovery
From the Nmap scan, we see that only ports 22 and 80 are open.
When we scan for virtual hosts with the ffuf tool, we find two subdomains, www.permx.htb and lms.permx.htb.
To access the lms.permx.htb subdomain, edit the /etc/hosts file.
When we go to lms.permx.htb, we see that the Chamilo Learning Management System application is running. It asks for a username and password to log in.
Initial Access
A simple Google search shows that there is a CVE record for an unauthenticated RCE vulnerability.
User
When I examine the files in the /var/www/camilo directory, I see that the cli-config.php file contains information for database access.
I use the grep command to search for the file containing this database information and find the file containing all the data required for the database connection. When I use the database password to log in as the user mtz, I am successful.
Root
When I run the sudo -l command, I see that I am authorised to run the file /opt/acl.sh as root. When I examine this file, I understand that I can change the write, read and execute permissions of a file as long as it is in the /home/mtz directory.
I link /etc/shadow to /home/mtz/shadow with the command ln -s /etc/shadow /home/mtz/shadow and give myself write, read and run permission with the command sudo /opt/acl.sh mtz rwx /home/mtz/shadow. Then I edit the shadow file with the command vim /home/mtz/shadow and delete the password of the root user.
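A helper like this has to decide whether a path is "in" /home/mtz, and a symlink placed in that directory satisfies a check on the path string while pointing somewhere else. The following is an added example, not the contents of /opt/acl.sh (which this write-up does not reproduce): it compares a string-prefix check with one that resolves symlinks before deciding. All function and variable names are hypothetical, and the files are created in a constructed temporary sandbox.

```shell
#!/usr/bin/env bash
# Added example; ALLOWED_DIR, weak_check, strict_check and demo are
# hypothetical names, not taken from /opt/acl.sh.
ALLOWED_DIR="${ALLOWED_DIR:-/home/mtz}"

# Weak: trusts the path string. "[ -f ]" follows symlinks, so a link placed
# inside ALLOWED_DIR passes even though its target lives elsewhere.
weak_check() {
    case "$1" in
        "$ALLOWED_DIR"/*) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Strict: refuse a symlink as the final component, then resolve every
# component and require the resolved file to stay under the resolved base.
strict_check() {
    local target="$1" base resolved
    if [ -L "$target" ]; then return 1; fi
    base=$(realpath -- "$ALLOWED_DIR") || return 1
    resolved=$(realpath -- "$target") || return 1
    case "$resolved" in
        "$base"/*) [ -f "$resolved" ] ;;
        *) return 1 ;;
    esac
}

# Constructed sandbox: one regular file, one symlink pointing outside.
demo() {
    local sandbox outside f w s
    sandbox=$(mktemp -d) || return 1
    outside=$(mktemp) || return 1
    ALLOWED_DIR="$sandbox"
    : > "$sandbox/notes.txt"
    ln -s "$outside" "$sandbox/link"
    for f in "$sandbox/notes.txt" "$sandbox/link"; do
        if weak_check "$f"; then w=allow; else w=deny; fi
        if strict_check "$f"; then s=allow; else s=deny; fi
        echo "${f##*/}: weak=$w strict=$s"
    done
    rm -rf "$sandbox" "$outside"
}

demo
```

A path check followed by a separate permission change is still a check-then-use sequence in a directory the caller controls, so the strict check narrows the problem rather than closing it; the more robust fix is not to grant a sudo rule that changes ACLs on caller-chosen paths.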