Unlocking PermX on HackTheBox: A Comprehensive Guide

HackTheBox is a robust platform that provides a hands-on approach to cybersecurity and penetration testing. One of the notable challenges available on this platform is the “PermX” machine. In this guide, we will walk through the entire process of tackling this challenge, using various tools and techniques to gain access and ultimately escalate our privileges.

1. Introduction

Before we delve into the specifics, it’s essential to set the stage. The world of penetration testing is vast, and as a cybersecurity enthusiast it is vital to understand how to discover vulnerabilities and exploit them in a responsible and ethical manner. The PermX challenge is a typical environment that allows you to practice these skills in a controlled setting.

2. Starting the Reconnaissance

Our journey begins with reconnaissance, a phase critical to any penetration testing exercise. We use Nmap to scan the target machine and discover open ports, services running, and potential entry points. The command can be straightforward but effective:

nmap -sV -A <target-ip>

This command not only identifies open ports but also probes them to reveal service versions. The output from Nmap can provide insights into services that might be outdated or vulnerable.

3. Fuzzing for Virtual Hosts

Once we’ve done our initial reconnaissance, the next step involves fuzzing for virtual hosts and subdomains. FFUF (Fuzz Faster U Fool) is a powerful tool that aids this process. We can specify a wordlist to enumerate subdomains and look for hidden directories:

ffuf -u http://<target-ip>/FUZZ -w /path/to/wordlist.txt

Here, our objective is to find additional applications or endpoints that may be exposed. In the case of PermX, we can discover a Learning Management System (LMS) subdomain hosting Chamilo.

4. Enumerating Versions of Open Source Applications

Now that we have discovered the Chamilo instance, we focus on enumerating the version of the application. Chamilo, being an open-source platform, may have known vulnerabilities associated with specific versions. Tools like WhatWeb or manual inspection can help identify the version.

whatweb http://<lms-subdomain>

Knowing the version gives us a targeted route for our exploitation path.

5. Analyzing Git and MD5 File Comparisons

An interesting facet of this challenge involves examining the application’s git repository. By computing the MD5 hash of every file in the repository and comparing it across revisions, we can determine when files were introduced or changed. The following bash one-liner prints the MD5 of each tracked file:

git ls-files | xargs -I {} md5sum {}

This assists in tracking code changes and potentially identifying vulnerable code that may have been present in older versions.

To streamline this process, we can convert our one-liner into a bash function and add it to our .bashrc for repeated use.
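As an added example (not code from the original post), the following shell functions turn the one-liner above into something that works across git revisions without checking them out. The function names are assumptions; given the hash of a file taken from a running instance, tags_with_md5 lists the releases in which that file had exactly that content, which is the same comparison a defender makes when verifying that a deployment matches a known-good release.

```shell
# Added example, not from the original post. Function names are assumptions.

# md5_at_ref <ref> <path>
# Print the MD5 of one tracked file as it existed at <ref>, without a checkout.
# Returns 1 (and prints nothing) if the file does not exist at that ref, so a
# missing file never collapses to the hash of the empty string.
md5_at_ref() {
    ref=$1
    path=$2
    git cat-file -e "${ref}:${path}" 2>/dev/null || return 1
    git show "${ref}:${path}" | md5sum | cut -d' ' -f1
}

# md5_all_at_ref [ref]
# Print "<md5>  <path>" for every file tracked at <ref> (default HEAD).
md5_all_at_ref() {
    ref=${1:-HEAD}
    git ls-tree -r --name-only "$ref" | while IFS= read -r path; do
        printf '%s  %s\n' "$(md5_at_ref "$ref" "$path")" "$path"
    done
}

# tags_with_md5 <path> <md5>
# List every tag at which <path> hashes to <md5>. A hash seen on a deployed
# instance that matches only a narrow range of tags pins down the version;
# a hash that matches no tag means the file was modified after release.
tags_with_md5() {
    path=$1
    want=$2
    git tag | while IFS= read -r tag; do
        if [ "$(md5_at_ref "$tag" "$path")" = "$want" ]; then
            printf '%s\n' "$tag"
        fi
    done
}
```

Source these functions from .bashrc and run them inside a clone of the application’s repository; because git show reads objects directly, the working tree is never touched.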

6. Exploit Hunting

With enough information gathered, we start hunting for exploits. Multiple Python scripts are available online that we can analyze to understand their functionality. Testing these scripts is critical. We can use curl to upload files to the server safely. This helps us confirm what the exploit does without inadvertently causing disruptions.

7. Discovering Vulnerable Configurations

Upon successful uploads and analysis, we stumble upon valuable configuration files. It’s crucial to check whether any user accounts reuse the database password; this is a common misconfiguration that exploits can leverage.

8. Gaining Privileges

Through our reconnaissance, we uncover that the “MTZ” user can run a particular bash script with sudo privileges. By examining this script closely, we realize it is vulnerable to symlink attacks. A symlink can redirect a path the script operates on to a different file, allowing us to control what the command actually touches.

By creating a symlink that points at the sudoers configuration, we can gain write access to critical files.
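The fix on the defending side is for a privileged script to refuse paths it cannot prove are its own. The function below is an added example of that pattern (it is not the PermX script and not part of the original post); the base directory and the function name are assumptions. It rejects a symlink as the final component, canonicalises the path so that a symlinked parent directory is resolved, and then requires the result to sit under the allowed base.

```shell
# Added example, not from the original post. Base directory and name are assumptions.

# safe_path <base-dir> <path>
# Print the canonical form of <path> if, and only if, it is a regular file
# that really lives under <base-dir>; return 1 otherwise. A link placed under
# <base-dir> that points at /etc/sudoers canonicalises to /etc/sudoers, which
# fails the prefix check, and a link pointing at another file inside
# <base-dir> is refused outright by the -L test.
safe_path() {
    base=$(readlink -f -- "$1") || return 1
    target=$2

    # Require an absolute path; the caller must be explicit.
    case "$target" in
        /*) ;;
        *) return 1 ;;
    esac

    # Refuse if the final component is a symlink, wherever it points.
    [ -L "$target" ] && return 1

    # Canonicalise (this also resolves symlinks in every parent component)
    # and require the result to sit strictly below the canonical base.
    canon=$(readlink -f -- "$target") || return 1
    case "$canon" in
        "$base"/*) ;;
        *) return 1 ;;
    esac

    # Only ever operate on regular files, never directories or devices.
    [ -f "$canon" ] || return 1
    printf '%s\n' "$canon"
}
```

A script invoked through sudo would call safe_path and operate only on the path it prints. Note the residual window between the check and the later use of the file: a user who can rename entries under the base directory could still swap a file for a link in that window, so the directory should not be writable by the invoking user, and the script should open the file once and work on the descriptor rather than re-opening by name.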

9. Managing Permissions

While we can exploit symlinks effectively, we face limitations when attempting to replace SetUID binaries. This occurs because the SetUID bit is stripped when a file is written to by a non-owner.

We also find that cron refuses to run job files with overly permissive permissions. By modifying the cron settings, we can remove those restrictions temporarily and manage our remote code execution (RCE) needs without leaving traces.
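Because cron’s refusal to run a group- or world-writable job file is a safety check that an attacker will try to loosen, it is worth auditing for exactly that condition. The function below is an added example (not from the original post) that reports files in a cron drop-in directory that are writable by group or others, or not owned by the expected user; the function name is an assumption, and the default directory is the conventional /etc/cron.d.

```shell
# Added example, not from the original post. Function name is an assumption.

# cron_perm_audit [dir] [owner]
# Report every regular file under <dir> (default /etc/cron.d) that is
# group-writable, world-writable, or not owned by <owner> (default root).
# Prints one line per offending file and returns 1 if any were found,
# 0 if the directory is clean.
cron_perm_audit() {
    dir=${1:-/etc/cron.d}
    owner=${2:-root}

    # -perm -020: group write bit set; -perm -002: other write bit set
    # (POSIX octal forms, so this runs on GNU and BSD find alike).
    bad=$(find "$dir" -type f \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) 2>/dev/null)

    [ -z "$bad" ] && return 0

    printf '%s\n' "$bad" | while IFS= read -r f; do
        # ls -ld shows the mode and owner so the reader sees why it was flagged
        printf 'INSECURE: %s\n' "$(ls -ld -- "$f")"
    done
    return 1
}
```

Run it periodically (or from a file-integrity monitor) against /etc/cron.d and the spool directory; a file that suddenly becomes clean after having been loosened, or a change to the cron configuration that disables the check, is the trace that the text above says an attacker hopes not to leave.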

10. Conclusion

Successfully unlocking the PermX machine on HackTheBox not only equips you with invaluable penetration testing skills but also reinforces ethical hacking principles. This guide should provide you with a roadmap to navigate the challenges effectively. Remember, the goal is to learn and grow as cybersecurity practitioners while contributing positively to the field. Happy hacking!