Foothold
1. ffuf vhost fuzzing to find lms.permx.htb
2. CVE-2023-4220 to get a foothold
3. dump the database password from ~/app/.../configuration.php
4. reuse that password to get access as user mtz
PrivEsc
1. sudo -l and see that we can run /opt/acl.sh
2. /opt/acl.sh runs setfacl to change permissions of a file
3. we can't change the permissions of /root/root.txt directly, as we don't have write permission on the /root directory
4. /opt/acl.sh also checks if there are .. characters to prevent directory traversal
5. we overcome this by creating a symlink to /
ln -s / pwned
6. generate a dummy password
openssl passwd owned
7. modify permissions of /etc/passwd
sudo /opt/acl.sh mtz rwx /home/mtz/pwned/etc/passwd
8. change the password of root to the newly generated password above
9. su and enter the password to get root access
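The root cause of the PrivEsc is that /opt/acl.sh only searches the raw path string for "..", so a symlink to / inside the user's home produces a path that passes the check but resolves outside it. The following is an added example (not the box's own script) of a path check that resolves symlinks before deciding; it assumes GNU coreutils realpath(1) and uses a constructed temp directory with a "pwned" symlink to / to show that the exact bypass from the writeup is rejected.

```shell
#!/bin/sh
# Added example (not from the original writeup): a path check for a
# setfacl wrapper like /opt/acl.sh that resolves symlinks before deciding.
# Assumes GNU coreutils realpath(1) is available.

# Return 0 if TARGET, after symlink resolution, lies inside ALLOWED_ROOT.
# The original script only searched the raw string for "..", which a
# symlink to / defeats because the raw string then contains no "..".
path_is_allowed() {
    target=$1
    allowed_root=$2

    # Keep the original string check: it is cheap and still rejects the
    # obvious traversal attempt.
    case "$target" in
        *..*) return 1 ;;
    esac

    # realpath -e fails if the path does not exist and otherwise returns
    # the canonical path with every symlink component resolved.
    resolved=$(realpath -e -- "$target" 2>/dev/null) || return 1
    root=$(realpath -e -- "$allowed_root" 2>/dev/null) || return 1

    # The canonical path must be strictly below the canonical root.
    case "$resolved" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed paths: a symlink to / inside the allowed
# directory, like the "pwned" link in the writeup, is rejected.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/notes.txt"
    ln -s / "$tmp/pwned"

    path_is_allowed "$tmp/notes.txt" "$tmp"        && echo "allowed:  $tmp/notes.txt"
    path_is_allowed "$tmp/pwned/etc/passwd" "$tmp" || echo "rejected: $tmp/pwned/etc/passwd"
    path_is_allowed "$tmp/../etc/passwd" "$tmp"    || echo "rejected: $tmp/../etc/passwd"

    # rm on the link removes the link itself, never its target.
    rm "$tmp/pwned" "$tmp/notes.txt"
    rmdir "$tmp"
}
```

Comparing canonical paths rather than raw strings is the general fix: any wrapper that grants elevated file operations (setfacl, chmod, cp) should canonicalise the argument with realpath and compare it against the canonicalised allowed root, and a check like this belongs before the privileged command is run.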