HackTheBox - PermX Walkthrough

Introduction

PermX is an easy-rated machine on Hack The Box, created by mtzsec. The machine begins with discovering a learning management system, identifying its version, and exploiting a CVE to gain the initial foothold. Through initial enumeration, we leveraged password reuse to escalate to a new user and then exploited a Bash script to escalate to root. Let's get right into this.

Enumeration

As always, I fired off an initial Nmap scan against all ports to understand what ports were open. Once the scan completed, only two ports were open: 22 and 80.

[2024-07-11 18:33:16Z] [~/D/c/h/PermX] > sudo nmap -T4 -p- 10.10.11.23 -vvv -oN scans/permx_allports --max-retries=1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 14:33 EDT
Initiating Ping Scan at 14:33
Scanning 10.10.11.23 [4 ports]
Completed Ping Scan at 14:33, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:33
Completed Parallel DNS resolution of 1 host. at 14:33, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:33
Scanning 10.10.11.23 [65535 ports]
Discovered open port 80/tcp on 10.10.11.23
Discovered open port 22/tcp on 10.10.11.23
Warning: 10.10.11.23 giving up on port because retransmission cap hit (1).
Completed SYN Stealth Scan at 14:34, 50.17s elapsed (65535 total ports)
Nmap scan report for 10.10.11.23
Host is up, received echo-reply ttl 63 (0.085s latency).
Scanned at 2024-07-11 14:33:18 EDT for 50s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 50.37 seconds

Nmap output for all port scan
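
The scan above ran with --max-retries=1 and Nmap warned that the retransmission cap was hit, so it is worth confirming that every scanned port still received a definitive reply. The following Python is an added example, not part of the original walkthrough; the function names are hypothetical and the sample text is constructed from lines of the output above.

```python
import re

# Constructed sample: lines trimmed from the -oN/-vvv output shown above.
SAMPLE = """\
Scanning 10.10.11.23 [65535 ports]
Warning: 10.10.11.23 giving up on port because retransmission cap hit (1).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
"""

SCANNED = re.compile(r"^Scanning \S+ \[(\d+) ports\]")
CAP_HIT = re.compile(r"^Warning: \S+ giving up on port because retransmission cap hit")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) \w+ ports")
PORT_ROW = re.compile(r"^(\d{1,5})/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")


def parse_scan(text):
    """Summarise Nmap normal-format output: listed ports, hidden counts, cap warning."""
    scan = {"scanned": 0, "cap_hit": False, "not_shown": {}, "ports": []}
    for line in text.splitlines():
        if m := SCANNED.match(line):
            # The last "Scanning" line wins: the ping scan precedes the port scan.
            scan["scanned"] = int(m.group(1))
        elif CAP_HIT.match(line):
            scan["cap_hit"] = True
        elif m := NOT_SHOWN.match(line):
            state = m.group(2)
            scan["not_shown"][state] = scan["not_shown"].get(state, 0) + int(m.group(1))
        elif m := PORT_ROW.match(line):
            scan["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return scan


def unanswered(scan):
    """Count scanned ports that are not reported as open or closed."""
    definitive = {"open", "closed"}
    answered = sum(1 for p in scan["ports"] if p[2] in definitive)
    answered += sum(n for state, n in scan["not_shown"].items() if state in definitive)
    return scan["scanned"] - answered


def needs_rescan(scan):
    """Re-run with more retries only if the cap was hit and some port got no answer."""
    return scan["cap_hit"] and unanswered(scan) > 0


if __name__ == "__main__":
    s = parse_scan(SAMPLE)
    print([p[:3] for p in s["ports"]], "unanswered:", unanswered(s), "rescan:", needs_rescan(s))
```

For this scan the two open ports plus the 65533 closed ports account for all 65535 probed, so the warning did not leave any port unclassified.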

22 - SSH

I am going to skip enumerating SSH for now. There is not much we can do with it right now without some user credentials or SSH keys.

80 - HTTP

When navigating to http://10.10.11.23 initially, I found that it redirected to http://permx.htb. To access the site via the hostname, I had to add permx.htb to the hosts file.

[2024-07-19 18:04:03Z] [~/D/c/h/PermX] > echo '10.10.11.23 permx.htb ' | sudo tee -a /etc/hosts
10.10.11.23 permx.htb

Adding permx.htb to hosts file

Kyle Gray

Hey there 👋 Certs - ITILv3, eJPT, PNPT, CRTP, CRTE, PJPT, CRTO