HTB: PermX Sanity Check | CBBH - CPTS
Author: Neospring (@chrisalupului)
These notes serve primarily as a validation and reference tool for HTB Academy Modules, documenting the insights acquired from HTB machines/boxes that have contributed to my progression in the CBBH & CPTS path from Hackthebox. They are not designed as instructional guides, but they do contain spoilers and insights as you advance further.
Sanity Checklist
| Topic | Module | Status |
|---|---|---|
| ✅ Enumeration | GETTING STARTED | ◻️ Did you enumerate everything? |
| ✅ Nmap | SERVICE ENUMERATION | ◻️ Nmap scan of all ports? |
| ✅ Page Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ What is the site extension? |
| ✅ Vhost Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ Any subdomains available? |
| ✅ Directory Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ Discovered all directories? |
| ✅ Shells & Payloads | REVERSE SHELLS | ◻️ Reverse shell? Any CVE available? |
| ✅ Privilege Escalation | SUDO | ◻️ Priv escalation info? ◻️ Any leaked credentials? |
⚠️ Contains spoilers ahead that assist beyond the Sanity Check ⚠️
Initial Reconnaissance
Nmap Scan
First, ensure you've conducted a thorough Nmap scan. The scan results should look something like this:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://permx.htb
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ensure you've identified the host and OS details and noted the server headers and supported methods.
Tip:
Don't miss an opportunity to pick up any breadcrumbs in the nmap output. We can see an HTTP redirect to http://permx.htb in the tcp/80 output, so let's go ahead and add that hostname to our /etc/hosts file.
FFuF Virtual Host Enumeration
Using a tool like FFuF, enumerate any possible subdomains (virtual hosts):
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://permx.htb/ -H "Host: FUZZ.permx.htb" -fs 277-312
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://permx.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.permx.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 277-312
________________________________________________
www [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 1ms]
lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 46ms]
Identify any interesting subdomains to investigate.
Directory Fuzzing
Continuing with FFuF, fuzz directories on any identified subdomains:
ffuf -w /path/to/directories.txt -u http://subdomain.permx.htb/FUZZ
Pay attention to any redirected paths (301 status codes). These often lead to valuable resources, but don't rabbit-hole too deep.
CMS Identification and Vulnerability Research
During directory enumeration, you might discover a CMS and its version. Perform any vulnerability research for the identified CMS version.
Understand how these vulnerabilities can be exploited by reading the exploit scripts for any relevant CVEs. Ensure you have a clear method for validating whether the system is actually vulnerable before relying on it.
Initial Foothold
By leveraging known vulnerabilities, you can gain initial access. For example, an injection point might provide a reverse shell, granting you initial access as a low-privileged user.
Privilege Escalation
If possible, run any enumeration scripts to identify privilege escalation vectors.
Have you found any passwords, are they encrypted? Don't overthink this.
Final Steps
Read the acl.sh file; path traversal time...
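The acl.sh step above points at a privileged helper script that takes a caller-supplied path without confining it. As an added example from the defending side, not the box's script (whose contents are not reproduced here), a hypothetical POSIX-sh validation routine that such a helper should run before touching any path; ALLOWED_ROOT and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical hardened path check (added example, not the PermX acl.sh).
# A script run with elevated privileges that accepts a path argument must
# confine it to one directory; otherwise "../" components and symlinks let
# the caller reach files such as /etc/shadow.
ALLOWED_ROOT="/home/shared"   # assumption: the only tree the helper may touch

# Return 0 if the argument is an absolute path that stays inside ALLOWED_ROOT
# after a lexical check, 1 otherwise. Pure POSIX sh, so it does not depend on
# realpath(1) being present. Symlinks are handled by the second check below.
path_allowed() {
    p="$1"
    case "$p" in
        /*) ;;                      # must be absolute
        *) return 1 ;;
    esac
    # Reject any ".." component outright rather than trying to normalize it.
    case "/$p/" in
        */../*) return 1 ;;
    esac
    # The allowed root must be followed by "/" or the end of the string,
    # so a sibling directory such as /home/shared-evil does not pass.
    case "$p" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Use-time check: refuse symlinks, which bypass any lexical path check.
is_not_symlink() {
    [ ! -L "$1" ]
}
```

Both checks must run right before the file is opened, or a symlink swapped in between the check and the use defeats them.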
Root Access
After escalating privileges to a higher user, continue enumeration for root access. Modify /etc/shadow quickly, using openssl to generate the new password hash, because the cleaner is fast as f...
openssl passwd -6 newpassword
Replace the root hash and log in with the new credentials.