htb: permx sanity check

July 16, 2024
3 min read

Initial Reconnaissance

Nmap Scan

First, ensure you’ve conducted a thorough Nmap scan. The scan results should look something like this:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://permx.htb
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ensure you’ve identified the host and OS details and noted the server headers and supported methods.

Tip: Don’t miss an opportunity to pick up any breadcrumbs in the nmap output. We can see an HTTP redirect to http://permx.htb in the tcp/80 output, so let’s go ahead and add that to our /etc/hosts file.

FFuF Virtual Host Enumeration

Using a tool like FFuF, enumerate any possible subdomains.

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://permx.htb/ -H "Host: FUZZ.permx.htb" -fs 277-312

       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://permx.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.permx.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 277-312
________________________________________________
 
www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587]
lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353]

Identify any interesting subdomains to investigate.

Directory Fuzzing

Continuing with FFuF, fuzz directories on any identified subdomains:

ffuf -w /path/to/directories.txt -u http://subdomain.permx.htb/FUZZ

Pay attention to any redirected paths (301 status codes). These often lead to valuable resources, but don’t rabbit-hole too deep.

CMS Identification and Vulnerability Research

During directory enumeration, you might discover a CMS and its version. Perform any vulnerability research for the identified CMS version.

Understand how these vulnerabilities can be exploited by reading the CVE details and any public exploit scripts. Ensure you have a clear method for validating whether the system is vulnerable.

Initial Foothold

By leveraging known vulnerabilities, you can gain initial access. For example, an injection point might provide a reverse shell, granting you initial access as a low-privileged user.

Privilege Escalation

If possible, run any scripts to identify privilege escalation vectors.

Have you found any passwords? Are they encrypted? Don’t overthink this.

Final Steps

Read the acl.sh file; path traversal time…

Root Access

After escalating privileges to a higher user, continue enumeration for root access. Modify the /etc/shadow quickly, using openssl to generate new passwords, because the cleaner is fast as f…

openssl passwd -6 newpassword

Replace the root hash and log in with the new credentials.
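From the defender's side, the /etc/shadow edit above is exactly what a baseline diff catches. This is an added example (not from the post): it parses shadow-format lines, splits the crypt(3) field that openssl passwd -6 emits into scheme, salt and digest, and flags accounts whose hash changed; the sample lines, user names and digests are constructed dummies.

```python
"""Added example: spot password-hash changes in a shadow file relative to a baseline."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ShadowEntry:
    user: str
    scheme: str       # crypt(3) id, e.g. "6" for the SHA-512 form openssl passwd -6 emits
    salt: str
    digest: str
    last_change: int  # field 3: days since the epoch the password was last set

def parse_hash(field: str) -> tuple[str, str, str]:
    """Split "$id$salt$digest" into (id, salt, digest); locked or empty fields give ("", "", field)."""
    parts = field.split("$")
    if not field.startswith("$") or len(parts) < 4:
        return ("", "", field)
    # yescrypt ("$y$j9T$salt$digest") carries a parameter field, so everything before the digest is the salt
    return (parts[1], "$".join(parts[2:-1]), parts[-1])

def parse_shadow(text: str) -> dict[str, ShadowEntry]:
    entries: dict[str, ShadowEntry] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[0]:
            continue
        scheme, salt, digest = parse_hash(fields[1])
        entries[fields[0]] = ShadowEntry(fields[0], scheme, salt, digest, int(fields[2] or 0))
    return entries

def changed_hashes(baseline: str, current: str) -> list[tuple[str, str]]:
    """Return (user, reason) for every account whose hash differs from the baseline."""
    base, cur = parse_shadow(baseline), parse_shadow(current)
    findings = []
    for user, entry in cur.items():
        old = base.get(user)
        if old is None:
            findings.append((user, "account not in baseline"))
        elif (entry.salt, entry.digest) != (old.salt, old.digest):
            # passwd(1) bumps the last-change day; a hash that changed while it stayed put was written directly
            how = "edited directly" if entry.last_change == old.last_change else "set via passwd"
            findings.append((user, f"hash changed ({how}, scheme ${entry.scheme}$)"))
    return findings

# Constructed sample lines (dummy user and digests, not real hashes): root's hash was replaced in place.
BASELINE = "root:$6$oldsalt$OLDDIGEST:19900:0:99999:7:::\nalice:$6$asalt$ADIGEST:19900:0:99999:7:::\nsshd:*:19900::::::\n"
CURRENT = "root:$6$newsalt$NEWDIGEST:19900:0:99999:7:::\nalice:$6$asalt$ADIGEST:19900:0:99999:7:::\nsshd:*:19900::::::\n"

if __name__ == "__main__":
    for user, reason in changed_hashes(BASELINE, CURRENT):
        print(f"{user}: {reason}")
```

Running it against a real host means feeding a stored copy of /etc/shadow as the baseline and the live file as current; the same split also works for the yescrypt hashes modern Ubuntu writes by default.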