lms.permx.htb
The lms.permx.htb sub-domain, on the other hand, hosts a different web application, namely Chamilo.
Additionally, there is information disclosure about the admin user: Davis Miller
Chamilo
Chamilo is free software (under GNU/GPL licensing) for e-learning and content management, aimed at improving access to education and knowledge globally. It is backed by the Chamilo Association, whose goals include promoting the software, maintaining a clear communication channel, and building a network of service providers and software contributors.
Wappalyzer identified the technologies involved
It’s a PHP application
The source code contains interesting information
Fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/permx/CVE-2024-6387]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -t 200 -u http://lms.permx.htb/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://lms.permx.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
license.txt [Status: 200, Size: 1614, Words: 206, Lines: 36, Duration: 31ms]
robots.txt [Status: 200, Size: 748, Words: 75, Lines: 34, Duration: 27ms]
terms.php [Status: 200, Size: 16127, Words: 4075, Lines: 320, Duration: 76ms]
. [Status: 200, Size: 19348, Words: 4910, Lines: 353, Duration: 70ms]
index.php [Status: 200, Size: 19356, Words: 4910, Lines: 353, Duration: 663ms]
favicon.ico [Status: 200, Size: 2462, Words: 3, Lines: 2, Duration: 2041ms]
user.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2336ms]
web.config [Status: 200, Size: 5780, Words: 1119, Lines: 107, Duration: 4088ms]
news_list.php [Status: 200, Size: 13995, Words: 3256, Lines: 279, Duration: 3177ms]
whoisonline.php [Status: 200, Size: 15471, Words: 3877, Lines: 315, Duration: 96ms]
:: Progress: [16244/16244] :: Job [1/1] :: 190 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
┌──(kali㉿kali)-[~/…/htb/labs/permx/CVE-2024-6387]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://lms.permx.htb/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://lms.permx.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
main [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 80ms]
[Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 117ms]
documentation [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 32ms]
bin [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 29ms]
src [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 33ms]
app [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 27ms]
vendor [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 26ms]
LICENSE [Status: 200, Size: 35147, Words: 5836, Lines: 675, Duration: 37ms]
plugin [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 32ms]
certificates [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 37ms]
web [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 3271ms]
custompages [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 28ms]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 25ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 190 req/sec :: Duration: [0:07:27] :: Errors: 0 ::
robots.txt
Version Information
The version information can be found under the /documentation directory
It’s Chamilo 1.11.24
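Added example, not part of the original write-up: a defender can feed the same ffuf result rows to a short triage script that lists which reachable paths deserve an access rule and which hits are aliases of the landing page. The sample rows are copied from the output above; the REVIEW list and its reasons are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict

# Result rows copied from the two ffuf runs above (subset).
FFUF_OUTPUT = """\
. [Status: 200, Size: 19348, Words: 4910, Lines: 353, Duration: 70ms]
index.php [Status: 200, Size: 19356, Words: 4910, Lines: 353, Duration: 663ms]
web.config [Status: 200, Size: 5780, Words: 1119, Lines: 107, Duration: 4088ms]
[Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 117ms]
documentation [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 32ms]
src [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 33ms]
vendor [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 26ms]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 25ms]
"""

# The path is empty when the wordlist entry was blank (a request for "/").
ROW = re.compile(r"^(?P<path>\S*)\s*\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
                 r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: \d+ms\]$")
FIELDS = ("status", "size", "words", "lines")

# Assumption: paths this reviewer wants closed off on a production host.
REVIEW = {
    "documentation": "discloses the installed version",
    "vendor": "third-party library tree",
    "src": "application source tree",
    "web.config": "IIS-style configuration file returned with 200",
}

def parse(text):
    """Return one dict per ffuf result row; banner and progress lines are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [{"path": m["path"], **{k: int(m[k]) for k in FIELDS}} for m in matches if m]

def exposed(rows):
    """Review-list paths the server answered with 2xx/3xx (403 counts as blocked)."""
    return sorted((r["path"], REVIEW[r["path"]]) for r in rows
                  if r["path"] in REVIEW and 200 <= r["status"] < 400)

def same_page(rows):
    """Group 200 responses with equal word and line counts: aliases of one page."""
    groups = defaultdict(list)
    for r in rows:
        if r["status"] == 200:
            groups[(r["words"], r["lines"])].append(r["path"])
    return [paths for paths in groups.values() if len(paths) > 1]

if __name__ == "__main__":
    print(exposed(parse(FFUF_OUTPUT)))
    print(same_page(parse(FFUF_OUTPUT)))
```

Each flagged path maps to one web-server access rule, and the alias group shows that ".", "index.php" and the blank entry are the same landing page rather than three separate findings.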
Vulnerability
Searching online for this version shows that it suffers from multiple vulnerabilities.
One of them, [CVE-2023-4220](https://nvd.nist.gov/vuln/detail/CVE-2023-4220), is an unauthenticated RCE vulnerability