User

#

ffuf -u http://permx.htb -H "Host:FUZZ.permx.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fw 18

www. lms.

linpeas all users

MTZ

/app/config/configuration.php

$_configuration[‘main_database’] = ‘chamilo’; $_configuration[‘db_user’] = ‘chamilo’; $_configuration[‘db_password’] = ‘03F6lY3uXAP2bkW8’;

password was the same as the database

ALWAYS TRY REUSE PASSWORDS

Root

#

ran linpeass

acl script let write permission

This script did was use setfacl to change the permisions on a file but the problem was it had to be in /home/mtz/*

There was multiple ways to exploit this to get root but what i did was use sym links “ln -s” to link /etc/sudoers to a file named po in my home directory

Then i couldn’t edit myself into it but after changing my permisions for mtz to rwx i put myself in sudoers and then used “sudo -s” to get a root shell

Very interesting box!

Thanks for reading