HackTheBox | PermX

In this walkthrough, I demonstrate how I obtained complete ownership of PermX on HackTheBox
HackTheBox | PermX

Initial Foothold Hint

  • Only tcp/22 and tcp/80 are open on the box. You likely know SSH is almost never the first way in, so focus on your web skills here.
  • Web servers can employ a technology that allows a single IP address to host multiple host names. What is this web technology? Enumerate it to find the other host names.
  • You may have noticed that the Apache server on this target allows index listing, so reading files in open directories.
    • Check for robots.txt and comb through different directories on the web server to find the server version. Hint: Have you checked the documentation?
    • You should find lots of unauthenticated exploits for this web application. You'll just have to go through the exploit documentation and see which one is going to work based on prerequisite conditions on the web server.
    • You'll know when you've found the intended CVE

Privilege Escalation Hint

  • Pivot to User
    • It's always a good idea to check configuration files of the app you got the shell on
    • It's also always a good idea to check for information re-use
    • Go for the easy wins (the low-hanging fruit as they say)
  • Pivot to Root
    • What special commands can your user run?
    • Inspect the script carefully. Several conditions must be met:
      • There's a difference between a file mode and a file ACL
      • How might you be able to create or link a sensitive file, such that it meets one of the script conditions?
      • And, what's a good file that might be useful for overwriting as pertains to user authentication?

Nmap Results

# Nmap 7.94SVN scan initiated Mon Jul  8 12:03:10 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt
Nmap scan report for
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://permx.htb
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul  8 12:03:29 2024 -- 1 IP address (1 host up) scanned in 19.01 seconds
Don't miss an opportunity to pick up any breadcrumbs in the nmap output. We can see a HTTP redirect to http://permx.htb on the tcp/80 output, so let's go ahead and add that to our /etc/hosts file.
echo -e '\t\tpermx.htb' | sudo tee -a /etc/hosts

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

Read the full story

Sign up now to read the full story and get access to all posts for Pending Publication tier only.

Already have an account? Sign in
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.