Today we’re going to solve another CTF machine, “Teacher”. It is now a retired box and is accessible only if you’re a VIP member.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.153
  • Difficulty: Easy

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we’re gonna probe the target to see which services are running behind the IP address.

Enumeration

Let’s do some enumeration and browse to http://10.10.10.153/

We have to do directory enumeration to find hidden directories or files.

Dirb

Result

DIRECTORY: http://10.10.10.153/moodle/

We found the Moodle CMS installed at http://10.10.10.153/moodle/.

After that we have to log in to move forward, but we don’t have any credentials; only the guest:guest login is available.

Let’s find a username first. There’s a simple technique: go to the forgot-password page and enter candidate usernames. The page tells you whether a password reset was sent for that username, so the response confirms whether the account exists.

I found two usernames: admin | giovanni

Now we have to enumerate further to find a password.

Let’s take a look at the source code at view-source:http://10.10.10.153/gallery.html and see if there’s something odd.

We see an image tag with onerror="console.log('That\'s an F');"

Let’s take a look at the image!

Now curl this image and see what it’s hiding.

curl -O http://10.10.10.153/images/5.png

The file is not really an image, so we can rename 5.png to 5.txt and cat the text file.

We have a password, Th4C00lTheacha, but it’s incomplete: we don’t know the last character.

Creating WordList Using Crunch

We’re gonna create different wordlists in order to find the last character of our password.

WFuzz

We can also use the SecLists fuzzing wordlist alphanum-case-extra.txt.

We found our password: Th4C00lTheacha#

Burp Suite

Low-Privilege Shell

We have found credentials for the Moodle CMS. Let’s move forward and find a way to exploit it.

https://blog.ripstech.com/2018/moodle-remote-code-execution/

After logging in and prodding around the environment, we stumble across a page that lets us upload custom questions for a quiz. This is exactly the page we needed: previous research (linked above) has shown that this version of Moodle has a security flaw which allows a teacher to execute code through the custom quiz creation.

Let’s get started!

Log in to Moodle

Username: giovanni Password: Th4C00lTheacha#

Go to http://10.10.10.153/moodle/course/view.php?id=2 and click Turn editing on.

After that click on Add an activity or resource.

A pop-up window will appear asking which activity or resource to add; select Quiz and click Add.

Now name your quiz and click Save.

Now click on Edit quiz.


Then click on “a new question”.

A pop-up window will appear; select Calculated and click Add.

Now, in the formula field, add /*{a*/$_GET[0];//{x}}

After clicking Save changes we can get a reverse shell.
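From the defender’s side, the injected formula above stands out because a legitimate calculated-question formula only ever contains numbers, operators, {placeholders} and a few math functions. As an added example (not code from the original post or from Moodle), here is a small Python audit that flags formulas containing anything else; the allowed function set is an assumed subset of PHP’s math functions, and the sample formulas are constructed.

```python
import re

# Identifiers a calculated-question formula may legitimately call. This is an
# assumed subset of PHP's math functions; extend it to match your deployment.
ALLOWED_FUNCS = {"abs", "ceil", "cos", "exp", "floor", "log", "max", "min",
                 "pi", "pow", "round", "sin", "sqrt", "tan"}

# Known signs that a "formula" is really PHP source rather than arithmetic.
SUSPICIOUS = [
    (re.compile(r"/\*|\*/|//|#"), "comment delimiter"),
    (re.compile(r"\$_?[A-Za-z_]\w*"), "PHP variable or superglobal"),
    (re.compile(r";"), "statement terminator"),
    (re.compile(r"\{[A-Za-z_]\w*[^}\w]"), "unterminated {placeholder}"),
]

TOKEN = re.compile(r"""
    \d+(?:\.\d+)?              # number
  | \{[A-Za-z_]\w*\}           # {dataset} placeholder such as {a}
  | (?P<func>[A-Za-z_]\w*)     # identifier, checked against ALLOWED_FUNCS
  | [-+*/^(),]                 # operator or punctuation
  | \s+                        # whitespace
  | (?P<other>.)               # anything else is not part of the grammar
""", re.VERBOSE | re.DOTALL)

def audit_formula(formula: str) -> list[str]:
    """Return the reasons a formula looks injected; an empty list means clean."""
    reasons = [why for pat, why in SUSPICIOUS if pat.search(formula)]
    for m in TOKEN.finditer(formula):
        if m.group("func") and m.group("func") not in ALLOWED_FUNCS:
            reasons.append(f"unexpected identifier {m.group('func')!r}")
        elif m.group("other"):
            reasons.append(f"unexpected character {m.group('other')!r}")
    return sorted(set(reasons))

# Constructed sample formulas (not dumped from any real Moodle database).
SAMPLES = {
    "sum": "{a} + {b}",
    "nested": "sqrt(({x} * 2.5) / ({y} - 1))",
    "page_payload": "/*{a*/$_GET[0];//{x}}",
}

def audit_all(samples: dict[str, str]) -> dict[str, list[str]]:
    return {name: audit_formula(f) for name, f in samples.items()}

if __name__ == "__main__":
    for name, reasons in audit_all(SAMPLES).items():
        print(name, "CLEAN" if not reasons else "FLAGGED: " + "; ".join(reasons))
```

Run it over the formula column of whatever table your Moodle version stores calculated-question answers in; any non-empty result is worth a closer look.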

Now that we have a low-privilege shell, let’s upgrade it.

First, let’s look around the Moodle source code to find the config file.

We got the database credentials: root:Welkom1!

Connect to the MySQL console.

Let’s look inside the moodle database for a users table or similar where we can find credentials.

We got an MD5 hash; let’s try cracking it with online crackers first.

Let’s try switching to the giovanni user in the reverse shell.

We can find the user.txt flag.

Privilege Escalation

After checking a few things we found a process started by a cron job and executing as root. We can use the pspy tool to watch the cron job running every few seconds.

Let’s create a symlink between the root file and the file the cron job processes.

Let the cron job do its thing and wait for your root file.