Disassembly of ippsec’s YouTube video HackTheBox - Teacher. The box includes a web app (Moodle) that is vulnerable to a PHP bug which allows for RCE, followed by the use of pspy to discover cron jobs and taking advantage of a root task that leads to root access.
Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
One port is open, which looks to be the web server on port 80.
Before continuing to investigate the site, start a dirbuster in the background so there is always something enumerating on the back end.
gobuster (background task)
Return to web-server
Check the links and see whether the site gives away file extensions, which tells us what type of web server it is and whether server-side code is being processed.
Check the page source for CSS or other static content:
the images attempt to load an
back on webpage access console with F12:
console is reporting “That’s an F”
an error occurs as the image doesn’t seem to exist.
download 5.png locally
Open file to investigate with xxd (hex editor):
check the contents
we have a partial password at this point.
find way into login to webapp
Forbidden workaround via burp: Capture request and send to repeater
- tactic: modify the Host header to localhost
- tactic: add an X-Forwarded-For: localhost header
check out link for more info: https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/
In this example we could not bypass the 403 Forbidden.
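The 403 bypass attempted above only works when the server bases its access decision on a client-supplied header instead of the real TCP peer. The following added example (written for this write-up, not code from the box or from Moodle) contrasts a weak check that believes X-Forwarded-For with a hardened one that only consults the header when the direct peer is a reverse proxy we operate, and then reads the right-most entry that proxy appended. The network ranges, header names and proxy address are constructed assumptions; a single proxy hop is assumed.

```python
import ipaddress

# Constructed sample policy: "internal" means loopback or the 10/8 range.
LOCAL_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8"))


def is_local(addr):
    """True if addr parses as an IP address inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def allow_weak(remote_addr, headers):
    """Weak check: believes whatever the client placed in X-Forwarded-For.
    Any request can claim to be local by adding the header, which is
    exactly the bypass tried against the 403 above."""
    claimed = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    return is_local(claimed)


def allow_hardened(remote_addr, headers, trusted_proxies=()):
    """Hardened check: the TCP peer address decides, unless that peer is a
    reverse proxy we run. Only then is X-Forwarded-For consulted, and only its
    right-most entry (the one our proxy appended), never the left-most value
    the client controls."""
    if remote_addr not in trusted_proxies:
        return is_local(remote_addr)
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not chain:
        return False
    return is_local(chain[-1])


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("weak   :", allow_weak("203.0.113.5", spoofed))      # True  (bypassed)
    print("hardened:", allow_hardened("203.0.113.5", spoofed))  # False (header ignored)
```

The hardened version is what makes the write-up's attempt fail: a Host or X-Forwarded-For value set by the client never reaches the policy unless it arrived through the operator's own proxy.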
The page is dynamically created. In the right-hand corner we see a “You are not logged in”.
attempt login with credentials/forgot password
The first move is to see whether the forgot-password function will leak any further information. Remember that the message in the image stated “I forgot the last character of my password. The only part I remembered is Th4c00lTeacha.” but gave no username.
Use forgot password to check whether a username or account is valid.
It says that if a correct username or email is supplied, an email will have been sent to you. Not very helpful for enumeration.
Login as guest:
guest can’t access user accounts.
Guessing the Username as Giovanni
Capture request with burp suite:
send to repeater:
There are no CSRF tokens, which would otherwise stop us from enumerating with wfuzz.
enumerating password with wfuzz
password enumerated as: Th4C00lTeacha#
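Two controls would have stopped the wfuzz run above: a per-session, single-use CSRF token on the login form (so one captured request cannot be replayed with a different password) and a per-account failure counter. The following is an added example of both, written for this write-up; it is not Moodle's code. The user store, session ids and lockout threshold are constructed, and passwords are held in plaintext purely to keep the example short.

```python
import hmac
import secrets
from collections import defaultdict

MAX_FAILURES = 5  # constructed lockout threshold


class LoginGuard:
    """Login handler with single-use per-session CSRF tokens and per-account lockout."""

    def __init__(self, users):
        self._users = users                 # username -> password (constructed, plaintext for brevity)
        self._tokens = {}                   # session id -> outstanding CSRF token
        self._failures = defaultdict(int)   # username -> consecutive failed attempts

    def issue_token(self, session_id):
        """Called when the login form is rendered; the token is embedded in the form."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def login(self, session_id, token, username, password):
        expected = self._tokens.get(session_id)
        # Constant-time compare. A missing or wrong token is rejected before the
        # password is looked at, so a fuzzer replaying one captured request
        # cannot iterate over candidate passwords.
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            return "bad_token"
        # Single use: the next attempt must load the form again to get a new token.
        del self._tokens[session_id]
        if self._failures[username] >= MAX_FAILURES:
            return "locked"
        if self._users.get(username) == password:
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard({"giovanni": "s3cret-example"})   # constructed credential
    tok = guard.issue_token("sess-1")
    print(guard.login("sess-1", "guessed-token", "giovanni", "x"))   # bad_token
    print(guard.login("sess-1", tok, "giovanni", "x"))               # denied
    print(guard.login("sess-1", tok, "giovanni", "s3cret-example"))  # bad_token (token already spent)
```

The lockout counter is keyed on the account rather than the source IP, so it also holds when the guesses arrive from many addresses; in production the counter should live in shared storage and expire, which this example omits.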
poke around server and nothing is of immediate interest. There is an upload under private files.
Checking for any type of change log with issues addressed.
Among the files there is a version.php, which should be compared with the version of Moodle on the target system.
From our target system only a blank page is returned.
google search: “moodle enumerate versions”
to check the moodle docs on page:
URL states that we are
Google: moodle release notes to find date:
Released 13 November 2017
google search moodle exploit
search: “moodle exploit 3.4 3.5”, as both versions were missing from searchsploit.
ripstech blog offers a more detailed explanation as to how the exploit is going to function.
exploit explanation in a nutshell:
There is a Metasploit module available, but we work through it manually to build the exploit.
manually exploit moodle
On moodle web-app searching for a way to add a quiz:
Turn editing on under gear.
Add an activity:
save a template and edit to add question that will have a formula:
Following the RIPS Tech blog post, if we enter the string we should get a “success”.
in this situation changing the
GET parameter to
An error is returned regarding the semicolon; remove all semicolons and change the grade to 100%.
The formula seems to have been taken over at this point but has a syntax error.
Searching around, the question bank contains old questions from the creation of the box.
investigating creator formulas to discover exactly how they passed the request:
Modifying original request and adding information from our sample:
resulted in the REQUEST being passed by the moodle web-app.
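The root cause described in the RIPS Tech post is a calculated-question formula that reaches a code-evaluation path. The defensive counterpart is to never hand a user-supplied formula to the language's evaluator: parse it into a syntax tree and walk only the node types and function names you explicitly allow. The following is an added example of such an evaluator, written for this write-up and not Moodle's code; it is in Python rather than PHP, and the {a}-style variable syntax, the function allowlist and the sample formulas are assumptions.

```python
import ast
import math
import operator
import re


class FormulaError(ValueError):
    """Raised for any formula construct outside the allowlist."""


# Functions a formula may call. Anything not listed here is rejected.
ALLOWED_FUNCS = {"sqrt": math.sqrt, "abs": abs, "round": round,
                 "pow": math.pow, "max": max, "min": min}
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Pow: operator.pow, ast.Mod: operator.mod}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
VAR_RE = re.compile(r"\{([A-Za-z_]\w*)\}")  # assumed {name} placeholder syntax


def evaluate_formula(formula, variables):
    """Evaluate a numeric formula over the given variables without eval()."""
    source = VAR_RE.sub(r"\1", formula)
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise FormulaError("syntax error: %s" % exc.msg) from None
    return _walk(tree.body, variables)


def _walk(node, variables):
    # Numeric literals only (bool is a subclass of int, so exclude it explicitly).
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in variables:
            return variables[node.id]
        raise FormulaError("unknown variable %r" % node.id)
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_walk(node.left, variables), _walk(node.right, variables))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand, variables))
    if isinstance(node, ast.Call):
        # Only a bare allowlisted name may be called: no attributes, no keywords.
        if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_FUNCS or node.keywords:
            raise FormulaError("function call not permitted")
        return ALLOWED_FUNCS[node.func.id](*[_walk(a, variables) for a in node.args])
    # Attribute access, subscripts, strings, comprehensions, lambdas... all refused.
    raise FormulaError("construct not permitted: %s" % type(node).__name__)


if __name__ == "__main__":
    print(evaluate_formula("sqrt({a}**2 + {b}**2)", {"a": 3, "b": 4}))  # 5.0
    for bad in ("system('id')", "(1).__class__", "'text'"):
        try:
            evaluate_formula(bad, {})
        except FormulaError as exc:
            print(bad, "->", exc)
```

The allowlist is the whole point: a new operator or function only becomes reachable when someone adds it to the table, so the evaluator fails closed on anything the grammar of a grade formula does not need.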
burp the REQUEST to RCE
Capture that exact request in Burp, send it to Repeater and modify it to send an ICMP packet:
setup tcpdump to capture the packet:
-n = no dns resolution
Packets are being sent from the target, which means we have remote code execution (RCE) on the box.
Sending the reverse shell with the RCE
Execute, and it returns a remote shell on the box.
Upgrade the partial shell to a pty.
enumerating the web-server
The first step should be to search for the database configuration and poke around the database.
To search for the database:
database credentials have been retrieved.
connect to the mysql server
Show tables and search for “user”:
Show what’s inside
show usernames and passwords:
We now have bcrypt hashes for a list of users and one that looks like an MD5 hash. The fastest way to look up an unsalted MD5 hash is simply with Google.
A check of passwd shows a user giovanni; switch users and enter the newly acquired password.
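The mixed table above, mostly bcrypt with one legacy MD5 entry, is the kind of thing an application owner should be auditing before an attacker does. The following added example (written for this write-up, not part of Moodle or the box) classifies each row of a dumped user table by hash scheme, flags unsalted MD5 and low bcrypt cost factors, and returns the accounts that need rehashing on next login. The `$2y$` prefix is the one PHP's password_hash emits; the sample rows and the minimum cost are constructed, and the bcrypt strings are placeholders of the right shape, not real hashes.

```python
import re
from dataclasses import dataclass

# bcrypt: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 hash chars = 53.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
MIN_BCRYPT_COST = 10  # constructed policy threshold


@dataclass
class Finding:
    username: str
    scheme: str
    severity: str
    note: str


def classify(hash_value):
    """Return (scheme, severity, note) for one stored password hash."""
    m = BCRYPT_RE.match(hash_value)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return "bcrypt", "medium", "bcrypt cost %d below policy minimum %d" % (cost, MIN_BCRYPT_COST)
        return "bcrypt", "ok", "bcrypt cost %d" % cost
    if MD5_RE.match(hash_value):
        return "md5", "high", "unsalted MD5; recoverable from public lookup tables"
    return "unknown", "high", "unrecognised hash format"


def audit(rows):
    """rows: iterable of (username, password_hash) as dumped from the user table."""
    return [Finding(user, *classify(h)) for user, h in rows]


def needs_rehash(rows):
    """Usernames whose stored hash should be replaced at next successful login."""
    return [f.username for f in audit(rows) if f.severity != "ok"]


# Constructed sample rows: placeholder bcrypt bodies (53 valid characters), a fake MD5, and junk.
_FAKE53 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_ROWS = [
    ("admin", "$2y$10$" + _FAKE53),
    ("weakcost", "$2y$04$" + _FAKE53),
    ("legacy", "00112233445566778899aabbccddeeff"),
    ("odd", "not-a-hash"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        print("%-9s %-8s %-7s %s" % (f.username, f.scheme, f.severity, f.note))
    print("rehash:", needs_rehash(SAMPLE_ROWS))  # ['weakcost', 'legacy', 'odd']
```

Rehashing cannot be done offline because the plaintext is unknown; the usual pattern is to verify against the old hash on the next login and immediately store a fresh bcrypt hash, which is why the function returns a list of accounts rather than rewriting anything.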
enumerating as giovanni
There is a cron.d entry for PHP.
Nothing here, just a session cleanup. Something is happening every minute, though, and the cron could be running under the root user, which at this point there is no way to view without a tool.
download pspy: https://github.com/DominicBreuker/pspy
to download the extra packages
next we are going to send pspy to our target box with a
target save location
execute, and now it is watching processes
Now we know that /bin/sh is running backup.sh.
read with less:
(sidenote) to be able to clear the screen we need to export TERM
disassembling the backup.sh
We know at this point that the script moves to /work, tars a file, moves to /tmp, tars another folder and then changes its permissions with chmod. If we can point the /tmp file at /etc/shadow we will be able to grab the hashes.
pointing a file at another file with
After the cron job runs we control
and now we can edit this file and replace the root password hash with giovanni’s, since we know that password.
now put it over the top of the root password:
Switch users to root:
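The root task above goes wrong because it tars and chmods whatever is sitting in a world-writable directory, following symlinks on the way. The following added example (written for this write-up, not the box's backup.sh) shows the shape of a backup routine that does not have that weakness: it inspects each entry with lstat, refuses symlinks, non-regular files and files owned by anyone other than the expected owner, opens with O_NOFOLLOW so a link swapped in between the check and the open is still refused, and reports what it skipped. The directory layout built by `demo()` is a constructed fixture, and the owner check uses the calling uid as an assumption.

```python
import os
import stat
import tarfile
import tempfile


def safe_archive(src_dir, dest_tar, expected_uid):
    """Archive regular files below src_dir into dest_tar, refusing symlinks,
    non-regular files and files not owned by expected_uid. Returns the list
    of skipped paths so the job can log them."""
    skipped = []
    with tarfile.open(dest_tar, "w:gz") as tar:
        for root, dirs, files in os.walk(src_dir):
            # Never descend into a symlinked directory.
            dirs[:] = [d for d in dirs if not os.path.islink(os.path.join(root, d))]
            for name in files:
                path = os.path.join(root, name)
                st = os.lstat(path)  # lstat inspects the entry itself, never a link target
                if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
                    skipped.append(path)
                    continue
                try:
                    # O_NOFOLLOW closes the race where a link replaces the file after the lstat.
                    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
                except OSError:
                    skipped.append(path)
                    continue
                with os.fdopen(fd, "rb") as fh:
                    fst = os.fstat(fh.fileno())  # metadata of the file we actually opened
                    info = tarfile.TarInfo(name=os.path.relpath(path, src_dir))
                    info.size = fst.st_size
                    info.mode = stat.S_IMODE(fst.st_mode)
                    info.mtime = int(fst.st_mtime)
                    tar.addfile(info, fh)
    return skipped


def demo():
    """Constructed fixture: a work dir with one real file and one symlink that
    points at a file outside it. Returns (skipped basenames, archived names)."""
    base = tempfile.mkdtemp()
    work = os.path.join(base, "work")
    os.mkdir(work)
    outside = os.path.join(base, "outside-secret")
    with open(outside, "w") as f:
        f.write("constructed sensitive content\n")
    with open(os.path.join(work, "notes.txt"), "w") as f:
        f.write("legitimate content\n")
    os.symlink(outside, os.path.join(work, "planted-link"))
    dest = os.path.join(base, "backup.tar.gz")
    skipped = safe_archive(work, dest, os.getuid())
    with tarfile.open(dest) as tar:
        members = sorted(m.name for m in tar.getmembers())
    return sorted(os.path.basename(p) for p in skipped), members


if __name__ == "__main__":
    print(demo())  # (['planted-link'], ['notes.txt'])
```

Two further points the script itself should honour: stage output in a directory only root can write to rather than /tmp, and apply chmod to the archive it just created (by descriptor) rather than to a path that another user may have redirected.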
If you don’t know who ippsec is check him out at
Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec