Disassembly of ippsec's YouTube video HackTheBox - Teacher. The box includes a web app that is vulnerable to a PHP bug which allows for RCE, followed by the use of pspy to discover cron jobs and taking advantage of a root task that leads to root access.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
Enumeration
nmap scan:
(output)
One port open, which looks to be the web server on port 80.
Investigate web-server
Before continuing to investigate the site, start a dirbuster in the background so there is always something enumerating on the backend.
gobuster (background task)
Return to web-server
Check out links and see if the site gives away file extensions, to figure out what type of web server it is and whether code is being processed.
Check the source for some CSS or static code:
An image fails to load and its *onerror=* handler calls *console.log*.
Back on the web page, open the console with F12:
The console is reporting "That's an F".
Investigating that 5.png:
An error occurs, as the image doesn't seem to exist.
Download 5.png locally:
Open the file with xxd (hex dump) to investigate:
Check the contents:
We have a partial password at this point.
Find a way to log in to the web app.
gobuster results:
Check out /phpmyadmin:
Forbidden.
Forbidden workaround via Burp: capture the request and send it to Repeater.
- tactic: modify the Host header to localhost
Forbidden.
- tactic: add X-Forwarded-For: localhost
Check out this link for more info: https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/
Forbidden.
In this example we could not bypass the 403 Forbidden.
Check out /moodle:
Dynamically created page. In the right corner we see "You are not logged in".
Attempt login with credentials / forgot password.
First move: see if the forgot password form will leak any further information. Remember that the actual message stated "I forgot the last character of my password. The only part I remembered is Th4c00lTeacha." but doesn't give a username.
Use forgot password to verify whether a username is a valid account.
The response says that "if you supplied a correct username or email, an email should have been sent to you." Not very helpful for enumeration.
Login as guest:
Guest can't access user accounts.
Guess the username as Giovanni.
Capture the request with Burp Suite:
Send to Repeater:
There are no CSRF tokens, which would otherwise stop us from enumerating with wfuzz.
Enumerating the password with wfuzz:
Password enumerated as: Th4C00lTeacha#
Giovanni captured.
Login:
Poke around the server; nothing is of immediate interest. There is an upload under private files.
searchsploit moodle:
GitHub moodle:
Checking for any type of changelog with issues addressed.
Among the files there is a version.php, which should be checked against the version of moodle on the target system.
From our target system only a blank page is returned.
Enumerating moodle:
Google search: "moodle enumerate versions"
to check the Moodle docs on the page:
The docs URL contains */34*, i.e. version 3.4.
Google "moodle release notes" to find the date:
Released 13 November 2017
Google search "moodle exploit":
Search "moodle exploit 3.4 3.5", as both versions were missing from searchsploit.
The ripstech blog offers a more detailed explanation of how the exploit is going to function.
Exploit explanation in a nutshell:
There is a Metasploit module available, but we work through the exploit manually.
Manually exploiting moodle:
On the moodle web app, search for a way to add a quiz:
Turn editing on under the gear icon.
Add an activity:
Save a template and edit it to add a question that will have a formula:
Following the ripstech blog post, if we enter the string we should get a "success":
In this situation, change the GET parameter to REQUEST:
Submitted:
An error regarding the semicolon; removed all semicolons and changed the grade to 100%.
(results)
The formula seems to have been taken over at this point but has a syntax error.
Searching around, the question bank contains old questions from the creation of the box.
Investigating the creator's formulas to discover exactly how they passed the request:
Modifying the original request and adding information from our sample:
This resulted in the REQUEST being accepted by the moodle web app.
Burp the REQUEST to RCE:
Capture that exact request in Burp, send it to Repeater, and add a command to send an ICMP packet:
Set up tcpdump to capture the packet:
-n = no DNS resolution
Packets are being sent from the target, meaning we have remote code execution (RCE) on the box.
Reverse Shell
Sending the reverse shell with the RCE:
Set up a listener:
Execute, and it returns with a remote shell on the box.
Upgrade the partial shell to a pty:
Enumerating the web server:
The first things should consist of searching for the database and poking around it.
To search for the database:
Check out config.php:
Database credentials have been retrieved.
Connect to the MySQL server:
Show tables and search for "user":
Show what's inside mdl_user:
Show usernames and passwords:
We now have bcrypt hashes for a list of users and one that looks like an MD5 hash. The fastest way to look up a common MD5 hash is simply Google.
Results:
Priv-Esc
With a check of /etc/passwd we have a user giovanni; switch users and enter the newly acquired password.
Enumerating as giovanni:
Search the /work directory:
Check cron:
There is a cron.d entry for php:
Nothing here, just a session cleanup. Every minute an event is occurring, which could be a cron job under the root user; at this point there is no way to view that without a tool like pspy.
Download pspy: https://github.com/DominicBreuker/pspy
Build pspy:
To download the extra packages:
Rebuild:
Next we're going to send pspy to our target box with SimpleHTTPServer.
Target save location: /dev/shm
Execute, and now it is watching processes.
pspy output:
Now we know that */bin/sh* is running backup.sh.
Investigating backup.sh:
Read it with less:
(Sidenote) to be able to clear the screen we need to export TERM:
Disassembling backup.sh:
We know at this point it is moving to /work, tar'ing a file, moving to /tmp, tar'ing another folder and then changing permissions with chmod. If we can point the /tmp file at /etc/shadow, we will be able to grab the hashes.
Point one file at another file with ln:
Once the cron job has run, we control /etc/shadow.
View shadow:
Now we can edit this file and change root's password hash to giovanni's, since we know that password.
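As an added hardening example (not the box's backup.sh, whose contents are not reproduced here), this is the kind of permission fix-up a root cron job should use instead of a blanket chmod over a user-writable directory; the function name safe_chmod_tree and the directory layout in the comments are assumptions.

```shell
# Added example, not the box's own script. A root job that chmods everything in
# a directory a low-privileged user can write to is exposed to planted
# symlinks: a plain chmod on the link dereferences it and the mode change
# lands on the target (e.g. /etc/shadow). This version only chmods regular
# files located by find, which does not follow symlinks unless -L is given,
# and reports any symlink it found so the cron log shows the tampering.
safe_chmod_tree() {
    dir="$1"   # directory to fix up (assumed: extracted backup directory)
    mode="$2"  # mode to apply to regular files, e.g. 644
    # Refuse a path that is itself a symlink or not a directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is a symlink or not a directory" >&2
        return 2
    fi
    # -type f matches only real files; symlinks are never followed here.
    find "$dir" -mindepth 1 -type f -exec chmod "$mode" {} +
    # Surface planted symlinks instead of silently skipping them.
    links=$(find "$dir" -mindepth 1 -type l)
    if [ -n "$links" ]; then
        printf 'skipped symlink(s) under %s:\n%s\n' "$dir" "$links" >&2
        return 1
    fi
    return 0
}
```

A non-zero return from the job lets cron's mail or the syslog line flag the run, which is the detection point for this class of symlink abuse.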
Now put it over the top of the root password hash:
Root&Loot
Switch users to root:
The loot.
If you don't know who ippsec is, check him out at:
YouTube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Twitter: https://twitter.com/ippsec