Hack The Box - Teacher
We are going to pwn Teacher from Hack The Box.
Link: https://www.hackthebox.eu/home/machines/profile/165
As always, we begin with our Nmap scan.
Nmap Scan Results:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 4.2 (95%), Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.8 - 3.11 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Let's begin our enumeration from the webpage. It looks like a normal webpage.
While looking at each page I found something in the /gallery source code.
When I click the image link it shows me an error.
So I downloaded it to my machine and ran strings on it.
It gives me a message along with
user: giovanni
and password: Th4C00lTheacha (one character missing)
This means there must be a login page, so I started Gobuster.
Gobuster Results:
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.153
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/11 19:07:47 Starting gobuster
===============================================================
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/js (Status: 301)
/manual (Status: 301)
/moodle (Status: 301)
/phpmyadmin (Status: 403)
/server-status (Status: 403)
===============================================================
2019/12/11 19:10:25 Finished
===============================================================
While checking them I found a new page, /moodle, so I bruteforced this directory as well.
Gobuster Results of /moodle:
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.153/moodle/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/13 17:47:47 Starting gobuster
===============================================================
/admin (Status: 301)
/analytics (Status: 301)
/auth (Status: 301)
/backup (Status: 301)
/blocks (Status: 301)
/blog (Status: 301)
/cache (Status: 301)
/calendar (Status: 301)
/comment (Status: 301)
/course (Status: 301)
/error (Status: 301)
/files (Status: 301)
/filter (Status: 301)
/group (Status: 301)
/index.php (Status: 200)
/install (Status: 301)
/lang (Status: 301)
/lib (Status: 301)
/local (Status: 301)
/login (Status: 301)
/media (Status: 301)
/message (Status: 301)
/mod (Status: 301)
/my (Status: 301)
/notes (Status: 301)
/pix (Status: 301)
/portfolio (Status: 301)
/question (Status: 301)
/rating (Status: 301)
/report (Status: 301)
/repository (Status: 301)
/rss (Status: 301)
/search (Status: 301)
/tag (Status: 301)
/theme (Status: 301)
/user (Status: 301)
/webservice (Status: 301)
===============================================================
2019/12/13 17:50:22 Finished
===============================================================
It's quite a lot.
Finally I found a login page at /moodle/login/index.php.
We already have a user and a password with one missing character, so we need to bruteforce that character.
I started Burp, captured the login request with the intercept and sent it to Intruder.
I created my wordlist. We need to find the last character or letter, so
I added !@#$%^&*()
manually and my wordlist was ready.
I uploaded it into the payload section.
I started the attack; one response has a different length than the others, so it might be the correct password.
Yes, I logged in:
giovanni:Th4C00lTheacha#
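On the server side, the Intruder run above is a burst of POSTs to /moodle/login/index.php from one address, with identical-size 200 responses for failures and a redirect for the final success. As an added detection example (not part of the original writeup), the Python below flags such bursts in Apache access logs; the sample log lines, source IPs, timestamps, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/moodle/login/index.php"
# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Return (ip, timestamp, method, path, status, size) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status), (0 if size == "-" else int(size))


def find_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag IPs that POST to the Moodle login page >= threshold times inside any window.
    Returns {ip: {"attempts": n, "succeeded": bool}}. Moodle re-renders the form with
    200 on a failed login and redirects (302/303) on success, so a redirect from a
    flagged IP is treated as a likely successful guess."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            posts[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end, (t_end, _status) in enumerate(events):  # sliding window over time
            while t_end - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                prev = alerts.get(ip, {"attempts": 0})
                alerts[ip] = {"attempts": max(prev["attempts"], count),
                              "succeeded": any(s in (302, 303) for _, s in events)}
    return alerts


def constructed_log():
    """Constructed sample: 12 POSTs from one IP in 22 s (11 failures, then a 303) plus normal traffic."""
    lines = ['10.10.14.9 - - [13/Dec/2019:18:00:00 +0000] "GET /moodle/ HTTP/1.1" 200 4316 "-" "Mozilla/5.0"']
    for i in range(12):
        status = 303 if i == 11 else 200
        lines.append(f'10.10.14.5 - - [13/Dec/2019:18:01:{i * 2:02d} +0000] '
                     f'"POST {LOGIN_PATH} HTTP/1.1" {status} 2711 "-" "Mozilla/5.0"')
    lines.append(f'10.10.14.9 - - [13/Dec/2019:18:02:00 +0000] "POST {LOGIN_PATH} HTTP/1.1" 303 515 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(find_login_bursts(constructed_log()))
```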
Now we need to get a reverse shell, and I found this:
https://blog.ripstech.com/2018/moodle-remote-code-execution/
I followed the same process from the blog and added the code.
From the code I came to know that we need to call hack
for any command execution.
Then I sent that request to Burp, and it worked: I got a reverse shell.
Immediately I started searching for config
files, and I got this:
mysql -u root -D moodle -p
-u database user
-D database name
-p prompt for the password
Once entered, it asks for the password; after entering it I was logged in.
SHOW DATABASES;
shows all the databases.
Then I switch to moodle
using USE moodle;
SHOW TABLES;
shows all the tables in that database.
From there I chose mdl_user
and got some hashes.
I cracked giovanni's hash using CrackStation:
giovanni:expelled
I'm giovanni now.
Privilege Escalation:
I tried running a Linux enumeration script, but found nothing useful, so I uploaded pspy.
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.
There is a cron job
running in the background.
While checking the script I came to know that it goes to /giovanni/work,
compresses all files in /courses,
then moves the archive to /tmp,
extracts it there and sets permissions recursively.