Hack The Box Edition: Teacher

Hack The Box: Teacher  

Exploiting a vulnerable Linux machine at target IP 10.10.10.153 known as Teacher.

Strategy: 

Compromise the vulnerable machine to gain privileged access for the root. 

Tactics:

• Enumeration: Performing a network scan and using Nmap to discover target Ip 10.10.10.153 and scanning it for all the vulnerable ports with Nikto and checking all the accessible directories with dirb. Nmap scan revealed that port 80 has an Apache server running and has a Moodle service running. The target Ip has an “images” directory that contains a 5.png image which includes a password for user Giovanni. Password: “Th4C00lTheacha” but missing a character.

• Used a web fuzzer with a unique character wordlist to find the correct password. The special character is “#” Logged into Giovanni moodle account.

• Exploitation: The next step is trying to get shell access. Used searchsploit to check for exploits for Moodle version 3.4. I used a remote code injection in one of the quizzes to attain a reverse shell via Ncat and got access to the shell.

• After getting access to the shell, spawned a python tty shell to stabilize it and gained root access to the MariaDB mysql database using config file credentials. 

• Privilege Escalation: Exfiltrated credentials for user Giovanni through the mysql database, converted the hash to plaintext. Password: “expelled” and logged in the system as Giovanni and gained access to the user flag. Also gained access to the root flag inside the /work/tmp/tmp directory with read and write privileges.

Final Thoughts: I had been working with Moodle during my University days which got me really curious about this HTB machine. Overall had fun with this one, would rate it at a medium level difficulty CTF challenge.