[HTB] teacher

Attacking Vector

http->code injection->web reverse shell -> priv esc

Decision Tree

1)discovery : which ports are opened?
– only 80 port is opened

2)enumerate : third party web platform?
– use gobuster to check directory structure
– check the website, does it use open source platform? any known vulnerabilities?
– are those files really images? or have weird sizes compared to other one?
– find username and password by enumerating webpage, image files
– ask google for a help, research blog

3)manipulate webpage : any possible exploits?
– inject php code

4)get a reverse shell : can we get a reverse web shell?
– manipulate HTTP request by using burp
– php cmd shell

5)privilege escalation : any mis-configurations or vulnerabilities?
– pspy to check system process
– focus on cronjob which as privileged permission

6)manipulate file
– replace file to /etc/shadow in cronjob
– copy normal users hashed password to root in /etc/shadow

https://blog.ripstech.com/2018/moodle-remote-code-execution/

Tools & References

tools: gobuster, wfuzz, pspy
https://blog.ripstech.com/2018/moodle-remote-code-execution/
https://www.exploit-db.com/exploits/46551

Leave a Reply

Your email address will not be published. Required fields are marked *