HackTheBox - Teacher

00:40 - Begin of recon 02:00 - Poking around at the website to identify what techologies it utilizes 02:30 - Discovering something odd about images/5.png 03:25 - Downloading 5.png to discover it is a text file with a portion of a password 06:00 - Finding a place to login (/moodle), attempt to enumerate valid usernames 08:00 - Using wfuzz to bruteforce the password 11:20 - Looking for a way to enumerate Moodle Versions 13:20 - Searching for exploits for this version and finding "Bad Teacher" 14:40 - Start of manually exploiting this vulnerability 16:00 - Adding a "Calculated Question" which has the formula (vulnerable) parameter 20:16 - Finding artifacts of creating/testing the machine which spoils what we are supposed to do 24:21 - Fixing our forumla to allow for code execution 28:30 - Getting a reverse shell 30:00 - Looking around the MySQL Database to discover hashes of other users 31:52 - The account Giovannibak stands out due to the hash being just MD5 32:30 - Attempting the password (expelled) of the MD5 hash above to login to "Su" to Giovannibak 36:20 - Grabbing and compiling pspy to find a cronjob 38:30 - Running PSPY to discover /usr/bin/backup.sh 40:00 - Abusing the backup cron to have it chmod 777 /etc/shadow (could do anything, sudoers is a bit less noisy)