search

Schooled

hashtag
Gaining Access

Nmap scan:

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx

Did a detailed scan as well:

$ nmap -p 80,33060 -sC -sV --min-rate 5000 10.129.155.68          
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-09 22:25 EST
Nmap scan report for 10.129.155.68
Host is up (0.0082s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Schooled - A new kind of educational institute
<OTHER PORT IRRELEVANT>

I added schooled.htb to the /etc/hosts file as per standard HTB practice.

hashtag
Web Enum -> Moodle XSS

The website was for an educational institution:

The page was rather static, so I did a directory and subdomain scan. gobuster didn't reveal much, but the wfuzz subdomain scan shows this:

Moodle is a open-source learning platform software.

This is probably an outdated software with some security vulnerabilities, and the box was released back in 2021. Interestingly, there's an entire page on Hacktricks for enumerating this software.

LogoMoodle - HackTricksbook.hacktricks.xyzchevron-right

There was a linked scanner on the page:

LogoGitHub - inc0d3/moodlescan: Tool for scan vulnerabilities in Moodle platformsGitHubchevron-right

This allowed me to enumerate the version that was running:

On Hacktricks, there seems to be an RCE vulnerability, but that requires manager privileges on Moodle. I created an account and logged in to the platform. After logging in, I saw that I could enrol in courses:

There was one announcement in the Mathematics course:

So there's a user checking profiles, and on HTB a user checking a page consistently likely means an XSS exploit is possible. This Github repository contains steps on how to exploit the XSS affecting this version of Moodle:

LogoGitHub - HoangKien1020/CVE-2020-25627: Stored XSS via moodlenetprofile parameter in user profileGitHubchevron-right

Here's the payload I used:

This would be entered into the MoodleNet profile.

After a while, a HTTP server would get a request:

After replacing the cookie, I got access to the 'Manuel Phillips' user, who I presume is the course administrator.

hashtag
Teacher -> Manager -> RCE

There was nothing inherently interesting about a teacher's account, however there is one CVE to go from a teacher to the site manager.

https://moodle.org/mod/forum/discuss.php?d=407393moodle.orgchevron-right

I have to 'enrol' myself as the manager, so I headed to the course the user was a teacher for and saw the 'Enrol users' option.

This is the request sent when I enrol someone:

From this, I cna change the userlist parameter to 24 (the current user ID) and change the roleassign to 1. The change is reflected on the table:

Using this, I also made the account I control a Manager. There was a new option to Login in as an administrator.

The above was possible because both users are Managers. However, because the user I cerated was a student, it had no privileges. Setting a staff like Lianne Carter to an administrator and then logging in as them allows me to access the Site Administration:

Next, I have to get full privileges over the site, and this can be done using this repo:

LogoGitHub - HoangKien1020/CVE-2020-14321: Course enrolments allowed privilege escalation from teacher role into manager role to RCEGitHubchevron-right

The above also includes the file for RCE. To use this, go to Users > Define roles > Manager. Then, just press Save changes to see this massive request:

Keep the sesskey variable intact and replace the rest with the payload from the repo. This opens the Plugins directory from the main admin panel:

On the plugin installation page, upload rce.zip from the repo:

Then go ahead and install this plugin, and this would allow for rce at http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php?cmd=id.

Then, a reverse shell is easy.

hashtag
Privilege Escalation

hashtag
Database Creds -> User Hash

There were 2 users on this machine:

There was also a config.php file present with database credentials:

This password was not used for any user but I could login to the database to enumerate the user hashes there. I can proceed to enumerate the database:

Using this, I could view the mdl_users table:

Massive number of hashes, and since there only jamie and stevie on the machine, I just cracked the hash for admin, since it used the email of jamie.

This hash had to be brute forced character by character to give !QAZ2wsx, and using this I could ssh in as jamie:

hashtag
Sudo Privileges

This user had some sudo privileges:

GTFOBins has an entry for this particular binary, and it uses fpm as well. I ran the commands on my machine to make /bin/bash a SUID binary.

Afterwards, transfer x-1.0.txz to the target machine, and install it using pkg.

Rooted!

PreviousRetiredNextScrambled

Last updated