Schooled is a Medium box from HTB created by TheCyberGeek. This box features an XSS exploit and privilege escalation via Moodle, and a malicious pkg on FreeBSD for root. I begin each box by running RustScan. This is bundled into my setup.sh script, which I've mentioned in a few of my other posts. Running RustScan with Nmap filters shows a website available on port 80. Reviewing the results I see port 80 open and that it's running an HTML-based website. This tells me that I should be looking for a subdomain or a different port, as in the majority of cases HTML-based websites are used for clues and rabbit holes.
HTML-based website with a contact form on
I head over to the website and I'm presented with a site for an online institute. I notice it states "By hml design", so I verify it's HTML by going to index.html. I also see schooled.htb. I edit my hosts file and navigate around the remainder of the site.
Schooled domain referenced as well as HTML-based design.
Referencing the above, I also begin running a vhost search using GoBuster. A subdomain for moodle pops after a few seconds. I alter my hosts file to add moodle and head over to the site.
Running GoBuster to find an additional vhost.
After arriving at the Moodle subdomain I poke around the site. Accessing the classes requires you to register, so I try to register an account. I get an additional subdomain in the error shown when registering.
Registration for moodle.schooled.htb
Navigating to the new subdomain brings me back to the main site. Because of this I continue the registration process, substituting @student.schooled.htb for my @islanddog.ky domain. I am able to log in and successfully register for the Mathematics class.
Registering for the Mathematics class.
After poking around and trying to use the Private Files and Picture areas of the profile page to priv esc, I notice the following under Announcements:
Reminder for the MoodleNet profile.
This tells me the teacher is going to be constantly checking my profile for a MoodleNet profile link, which also means she is going to click on the link. I set up an XSS request and an nc listener and wait.
I see the cookie come through and use the Cookie Editor plugin for Firefox to take over the session.
The student has become the teacher
I look around the teacher's account for my next privilege escalation. After coming up dry, I research Moodle with Teacher access. Eventually I find GitHub.com – lanzt – CVE-2020-14321. After pulling the repo I realize I don't have pwn, which is required for the script. I install pwn using pip and proceed to run the script.
Running the CVE-2020-14321 exploit with a one-liner reverse shell
After establishing a low-privilege session I navigate around the Moodle install. I look for the config.php file, as I know the database credentials are stored in this file.
Moodle database credentials found
Not knowing the FreeBSD platform very well, I stumble around until I find the MySQL install. I log in to the database using the previously found credentials and extract the mdl_user table.
I took the hash and ran it through John. While navigating the environment earlier and figuring out MySQL, I noticed that Jamie was also an active user on the box. That, alongside SSH being open, led me to use the password cracked from the hash to log into the box.
John cracking the admin password hash
The first thing I do when entering the box is run sudo -l, which comes back with some interesting permissions. Googling around I found LastSummer.de – Creating Custom Packages on FreeBSD and GitHub – freebsd/pkg to create a custom
I upload the script to Jamie's SSH environment and then run the script.
⚠ Attack Machine
I finished this machine while on the road using my laptop, and thus the images/script used are not present. I will hopefully not be lazy and update this in the future!