HackTheBox Writeup — Schooled

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.10.234

Port Scan / Enumeration

Found 3 Open Ports:

  • Port 22 -> SSH
  • Port 80 -> HTTP (Web)
  • Port 33060 -> MySQL (Database)

Way to Web User

Since there is a web server being hosted on the machine, I added the schooled.htb domain in my hosts file and checked the domain on the browser

Since there was nothing interesting found on the main domain web, I ran a scan for potential VHOSTS and found moodle.schooled.htb to be a valid one

Checking the new domain, its running the Moodle web application which is actually a school based web application

I registered a student user on my name, here it was required for students to have email address associated with student.schooled.htb domain, although it didnt actually sent any confirmation on any email addresses, so I used a fake one

Registration was successful and I had my own account on the school web app

Looking for potential CVEs for Moodle application, it was found that it had a stored XSS on Edit Profile page

The vulnerability exists on the MoodleNet profile field

Adding my XSS cookie stealer javascript code on the field and updating the profile

I also saw the the user Manuel Phillips is online on the web, who is actually the mathematics teacher

So I enrolled for the Mathematics course so that teacher reviews my profile and gets infected with the XSS

Looking back on my python webserver, I found that it fetched a cookie from the webserver which is the cookie of the teacher Manuel

So I injected the cookie on my browser and impersonated as the user Manuel Phillips

Now following each steps required to exploit the CVE-2020–14321, I enrolled the current user to the course

Intercepted the request on Burp Suite and changed the value of the userlist parameter to the my newly created user’s id and also changing the roletoassign paramter to 1 so that it gives the Manuel user the manager role

The response we get shows that the request made was successful

I also changed the value for the Manuel user too and can confirm that the user now also has the Manager role6

Now access any user which is already a Manager, I found Lianne was an user which is also with Manager role, check the profile of the user, I had the option to login as that user and access administrative tasks

Logged in as Lianne Carter successfully

Now moving towards the Site Administration options and selecting the Define Roles option from the Users area

Editing the roles of Manager, clicking the Save Changes options and intercepting the request in Burp Suite

Changing the parameter and replacing the content which will enable all the options and sending the request

Moving towards the Plugins area in the Site Administration and selecting the Install Plugins option

Selecting the Choose a file option

Selecting the rce.zip file and uploading it

Installation was successful

Accessing the web shell and getting code execution successfully

Getting reverse shell back to my machine through the webshell

Way to User

Enumerating the webroot, I found a config file which contained database credentials

The mysql tool was located on some other directory which I had to find

Connecting to the database and getting the table names

The interesting table here was the mdl_user table

Fetching the username and password, I was able to get the usernames and password hashes

Cracking the passwords, one them cracked successfully using john

There were only two users on the system, jamie and steve, so I used the password with one of them through SSH and got successful connection with the jamie user

Getting the user flag from the home directory of jamie user

Way to Root

Running the sudo -l command, I found that the current user can run sudo with no password on the /usr/sbin/pkg along with update or installation of any package

Creating a package file on my local kali machine which will help me get reverse shell

Uploading the package file and installing the package, the installation got hung

Looking back to the netcat listener, I got shell as root successfully

Getting the root flag from the home directory of root user

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover