HackTheBox Writeup — Schooled
Hello guys, I am Faisal Husaini. My username on HTB is "fa1sal". Also join me on Discord.
The IP of this box is 10.10.10.234
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.234
Found 3 Open Ports:
- Port 22 -> SSH
- Port 80 -> HTTP (Web)
- Port 33060 -> MySQL (Database)
Way to Web User
Since there is a web server hosted on the machine, I added the schooled.htb domain to my hosts file and opened the domain in the browser
Since nothing interesting was found on the main domain, I ran a scan for potential VHOSTs and found moodle.schooled.htb to be a valid one
Checking the new domain, it's running the Moodle web application, which is a school-oriented (learning management) web application
I registered a student user under my name. Students were required to have an email address on the student.schooled.htb domain, although no confirmation was actually sent to any email address, so I used a fake one
Registration was successful and I had my own account on the school web app
Looking for potential CVEs for Moodle application, it was found that it had a stored XSS on Edit Profile page
The vulnerability exists on the MoodleNet profile field
Adding my XSS cookie stealer javascript code on the field and updating the profile
I also saw that the user Manuel Phillips was online on the site; he is the mathematics teacher
So I enrolled in the Mathematics course so that the teacher would review my profile and get hit by the XSS
Looking back at my Python web server, I found that it had logged a cookie sent to it, which was the cookie of the teacher Manuel
So I injected the cookie into my browser and impersonated the user Manuel Phillips
Now, following the steps required to exploit CVE-2020-14321, I enrolled the current user in the course
I intercepted the request in Burp Suite and changed the value of the userlist parameter to my newly created user's id, also changing the roletoassign parameter to 1 so that it gives the Manuel user the Manager role
The response we get shows that the request made was successful
I also changed the value for the Manuel user and can confirm that this user now also has the Manager role
Next, I needed to reach any user who already had the Manager role: I found that Lianne was a user with the Manager role, and on checking that user's profile I had the option to log in as that user and access administrative tasks
Logged in as Lianne Carter successfully
Moving on to the Site Administration options, I selected the Define Roles option from the Users area
I edited the Manager role, clicked the Save Changes option and intercepted the request in Burp Suite
I changed the parameter, replacing its content with a version that enables all the capability options, and sent the request
Moving towards the Plugins area in the Site Administration and selecting the Install Plugins option
Selecting the Choose a file option
Selecting the rce.zip file and uploading it
Installation was successful
Accessing the web shell and getting code execution successfully
Getting reverse shell back to my machine through the webshell
Way to User
Enumerating the webroot, I found a config file which contained database credentials
The mysql client binary was located in another directory, which I had to find first
Connecting to the database and listing the table names
The interesting table here was the mdl_user table
Selecting the username and password columns, I was able to get the usernames and password hashes
Cracking the hashes with john, one of them cracked successfully
There were only two users on the system, jamie and steve, so I tried the password with each of them over SSH and got a successful login as the jamie user
Getting the user flag from the home directory of jamie user
Way to Root
Running the sudo -l command, I found that the current user can run /usr/sbin/pkg through sudo with no password, including updating or installing any package
I created a package file on my local Kali machine that would give me a reverse shell when installed
After uploading the package file and installing the package, the installation hung
Looking back to the netcat listener, I got shell as root successfully
Getting the root flag from the home directory of root user
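The sudo rule that made this privilege escalation possible (passwordless pkg, which installs arbitrary packages and runs their scripts as root) is exactly the kind of entry a sudoers audit should catch. The following is an added example, not part of the original writeup: a small Python checker that parses sudoers user specifications, honours the NOPASSWD/PASSWD tag scoping sudo uses, and flags passwordless package-manager commands. The sample sudoers text is constructed, and the package-manager names other than pkg are assumptions.

```python
import re
from typing import Dict, List, Tuple
# Package managers that, when runnable as root without a password, let the
# caller install an arbitrary package and run its install scripts as root.
# FreeBSD's pkg is the one from this box; the other names are assumptions.
PACKAGE_MANAGERS = {"pkg", "apt", "apt-get", "dpkg", "yum", "dnf", "rpm"}
# Lines that are not user specifications; aliases are not expanded here.
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT)\s*:\s*")
# Constructed sample; the jamie line mirrors the rule found on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
jamie ALL=(ALL) NOPASSWD: /usr/sbin/pkg update, /usr/sbin/pkg install *
steve ALL=(ALL) /usr/sbin/pkg install *   # password still required: fine
alice ALL=(ALL) NOPASSWD: /usr/bin/id, PASSWD: /usr/sbin/pkg install *
"""

def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """One record per command (user, runas, command, nopasswd). A sudoers tag
    applies to every command after it in the list until another tag overrides it."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        nopasswd = False  # sudo's default: a password is required
        for item in m.group("cmds").split(","):
            item = item.strip()
            while (t := TAG_RE.match(item)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                item = item[t.end():]
            records.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                            "command": item, "nopasswd": nopasswd})
    return records

def find_risky_nopasswd(text: str) -> List[Tuple[str, str]]:
    """(user, command) pairs that grant passwordless package management or ALL."""
    risky = []
    for r in parse_sudoers(text):
        cmd = str(r["command"])
        binary = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
        if r["nopasswd"] and (cmd == "ALL" or binary in PACKAGE_MANAGERS):
            risky.append((str(r["user"]), cmd))
    return risky
```

Running find_risky_nopasswd over the sample flags only the two jamie entries: steve's rule still asks for a password, and alice's pkg command is under a PASSWD tag.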