Schooled | HackTheBox Writeup
Starting with an nmap scan, I found 3 open ports.
This is the HTTP web view.
As shown below, there is a “Teachers” menu.
In it, I found some of the staff names.
Lianne is a manager too.
I will use this information later.
The footer shows a DNS name, so I added it to /etc/hosts.
Using ffuf, I searched for subdomains and found one.
This is the home page.
Let’s create an account and log in.
I found a course available to students.
I enrolled in that course and found an announcement.
In it, I got 2 messages.
I opened one and got this message.
In this message, “Manuel Philip” says that everyone should set the “MoodleNet Profile”.
As described on GitHub, I added an XSS payload to the MoodleNet profile field and got Manuel’s cookie,
because he said in the announcement message that he frequently checks MoodleNet profiles.
Using a cookie editor, I replaced my cookie with his and refreshed the page.
Now I am Manuel.
Check that YouTube video and come back.
Following the instructions in the video, I enrolled Lianne (the manager) in the course.
I intercepted the request, changed the userlist to Manuel’s id (24) and roletoassign to 1, then forwarded the request.
As you can see, Lianne is now both manager and student.
As shown in the YouTube video, I clicked the username and was redirected to the user’s page.
Then I clicked “Log in as” and then “Continue”.
Now I am logged in as Lianne and have the privilege to edit “Site administration”.
The website shows that I don’t have the privilege to install plugins.
The YouTube video clearly explains how to add that too.
The steps for that:
go to Users and click Define roles,
then click on Manager.
Now I have the privilege to upload and install plugins.
I decompressed it, changed the IP and port, then compressed it back into a zip.
Then I uploaded the zip file as a plugin and installed it.
After the installation process, I got the shell.
I searched for config files and found Moodle’s config.php.
It contains the MySQL database name, database username and database password.
With the MySQL credentials, I checked the database and found the “mdl_user” table.
In that table, I got the password hash of the admin.
I cracked the hash with John.
With the password, I SSHed in as Jamie and got the user flag.
I checked what commands I can run with root privileges and got this.
In the package, I changed the exploit code to “chmod +s /bin/sh”.
So once the package is installed by root, I can run /bin/sh as root:
the setuid bit makes /bin/sh execute with its owner’s (root’s) user ID.
As per GTFOBins, I added the custom package and uploaded it.
The installation completed, and now I am root by running /bin/sh.
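From the defender’s side, the two artifacts this box leaves behind are a setuid-bit shell (the “chmod +s /bin/sh” step) and a Moodle config.php whose database credentials any local user can read. The following audit script is an added example, not part of the original writeup or of Moodle; it walks a directory tree, reports setuid shells and world-readable config.php files, and ships with a constructed fixture tree so it can be run offline.

```python
"""Post-incident audit: flag setuid-bit shells/interpreters and flag
Moodle config.php copies readable by every user on the host."""
import os
import stat

# Basenames that should never carry the setuid bit on a healthy host.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl"}


def find_setuid_files(root):
    """Return all regular files under `root` whose mode has the setuid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def suspicious_setuid_shells(root):
    """Subset of setuid files that are shells or interpreters (e.g. /bin/sh)."""
    return [p for p in find_setuid_files(root) if os.path.basename(p) in SHELL_NAMES]


def world_readable_configs(root, filename="config.php"):
    """Report config.php files whose mode grants read access to 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if filename in files:
            path = os.path.join(dirpath, filename)
            if os.stat(path).st_mode & stat.S_IROTH:
                hits.append(path)
    return sorted(hits)


def audit(root):
    """Run both checks and return the findings as a dict."""
    return {"setuid_shells": suspicious_setuid_shells(root),
            "readable_configs": world_readable_configs(root)}


def build_fixture(base):
    """Constructed sample tree (hypothetical, not from the box): a setuid sh,
    a normal binary and a world-readable Moodle config.php."""
    os.makedirs(os.path.join(base, "bin"))
    os.makedirs(os.path.join(base, "var", "www", "moodle"))
    for rel, mode in [("bin/sh", 0o4755), ("bin/ls", 0o755),
                      ("var/www/moodle/config.php", 0o644)]:
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return base
```

Run `audit("/")` on a live host to produce the findings; on this box the setuid /bin/sh and the readable config.php would both be reported.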