Schooled | HackTheBox Writeup

Overview

Schooled is a medium-difficulty Linux machine on HackTheBox by TheCyberGeek.

User Part

Starting with an nmap scan, I found 3 open ports.

This is the HTTP webview.

As shown below, there is a menu “Teacher”.

In that, I found some of the staff names.

Lianne is a manager too.

I will use this information later.

The footer shows a DNS name, so I added it to /etc/hosts.

Using ffuf, I searched for subdomains and found one.

This is the home page.

Let’s create an account and login.

I found an available course for students.

I enrolled in that course and found an announcement.

In that, I got 2 messages.

I opened one and got this message.

In this message, “Manuel Philip” said that everyone should set the “MoodleNet Profile”.

Then I searched for “moodlenet profile exploit” and got this website.

I opened that link and got the CVE id.

Then I searched for the POC and got the GitHub link.

In that, he clearly explained how to exploit it.

As described on GitHub, I added the XSS payload to the MoodleNet profile and got Manuel’s cookie,

because he said in the announcement message that he frequently checks MoodleNet profiles.

Using a cookie editor, I changed the cookie and refreshed the page.

Now I am Manuel.

I checked with moodlescan and found the Moodle version.

I googled for an exploit and found a YouTube video of an RCE.


Check that YouTube video and come back.

As per the instructions in the video, I enrolled Lianne (manager) in the course.

I intercepted the request, changed the userlist to Manuel’s id (24) and roletoassign to 1, then forwarded the request.

As you can see, Lianne is now a manager and a student.

As shown in the YouTube video, I clicked the username and was redirected to the user’s page.

Then clicked “Log in as” and then clicked continue.

Now I am logged in as Lianne and have the privilege to edit “Site administration”.

The website shows that I don’t have the privilege to install plugins.

The YouTube video clearly explains how to add that too.

The steps for that:

  1. go to users, click define roles
  2. click on the manager
  3. click edit

Now intercept the “Save changes” request and change it according to the GitHub repo shown.

I changed everything other than sesskey in POST Request. 

Now I have the privilege to upload and install plugins.

Then I searched for “moodle plugin install exploit” and got this article.

In that article, he gave the zip file link and also mentioned to decompress it and change the IP and port.

I decompressed, changed IP and port, then compressed to zip.

Now I uploaded the zip file as a plugin and installed it.

After the installation process, I got the shell.

I searched for config files and got moodle config.php.

It contains MySQL database name, database username, database password.

With the MySQL credentials, I checked the database and got the “mdl_user” table.

In that table, I got the password hash of the admin.

I cracked the hash with john.

With the password, I SSHed in as Jamie and got the user flag.

Root Part

I checked what commands I can run with root privilege and got this.

I searched GTFOBins and found how to exploit it.

Also, this article helped me learn more about creating and installing packages.


In the package, I changed the exploit code to “chmod +s /bin/sh”,

so I can run /bin/sh as root after the package is installed by root.

That command sets the set-user-ID bit on the executable.

As per GTFOBins, I added the custom package and uploaded it.

The installation is completed and now I am root by running /bin/sh.
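From the defender’s side, the persistence left behind here is a setuid bit on a shell. As an added example (not part of the original writeup), this POSIX sh audit reads `find -printf '%m %u %p'` style lines and flags setuid files whose basename is a shell or script interpreter; the sample entries are constructed, and `scan_live` is an assumed helper that feeds the real filesystem into the same check.

```shell
#!/bin/sh
# Constructed sample in "mode owner path" form, as produced by
# find / -xdev -type f -perm -4000 -printf '%m %u %p\n'
SAMPLE_ENTRIES='4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /bin/sh
2755 root /usr/bin/wall
0755 root /usr/bin/python3'

# Shells and interpreters that should never carry the setuid bit:
# a setuid interpreter hands every caller the owner's uid.
is_interpreter() {
  case "$1" in
    sh|bash|dash|zsh|ksh|ash|perl|python|python2|python3|ruby) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "mode owner path" lines on stdin and prints the path of every
# setuid file (first octal digit 4..7) whose basename is an interpreter.
flag_suid_shells() {
  while read -r mode owner path; do
    [ -n "$path" ] || continue
    case "$mode" in
      [4567]???) ;;          # setuid bit set
      *) continue ;;
    esac
    if is_interpreter "${path##*/}"; then
      printf '%s\n' "$path"
    fi
  done
}

# Assumed helper for a live host (not run by the sample): same check
# over the real filesystem, one mount at a time via -xdev.
scan_live() {
  find / -xdev -type f -perm -4000 -printf '%m %u %p\n' 2>/dev/null | flag_suid_shells
}

# Sample run: prints /bin/sh, the only setuid interpreter in the list.
printf '%s\n' "$SAMPLE_ENTRIES" | flag_suid_shells
```

Comparing the output against a known-good baseline (for example, the list taken right after provisioning) turns this into a cheap periodic integrity check.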
