At the bottom we see a domain name so let's add this to `/etc/hosts` file
<Imgsrc="https://imgur.com/ebUxzl5.png"/>
<imgsrc="https://imgur.com/KtBFH4j.png"/>
I did not find anything intersting on port 80 also directory fuzzing was failing so we have a domain name let's look for subdomain
<imgsrc="https://imgur.com/mLlFwE1.png"/>
Here we need to hide repsone with 461 lines
<imgsrc="https://imgur.com/OcHonJ6.png"/>
We found a subdomain `moodle.schooled.htb`
<imgsrc="https://imgur.com/pJYpuYA.png"/>
## Names found from subdomain
```
Jamie Borham
Lianne Carter
Jane Higgins
Manuel Phillips
```
Other than that nothing was interesting so let's register an account
<imgsrc="https://imgur.com/4MpScD1.png"/>
<imgsrc="https://imgur.com/OqU45ol.png"/>
It throws a lot of erros so let's fix this.
<imgsrc="https://imgur.com/tFrtgvX.png"/>
We can only enroll in maths course
<imgsrc="https://imgur.com/6x55niF.png"/>
Also we can see the teacher's profile
<imgsrc="https://imgur.com/RBSulWW.png"/>
Checking forum activity we see that there's an announcement made by the teacher
<imgsrc="https://imgur.com/qEKoyFG.png"/>
<imgsrc="https://imgur.com/iBIPzK5.png"/>
Set the MoodleNet profile
<imgsrc="https://imgur.com/ZXmCn1R.png"/>
Now we can see that Teacher is online
<imgsrc="https://imgur.com/6RfaxSS.png"/>
Here we can check for XSS
<imgsrc="https://imgur.com/7PUo1RL.png"/>
<imgsrc="https://imgur.com/gVT5uPW.png"/>
<imgsrc="https://imgur.com/dfQlWwm.png"/>
So appearntly I was doing it wrong and trying the xss session hijacking here as we were the only one who were triggering the file. The announcment had a message
```bash
This is a self enrollment course. For students who wish to attend my lectures be sure that you have your MoodleNet profile set.
Students who do not set their MoodleNet profiles will be removed from the course before the course is due to start and I will be checking all students who are enrolled on this course.
```
So instead of injecting xss on chat , let's try on where we set moodle net profile also I used this xss cookie stelaer
At first you'll see your own cookie but after sometime that script will be accessed by teacher's account and you'll get his session cookie , so copy the session cookie and replace it with your current session cookie
<imgsrc="https://imgur.com/ZQMvT3l.png"/>
After becoming the teacher , I saw an option to switch roles
<imgsrc="https://imgur.com/YmPS53j.png"/>
On moodle's there are a bunch of reported vulnerabilities so I went reading about each one seemed intersting to me
<imgsrc="https://imgur.com/FqBXwoL.png"/>
And PoC was available on github
https://github.com/HoangKien1020/CVE-2020-14321
<imgsrc="https://imgur.com/6mAZzkW.png"/>
So here enroll click on enrolling the user and intercept the request with burp then send it to repeater
<imgsrc="https://imgur.com/XdYlJwT.png"/>
<mgsrc="https://imgur.com/7flUfLy.png"/>
We can see that this user's id is 24 so we edit the request by enrolling the teaacher him self in the course and making him the `manager` by assigning role to `1`
<imgsrc="https://imgur.com/IDpRNRp.png"/>
<imgsrc="https://imgur.com/BARnBJg.png"/>
Now click on the other account who also has become manager and click on login as
<imgsrc="https://imgur.com/k74nfVB.png"/>
At the bottom you'll see `Site Administration`
<imgsrc="https://imgur.com/TJvdFX4.png"/>
There's a problem we can't upload any vulnerable plugin so we would need to modify manager role's permissions , go to `users` --> `define role` then click on edit `manager role` and go to bottom intercept `save changes` request
<imgsrc="https://imgur.com/2aPJat3.png"/>
You'll see this , send it to `repeater tab`
<imgsrc="https://imgur.com/jTFg21v.png"/>
Replace this all with the permissions seen on PoC 's repository
<imgsrc="https://imgur.com/iKWraM4.png"/>
Now we can upload plugin
<imgsrc="https://imgur.com/SHLxeo6.png"/>
Click on install
<imgsrc="https://imgur.com/b0L53J1.png"/>
<imgsrc="https://imgur.com/N06xr45.png"/>
You'll see this screen , don't click on continue instead trigger the remote code execution
<imgsrc="https://imgur.com/TOuIjwh.png"/>
<imgsrc="https://imgur.com/3BLTGmP.png"/>
Now to get a reverse shell I tried the netcat ,bash ones but they didn't worked as this was a Free BSD box so this one worked
I tried to acess user's home directory but we didn't had any permissions to view it so next in my mind came about database as moodle was storing usernames so by default websites are hosted in `/usr/local/www` on FreeBSD
<imgsrc="https://imgur.com/n1Kk4ER.png"/>
In documentation it said that database configuration is in `config.php` , so after using the find command
<imgsrc="https://imgur.com/XgTUtVz.png"/>
<imgsrc="https://imgur.com/n3JB1YA.png"/>
So mysql is running on port 3306 but since it's not a stabilized shell we can't login so we can upload `chisel` binary on the machine and forward port 3306
<imgsrc="https://imgur.com/a0Sl8IO.png"/>
```
$CFG->dbtype = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'moodle';
$CFG->dbpass = 'PlaybookMaster2020';
$CFG->prefix = 'mdl_';
```
Now we can't use mysql binary as it is not in `PATH` variable
<imgsrc="https://imgur.com/UeDz8zB.png"/>
So there's directory `/usr/local`
<imgsrc="https://imgur.com/o61aowp.png"/>
There's a binary folder which means that must be the location where all binaries i.e python,perl,bash,mysql exists so we can use python to spawn a tty shell then use mysql
<imgsrc="https://imgur.com/rRYLR0h.png"/>
Python3 exists in `/usr/local/bin` so spawn and stabilize the shell
<imgsrc="https://imgur.com/ZsRw00k.png"/>
<imgsrc="https://imgur.com/Xx4z6B1.png"/>
<imgsrc="https://imgur.com/vtzUNo1.png"/>
<imgsrc="https://imgur.com/GQEHbFN.png"/>
We can Jamie's data there and he's a user on the box
<imgsrc="https://imgur.com/tOJXYUo.png"/>
It's a bcrypt hash ,save it in a file and crack it with either hashcat or john
<imgsrc="https://imgur.com/5Dma5Sz.png"/>
SSH into the machine
<imgsrc="https://imgur.com/XObMUOT.png"/>
Doing `sudo -l` we can see that this user can install any package
<imgsrc="https://imgur.com/7qHpWOS.png"/>
Reading the configuration file for pkg
<imgsrc="https://imgur.com/zfzP9jH.png"/>
It grabs from `devops.htb` which points to a private IP
<imgsrc="https://imgur.com/0SBJBgC.png"/>
But it wasn't anything we could do so , searched for freebsd custom packages and found this article
Which explained how you can build your own packages, so bascially what this script is doing that creating a folder in james' home directory named `stage` and a `+PRE_DEINSTALL` , `+POST_INSTALL` and `+MANIFEST` file .
The article says that
> You want to run post-install and pre-deinstall tasks as it makes sure your files are in place when you do the system manipulation
So let's modify the script from article and make put a command that will make bash a SUID in `+POST_INSTALL`
```bash
#!/bin/sh
STAGEDIR=~/stage
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}
cat >> ${STAGEDIR}/+PRE_DEINSTALL <<EOF
# careful here, this may clobber your system
echo "Resetting root shell"
pw usermod -n root -s /bin/sh
EOF
cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo "Registering root shell"
chmod +s /usr/local/bin/bash
EOF
cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
