Skip to main content

HTB - Blocky

alt

Basic Nmap scan

Nmap command: nmap -Pn -n -sC -sV -oA scan_boxs/blocky/nmap/10.10.10.37-d-scan 10.10.10.37
Nmap scan report for 10.10.10.37
Host is up (0.15s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
8192/tcp closed sophos
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Open ports : 21,22,80,8192

PORTSERVICEPRODUCTVERSIONEXTRAINFO
21ftpProFTPD1.3.5a
22sshOpenSSH7.2p2 Ubuntu 4ubuntu2.2Ubuntu Linux; protocol 2.0
80httpApache httpd2.4.18
8192sophos

port 80:

Adding the ip address 10.10.14.37 host url with blocky.htb in /etc/hosts.
alt

And has wordpress running on the machine. Running wpscan to probe into the machine.

Enumerating users on wordpress environment. There is a user Notch alt

gobuster has detected few files

/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/wiki (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/plugins (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/wp-login.php (Status: 200) [Size: 2397]
/license.txt (Status: 200) [Size: 19935]
/wp-includes (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/javascript (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/phpmyadmin (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/xmlrpc.php (Status: 405) [Size: 42]
/wp-signup.php (Status: 302) [Size: 0] [--> http://blocky.htb/wp-login.php?action=register]
/server-status (Status: 403) [Size: 298]

wiki

alt

phpmyadmin

alt

plugins

Browsing through all the detected url /plugins looks promising.
alt

Downloading the BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar files.

Open jar file - jadx-gui

Extracting the source from jar file with jadx-gui

alt

found Creds

Found credentials for sql user in BlockyCore plugin

sqluser = root
sqlpass = 8YsqfCTnvxAUeduzjNSXe22

Lets try connecting to login into phpmyadmin again with these newly found cred's.

alt

Successfully able to login.

found cred's for wp-user notch in phpmyadmin on wordpress database in wp_users table. querying the table got us the cred's
alt

user_login: Notch 	
password: $P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/
user_email: [email protected]

Cracking the wordpress password

hashcat --example-hashes | grep -B12 -A2 '\$P\$'

alt

But was not successful in cracking the password.

ssh connection as notch

Now we will use the password from phpmyadmin to the user notch and connect through ssh using the root credentials earlier we found.
alt

user flag

alt

Privilege escalation

Checking sudo permission.

alt

Looks like the user notch can run any command as root user.

Root flag

alt