An easy Linux box from HackTheBox: downloading some configuration files and using proper WordPress enumeration to get root.

Blocky

Recon

Start with the default nmap

nmap -sC -sV -oA blocky.nmap 10.10.10.37
PORT     STATE  SERVICE VERSION  
21/tcp   open   ftp     ProFTPD 1.3.5a  
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)  
| ssh-hostkey:    
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)  
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)  
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)  
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))  
|_http-server-header: Apache/2.4.18 (Ubuntu)  
|_http-generator: WordPress 4.8  
|_http-title: BlockyCraft – Under Construction!  
8192/tcp closed sophos  
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Searching Launchpad for Apache 2.4.18 shows it's the Ubuntu Xenial build from 2017, so don't expect very old exploits like Shellshock to work

Going to the web page, see it's using WordPress and PHP, with a WordPress login at /wp-login.php

There are also 2 downloadable RSS files on the page, but they are just a couple of HTML files, of no use

Doing directory enumeration with gobuster, find the /plugins directory, and within it there are 2 .jar files

Exploitation

Click to download the files, then open them with

unzip BlockyCore.jar

Inside, there is a file under com/myfirstplugin/ called BlockyCore.class

Can open it using the GUI application JD-GUI from the terminal

jd-gui

Can see the SQL server credentials in plaintext, though the password seems encrypted
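What JD-GUI shows here is just the class file's constant pool: every string literal a Java program uses is stored there uncompressed, which is why hardcoded credentials in a jar are readable without even decompiling. As an added example (not code from the box or the plugin), here is a small scanner that walks a jar, parses each .class file's constant pool directly and flags strings that look like credentials, the kind of check a build pipeline can run before a plugin ever ships. The jar it scans is constructed in memory; the class name and path match the page, but the connection URL and the token-looking value are made-up placeholders.

```python
from __future__ import annotations

import io
import re
import struct
import zipfile

# Byte widths of the fixed-size constant-pool entries, keyed by tag
# (JVM spec, section 4.4). Tag 1 (CONSTANT_Utf8) is variable-length and is
# handled separately; tags 5 and 6 (Long/Double) each occupy two pool slots.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Heuristics for strings worth a reviewer's attention (constructed for this
# example): connection URLs, credential-ish labels, or long mixed-case tokens.
_LABEL_HINT = re.compile(r"jdbc:|pass(word|wd)?|secret|token|[a-z]+://[^/\s]*:[^@\s]+@", re.I)
_TOKEN_LIKE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}$")


def class_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry from a .class file's constant pool."""
    magic, _minor, _major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index, out = 10, 1, []
    while index < cp_count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            out.append(data[pos:pos + length].decode("utf-8", errors="replace"))
            pos += length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1
    return out


def looks_sensitive(s: str) -> bool:
    return bool(_LABEL_HINT.search(s) or _TOKEN_LIKE.match(s))


def scan_jar(jar_bytes: bytes) -> dict[str, list[str]]:
    """Map each .class entry in a jar to its secret-looking string constants."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = [s for s in class_strings(jar.read(name)) if looks_sensitive(s)]
                if hits:
                    findings[name] = hits
    return findings


# --- constructed sample input (not the real BlockyCore.jar) -----------------

def _utf8(s: bytes) -> bytes:
    return b"\x01" + struct.pack(">H", len(s)) + s


def build_sample_class() -> bytes:
    """Constructed class-file prefix: header plus a constant pool, which is all
    class_strings() needs to read (a real file continues with fields/methods)."""
    pool = [
        _utf8(b"com/myfirstplugin/BlockyCore"),
        b"\x07" + struct.pack(">H", 1),                 # CONSTANT_Class -> #1
        _utf8(b"jdbc:mysql://localhost:3306/blocky"),   # constructed URL
        _utf8(b"sqlPass"),
        _utf8(b"Xq7vR2pLm9TzKw4N"),                     # constructed, not a real password
        b"\x05" + struct.pack(">q", 1234567890123),     # CONSTANT_Long, two slots
        _utf8(b"hello"),
    ]
    cp_count = len(pool) + 1 + 1                         # slots + 1; the Long adds a slot
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, cp_count) + b"".join(pool)


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/myfirstplugin/BlockyCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_jar(build_sample_jar()).items():
        print(entry)
        for h in hits:
            print("   ", h)
```

Run it on a real jar by passing the file's bytes to scan_jar(). The parser stops after the constant pool, so it never needs to understand bytecode; the heuristics are deliberately loose, since a reviewer would rather look at a few false positives than miss a database password sitting next to its label.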

The initial nmap scan didn't find any SQL server, so will do a full port scan next

nmap -p- -sC -sV -oA all_ports 10.10.10.37

Don’t get a sneaky SQL server, but get a Minecraft server instead

PORT      STATE  SERVICE   VERSION  
21/tcp    open   ftp       ProFTPD 1.3.5a  
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)  
| ssh-hostkey:    
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)  
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)  
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)  
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))  
|_http-server-header: Apache/2.4.18 (Ubuntu)  
|_http-generator: WordPress 4.8  
|_http-title: BlockyCraft – Under Construction!  
8192/tcp  closed sophos  
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)  
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

This is where I got stuck; I realized that I needed to do more recon and run a WordPress scan, wpscan, on the website

In the future, it's really helpful to use the aggressive modifiers for wpscan, in addition to checking for all plugins

wpscan --url http://10.10.10.37 --enumerate u,ap,tt,t -o blocky_wpscan.out

It finds a user called Notch (or notch) by enumerating the WordPress users via URLs like http://10.10.10.37/index.php?author=1 and http://10.10.10.37/index.php?author=2
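The reason those URLs leak usernames is that WordPress answers /?author=N with a redirect to the author archive, and the archive path contains the account's login name. From the defender's side that makes the scan easy to spot in the web server logs: one client walking author ids in sequence, each 301 followed by a fetch of /author/<name>/. As an added example (not from the page or wpscan), here is a detector that parses Apache combined-format log lines, counts the distinct author ids each IP probed and records which usernames the redirects handed back. The log lines are constructed; the WPScan user-agent string and the second visitor's IP are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# WordPress answers /?author=N with a 301 to the author archive, whose slug is
# the login name; that path is what leaks the username.
AUTHOR_ARCHIVE = re.compile(r"^/author/(?P<user>[^/?]+)/?$")

# Constructed sample log (not taken from the box): one scanner walking author
# ids, and one ordinary visitor who follows a single author link.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jul/2017:10:01:01 +0000] "GET /index.php?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.x (https://wpscan.org/)"
10.10.14.5 - - [12/Jul/2017:10:01:01 +0000] "GET /author/notch/ HTTP/1.1" 200 9231 "-" "WPScan v3.x (https://wpscan.org/)"
10.10.14.5 - - [12/Jul/2017:10:01:02 +0000] "GET /index.php?author=2 HTTP/1.1" 404 2711 "-" "WPScan v3.x (https://wpscan.org/)"
10.10.14.5 - - [12/Jul/2017:10:01:02 +0000] "GET /index.php?author=3 HTTP/1.1" 404 2711 "-" "WPScan v3.x (https://wpscan.org/)"
10.10.14.5 - - [12/Jul/2017:10:01:03 +0000] "GET /index.php?author=4 HTTP/1.1" 404 2711 "-" "WPScan v3.x (https://wpscan.org/)"
203.0.113.9 - - [12/Jul/2017:10:05:40 +0000] "GET /index.php?author=1 HTTP/1.1" 301 0 "http://10.10.10.37/" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2017:10:05:41 +0000] "GET /author/notch/ HTTP/1.1" 200 9231 "http://10.10.10.37/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_author_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Return, per client IP, the author ids it probed and the usernames the
    redirects handed back, for every IP that probed at least `threshold` ids."""
    probed = defaultdict(set)
    revealed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        for value in parse_qs(url.query).get("author", []):
            if value.isdigit():
                probed[rec["ip"]].add(int(value))
        m = AUTHOR_ARCHIVE.match(url.path)
        if m:
            revealed[rec["ip"]].add(m.group("user"))
    return {
        ip: {"author_ids": sorted(ids), "usernames": sorted(revealed.get(ip, ()))}
        for ip, ids in probed.items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for ip, info in detect_author_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed author ids {info['author_ids']}, "
              f"usernames revealed {info['usernames']}")
```

Feed it the contents of access.log instead of SAMPLE_LOG to run it on a real server. The threshold keys on distinct ids rather than request count, so a normal visitor who clicks one author link twice never trips it, while a scanner is caught regardless of which user-agent it claims.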

Trying to ssh to notch@10.10.10.37 with 8YsqfCTnvxAUeduzjNSXe22 as the password, get into the box

Run sudo -l to list notch's privileges, and find out he can run sudo with his own password

So getting root is as simple as running

sudo su -

And typing in notch’s password 8YsqfCTnvxAUeduzjNSXe22