Blocky

Last updated 4 years ago

Overview

Initial Foothold: Credential Leakage

Privilege Escalation: Sudo Rights

Enumeration

Start with port scanning

PORT      STATE SERVICE   VERSION
21/tcp    open  ftp       ProFTPD 1.3.5a
22/tcp    open  ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open  http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
25565/tcp open  minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Done with full port scanning

Let's start with web enumeration, because FTP doesn't allow anonymous access.

Web Enumeration

Visit the webpage

After some review we can see that the website is running on WordPress.

Use wpscan to enumerate the WordPress installation

wpscan --url 10.10.10.37

According to this scan, WordPress 4.6 was running.

We also got one username, Notch, from the webpage.

Start a dirbuster scan to find web directories.

It's odd to find a plugins directory on the main web page.

Open the web directory

Got two jar files; download them and start reviewing them.

Extract the jar files and review their contents

jar xf BlockyCore.jar

After extraction we get an interesting file, BlockyCore.class.

Use strings to inspect the contents of the file.

Looks like we got some database credentials, hard-coded in the compiled class.

Let's see where we could possibly use these credentials:
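The strings run above works because javac stores string literals in the class file's constant pool in plain text. As an added example (not part of the original writeup), this Python script does the same check in a structured way, the kind of thing you would run over your own build artifacts before publishing them: it parses the constant pool, separates real string literals from identifiers, and flags field names that hint at credentials. The sample class bytes and the credential value in them are constructed inline, not taken from BlockyCore.jar.

```python
import re
import struct

# Fixed payload size per constant-pool tag (JVM spec, section 4.4).
# Tag 1 (Utf8) is variable length; tags 5 and 6 occupy two pool slots.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SECRET_NAME = re.compile(r"pass|pwd|secret|token|apikey", re.IGNORECASE)

def parse_constant_pool(data):
    """Return the constant pool as {index: (tag, payload)}: Utf8 payloads
    are decoded text, CONSTANT_String payloads are the referenced Utf8
    index, everything else keeps its raw bytes."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", data[8:10])   # after magic, minor, major
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pool[idx] = (tag, data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag == 8:
            pool[idx] = (tag, struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        else:
            size = FIXED_SIZE[tag]
            pool[idx] = (tag, data[pos:pos + size])
            pos += size
        idx += 2 if tag in (5, 6) else 1
    return pool

def find_credential_indicators(data):
    pool = parse_constant_pool(data)
    # Only Utf8 entries referenced by CONSTANT_String are string literals;
    # the rest are identifiers and descriptors, which is where names live.
    literals = [pool[ref][1] for tag, ref in pool.values() if tag == 8]
    names = [s for tag, s in pool.values()
             if tag == 1 and s not in literals and SECRET_NAME.search(s)]
    return {"suspicious_names": names, "literals": literals}

def utf8(text):
    raw = text.encode()
    return b"\x01" + struct.pack(">H", len(raw)) + raw

# Constructed sample: the constant pool a class with fields sqlUser/sqlPass
# initialised to literals might carry. The password is a made-up placeholder.
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
                + struct.pack(">H", 7)                    # entries + 1
                + utf8("sqlUser") + utf8("sqlPass")       # #1, #2 field names
                + utf8("root") + utf8("S3cret!")          # #3, #4 literal text
                + b"\x08" + struct.pack(">H", 3)          # #5 String -> #3
                + b"\x08" + struct.pack(">H", 4))         # #6 String -> #4

if __name__ == "__main__":
    print(find_credential_indicators(SAMPLE_CLASS))
```

Run it over every .class extracted from a jar you are about to ship; a non-empty suspicious_names list next to short literal values is the signal that secrets belong in configuration, not in compiled code.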

  1. phpMyAdmin

  2. WordPress login

  3. SSH login

Exploitation

We haven't found much of interest on phpMyAdmin or WordPress.

Let's use these creds for SSH login.

With the root user these creds didn't work.

Give it a try with the notch username.

Oh yeah !! Got an SSH shell as the notch user.

Privilege Escalation

Run sudo -l

User notch has full sudo rights with root privileges, so let's sudo to root.

Got root Access

That's all for this box

Good Bye :)