HTB - Blocky

alt

Basic Nmap scan

Nmap command: nmap -Pn -n -sC -sV -oA scan_boxs/blocky/nmap/10.10.10.37-d-scan 10.10.10.37
Nmap scan report for 10.10.10.37
Host is up (0.15s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
8192/tcp closed sophos
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Open ports : 21,22,80,8192

PORT	SERVICE	PRODUCT	VERSION	EXTRAINFO
21	ftp	ProFTPD	1.3.5a
22	ssh	OpenSSH	7.2p2 Ubuntu 4ubuntu2.2	Ubuntu Linux; protocol 2.0
80	http	Apache httpd	2.4.18
8192	sophos

port 80:

Adding the ip address 10.10.14.37 host url with blocky.htb in /etc/hosts.
alt

And has wordpress running on the machine. Running wpscan to probe into the machine.

Enumerating users on wordpress environment. There is a user Notch alt

gobuster has detected few files

/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/wp-login.php         (Status: 200) [Size: 2397]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/javascript           (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://blocky.htb/wp-login.php?action=register]
/server-status        (Status: 403) [Size: 298]

wiki

alt

phpmyadmin

alt

plugins

Browsing through all the detected url /plugins looks promising.
alt

Downloading the BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar files.

Open jar file - jadx-gui

Extracting the source from jar file with jadx-gui

alt

found Creds

Found credentials for sql user in BlockyCore plugin

sqluser = root
sqlpass = 8YsqfCTnvxAUeduzjNSXe22

Lets try connecting to login into phpmyadmin again with these newly found cred's.

alt

Successfully able to login.

found cred's for wp-user notch in phpmyadmin on wordpress database in wp_users table. querying the table got us the cred's
alt

user_login: Notch 	
password: $P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/ 	
user_email: notch@blockcraftfake.com

Cracking the wordpress password

hashcat --example-hashes | grep -B12 -A2 '\$P\$'

alt

But was not successful in cracking the password.

ssh connection as notch

Now we will use the password from phpmyadmin to the user notch and connect through ssh using the root credentials earlier we found.
alt

user flag

Privilege escalation

Checking sudo permission.

alt

Looks like the user notch can run any command as root user.

Root flag

alt

Basic Nmap scan​

port 80:​

wiki​

phpmyadmin​

plugins​

Open jar file - jadx-gui​

found Creds​

ssh connection as notch​

user flag​

Privilege escalation​

Root flag​