Recon
Nmap scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
# basic scan
nmap -sC -sV -p- -T5 10.10.10.40
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
We found multiple ports open. On port 80, we are facing a wordpress site.
Directories listing
With gobuster
we list website directories.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
gobuster -u http://blocky.htb -w ~/CTF/TOOLS/wordlist/gobuster-wordlist.txt -t 10
=====================================================
2022/07/24 22:34:48 Starting gobuster
=====================================================
/wp-content (Status: 301)
/wp-includes (Status: 301)
/index.php (Status: 301)
/wp-admin (Status: 301)
/license.txt (Status: 200)
/wp-cron.php (Status: 200)
/wp-load.php (Status: 200)
/wp-links-opml.php (Status: 200)
/wp-blog-header.php (Status: 200)
/wp-login.php (Status: 200)
/wp-mail.php (Status: 403)
/wp-trackback.php (Status: 200)
/.htaccess (Status: 403)
/wp-config.php (Status: 200)
/wp-signup.php (Status: 302)
/wp-activate.php (Status: 302)
/plugins (Status: 301)
/javascript (Status: 301)
/wiki (Status: 301)
/phpmyadmin (Status: 301)
/.htpasswd (Status: 403)
/.htpasswds (Status: 403)
=====================================================
|
We found multiple interesting links:
/phpmyadmin
: a phpmyadmin login page;
/wp-login.php
: another login page;
/plugins
: a plugins directory containing 2 jars.
I manage first to try to decompile jars using jd-gui
.
On the first jar I found a class containing credentials:
1
2
3
4
5
6
7
8
|
public class BlockyCore {
public String sqlHost = "localhost";
public String sqlUser = "root";
public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
// ...
}
|
Exploit
I try first to connect on the http://blocky.htb/wp-login.php
login page with those creds. I was unable to connect.
Then, I manage to login with those credential on the phpmyadmin service. It works!
In the wordpress database, we can found user Notch
and his password hash $P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/
. I try to bruteforce the password but in vain…
After some time (lost lol), I tried to connect to the server with SSH. First with root:8YsqfCTnvxAUeduzjNSXe22
creds, unsuccessfully. Then, with notch:8YsqfCTnvxAUeduzjNSXe22
creds. It works !
We first list commands that can be run in sudo with the user:
1
2
3
4
5
6
7
|
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
|
uhh, the user can run all commands with root rights, we can simply sudo cat
the root flag.
1
2
|
notch@Blocky:~$ sudo cat /root/root.txt
40913aeae***********************
|