[HackTheBox] Blocky

Blocky teaches us not to reuse our credentials everywhere. It begins with a simple enumeration. Then we have to decompile some jars. Finally, it ends with the simplest and easiest Linux enumeration. Still fun!

Summary

  • Get the username from the WordPress post.
  • Enumerate plugins directory.
  • Decompile jars to find the password.
  • Use the found username and password to log in over SSH.
  • sudo -l -> sudo su

Recon

Port Scan

nmap -n -sV -p- -T 5 -Pn 10.10.10.37

PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)

HTTP

http://10.10.10.37 is a WordPress website.

There is only one post on the website, but it gives us the admin's username, which we'll need later.

Simple enumeration reveals two interesting directories: wiki and plugins.

ffuf -u http://10.10.10.37/FUZZ -w /usr/share/dirb/wordlists/common.txt

index.php               [Status: 301, Size: 0, Words: 1, Lines: 1]
javascript              [Status: 301, Size: 315, Words: 20, Lines: 10]
phpmyadmin              [Status: 301, Size: 315, Words: 20, Lines: 10]
plugins                 [Status: 301, Size: 312, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 299, Words: 22, Lines: 12]
wiki                    [Status: 301, Size: 309, Words: 20, Lines: 10]
wp-admin                [Status: 301, Size: 313, Words: 20, Lines: 10]
wp-content              [Status: 301, Size: 315, Words: 20, Lines: 10]
wp-includes             [Status: 301, Size: 316, Words: 20, Lines: 10]

wiki doesn't contain anything interesting, but plugins does! It contains two .jar files.

User

I have decompiled both of them using jd-gui and found some credentials in BlockyCore.jar.

After a bit of trial and error, I found out that I can log in to SSH using the password I found in the jar file. Remember the username from the WordPress post?

Privilege Escalation

Wait... really? We have permission to sudo everything. sudo su and we have root!