Blocky

Let’s get started!

Level: easy

Reconnaissance

This is the initial step: scan the machine for open services.

COMMAND: nmap -sC -sV -O -oA blocky 10.10.10.37

As we can see, 4 ports are reported on the machine (three of them open, one closed).

PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

From the Nmap scan above, we can see that the web server is running WordPress 4.8.

Let’s enumerate the web server located at 10.10.10.37.

URL: http://10.10.10.37

The site is under construction; further enumeration will reveal some configuration files.

Let’s use the DirBuster tool to brute-force the website’s directories.

As we can see, some files on the server are not access-restricted.

I downloaded the JAR file and decompiled it with the help of an online decompiler.

In plain text, we can see the credentials for phpMyAdmin.

// 
// Decompiled by Procyon v0.5.36
// 

package com.myfirstplugin;

public class BlockyCore
{
    public String sqlHost;
    public String sqlUser;
    public String sqlPass;
    
    public BlockyCore() {
        this.sqlHost = "localhost";
        this.sqlUser = "root";
        this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    }
    
    public void onServerStart() {
    }
    
    public void onServerStop() {
    }
    
    public void onPlayerJoin() {
        this.sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }
    
    public void sendMessage(final String username, final String message) {
    }
}
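The decompiled class above shows the root cause: a database password compiled into a plugin JAR that was then left in a web-accessible directory. Reviewing build artefacts for exactly this pattern is a cheap defensive check. The following scanner is an added example (it is not part of the writeup and not the plugin's code): it reads only the constant pool of each .class file inside a JAR, collects the string literals (CONSTANT_String entries) and any field names that look like credentials, and flags classes that have both. The class bytes it scans are constructed in memory to mimic the shape of BlockyCore, with a placeholder secret rather than the password from the page; the field-name pattern and the "looks like a secret" heuristic are assumptions you would tune for your own code base.

```python
"""Scan a JAR's class files for hardcoded credentials (added example, not from the writeup).

Only the constant pool of each .class file is parsed (JVM spec section 4.4); the
sample class below is constructed in memory and uses a placeholder secret.
"""
import io
import re
import struct
import zipfile

CRED_FIELD = re.compile(r"pass|pwd|secret|token|apikey|api_key", re.I)  # assumed field-name pattern
SAMPLE_SECRET = "PLACEHOLDER-Xy9Qe7tK2"  # constructed value, not the password from the page


def parse_constant_pool(data: bytes) -> dict:
    """Map constant-pool index -> (tag, value); stops after the pool, ignoring the rest."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes
            (ln,) = struct.unpack(">H", data[pos:pos + 2])
            pool[i] = (tag, data[pos + 2:pos + 2 + ln].decode("utf-8", "replace"))
            pos += 2 + ln
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package: one u2 index
            pool[i] = (tag, struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in (3, 4):  # Integer, Float: raw u4
            pool[i] = (tag, data[pos:pos + 4])
            pos += 4
        elif tag in (5, 6):  # Long, Double: raw u8, and they occupy two pool slots
            pool[i] = (tag, data[pos:pos + 8])
            pos += 8
            i += 1
        elif tag in (9, 10, 11, 12, 17, 18):  # *ref, NameAndType, (Invoke)Dynamic: two u2 indexes
            pool[i] = (tag, struct.unpack(">HH", data[pos:pos + 4]))
            pos += 4
        elif tag == 15:  # MethodHandle: u1 reference_kind + u2 reference_index
            pool[i] = (tag, (data[pos], struct.unpack(">H", data[pos + 1:pos + 3])[0]))
            pos += 3
        else:
            raise ValueError(f"unknown constant tag {tag} at index {i}")
        i += 1
    return pool


def looks_like_secret(s: str) -> bool:
    """Cheap heuristic: at least 8 chars, no spaces, mixes letters and digits."""
    return len(s) >= 8 and " " not in s and any(c.isdigit() for c in s) and any(c.isalpha() for c in s)


def find_hardcoded_secrets(class_bytes: bytes) -> dict:
    """Credential-looking identifiers plus secret-looking string literals in one class."""
    pool = parse_constant_pool(class_bytes)
    utf8 = {i: v for i, (t, v) in pool.items() if t == 1}
    literals = {utf8[v] for t, v in pool.values() if t == 8 and v in utf8}  # CONSTANT_String -> text
    return {
        "credential_fields": sorted(v for v in utf8.values() if v.isidentifier() and CRED_FIELD.search(v)),
        "suspicious_literals": sorted(s for s in literals if looks_like_secret(s)),
    }


def scan_jar(jar_bytes: bytes) -> dict:
    """{class path: finding} for classes that carry both a credential field and a secret-looking literal."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                result = find_hardcoded_secrets(zf.read(name))
                if result["credential_fields"] and result["suspicious_literals"]:
                    findings[name] = result
    return findings


# --- constructed sample artefact, shaped like the decompiled BlockyCore -------------
def _u2(n: int) -> bytes:
    return struct.pack(">H", n)


def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + _u2(len(b)) + b


def build_sample_class() -> bytes:
    """Minimal class file: three String field names, four string literals, one Fieldref."""
    cp = [
        _utf8("com/myfirstplugin/BlockyCore"), b"\x07" + _u2(1),        # 1-2  this class
        _utf8("java/lang/Object"), b"\x07" + _u2(3),                    # 3-4  super class
        _utf8("sqlHost"), _utf8("sqlUser"), _utf8("sqlPass"),           # 5-7  field names
        _utf8("Ljava/lang/String;"),                                    # 8    field descriptor
        _utf8("localhost"), b"\x08" + _u2(9),                           # 9-10 literal
        _utf8("root"), b"\x08" + _u2(11),                               # 11-12
        _utf8(SAMPLE_SECRET), b"\x08" + _u2(13),                        # 13-14
        _utf8("Welcome to the BlockyCraft!!!!!!!"), b"\x08" + _u2(15),  # 15-16
        b"\x0c" + _u2(7) + _u2(8),                                      # 17   NameAndType sqlPass:String
        b"\x09" + _u2(2) + _u2(17),                                     # 18   Fieldref BlockyCore.sqlPass
    ]
    header = b"\xca\xfe\xba\xbe" + _u2(0) + _u2(52) + _u2(len(cp) + 1)
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes tables
    return header + b"".join(cp) + _u2(0x0021) + _u2(2) + _u2(4) + _u2(0) * 4


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/myfirstplugin/BlockyCore.class", build_sample_class())
    return buf.getvalue()
```

Running `scan_jar(build_sample_jar())` reports the sample class with `sqlPass` as the credential field and the placeholder literal as the suspect value. The parser deliberately stops after the constant pool: it does not need methods or bytecode to catch a literal assigned to a password field, so it stays small and works on any class-file version. On a real JAR the same function runs over every entry, and the heuristic will miss secrets without digits or flag long identifiers, which is why the finding requires both signals before it is reported.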

Once logged in to phpMyAdmin, I started looking through the database tables; the WordPress users are stored in the wp_users table.

I changed the password to exp1o1t9r for the user Notch.

Using the new credentials, I logged in to the WordPress dashboard.

Then I uploaded my PHP reverse shell [PENTEST-MONKEY].

Replace the code of 404.php with the reverse shell code and update the file.

After updating the code, the PHP file must be executed (by requesting it) in order to get the reverse shell.

We got a shell and pwned the user flag :)

Privilege Escalation

I tried every possible way to elevate privileges, but it didn’t work as expected.

So I grabbed the password from the JAR file and tried logging in through SSH with the same password, and it worked!

Now for the hardest part, privilege escalation. I spent a long time enumerating the system but got nothing … How about we try the same password we got for phpMyAdmin for the SSH service as root?
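The root step worked only because the database password was reused for the root account and sshd accepted a password login for root. Both halves are visible to a defender: the login leaves an "Accepted password for root" line in the auth log, and the sshd configuration decides whether it was possible at all. The following is an added example (not part of the writeup): a small audit that flags successful root password logins in syslog-style sshd lines and checks sshd_config for the two settings that permit them. The log lines, config snippets, IPs and PIDs are constructed for the example; only the host name mirrors the box.

```python
"""Detect root password logins over SSH and audit sshd hardening (added example).

The auth.log lines and sshd_config snippets are constructed; IPs are from the
TEST-NET range and PIDs are made up.
"""
import re

# Matches the OpenSSH "Accepted <method> for <user> from <src> port <port>" line.
ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

SAMPLE_AUTH_LOG = """\
Jun 12 10:21:07 blocky sshd[1423]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Jun 12 10:21:07 blocky sshd[1423]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 12 10:25:19 blocky sshd[1501]: Accepted publickey for notch from 192.0.2.10 port 51300 ssh2
Jun 12 10:26:02 blocky sshd[1533]: Failed password for root from 192.0.2.77 port 40012 ssh2
"""

SAMPLE_SSHD_CONFIG_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

SAMPLE_SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no          # root gets in only via sudo from a named user
PasswordAuthentication no   # keys only, so a reused database password is useless here
"""


def root_password_logins(log_text: str) -> list:
    """(user, source IP) for every successful password authentication as root."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m["method"] == "password" and m["user"] == "root":
            hits.append((m["user"], m["src"]))
    return hits


def sshd_setting(config_text: str, key: str, default: str) -> str:
    """First effective value of a keyword (sshd uses the first occurrence), comments stripped."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().lower()
    return default


def audit_sshd(config_text: str) -> list:
    """Settings that allow the password-reuse path: root login by password."""
    issues = []
    # OpenSSH 7.x defaults to prohibit-password when the keyword is absent.
    if sshd_setting(config_text, "PermitRootLogin", "prohibit-password") == "yes":
        issues.append("PermitRootLogin yes: set to no (or prohibit-password)")
    if sshd_setting(config_text, "PasswordAuthentication", "yes") == "yes":
        issues.append("PasswordAuthentication yes: move to keys and set to no")
    return issues
```

`root_password_logins(SAMPLE_AUTH_LOG)` returns the single root login from 192.0.2.10 and ignores both the key-based login and the failed attempt; `audit_sshd` reports two issues for the weak config and none for the hardened one. Alerting on that log pattern is worthwhile even where root password login is intended to be disabled, since a Match block or an override in a drop-in file can re-enable it.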

If you liked my writeup, give me respect on my HTB profile: Exp1o1t9r

2 COMMENTS

    • Thank you so much … more content will be updated from now onwards, and more changes will be made for a better user experience!!
