Back to the hacking I go. Between the Masters program and three children all being home-schooled, it’s been a challenge for sure, but I’m back at it and happy to be doing it! This is a fun challenge to do as I work through the Linux boxes over at HackTheBox.
First, we run Autorecon, and we find a few ports, 21, 22, and 80, all open. We also see what’s supposedly a minecraft server on a high port. Looking at the versioning for ports 21 and 22 we don’t see much. There is a File Copy exploit for vsFTPd 1.3.5, but it doesn’t suit us here as there’s nothing on the FTP server. So on to port 80!
Once AutoRecon finished with Gobuster, I popped open those results, and looked for anything out of place. There’s a few pages to look at here.
Of particular curiosity is the /phpmyadmin and the /plugins. Browsing to the plugins directory you’ll find some downloadable Java repository files, or .JAR files. Let’s get into those.
Extracting “BlockyCore.jar” leads you to find the file “BlockyCore.class”, in /com/myfirstplugin folder. Looking up how to open a .CLASS file led me to install jd-gui, and open the file with that. In doing so, you’ll find some awesome credentials to a SQL server database!
However, trying to ssh into this machine with root / 8YsqfCTnvxAUeduzjNSXe22 doesn’t work. There must be more. Thinking about accessing SQL servers, there’s a web interface with phpmyadmin. Let’s check that out!
Sure enough, we can login with those credentials to phpmyadmin.
So looking around here, we see a wordpress database, with a hash of a password. We also see a username, notch, both in the wp_users table.
Maybe notch is a good username for the machine? Sure enough, using the same password we logged into phpmyadmin with and the user ‘notch’ gets us shell access!
First thing I always do is try running ‘sudo -l’, and in this case, we get some great news!
Just run a quick ‘sudo su’ and you are now root!
Thanks to everyone for checking out my blog. Please also check out my video walkthroughs, and remember, users like to re-use passwords!