Writeup – HTB – Blocky

Back to the hacking I go. Between the Masters program and three children all being home-schooled, it’s been a challenge for sure, but I’m back at it and happy to be doing it! This is a fun challenge to do as I work through the Linux boxes over at HackTheBox.

Initial full nmap from AutoRecon

First, we run AutoRecon and find a few open ports: 21, 22, and 80. We also see what’s supposedly a Minecraft server on a high port. Looking at the versioning for ports 21 and 22, we don’t see much. There is a File Copy exploit for vsFTPd 1.3.5, but it doesn’t suit us here as there’s nothing on the FTP server. So on to port 80!

Once AutoRecon finished with Gobuster, I popped open those results and looked for anything out of place. There are a few pages to look at here.

Snippet from gobuster

Of particular interest are /phpmyadmin and /plugins. Browsing to the plugins directory, you’ll find some downloadable Java repository files, or .JAR files. Let’s get into those.

Extracting “BlockyCore.jar” gives you the file “BlockyCore.class” in the /com/myfirstplugin folder. Looking up how to open a .class file led me to install jd-gui and open the file with that. In doing so, you’ll find some awesome credentials to a SQL server database!

Remember what we learned from Beep? Users hate unique passwords.

However, trying to SSH into this machine with root / 8YsqfCTnvxAUeduzjNSXe22 doesn’t work. There must be more. Thinking about ways to access the SQL server, there’s the phpMyAdmin web interface. Let’s check that out!

Sure enough, we can log in to phpMyAdmin with those credentials.

We’re in!

So looking around here, we see a WordPress database with a hash of a password. We also see a username, notch. Both are in the wp_users table.

Maybe notch is a good username for the machine? Sure enough, using the user ‘notch’ with the same password we logged into phpMyAdmin with gets us shell access!

We’re in!

First thing I always do is try running ‘sudo -l’, and in this case, we get some great news!

We can do -anything-!

Just run a quick ‘sudo su’ and you are now root!

I AM ROOT!

Thanks to everyone for checking out my blog. Please also check out my video walkthroughs, and remember, users like to re-use passwords!