Hack The Box

HackTheBox “Blocky” Walkthrough

Blocky, an easy-level Linux OS machine on HackTheBox, it definitely needed some patience while enumeration. Can you believe there were these sneaky Java Jar files hidden away in the /plugins path? Well, luckily, I…

Blocky, an easy-level Linux OS machine on HackTheBox, it definitely needed some patience while enumeration. Can you believe there were these sneaky Java Jar files hidden away in the /plugins path? Well, luckily, I stumbled upon them and got my hands on some credentials that a user on the box had reused. Thanks to those, I managed to snag SSH access and dive deeper into the fun!

But the real excitement kicked in when I discovered that the user had been granted some cool sudo powers. With the right password, they could run any command as root! So, I didn’t waste a second and made the most of it by using “sudo su.” And voilà, I got root privileges!

HackTheBox “Blocky” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

HackTheBox “Blocky” Walkthrough, figure 2

While visiting the target on port 80, we needed to add target’s IP and the domain to /etc/hosts.

HackTheBox “Blocky” Walkthrough, figure 3

Nothing interesting, so, the subsequent action involves executing a Feroxbuster scan to identify concealed files or directories:

└─$ sudo feroxbuster -u http://blocky.htb -d 2 -C 404,403,405,500 ___  ___  __   __     __      __         __   ___|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___by Ben "epi" Risher 🤓                 ver: 2.10.0───────────────────────────┬────────────────────── 🎯  Target Url            │ http://blocky.htb 🚀  Threads               │ 50 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt 💢  Status Code Filters   │ [404, 403, 405, 500] 💥  Timeout (secs)        │ 7 🦡  User-Agent            │ feroxbuster/2.10.0 💉  Config File           │ /etc/feroxbuster/ferox-config.toml 🔎  Extract Links         │ true 🏁  HTTP methods          │ [GET] 🔃  Recursion Depth       │ 2───────────────────────────┴────────────────────── 🏁  Press [ENTER] to use the Scan Management Menu™──────────────────────────────────────────────────404      GET        9l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter403      GET       11l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter301      GET        9l       28w      313c http://blocky.htb/wp-content => http://blocky.htb/wp-content/301      GET        9l       28w      311c http://blocky.htb/wp-admin => http://blocky.htb/wp-admin/200      GET      209l      846w     5836c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/jquery.scrollTo.js200      GET      225l      400w     3646c http://blocky.htb/wp-content/themes/twentyseventeen/assets/css/ie8.css200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-widget.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/nav-menu.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-http-curl.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-matchesmapregex.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/deprecated.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-customize-manager.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-meta-query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-embed.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-http-proxy.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/taxonomy.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class.wp-dependencies.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/option.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/ms-load.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/kses.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-feed-cache-transient.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-network.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-post.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/ms-blogs.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-http-cookie.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-pop3.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-ajax-response.php301      GET        9l       28w      310c http://blocky.htb/plugins => http://blocky.htb/plugins/200      GET        0l        0w        0c http://blocky.htb/wp-includes/default-constants.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-editor.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-locale-switcher.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/shortcodes.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/user.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/author-template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/plugin.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-user.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/media-template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-network-query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-term.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/load.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/compat.php301      GET        9l       28w      313c http://blocky.htb/javascript => http://blocky.htb/javascript/200      GET        0l        0w        0c http://blocky.htb/wp-includes/ms-deprecated.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-theme.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/wp-db.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/atomlib.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-comment-query.php200      GET       43l       43w     1045c http://blocky.htb/wp-includes/wlwmanifest.xml301      GET        9l       28w      307c http://blocky.htb/wiki => http://blocky.htb/wiki/301      GET        9l       28w      313c http://blocky.htb/phpmyadmin => http://blocky.htb/phpmyadmin/301      GET        9l       28w      314c http://blocky.htb/wp-includes => http://blocky.htb/wp-includes/200      GET      326l     1144w    10330c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/html5.js200      GET      249l      928w     7682c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/global.js200      GET       31l       90w      683c http://blocky.htb/wp-content/themes/twentyseventeen/assets/js/skip-link-focus-fix.js200      GET        2l      281w    10056c http://blocky.htb/wp-includes/js/jquery/jquery-migrate.min.js301      GET        0l        0w        0c http://blocky.htb/index.php/ => http://blocky.htb/200      GET        6l     1435w    97184c http://blocky.htb/wp-includes/js/jquery/jquery.js200      GET     4282l     8552w    82584c http://blocky.htb/wp-content/themes/twentyseventeen/style.css200      GET        1l        9w     1398c http://blocky.htb/wp-includes/js/wp-embed.min.js200      GET        0l        0w        0c http://blocky.htb/wp-includes/query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/date.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/http.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/rewrite.php200      GET       70l      199w     2397c http://blocky.htb/wp-login.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/post-thumbnail-template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/link-template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/functions.wp-styles.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-site-query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-dependency.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/post-formats.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/pluggable-deprecated.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/bookmark.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/post-template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-roles.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-widget-factory.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-role.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-site.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-rewrite.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/capabilities.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/category-template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-taxonomy.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/pluggable.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-comment.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/bookmark-template.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-user-query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-customize-nav-menus.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-error.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-list-util.php200      GET        1l     2522w    52657c http://blocky.htb/index.php/wp-json200      GET      313l     3592w    52227c http://blocky.htb/200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-hook.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-walker.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-tax-query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/functions.wp-scripts.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-requests.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-admin-bar.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/cache.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/embed.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/canonical.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-http-response.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/ms-default-constants.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-phpmailer.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/formatting.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-post-type.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/revision.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-http-encoding.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-session-tokens.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/admin-bar.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/cron.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-phpass.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-customize-widgets.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-metadata-lazyloader.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-oembed-controller.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/category.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-json.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/comment.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-oembed.php200      GET        1l        4w       29c http://blocky.htb/wp-includes/ms-files.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-http-streams.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/ms-functions.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/feed.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/rest-api.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/theme.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-smtp.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/widgets.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/version.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-term-query.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/l10n.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/class-wp-locale.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/post.php200      GET        0l        0w        0c http://blocky.htb/wp-includes/meta.php301      GET        9l       28w      321c http://blocky.htb/wp-content/plugins => http://blocky.htb/wp-content/plugins/301      GET        9l       28w      315c http://blocky.htb/wp-admin/css => http://blocky.htb/wp-admin/css/301      GET        9l       28w      323c http://blocky.htb/phpmyadmin/templates => http://blocky.htb/phpmyadmin/templates/301      GET        9l       28w      316c http://blocky.htb/phpmyadmin/js => http://blocky.htb/phpmyadmin/js/301      GET        9l       28w      320c http://blocky.htb/phpmyadmin/themes => http://blocky.htb/phpmyadmin/themes/301      GET        9l       28w      316c http://blocky.htb/plugins/files => http://blocky.htb/plugins/files/301      GET        9l       28w      317c http://blocky.htb/phpmyadmin/doc => http://blocky.htb/phpmyadmin/doc/301      GET        9l       28w      317c http://blocky.htb/plugins/assets => http://blocky.htb/plugins/assets/301      GET        9l       28w      317c http://blocky.htb/phpmyadmin/sql => http://blocky.htb/phpmyadmin/sql/401      GET       14l       54w      457c http://blocky.htb/phpmyadmin/setup301      GET        9l       28w      320c http://blocky.htb/phpmyadmin/locale => http://blocky.htb/phpmyadmin/locale/301      GET        9l       28w      320c http://blocky.htb/wp-content/themes => http://blocky.htb/wp-content/themes/200      GET        0l        0w        0c http://blocky.htb/wp-includes/comment-template.php301      GET        9l       28w      320c http://blocky.htb/wp-admin/includes => http://blocky.htb/wp-admin/includes/301      GET        9l       28w      314c http://blocky.htb/wp-admin/js => http://blocky.htb/wp-admin/js/301      GET        9l       28w      318c http://blocky.htb/wp-admin/images => http://blocky.htb/wp-admin/images/301      GET        9l       28w      320c http://blocky.htb/javascript/jquery => http://blocky.htb/javascript/jquery/301      GET        9l       28w      319c http://blocky.htb/wp-admin/network => http://blocky.htb/wp-admin/network/301      GET        9l       28w      317c http://blocky.htb/wp-admin/maint => http://blocky.htb/wp-admin/maint/[####################] - 2m    210280/210280  0s      found:151     errors:141227 [####################] - 2m     30000/30000   332/s   http://blocky.htb/ [####################] - 2m     30000/30000   333/s   http://blocky.htb/wp-content/ [####################] - 2m     30000/30000   308/s   http://blocky.htb/wp-admin/ [####################] - 13s    30000/30000   2254/s  http://blocky.htb/wp-includes/ => Directory listing[####################] - 2m     30000/30000   312/s   http://blocky.htb/plugins/ [####################] - 89s    30000/30000   336/s   http://blocky.htb/javascript/ [####################] - 2m     30000/30000   317/s   http://blocky.htb/wiki/ [####################] - 2m     30000/30000   319/s   http://blocky.htb/phpmyadmin/

While exploring numerous directories, I stumbled upon a particular plugin/files.

HackTheBox “Blocky” Walkthrough, figure 4

To proceed, we need to download the BlockyCore.jar file for decompilation. We can achieve this by using an online decompiler. Once we perform the decompilation, we will obtain the results below.

// // Decompiled by Procyon v0.5.36// package com.myfirstplugin;public class BlockyCore{    public String sqlHost;    public String sqlUser;    public String sqlPass;        public BlockyCore() {        this.sqlHost = "localhost";        this.sqlUser = "root";        this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";    }        public void onServerStart() {    }        public void onServerStop() {    }        public void onPlayerJoin() {        this.sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");    }        public void sendMessage(final String username, final String message) {    }}

The results include login credentials for an SQL user (sqluser) and corresponding password (sqlpass).

 sqlUser = "root"; sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

Among the results yielded by Feroxbuster is “/phpmyadmin.”

HackTheBox “Blocky” Walkthrough, figure 5

We will use the credentials found in the jar file.

HackTheBox “Blocky” Walkthrough, figure 6

After having a look around, we find an entry inside wordpress/wp_users tab.

HackTheBox “Blocky” Walkthrough, figure 7

We find the following user id.

SELECT * FROM `wp_users`notch$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/

Exploitation:

Since we have port 22 SSH is open, let’s try using the username notch and the password found in the jar file.

HackTheBox “Blocky” Walkthrough, figure 8

Privilege Escalation:

When attempting to list the privileges for the “notch” user using sudo -l, a password prompt is triggered. Subsequently, it worked by providing the password retrieved from the jar file once more.

HackTheBox “Blocky” Walkthrough, figure 9

And we are allowed to perform all, so, let’s switch to root.

HackTheBox “Blocky” Walkthrough, figure 10

Cheers.