Hack The Box — Blocky Walkthrough
Like a lot of people, I am starting off my OSCP prep by running through TJnull’s OSCP HTB/Vulnhub VM list and doing each box without Metasploit; the third Linux box on the list is Blocky.
This was a pretty easy machine: if you have ever exploited a WordPress config then gaining a foothold should be easy enough, but there is a twist that might be tricky to catch if you have not been burned by it before.
Recon
I kicked off my recon process using AutoRecon, as always super helpful and saves a lot of time.
There are only a small number of ports open when we check out the full TCP scan results:
First I took a look at port 21, running the ProFTPD service. After quickly attempting anonymous and guest logins, which both failed, I ran all of the nmap ftp scripts against the host, which also did not reveal anything of use:
I had a dig around at some of the ProFTPD 1.3.5 remote exploits but none of them were applicable or just didn't work with the version running on the target.
From here I moved on to taking a look at the web server running on port 80, which looked to be a WordPress site :)
After checking out the site itself there was not much in the HTML source of the page, so I fired up dirsearch and tried to uncover any interesting directories:
Some notable directories are the phpMyAdmin and plugins ones. I made a note of these and then ran WPScan against the site, which did not reveal any major plugin vulns, but username enumeration did reveal something:
From here I tried to get into the phpMyAdmin panel using basic root password attempts, which all failed. Jumping to the plugins directory we found, we can see that there are a couple of jar files in there:
We pull them down and fire up jd-gui to take a look at the source code and find what seem to be DB creds:
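The jar files gave up the database credentials because they were compiled in as plain string constants. As an added example that is not part of the write-up, the following Python script does the review a defender would run over a plugin jar before shipping it: it walks each class file's constant pool, separates string literals from identifiers, and flags JDBC URLs and any literal sitting in a class that declares a credential-looking field. The jar, class and field names and the credential values are constructed placeholders, not the ones from the box.

```python
"""Added example: flag hard-coded credentials in a jar's class files.

The sample jar is built in memory from a constructed class file, so the
script runs offline; the names and values in it are placeholders.
"""
import io
import struct
import zipfile

# Constant-pool tag -> payload size in bytes. Utf8 (tag 1) is variable
# length; Long/Double (tags 5/6) take two pool slots per the class spec.
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Identifier fragments that mark a field as credential-bearing.
CRED_WORDS = ("pass", "pwd", "secret", "token")


def constant_pool_strings(class_bytes):
    """Return (literals, names) from one .class file's constant pool.

    literals: Utf8 entries referenced by a CONSTANT_String (actual values)
    names:    the remaining Utf8 entries (class, field and type names)
    """
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, idx = 10, 1
    utf8, string_refs = {}, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            utf8[idx] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == 8:
            string_refs.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += 2
        else:
            pos += FIXED_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1
    literals = [utf8[i] for i in string_refs if i in utf8]
    names = [v for i, v in utf8.items() if i not in string_refs]
    return literals, names


def find_hardcoded_credentials(jar_bytes):
    """Scan every class in the jar; return (class, reason, literal) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in jar.namelist():
            if not member.endswith(".class"):
                continue
            literals, names = constant_pool_strings(jar.read(member))
            has_cred_field = any(w in n.lower() for n in names for w in CRED_WORDS)
            for lit in literals:
                if lit.startswith("jdbc:"):
                    findings.append((member, "jdbc-url", lit))
                elif has_cred_field and len(lit) >= 6 and " " not in lit:
                    # Heuristic: a string constant next to a password field
                    # is worth a human look; expect some false positives.
                    findings.append((member, "literal-near-credential-field", lit))
    return findings


def build_sample_class(names, literal_values):
    """Constructed minimal class file: header plus constant pool only.

    That is all the parser above reads, so no methods or fields are emitted.
    """
    pool, entries = b"", 0
    for s in names + literal_values:
        data = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(data)) + data
        entries += 1
    first_literal = len(names) + 1
    for i in range(len(literal_values)):          # CONSTANT_String -> Utf8
        pool += b"\x08" + struct.pack(">H", first_literal + i)
        entries += 1
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, entries + 1)
    return header + pool


def build_sample_jar():
    """Constructed stand-in for a plugin jar; every value is a placeholder."""
    cls = build_sample_class(
        ["com/example/PluginCore", "sqlUser", "sqlPass", "Ljava/lang/String;"],
        ["jdbc:mysql://localhost:3306/wordpress", "DB_USER_PLACEHOLDER",
         "DB_PASSWORD_PLACEHOLDER"],
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/PluginCore.class", cls)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_hardcoded_credentials(build_sample_jar()):
        print(hit)
```

Point it at a real jar with `find_hardcoded_credentials(open("plugin.jar", "rb").read())`. Parsing the constant pool rather than running `strings` is what lets the script tell a value apart from a field name, so a class that only declares `sqlPass` without assigning a literal does not trip it.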
Exploitation
Using the discovered credentials I am able to gain access to the phpMyAdmin panel:
After taking a quick look around I jumped to the WordPress database, specifically the wp_users table. From here I tried to recover the Notch user account's password, but it was salted and hashed:
I decided to insert my own admin user into the database (using this article, it was rather simple):
Note: make sure the user_pass DB field is at least set to an MD5 hash or you will not be able to log in:
And then apply the admin perms:
From here I was able to log in with the newly created WordPress administrator account.
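The account insert above leaves two marks a defender can look for: a `user_pass` value that is a bare 32-character MD5 hex string instead of the `$P$` portable hash WordPress writes itself, and an administrator whose `user_registered` date is newer than anything you expect. As an added example, not part of the write-up, the following Python audit runs those checks over a dump of `wp_users` and `wp_usermeta`. The rows, hashes and dates are constructed; the column and meta key names are the standard WordPress ones.

```python
"""Added example: audit wp_users / wp_usermeta for manually inserted admins.

Input rows are constructed here so the script runs offline; in practice
they come from a dump or a read-only query of the two tables.
"""
import re
from datetime import datetime

RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")          # what the write-up sets by hand
PHPASS = re.compile(r"^\$[PH]\$")                 # what WordPress writes itself


def capabilities_by_user(usermeta):
    """Map user_id -> serialized wp_capabilities string."""
    return {m["user_id"]: m["meta_value"]
            for m in usermeta if m["meta_key"] == "wp_capabilities"}


def audit_wordpress_users(users, usermeta, known_admins, baseline):
    """Return (user_login, reason) tuples worth a human look."""
    caps = capabilities_by_user(usermeta)
    findings = []
    for u in users:
        is_admin = "administrator" in caps.get(u["ID"], "")
        pw = u["user_pass"]
        if RAW_MD5.match(pw):
            findings.append((u["user_login"], "raw-md5-password-hash"))
        elif not PHPASS.match(pw) and not pw.startswith("$wp$"):
            # $wp$ is the bcrypt prefix newer WordPress releases use.
            findings.append((u["user_login"], "unrecognised-hash-format"))
        if is_admin and u["user_login"] not in known_admins:
            findings.append((u["user_login"], "unexpected-administrator"))
        if is_admin and datetime.fromisoformat(u["user_registered"]) > baseline:
            findings.append((u["user_login"], "admin-registered-after-baseline"))
    return findings


# Constructed sample: one legitimate account and one inserted by hand.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "notch",
     "user_pass": "$P$PLACEHOLDERPHPASSHASH0000000000",
     "user_registered": "2017-06-02 10:00:00"},
    {"ID": 2, "user_login": "inserted_admin",
     "user_pass": "0123456789abcdef0123456789abcdef",   # bare MD5
     "user_registered": "2025-01-15 03:12:44"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 1, "meta_key": "wp_user_level", "meta_value": "10"},
    {"user_id": 2, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_user_level", "meta_value": "10"},
]


def run_sample():
    return audit_wordpress_users(SAMPLE_USERS, SAMPLE_USERMETA,
                                 known_admins={"notch"},
                                 baseline=datetime(2018, 1, 1))


if __name__ == "__main__":
    for login, reason in run_sample():
        print(f"{login}: {reason}")
```

A bare MD5 hash alone is not proof of tampering, since very old installs carried them until the next login, but an MD5-hashed administrator registered after the site went live is exactly the footprint this walkthrough produces, and the query is cheap enough to schedule.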
I quickly started netcat and grabbed a WordPress reverse shell plugin from here:
From here I zipped the plugin and uploaded it to the WordPress site:
We activate the plugin, which should execute the PHP and give us a reverse shell:
Meow:
After taking a look around we can see that there are pretty much only two users on the system, root and notch. I can see the user flag in the notch directory but could not access it.
I had a good look around and ran linpeas.sh, which didn't find much, so from here I decided to try to SSH into the box as notch with the password we already had (the twist I was talking about). Bingo!:
I quickly grab the user flag:
Then, taking a look at the capabilities of the notch account, getting the root flag is trivial:
Conclusion
This box was fun and pretty easy. In terms of what I took away from it: make sure you use the information you already have to move further; password reuse is very, very common, so never rule it out.
If you are here, thank you for reading :) — on to the next one!
Cheers,
Barry