[HTB] Blocky — Writeup (OSWE-Prep)

Blocky is an easy difficulty Linux box. Good learning path for:

Initial Recon

Nmap

# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-10 20:04 EDT
Nmap scan report for 10.10.10.37
Host is up (0.078s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5a
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

User Enumeration (WordPress)

A quick tip: WordPress offers a simple way to enumerate users. Requesting http://10.10.10.37/index.php?author=<Number> makes WordPress redirect to the author's archive page, and the URL of that page contains the username. Using this technique, I found the notch user.

http://10.10.10.37/index.php?author=1
  --> (redirect) http://10.10.10.37/index.php/author/notch/
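The redirect above is what a defender can look for: a single client walking author ids in sequence, with the valid ids answered by a 301/302. The following detection script is an added example (not part of the original writeup) that parses Apache combined-format access log lines and reports clients that probed several author ids, separating the ids that resolved (were redirected) from the ones that did not. The log lines are constructed for the example; the IP addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Apache combined-log format (one request per line).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The author-id probe: /?author=N or /index.php?author=N
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

# Constructed sample log lines (not real traffic): one client walks author ids 1..4,
# a second client makes a single author request followed by a normal page load.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:20:10:01 -0400] "GET /index.php?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"
203.0.113.5 - - [10/Apr/2021:20:10:02 -0400] "GET /index.php?author=2 HTTP/1.1" 404 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Apr/2021:20:10:02 -0400] "GET /index.php?author=3 HTTP/1.1" 404 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Apr/2021:20:10:03 -0400] "GET /?author=4 HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.9 - - [10/Apr/2021:20:12:44 -0400] "GET /index.php?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2021:20:12:45 -0400] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, path, status) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def detect_author_enumeration(lines, threshold=3):
    """Group author-id probes by client IP.

    Returns {ip: {"probed": [...], "resolved": [...]}} for every client that requested
    at least `threshold` distinct author ids. "resolved" holds the ids that were answered
    with a redirect: WordPress redirects a valid id to /author/<slug>/, and that redirect
    is the actual username leak, so it is the part worth alerting on."""
    probed = defaultdict(set)
    resolved = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line; skip rather than crash the sweep
        ip, path, status = parsed
        m = AUTHOR_RE.search(path)
        if not m:
            continue
        author_id = int(m.group(1))
        probed[ip].add(author_id)
        if status in (301, 302):
            resolved[ip].add(author_id)
    return {
        ip: {"probed": sorted(ids), "resolved": sorted(resolved[ip])}
        for ip, ids in probed.items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for ip, info in detect_author_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: probed author ids {info['probed']}, redirected (valid) ids {info['resolved']}")
```

On the sample data only 203.0.113.5 crosses the threshold; 198.51.100.9 sent a single probe and is ignored unless the threshold is lowered to 1. The fix on the server side is to stop answering the redirect at all (a rewrite rule that refuses requests whose query string starts with author=, or disabling author archives), and the same policy should cover the WordPress REST user listing, which leaks the same usernames by a different route.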

Web Directory Enumeration (Gobuster)

As usual, I ran a quick gobuster scan to see whether I could discover more interesting files or folders on the web server.

# gobuster dir -u http://10.10.10.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

I downloaded those two files and started inspecting them with JD-GUI (Java Decompiler).

Initial Foothold

Decompiling .jar

Using JD-GUI, I decompiled the BlockyCore.jar file and found hard-coded database credentials in the SQL connection string.

root : 8YsqfCTnvxAUeduzjNSXe22
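Opening the jar in JD-GUI is the manual route. As an added example (not from the writeup and not based on the contents of BlockyCore.jar), the script below automates the triage for a source-review exercise: it walks the constant pool of each .class file inside a jar, which is where javac stores every string literal, and flags JDBC URLs plus any literal in a class that declares a credential-looking member name (pass, pwd, secret, token, credential). The jar it scans is assembled in memory from a hand-built class file; the class name com/example/SampleCore, the field name dbPassword and the password literal are constructed for the example.

```python
import io
import re
import struct
import zipfile

# Byte sizes of the fixed-length constant-pool entries (JVM spec, section 4.4), keyed by tag.
# Utf8 (tag 1) is variable length and String (tag 8) is handled explicitly below.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Member names that suggest a credential lives nearby, and the JDBC URL shape.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|credential", re.I)
JDBC_URL = re.compile(r"^jdbc:", re.I)


def parse_constant_pool(class_bytes):
    """Walk a .class file's constant pool.

    Returns (utf8, string_refs): utf8 maps pool index -> text for every CONSTANT_Utf8
    entry; string_refs lists the utf8 indices used by CONSTANT_String entries, i.e.
    the string literals the compiler emitted for the source code."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, idx = 10, 1
    utf8, string_refs = {}, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes (modified UTF-8; ASCII is identical)
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            utf8[idx] = class_bytes[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag == 8:  # CONSTANT_String: u2 index of the Utf8 entry holding the literal
            string_refs.append(struct.unpack(">H", class_bytes[pos:pos + 2])[0])
            pos += 2
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return utf8, string_refs


def find_hardcoded_secrets(class_bytes):
    """Triage heuristic: return (reason, literal) pairs worth a reviewer's attention."""
    utf8, string_refs = parse_constant_pool(class_bytes)
    literals = [utf8[i] for i in string_refs]
    names = [text for i, text in utf8.items() if i not in string_refs]
    sensitive = [n for n in names if SENSITIVE_NAME.search(n)]
    findings = []
    for literal in literals:
        if JDBC_URL.match(literal):
            findings.append(("jdbc connection string", literal))
        elif sensitive:
            findings.append((f"literal in class naming {sensitive[0]!r}", literal))
    return findings


def scan_jar(jar_bytes):
    """Run the heuristic over every .class inside a jar; returns {entry name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                findings = find_hardcoded_secrets(zf.read(entry))
                if findings:
                    results[entry] = findings
    return results


# --- constructed sample input (not BlockyCore.jar): a hand-assembled class whose
# constant pool holds a credential-looking field name, a password literal and a JDBC URL.
def _utf8(text):
    raw = text.encode()
    return b"\x01" + struct.pack(">H", len(raw)) + raw


def build_sample_class():
    pool = [
        _utf8("com/example/SampleCore"),          # 1  hypothetical class name
        b"\x07" + struct.pack(">H", 1),            # 2  Class -> #1
        _utf8("dbPassword"),                       # 3  field name (constructed)
        _utf8("Ljava/lang/String;"),               # 4  field descriptor
        _utf8("S3cr3tP@ss-constructed"),           # 5  password literal (constructed)
        b"\x08" + struct.pack(">H", 5),            # 6  String -> #5
        _utf8("jdbc:mysql://localhost:3306/app"),  # 7  JDBC URL literal (constructed)
        b"\x08" + struct.pack(">H", 7),            # 8  String -> #7
        b"\x05" + struct.pack(">Q", 0),            # 9-10 Long, takes two slots
        _utf8("<init>"),                           # 11
        _utf8("()V"),                              # 12
        b"\x0c" + struct.pack(">HH", 11, 12),      # 13 NameAndType
        b"\x0a" + struct.pack(">HH", 2, 13),       # 14 Methodref
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 15)  # Java 8, pool count 15
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 2, 0, 0, 0, 0)        # flags, this, super, empty tables
    return header + b"".join(pool) + tail


def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/SampleCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_jar(build_sample_jar()).items():
        for reason, literal in findings:
            print(f"{entry}: {reason}: {literal}")
```

Point scan_jar at the bytes of a real jar to get a shortlist of literals per class; it is a triage aid, so every hit still needs a look at the decompiled code to confirm how the value is used. The check runs on a compiled artifact with no Java toolchain needed, which also makes it a cheap pre-release gate for the build that produced the jar.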

Password Reuse

Since the Blocky box did not expose any SQL service, I considered the possibility of password reuse. The password turned out to be valid for the notch user that we enumerated from the WordPress site.

user.txt

notch@Blocky:~$ cat user.txt
59fee09...REDACTED...51f3cd5

Privilege Escalation

notch → root (sudo)

The privilege escalation was very simple: the notch user had excessive sudo privileges, so a plain sudo su was enough to escalate to root.

root.txt

root@Blocky:/home/notch# cat /root/root.txt
0a9694a...REDACTED...1cd5f

Conclusion

Considering this is an older box, it was a very easy one. It is still a good way to get a feel for JD-GUI as OSWE prep. In this Blocky box the jewel we were looking for was easy to spot, but the actual OSWE course goes a lot more in depth, and the decompiler is used mainly for source code review there. Thanks for reading! :)

Thanks to TJ_NULL for providing the list for the OSWE-like VMs

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
