HTB – Blocky – without Metasploit

Here’s a new episode, this time on the HackTheBox machine Blocky.
As always, I try to avoid Metasploit in order to better understand the hacking process.

Some ports are open. I run a full port scan with max retries set to 1 so that the whole machine is scanned quickly.
On port 80 there’s a WordPress site.
As usual I run Nikto against port 80, and in this case I add a WPScan run as well.

Let’s keep those findings in mind, but we’ll try other vectors first.

FTP:
The FTP version is vulnerable, but the exploit doesn’t work.

So we move on to brute-forcing the web application’s directories with DirBuster.

The plugins directory contains two files. Download them!

JAR files can be extracted (https://docs.oracle.com/javase/tutorial/deployment/jar/unpack.html).

This is the content of Blockycore.class.
There’s a root user and something that looks like a password… let’s try it over SSH.
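From the defender’s side, the finding above (a service credential compiled into a class inside a JAR) is exactly what a pre-release artifact check should catch. The script below is an added example, not part of the original write-up or of the Blocky box: it treats the JAR as the ZIP archive it is, parses each .class file’s constant pool, and lists the string literals of every class whose identifiers (field names, descriptors) look credential-related. The two-class JAR it scans is constructed in memory, and the class names, field names and password value in it are made up.

```python
"""Audit a JAR for hard-coded credential strings by reading each .class
file's constant pool. Added example (not from the original write-up);
the sample JAR below is constructed in memory so the script runs offline."""
import io
import re
import struct
import zipfile

# Identifiers that suggest a class holds credentials (heuristic, tune as needed).
SECRET_NAME = re.compile(r"pass|pwd|secret|token|apikey|credential", re.I)

# Constant-pool tag -> size of the fixed payload following the tag byte.
# Utf8 (tag 1) is variable-length and handled separately; Long/Double take two slots.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Return the constant pool as a list indexed from 1 (slot 0 is unused).

    Entries are (tag, payload): Utf8 -> decoded str, single-u2 reference
    tags (Class, String, ...) -> int index, everything else -> raw bytes."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool = [None] * count
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by (modified) UTF-8 bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[i] = (tag, data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        else:
            size = FIXED_SIZE[tag]
            payload = data[pos:pos + size]
            pos += size
            if tag in (7, 8, 16, 19, 20):  # single u2 reference into the pool
                pool[i] = (tag, struct.unpack(">H", payload)[0])
            else:
                pool[i] = (tag, payload)
            if tag in (5, 6):  # Long and Double occupy two pool slots
                i += 1
        i += 1
    return pool


def string_literals(pool):
    """String constants used in code: CONSTANT_String entries resolved to their Utf8."""
    return [pool[e[1]][1] for e in pool if e is not None and e[0] == 8]


def identifiers(pool):
    """Utf8 entries that are not string literals: class/field/method names, descriptors."""
    literal_idx = {e[1] for e in pool if e is not None and e[0] == 8}
    return [e[1] for i, e in enumerate(pool)
            if e is not None and e[0] == 1 and i not in literal_idx]


def scan_jar(jar_bytes):
    """Map each .class whose identifiers look credential-related to its string literals."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            pool = parse_constant_pool(jar.read(name))
            if any(SECRET_NAME.search(ident) for ident in identifiers(pool)):
                findings[name] = string_literals(pool)
    return findings


def build_class(class_name, field_names, literals):
    """Construct a minimal well-formed class file whose constant pool carries the
    given field names and string literals (sample input only, not real code)."""
    cp = [b"\x01" + struct.pack(">H", len(class_name)) + class_name.encode(),
          b"\x07\x00\x01",  # CONSTANT_Class -> #1 (this class)
          b"\x01" + struct.pack(">H", 16) + b"java/lang/Object",
          b"\x07\x00\x03"]  # CONSTANT_Class -> #3 (superclass)
    for fname in field_names:
        cp.append(b"\x01" + struct.pack(">H", len(fname)) + fname.encode())
    for lit in literals:
        cp.append(b"\x01" + struct.pack(">H", len(lit)) + lit.encode())
        cp.append(b"\x08" + struct.pack(">H", len(cp)))  # CONSTANT_String -> the Utf8 just added
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(cp) + 1)
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    body = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return header + b"".join(cp) + body


def sample_jar():
    """Constructed two-class JAR: one class embeds DB settings, the other does not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/DbConfig.class",
                     build_class("com/example/DbConfig", ["sqlHost", "sqlPass"],
                                 ["localhost", "CONSTRUCTED_SAMPLE_PASSWORD"]))
        jar.writestr("com/example/Greeter.class",
                     build_class("com/example/Greeter", ["message"], ["Hello, world"]))
    return buf.getvalue()


if __name__ == "__main__":
    for cls, lits in scan_jar(sample_jar()).items():
        print(f"{cls}: {lits}")
```

Point `scan_jar` at a real build artifact (`scan_jar(open("app.jar", "rb").read())`) to review what ships. The heuristic keys on identifiers rather than on literal values because a password literal itself carries no marker; the field or method name next to it usually does.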

The password doesn’t work for the root user, but WPScan revealed the user notch, and with that user it works!

Since we have the password, we check whether the user is in the sudoers group.

So, with a simple “sudo su”
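That last check is worth having as a repeatable audit on your own hosts rather than a one-off: which accounts can reach root through sudo, and whether a password is required. The script below is an added example, not from the original write-up or the Blocky box. It parses /etc/group and /etc/sudoers text and reports the rules that apply to a given user, either directly or through a %group entry; the two inputs are constructed samples (the Debian-style %sudo rule plus a made-up service account with a NOPASSWD rule), not files from the machine.

```python
"""Audit which accounts can reach root via sudo, from /etc/group and
/etc/sudoers contents. Added example, not part of the original write-up;
the inputs below are constructed samples, not files from the Blocky box."""
import re

# Constructed /etc/group excerpt: notch is a member of the sudo group.
GROUP_FILE = """root:x:0:
sudo:x:27:notch
users:x:100:alice,notch
"""

# Constructed sudoers: the Debian/Ubuntu default rule for the sudo group,
# plus a sample passwordless rule for a made-up service account.
SUDOERS = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# who  hosts=(runas) [TAG:]... commands
RULE = re.compile(r"^(?P<who>\S+)\s+\S+=\((?P<as>[^)]*)\)\s*"
                  r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_groups(text):
    """Map group name -> set of supplementary members listed in /etc/group."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return (who, runas, nopasswd, commands) for each user/group rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if m:
            rules.append((m["who"], m["as"], "NOPASSWD:" in m["tags"],
                          m["cmds"].strip()))
    return rules


def sudo_access(user, group_text, sudoers_text):
    """Rules that grant `user` sudo, directly or via a %group it belongs to."""
    groups = parse_groups(group_text)
    hits = []
    for who, runas, nopasswd, cmds in parse_sudoers(sudoers_text):
        in_group = who.startswith("%") and user in groups.get(who[1:], ())
        if who == user or in_group:
            hits.append({"rule": who, "runas": runas,
                         "nopasswd": nopasswd, "cmds": cmds})
    return hits


if __name__ == "__main__":
    for account in ("notch", "alice", "backup"):
        print(account, sudo_access(account, GROUP_FILE, SUDOERS))
```

On a real host, feed it the contents of /etc/group and /etc/sudoers (plus the files under /etc/sudoers.d) and review every account that comes back, especially rules with `nopasswd` set or `cmds` of `ALL`: those are the accounts where a reused or leaked password, as in this box, is a straight path to root.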