Here's a new episode on the Hack The Box machine Blocky. As always, I'm trying to avoid Metasploit in order to better understand the hacking process.
The initial scan shows some open ports. I run a full port scan with max retries = 1 in order to cover the whole machine quickly. On port 80 there's a WordPress website, so as always I start Nikto against port 80, and in this case I add a WPScan scan as well.
Let's keep these findings in mind, but we'll try other vectors first.
FTP: the FTP version is vulnerable, but the exploit doesn't work.
So we move on to brute forcing the web application's directories with DirBuster.
The plugins directory contains two files. Download them!
JAR files are ZIP archives and can be extracted (https://docs.oracle.com/javase/tutorial/deployment/jar/unpack.html).
This is the content of Blockycore.class: there's a root user and something that looks like a password. Let's try it over SSH.
The password doesn't work for the root user, but WPScan discovered the user notch, and with that user it works!
We have the password, so we check whether the user has sudo privileges.
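A compiled-in password like the one in Blockycore.class is something a build pipeline should catch before the artifact ships. The following Python scanner is an added example written for this page (not code from the writeup or from the Blocky machine): it walks the constant pool of every .class file inside a JAR, separates string literals (CONSTANT_String entries) from identifiers, and reports the literals of any class that declares a credential-named identifier. The sample JAR, class name, field names and the "Hunter2Example" value are constructed test data, not values from the box.

```python
import io
import re
import struct
import zipfile

# Payload sizes (bytes after the tag) for fixed-length constant-pool entries,
# per the JVM class file specification. Utf8 (tag 1) is variable-length and
# String (tag 8) is handled explicitly because we need the index it references.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
TWO_SLOT = {5, 6}  # long and double occupy two constant-pool indices

# Identifier names that suggest a credential lives next to them (heuristic).
CREDENTIAL_NAME = re.compile(r"pass(wd|word)?|secret|token|api[_-]?key", re.I)


def parse_constant_pool(data):
    """Walk a class file's constant pool.

    Returns (utf8_by_index, literal_indices): every CONSTANT_Utf8 entry keyed by
    its pool index, plus the set of Utf8 indices referenced by CONSTANT_String
    entries (actual string literals, as opposed to names and descriptors).
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    utf8, literal_indices = {}, set()
    pos, index = 10, 1
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then (modified) UTF-8 bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            utf8[index] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:  # CONSTANT_String: u2 index of the Utf8 holding the literal
            (ref,) = struct.unpack_from(">H", data, pos)
            literal_indices.add(ref)
            pos += 2
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        index += 2 if tag in TWO_SLOT else 1
    return utf8, literal_indices


def find_credential_literals(jar_bytes):
    """Scan every .class member of a JAR (given as bytes).

    For each class that declares an identifier with a credential-like name,
    report every string literal in that class as (member, identifier, literal)
    so a reviewer can decide whether a secret was compiled in.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in jar.namelist():
            if not member.endswith(".class"):
                continue
            utf8, literal_indices = parse_constant_pool(jar.read(member))
            identifiers = [s for i, s in utf8.items() if i not in literal_indices]
            literals = [utf8[i] for i in sorted(literal_indices) if utf8.get(i)]
            for name in identifiers:
                if CREDENTIAL_NAME.search(name):
                    findings.extend((member, name, lit) for lit in literals)
    return findings


def build_sample_class():
    """Hand-assemble a minimal class file whose constant pool carries a password.

    Constructed test data for this example, not a real artifact; the pool layout
    (field name, descriptor, String entry pointing at the literal) is what javac emits.
    """
    def utf8(s):
        return b"\x01" + struct.pack(">H", len(s)) + s.encode()

    pool = b"".join([
        utf8("ExampleCore"),                 # 1  class name
        b"\x07" + struct.pack(">H", 1),      # 2  CONSTANT_Class -> #1
        utf8("sqlpass"),                     # 3  field name
        utf8("Ljava/lang/String;"),          # 4  field descriptor
        utf8("Hunter2Example"),              # 5  the literal assigned to sqlpass
        b"\x08" + struct.pack(">H", 5),      # 6  CONSTANT_String -> #5
        utf8("sqluser"),                     # 7  another field name
        utf8("root"),                        # 8
        b"\x08" + struct.pack(">H", 8),      # 9  CONSTANT_String -> #8
        b"\x05" + struct.pack(">q", 42),     # 10 CONSTANT_Long (takes slots 10 and 11)
        utf8("Code"),                        # 12 attribute name
    ])
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 13)  # count = last index + 1
    # access flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 0, 0, 0, 0, 0)
    return header + pool + trailer


def build_sample_jar():
    """Wrap the sample class in a JAR (a ZIP with a manifest), constructed in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/ExampleCore.class", build_sample_class())
    return buf.getvalue()


if __name__ == "__main__":
    for member, name, literal in find_credential_literals(build_sample_jar()):
        print("%s: identifier %r sits beside literal %r" % (member, name, literal))
```

Run it against a real artifact by passing the JAR's bytes to find_credential_literals; a finding is a prompt for review, not proof of a leaked secret, since the heuristic matches identifier names rather than understanding the code.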
Let's start by scanning the machine with nmap. There are 2 open ports: 22 and 80. On port 80 there's a simple "hello world" page, but checking the page source reveals something interesting:
Adding the nibbleblog directory to the URL takes us to a Nibbleblog homepage.
The hyperlinks don't open other pages, so what we can do is enumerate more pages with gobuster.
As soon as we start the enumeration we discover many interesting links. The admin page has a login form, so we look for SQL injection with sqlmap. While configuring Burp Suite to capture the login request, we tried some basic credentials against the login (admin / password, admin / pass, nibbles / nibbles) and discovered that the login was admin / nibbles. We launched sqlmap anyway in order to analyse the login for SQL injection.
This is the request we'll use with sqlmap:
# sqlmap -r sql.req --batch --risk 3 --level 5
The problem is that there's some kind of protection (a WAF) that blocks our requests.
After a few minutes we can access the website again, but we can't use automated tools, which get us blocked. Browsing the blog, we discovered the software version.
Googling this version, we discovered a vulnerability in the "My Image" plugin. From packetstormsecurity.com:
The first upload through the "My Image" plugin was a simple image. After the upload the image appears on the home page, and by inspecting it we discovered where the uploaded images are stored. So I try to upload a PHP shell. We found a directory listing containing an image.php file... click on it... here's the shell!!!
Type a few commands to get a better shell (thank you IppSec... subscribe to his channel for very cool HTB and other high-quality writeups!!)
In the home directory it's possible to find the user hash.
Unzip the personal.zip archive and you'll find the code that acts as brute-force protection for the authentication. Nothing particularly interesting for now. Get LinEnum from the attacking machine and launch it.
Modify monitor.sh with this command:
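The plugin's weakness is that it stores whatever the user uploads, under the name the user chose, in a web-served directory. The following Python validator is an added example for this page (not code from Nibbleblog or from the writeup) showing the checks an image upload handler should make instead: exactly one allow-listed extension, magic bytes that match it, a size cap, a cheap scan for script markers, and a random server-side file name. The ALLOWED_TYPES table and the sample inputs are constructed for the example.

```python
import os
import secrets

# Allow-listed image types: canonical extension -> magic bytes expected at offset 0.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
# Cheap content check for server-side code smuggled into an image body.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_image_upload(client_name, content, max_bytes=2_000_000):
    """Decide whether an upload may be stored.

    Returns (True, server_side_name) or (False, reason). The server-side name is
    random and carries only the canonical extension, so nothing from the client
    file name reaches the filesystem or a URL.
    """
    # Strip any directory component the client sent (both path separators).
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: rejects "image.php", "image.php.png" and ".htaccess".
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "file name must be name.ext with exactly one extension"
    ext = EXTENSION_ALIASES.get(parts[1], parts[1])
    if ext not in ALLOWED_TYPES:
        return False, "extension .%s is not an allowed image type" % parts[1]
    if len(content) > max_bytes:
        return False, "file exceeds %d bytes" % max_bytes
    # bytes.startswith accepts a tuple, so GIF87a/GIF89a are both checked.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared image type"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "image body contains script markers"
    return True, "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    # Constructed sample inputs: a tiny PNG header and a mislabelled script.
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_image_upload("holiday.PNG", sample_png))
    print(validate_image_upload("image.php.png", sample_png))
    print(validate_image_upload("image.php", b"<?php echo 'hi';"))
```

The marker scan is only a last line of defence, because polyglot files can carry code past it; what actually prevents a stored upload from becoming a shell is serving the upload directory without script execution (or from outside the web root), which this function assumes the deployment does.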
echo "su" > monitor.sh
And launch the following command:
Even though the program returns an error, we are root!
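The root shell here comes from a script that runs with root privileges but that the low-privileged user can overwrite. The following Python audit is an added example for this page (not part of the writeup or of LinEnum): given the path of a script that sudo or cron executes as root, it reports every way an unprivileged user could change what root ends up running (missing file, symlink, non-root owner, group or world write bit, writable parent directory). The demo() helper builds a scratch copy of the bad configuration in a temporary directory, which is constructed for the example.

```python
import os
import stat
import tempfile


def audit_privileged_script(path):
    """Return the reasons a script executed with root privileges (via sudo or
    cron) could be tampered with by an unprivileged user. Empty list means OK."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # A dangling reference is as bad as a writable file: whoever creates
        # the path first decides what root runs.
        return ["missing: the path does not exist, so anyone who can create it controls what runs"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink: the link can be repointed at another file")
        st = os.stat(path)  # audit the target as well
    if st.st_uid != 0:
        problems.append("not owned by root (uid %d owns it)" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    # Whoever can write the parent directory can rename or replace the file.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid != 0:
        problems.append("parent directory not owned by root (uid %d)" % pst.st_uid)
    elif pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not pst.st_mode & stat.S_ISVTX:
        problems.append("parent directory writable by others without the sticky bit")
    return problems


def demo():
    """Reproduce the weak setup in a scratch directory (constructed for this
    example) and return the audit results before and after fixing the mode."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "monitor.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho monitoring\n")
    os.chmod(script, 0o777)  # anyone can rewrite it
    before = audit_privileged_script(script)
    os.chmod(script, 0o755)  # owner-only write
    after = audit_privileged_script(script)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Feed the function the paths that appear in sudoers rules and root crontabs; anything it reports for those paths is the same condition that turned a writable monitor.sh into a root shell here, and the fix is root ownership with mode 755 (or stricter) on both the script and its directory.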
In this writeup we'll start with Sparta, a tool for automatic enumeration. I usually run Sparta after the first nmap scan in order to get more information very quickly. Sparta launches nmap and other tools like Nikto after discovering a port compatible with that particular tool (port 80 or 443 in Nikto's case).
As we can see, there aren't many options except the SMB protocol. The other important thing is that we discovered the target OS (Windows XP).
No shares seem to be available on the machine. No anonymous login is allowed.
It's time to get deeper into enumeration. Nmap has many vuln NSE scripts that can make our enumeration phase easier. Locate the scripts with:
Let's launch the vuln scripts against our target on port 445.
There are two BIG vulns. The first one is MS08-067, an old vulnerability discovered in 2008. It's possible to solve this with Metasploit (I don't want to do this). For those who are studying for the OSCP it's good to avoid Metasploit, and it's not always easy to figure out how to solve machines without this tool. The other discovered vulnerability is in the SMBv1 server (MS17-010), the vulnerability that allowed the spread of the WannaCry ransomware in 2017. Let's try to exploit this.