Saturday, February 2, 2019
Blocky
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Blocky, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Blocky's IP is 10.10.10.37:
- Scanning with Nmap:
- Scanning ports 21, 22, 80 and 8192 in more depth:
- Dirbusting the web server:
- Using the browser to explore some of those folders, the main page is Under Construction:
- /wp-login:
- /wp-includes:
- /phpmyadmin:
- /plugins:
3 - EXPLOITATION
- From /plugins let's save the file BlockyCore.jar:
- javadecompilers helps us to open and read the content of BlockyCore.jar:
- Uploading BlockyCore.jar:
- Selecting JDCore as decompiler:
- The decompiling process is successful:
- Reading the results online (we could also download the results to the local machine by clicking Save):
- So there is an SQL password available for user root; let's store that password:
- Though the password is for an SQL database, let's try to use it to SSH as root, just in case it works.
- Unfortunately the access is denied:
- However, the password works for the phpMyAdmin login portal:
- Once logged in to phpMyAdmin, the wordpress database shows a user notch:
- Now the credentials notch:8YsqfCTnvxAUeduzjNSXe22 successfully give SSH access:
4 - READING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- Access to folder /root is denied:
- We are lucky because user notch is a full-privilege sudoer:
- Getting a root shell:
6 - READING THE 2nd FLAG
- Reading root.txt: