Saturday, February 2, 2019

Blocky



- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Blocky, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

Blocky's IP is 10.10.10.37:




- Scanning with Nmap:




- Scanning ports 21, 22, 80 and 8192 in more depth:




- Dirbusting the web server:




- Using the browser to explore some of those folders, the main page is Under Construction:





- /wp-login:




- /wp-includes:





- /phpmyadmin:






- /plugins:






3 - EXPLOITATION

- From /plugins let's save the file BlockyCore.jar:




- javadecompilers helps us to open and read the contents of BlockyCore.jar:





- Uploading BlockyCore.jar:





- Selecting JDCore as decompiler:




- The decompiling process is successful:





- Reading the results online (we could also download the results to the local machine by clicking Save):





- So there is an SQL password available for user root; let's store that password:




- Though the password is for an SQL database, let's try to use it to SSH as root, just in case it works.

- Unfortunately the access is denied:



- However the password works for the phpMyAdmin login portal:





- After logging in to phpMyAdmin, the database wordpress shows a user notch:





- Now the credentials notch:8YsqfCTnvxAUeduzjNSXe22 work for access over SSH:





4 - READING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Access to folder /root is denied:



- We are lucky because user notch is a full-privilege sudoer:





- Getting a root shell:





6 - READING THE 2nd FLAG

- Reading root.txt: