Blocky Writeup
10 September 2022 #CTF #HTB #box #easy #linux
```
$ sudo nmap -sC -sV -oN enum/intial.nmap 10.10.10.37
[...]
21/tcp open ftp     ProFTPD 1.3.5a
22/tcp open ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http    Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
[...]
```
Let's start with HTTP since we don't have anonymous access to FTP.
The nmap scan shows that we are redirected when trying to access the web page, so the first thing to do is to add 'blocky.htb' to our
Now we can view the page:
Okay, looks like a Minecraft blog with very strong Wordpress vibes.
Clicking on the post we see it was made by Notch:
We'll keep this in our notes (:
What are we waiting for? Let's gobuster this site:
This confirms that it is indeed a Wordpress site.
There are some non-standard directories for a Wordpress instance like
There is also a phpmyadmin instance. Good to know.
Remember the post from 'Notch' on the blog? It talked about some plugin. So to /plugins we go:
We'll download these files and use jd-gui to view them:
You can even open the .jar file, it will unzip it for you.
And we seem to have credentials for a database! There is a phpmyadmin instance so all the stars are aligned right? Log in with root:8YsqfCTnvxAUeduzjNSXe22
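Hard-coded database credentials in a plugin jar are what this box turns on, so here is an added example (my code, not the Blocky plugin's or the author's) of a pre-deployment check: it walks the constant pool of each class in a jar and reports any class that carries a JDBC connection string, together with the string literals sitting beside it. The jar it scans is constructed in memory with placeholder values; a real plugin would be read from disk.

```python
import io
import re
import struct
import zipfile
JDBC = re.compile(r"^jdbc:[a-z0-9]+://")
DESCRIPTOR_CHARS = re.compile(r"[/;()\[<>]")  # found in JVM type/method descriptors, not in literals
ATTRS = {"Code", "ConstantValue", "SourceFile", "LineNumberTable", "LocalVariableTable"}

def constant_pool_utf8(cls: bytes) -> list[str]:
    """Walk a class file's constant pool (JVM spec 4.4) and return every CONSTANT_Utf8 entry."""
    if cls[:4] != b"\xca\xfe\xba\xbe":  # not a class file at all
        return []
    (count,) = struct.unpack(">H", cls[8:10])  # constant_pool_count follows magic + version
    fixed = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = cls[pos], pos + 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            (ln,) = struct.unpack(">H", cls[pos:pos + 2])
            out.append(cls[pos + 2:pos + 2 + ln].decode("utf-8", "replace"))
            pos += 2 + ln
        elif tag in (5, 6):  # long/double occupy two pool slots
            pos, idx = pos + 8, idx + 1
        else:
            pos += fixed[tag]
        idx += 1
    return out

def scan_jar(jar_bytes: bytes) -> dict[str, dict]:
    """Map each .class entry that embeds a JDBC URL to that URL plus the literal strings beside it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            strings = constant_pool_utf8(jar.read(name))
            urls = [s for s in strings if JDBC.match(s)]
            if urls:  # credentials usually sit in the same pool as the connection string
                literals = [s for s in strings if len(s) >= 4 and s not in ATTRS and not DESCRIPTOR_CHARS.search(s)]
                report[name] = {"jdbc": urls, "literals": literals}
    return report

def build_demo_jar() -> bytes:
    """Constructed jar: one class holding only a constant pool, which is all the scanner reads."""
    entries = ["jdbc:mysql://localhost/wordpress", "root", "EXAMPLE_PLACEHOLDER_PW",
               "java/lang/Object", "Code", "sqlPass", "()V"]  # placeholder values, not the box's
    # one Integer entry (tag 3) to exercise the fixed-size path, then the Utf8 entries (tag 1)
    pool = b"\x03\x00\x00\x00\x01" + b"".join(b"\x01" + struct.pack(">H", len(e)) + e.encode() for e in entries)
    cls = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(entries) + 2) + pool
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as jar:
        jar.writestr("com/example/PluginDb.class", cls)
    return buf.getvalue()
```

Anything the scanner lists under `literals` next to a connection string deserves a look before the jar lands in a directory a web server will happily serve.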
There are all the classic Wordpress tables, nothing out of the ordinary.
At this point we can either try to crack Notch's hash (definitely not what I did) or just try the password we already have on other services like ssh:
```
$ ssh notch@blocky.htb
notch@blocky.htb's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Fri Jul 8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

notch@Blocky:~$ ls
minecraft  user.txt
```
But why would you do that when you can spend 15 minutes running hashcat to crack absolutely nothing (:
The first thing to do for Linux privesc is checking
```
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
```
It asks for notch's password but we have it.
Damn. We can run anything as root. Nice chill privesc.
- Look for unusual directories in known web apps
- Reuse passwords on every service