The Blocky machine on Hack The Box has retired, which means write-ups are allowed now. It was a Linux VM that can be considered a beginner-level box. Getting the user flag was “Easy” and, unlike the other HTB machines, privilege escalation was just a “Piece of cake”.

Note: In order to keep all my CTF write-ups crisp and concise, I only mention the steps which led to positive results. There was a lot of trial and error, and hours or in some cases even days of failed attempts, before reaching the correct solution. For this challenge, the IP address of my machine was 10.10.14.50 and Blocky was 10.10.10.37.

Reconnaissance

I started with nmap to check for all open ports (-p-), the versions of the services running (-sV) and to perform script scans using the default set of scripts (-sC).

nmap -sC -sV -p- 10.10.10.37

21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|_  256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress Download Manager 2.9.59
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Finding port 80 open and WordPress running on it, I started wpscan in the background to test for any vulnerable plugins and to enumerate the users. In the meantime I manually navigated the web application.

wpscan -u http://10.10.10.37 --enumerate u

The wpscan result didn’t give anything exciting, but it identified one WordPress user, “notch”, which later turned out to be useful.

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+---------+
    | Id | Login | Name    |
    +----+-------+---------+
    | 1  | notch | Notch – |
    +----+-------+---------+

Running dirb against the web application found some hidden directories.

dirb http://10.10.10.37

---- Scanning URL: http://10.10.10.37/ ----
+ http://10.10.10.37/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.37/javascript/
==> DIRECTORY: http://10.10.10.37/phpmyadmin/
==> DIRECTORY: http://10.10.10.37/plugins/

Exploitation

I navigated to all the directories. The plugins directory was the interesting one. There were two jar files, one of which was “Blocky.jar”. I downloaded it and used an online Java decompiler to check its source code. Below is a screenshot of the decompiled result.

There was a password hardcoded in the jar file. Since the SSH port was open, I tried to log in as the user notch (found earlier using wpscan) with the password obtained from the jar, and it worked!!! 😀
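A defender-side check for the kind of finding described above, as an added example that is not part of this write-up: a small Python scanner that walks a jar's class files, parses each constant pool and reports string literals from classes that also name a password-like field, so a secret like this one is caught before the jar is published. The jar and class it scans are constructed inline; the name regex and the 6-character threshold are my assumptions.

```python
# Added example: parse the constant pool of each .class in a jar (JVM spec 4.4) and
# report string literals from classes that also name a password-like field.
import io, re, struct, zipfile
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,  # payload bytes
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}                        # after each tag
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)  # assumed patterns

def constant_pool(data):
    """Return {index: (tag, payload)}; Utf8 payloads are decoded to str."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    count, pool, pos, idx = struct.unpack(">H", data[8:10])[0], {}, 10, 1
    while idx < count:
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            n = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pool[idx] = (1, data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag in _FIXED:
            pool[idx] = (tag, data[pos + 1:pos + 1 + _FIXED[tag]])
            pos += 1 + _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return pool

def string_literals(pool):
    """Only CONSTANT_String entries are real "..." literals used by code."""
    return [pool[struct.unpack(">H", p)[0]][1] for t, p in pool.values() if t == 8]

def suspicious_literals(pool):
    """Literals (6+ chars) from a class that also has a password/secret-like name."""
    named = any(SECRET_NAME.search(v) for t, v in pool.values() if t == 1)
    return [s for s in string_literals(pool) if len(s) >= 6] if named else []

def scan_jar(jar_bytes):
    """Map each .class member of the jar to the literals worth a manual review."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = {n: suspicious_literals(constant_pool(jar.read(n)))
                for n in jar.namelist() if n.endswith(".class")}
    return {n: h for n, h in hits.items() if h}

def demo_jar():
    """Constructed jar (not Blocky.jar): Utf8 #1-#5, then String #6/#7 -> #4/#5."""
    utf8s = ["com/example/Db", "password", "Ljava/lang/String;", "dbuser", "s3cret_pw"]
    ents = [b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in utf8s]
    ents += [b"\x08" + struct.pack(">H", i) for i in (4, 5)]
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(ents) + 1) + b"".join(ents)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Db.class", cls)
    return buf.getvalue()
```

Running scan_jar(demo_jar()) reports both literals of the constructed class for review; a class with no secret-like name produces no findings.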

This gave a shell on the system and the user flag.

Privilege Escalation

The box didn’t have any security in place. The privilege escalation was indeed a “Piece of Cake”. I checked which commands the user can run with sudo.

sudo -l

The user can run any command with sudo, which means the user is effectively root already. I just ran sudo cat /root/root.txt to read the root flag.

Final note

Unlike the other HTB machines, Blocky was very easy both in terms of getting the user flag and the root flag. Proper enumeration of all the hidden web directories was the key takeaway from this machine.

I hope this write-up was helpful. Share it if you found it useful. If you have any questions or suggestions, please leave your comments. Subscribe to the mailing list to get updates on my future CTF write-ups and blogs.

Happy Learning 🙂