Blocky: Retired 9 Dec 2017
If you are interested in learning more about penetration testing, Hack the Box is a great way to get your feet wet in a legal and well-built environment. Head over to hackthebox.eu to get started.
Blocky has been the easiest box for me so far: decent enumeration quickly gave me all the information I needed for both the low-privilege shell and root.
My initial nmap scan showed FTP, SSH, and HTTP/S open. Seeing the FTP banner report ProFTPD 1.3.5a initially sent me down a rabbit hole of trying to exploit that service, but to no avail.
Shifting focus to the web services, the initial view of the page showed that it was running a recent version of WordPress. Nikto also revealed that phpMyAdmin is running on this server. Looking at the single post on the site, I was able to enumerate the user notch. I tried some simple password brute forcing against the notch user. Initially this worked with a simple password from my wordlist, but apparently that was only because someone else had changed the password. After a revert I realized that this was not the intended method, as the password no longer worked, and I continued my enumeration.
Moving on to directory brute forcing, I used wfuzz to see what was available. I did not have success with my normal wfuzz megabest lists, but I did have luck with the dirb/big.txt list (all found under /usr/share/wordlists on Kali):
wfuzz -c --follow --hc 404 -z file,/usr/share/wordlists/dirb/big.txt http://10.10.10.37/FUZZ
Navigating to the plugins directory reveals two JAR files that seem to be related to the Minecraft server, one of them griefprevention. Since JAR files are essentially just ZIP files, I unzipped them and then used grep -RI pass to search for the word 'pass' across all of the extracted folders. Finding a binary file that contained the term, I used strings to dump the file and found what looks like a password.
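The grep-and-strings step above works because a compiled Java class keeps every string literal in its constant pool as a CONSTANT_Utf8 entry, which is exactly what strings prints out. The following script is an added example, not code from the original write-up: it opens a JAR with the zipfile module, walks the constant pool of every .class inside it, and flags literals that either contain a credential-like keyword or have the shape of an opaque secret (the keyword list and the secret-shape regex are my own assumptions, not anything from the box). The sample JAR it builds in build_sample_jar() is constructed for the demonstration, with a made-up field name and password.

```python
"""Extract string constants from every .class in a JAR and flag credential-looking ones.

Added example, not code from the original write-up. The constant pool walk only
returns real literals, so it is more precise than `strings`, which also reports
random runs of printable bytes.
"""
from __future__ import annotations

import io
import re
import struct
import sys
import zipfile

# Assumed heuristics: field/identifier names that usually sit next to a credential,
# and the shape of an opaque secret (8+ chars, letters and digits, no path/descriptor punctuation).
KEYWORDS = re.compile(r"pass|pwd|secret|token|key", re.IGNORECASE)
SECRET_SHAPE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9!@#$%^&*_\-+=]{8,}$")


def constant_pool_strings(class_bytes: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry from a class file's constant pool, in order."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]  # constant_pool_count (one more than entries)
    pos, i, out = 10, 1, []
    while i < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified-UTF-8 bytes
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", errors="replace"))
            pos += 2 + length
        elif tag in (3, 4):  # Integer, Float: u4
            pos += 4
        elif tag in (5, 6):  # Long, Double: u8, and they occupy two pool slots
            pos += 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package: u2 index
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):  # Field/Method/InterfaceMethod refs, NameAndType, Dynamic, InvokeDynamic
            pos += 4
        elif tag == 15:  # MethodHandle: u1 reference_kind, u2 reference_index
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return out


def extract_jar_strings(jar_bytes: bytes) -> dict[str, list[str]]:
    """Map each .class entry name in the JAR to its string literals."""
    result: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                result[name] = constant_pool_strings(jar.read(name))
    return result


def credential_candidates(jar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (class name, literal) pairs worth a human look."""
    return [(cls, s) for cls, strs in extract_jar_strings(jar_bytes).items()
            for s in strs if KEYWORDS.search(s) or SECRET_SHAPE.match(s)]


def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b


def build_sample_jar() -> bytes:
    """Constructed sample: one class whose constant pool holds a field name and a
    hard-coded password, plus a Long entry to exercise the two-slot rule."""
    pool = (_utf8("sqlPass") + _utf8("Ljava/lang/String;") + _utf8("ConstantValue")
            + _utf8("Hunter2Example99")                # constructed password value
            + b"\x08" + struct.pack(">H", 4)           # CONSTANT_String -> entry 4
            + b"\x05" + struct.pack(">Q", 1234567890)  # CONSTANT_Long, takes slots 6 and 7
            + _utf8("SourceFile"))
    class_bytes = (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
                   + struct.pack(">H", 9) + pool + b"\x00" * 8)  # trailer is irrelevant to the pool walk
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Config.class", class_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for cls, literal in credential_candidates(data):
        print(f"{cls}: {literal!r}")
```

Run it with a JAR path to scan a real plugin, or with no arguments to see it pick out both the sqlPass field name and the adjacent password value from the constructed sample; the secret-shape regex is deliberately loose, so treat its output as a shortlist to eyeball rather than a verdict.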
Trying this password on the WordPress login as notch was not successful, so I decided to try it against phpMyAdmin, and it worked! Poking around phpMyAdmin I did not find much. I found a hash for a notch user in phpMyAdmin, but I was not able to crack it quickly, so I moved on to trying the JAR file password over SSH as the notch user, and this also worked! I now had low-privilege access.
I immediately ran a Linux enumeration script (from Arr0way) to see how I might escalate my privileges. Looking through the output, I saw straight away that notch is a member of the sudo group; I now had root access. That was fast!
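The sudo-group finding is the kind of check every Linux enumeration script does first: resolve the user's primary group from /etc/passwd, collect supplementary groups from /etc/group, and compare against groups that hand out root outright or by a short detour. The script below is an added example, not the enumeration script the write-up used; the list of privileged groups and the explanations attached to them are my own, and the /etc/passwd and /etc/group contents it ships with are constructed samples (the notch user is borrowed from the box, the rest is made up).

```python
"""Report which privilege-bearing groups a user belongs to, from passwd/group text.

Added example, not the enumeration script from the write-up.
"""
from __future__ import annotations

# Assumed list: groups that give root directly, or a well-known one-step path to it.
PRIVILEGED_GROUPS = {
    "sudo": "sudo group on Debian/Ubuntu; check `sudo -l` for what is allowed",
    "wheel": "sudo/su group on RHEL-style systems",
    "admin": "legacy sudo group on older Ubuntu releases",
    "docker": "can run a container with the host root filesystem bind-mounted",
    "lxd": "can launch a privileged container with the host filesystem mounted",
    "disk": "raw read/write access to block devices, i.e. the whole disk",
    "shadow": "can read /etc/shadow password hashes",
}


def parse_passwd(text: str) -> dict[str, tuple[int, int]]:
    """Map username -> (uid, primary gid); malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text: str) -> dict[str, tuple[int, list[str]]]:
    """Map group name -> (gid, supplementary member list)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            members = [m for m in fields[3].split(",") if m]
            groups[fields[0]] = (int(fields[2]), members)
    return groups


def user_groups(user: str, passwd_text: str, group_text: str) -> list[str]:
    """All groups for `user`: the primary group (via gid) plus supplementary ones."""
    passwd = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    if user not in passwd:
        raise KeyError(f"no such user: {user}")
    primary_gid = passwd[user][1]
    names = {name for name, (gid, members) in groups.items()
             if gid == primary_gid or user in members}
    return sorted(names)


def privileged_memberships(user: str, passwd_text: str, group_text: str) -> dict[str, str]:
    """Subset of the user's groups that are in PRIVILEGED_GROUPS, with the reason each matters."""
    return {g: PRIVILEGED_GROUPS[g] for g in user_groups(user, passwd_text, group_text)
            if g in PRIVILEGED_GROUPS}


# Constructed sample files for the demonstration.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
notch:x:1000:1000:notch,,,:/home/notch:/bin/bash
"""

SAMPLE_GROUP = """root:x:0:
www-data:x:33:
sudo:x:27:notch
docker:x:999:
notch:x:1000:
"""


if __name__ == "__main__":
    import getpass
    try:  # on a real host, read the live files for the current user
        with open("/etc/passwd") as f, open("/etc/group") as g:
            passwd_text, group_text, user = f.read(), g.read(), getpass.getuser()
    except OSError:
        passwd_text, group_text, user = SAMPLE_PASSWD, SAMPLE_GROUP, "notch"
    print(f"{user} groups: {user_groups(user, passwd_text, group_text)}")
    for group, why in privileged_memberships(user, passwd_text, group_text).items():
        print(f"  [!] {group}: {why}")
```

The primary-group lookup matters: /etc/group does not list a user under their primary group, so a script that only greps the group file for the username misses, for instance, a user whose primary gid is 27 (sudo) on Debian.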
What I Learned
- Always try multiple wordlists from different sources, for directory brute forcing as well as password guessing. In this case, my usual lists would have left me looking for another way in.
- Revert the box before beginning. I noticed different behavior at different times while working on this box. The forums indicate that Blocky is quite popular and has a couple of different ways to gain access, so there is often some weirdness on this particular box.
- Don't over think simple problems.