Blocky writeup HTB

Blocky

An easy machine for beginners involving hidden clear-text credentials in plugin files, password reuse and WordPress

Discovery

The FTP server reveals nothing interesting, so let's move on to the web server.

Web server

Typing the IP address into the browser, we encounter a problem :

It looks like we can't reach it: the site refers to itself by the hostname blocky.htb, which our machine cannot resolve on its own. We'll have to map that hostname to the target IP address ourselves. We can do this by editing our /etc/hosts file (a local table of IP address to hostname mappings that is consulted before DNS) and adding an entry like so :

Reloading the page after our modification allows us to finally access the server :

Cool, a Minecraft-themed website (a Minecraft server is actually listening on one of the ports, and the website is presumably promoting it). There are a few ways to proceed here : checking the page source, identifying the technologies behind the site (it's running WordPress), or even brute-forcing virtual hosts with a tool like gobuster in vhost mode (which reveals nothing). I'll use gobuster to brute-force directories instead, and we get a few results :

/phpmyadmin and /wp-admin are separate login pages (wp-admin is the WordPress administration login, phpmyadmin is the login for phpMyAdmin, a web-based MySQL/MariaDB management tool). Looking at the other pages, we find something interesting in /plugins :
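To show what gobuster is doing under the hood, here is an added example (my own code, not the writeup's and not gobuster's): a small threaded directory brute-forcer run against a constructed stand-in for the target, served on a local port. The wordlist, the routes and their status codes are all made up for the demo; only /wp-admin, /plugins and /phpmyadmin correspond to paths mentioned above.

```python
import http.server
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed wordlist for the demo; a real run would use a list such as
# dirb's common.txt or a SecLists file.
WORDLIST = ["admin", "backup", "wp-admin", "plugins", "phpmyadmin",
            "uploads", "javascript", "wiki", "wp-login.php"]


class DemoSite(http.server.BaseHTTPRequestHandler):
    """Stand-in for the target web server: a few known paths, 404 elsewhere."""

    # Constructed routes; the status codes are made up for the demo.
    ROUTES = {"/wp-admin": 200, "/plugins": 301, "/phpmyadmin": 200,
              "/javascript": 403, "/wiki": 200}

    def do_GET(self):
        code = self.ROUTES.get(self.path.rstrip("/"), 404)
        self.send_response(code)
        if code == 301:  # directories redirect to their trailing-slash form
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301 on /plugins is itself the finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, word, opener):
    """Request one candidate path and return (path, status code)."""
    path = "/" + word
    try:
        with opener.open(base_url + path, timeout=5) as resp:
            return path, resp.getcode()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive as exceptions
        return path, err.code


def brute_force_dirs(base_url, words, threads=8, ignore=(404,)):
    """gobuster-style directory brute force: every word is requested once and
    paths whose status is not in `ignore` are reported with their status."""
    opener = urllib.request.build_opener(NoRedirect)
    found = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for path, code in pool.map(lambda w: probe(base_url, w, opener), words):
            if code not in ignore:
                found[path] = code
    return found


def run_demo():
    """Start the constructed site on a random local port, scan it, tear it down."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return brute_force_dirs(base, WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, code in sorted(run_demo().items()):
        print("%-15s (Status: %d)" % (path, code))
```

Redirects are deliberately not followed: a 301 on a bare directory name is the signal that the directory exists, and following it would hide that status behind whatever the index page returns. A 403 is also worth keeping, since it still confirms the path exists.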

Oh. These aren't WordPress plugins as I had hoped. These look like Minecraft plugins. I was going to search other pages until I realized I was able to download these to take a closer look at them. This is definitely weird, so I'll make sure to thoroughly search through these. Here are some of the contents from the jar files (a jar is just a zip archive, so we can extract it with the unzip command) :

After searching these for way too long, I find what looks like clear-text credentials in /com/myfirstplugin/BlockyCore.class :
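To show what that search actually amounts to, here is an added example (my own code, not from the writeup or from the plugin): a jar is a zip archive, and the literal strings a Java class uses are stored in its constant pool as CONSTANT_Utf8 entries pointed at by CONSTANT_String entries. The script builds a constructed jar containing a fake com/myfirstplugin/BlockyCore.class (the field names and values are made up, not the real credentials) and lists the string literals of every class inside it, which is the same information `strings` or `javap -v` would surface but without the noise of method names and descriptors.

```python
import io
import struct
import zipfile

# Payload size, in bytes, of every fixed-size constant-pool entry type (JVM spec
# section 4.4). CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
CP_FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                  12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
TWO_SLOT_TAGS = (5, 6)  # Long and Double occupy two constant-pool indexes


def class_string_literals(data):
    """Return the string literals of a .class file, in constant-pool order.

    Field names, method names and descriptors are CONSTANT_Utf8 entries too,
    so a plain `strings` run mixes them all together; only Utf8 entries that a
    CONSTANT_String entry points at are literals the code actually uses
    (for example the value assigned to a password field)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)  # after magic, minor, major
    pos, index = 10, 1
    utf8, string_refs = {}, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            utf8[index] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:
            string_refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += 2
        elif tag in CP_FIXED_SIZES:
            pos += CP_FIXED_SIZES[tag]
        else:
            raise ValueError("unknown constant-pool tag %d at offset %d" % (tag, pos - 1))
        index += 2 if tag in TWO_SLOT_TAGS else 1
    return [utf8[i] for i in string_refs if i in utf8]


def scan_jar(jar_bytes):
    """Walk every .class in a jar (a jar is just a zip) and collect its literals."""
    literals = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                literals[name] = class_string_literals(jar.read(name))
    return literals


def looks_like_secret(literal):
    """Cheap triage: connection strings, or 8+ chars mixing letters and digits."""
    return literal.startswith("jdbc:") or (
        len(literal) >= 8 and " " not in literal
        and any(c.isdigit() for c in literal) and any(c.isalpha() for c in literal))


# --- Constructed test data: a minimal class-file prefix, not a loadable class ---

def _utf8(text):
    return b"\x01" + struct.pack(">H", len(text)) + text.encode()


def build_fake_class(fields):
    """Emit magic, version and a constant pool holding each field's name (Utf8)
    and value (Utf8 plus a String entry pointing at it). The rest of the class
    file is omitted; only the constant pool matters here."""
    entries, next_index = [], 1

    def add(entry, slots=1):
        nonlocal next_index
        entries.append(entry)
        next_index += slots
        return next_index - slots  # index this entry was assigned

    add(b"\x05" + struct.pack(">q", 20170721), slots=2)     # a Long: exercises the two-slot rule
    cls = add(_utf8("com/myfirstplugin/BlockyCore"))       # class name: Utf8 but not a literal
    add(b"\x07" + struct.pack(">H", cls))                  # CONSTANT_Class -> that Utf8
    for name, value in fields.items():
        add(_utf8(name))
        add(b"\x08" + struct.pack(">H", add(_utf8(value))))  # CONSTANT_String -> value's Utf8
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, next_index)
    return header + b"".join(entries)


def build_demo_jar():
    """Constructed jar with fake plugin credentials (not the real ones)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("plugin.yml", "name: BlockyCore\nmain: com.myfirstplugin.BlockyCore\n")
        jar.writestr("com/myfirstplugin/BlockyCore.class", build_fake_class({
            "sqlHost": "localhost",
            "sqlUser": "dbadmin",
            "sqlPass": "D3moPluginPass",
        }))
    return buf.getvalue()


if __name__ == "__main__":
    for cls, lits in scan_jar(build_demo_jar()).items():
        for lit in lits:
            flag = "   <-- looks like a secret" if looks_like_secret(lit) else ""
            print("%s: %r%s" % (cls, lit, flag))
```

The same parser works on a real jar's bytes (read the file instead of calling build_demo_jar); the class name shows up as a Utf8 entry but not in the output, which is exactly the filtering that makes the literals list short enough to read.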

With the credentials found in BlockyCore.class, we can log into the phpMyAdmin login page :

phpMyAdmin

Like I briefly mentioned earlier, phpMyAdmin is a database management tool. We can now browse and extract data from every database listed on the left through a nice user-friendly interface. The WordPress database obviously looks very juicy, so let's check it out :

We have a user (notch) and his hashed password! This means we could try to crack the password with a tool like John the Ripper or hashcat. Passwords should never be stored in clear text, and not encrypted either (encryption is reversible): they are hashed with a one-way function, precisely to limit the damage in cases like this one. WordPress has long stored them in the phpass "portable" format, a salted and iterated MD5 whose hashes start with $P$, so the stored value cannot be reversed; it can only be guessed. A cracker takes each entry of a wordlist, hashes it with the same algorithm, salt and iteration count as the stored hash, and compares the two results (hashcat mode 400 does exactly this for phpass). A strong password that appears in no wordlist is therefore out of reach, while a weak one falls quickly. I don't know why I'm telling you this, because brute-forcing the hash is not the solution here.
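To make that explanation concrete, here is an added example (my own code, not part of the writeup) that reimplements the phpass portable hash WordPress uses and runs a small wordlist against a constructed hash. The salt, cost, password and wordlist are all made up for the demo; the algorithm itself is the one from phpass.

```python
import hashlib

# phpass alphabet: hash[3] encodes the cost (log2 of the iteration count) and
# hash[4:12] is the 8-character salt; the remaining 22 characters are the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, LSB first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password, setting):
    """Recompute a phpass portable hash ($P$ or $H$) for `password`, taking the
    cost and salt from `setting` (the first 12 characters of a stored hash).
    Algorithm: md5(salt + pw), then 2**cost rounds of md5(previous + pw)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    cost = ITOA64.index(setting[3])
    if not 7 <= cost <= 30:
        raise ValueError("cost out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt too short")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << cost):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def crack_phpass(stored, wordlist):
    """Dictionary attack: hash every candidate with the stored hash's own salt
    and cost and compare. Returns the matching word or None."""
    setting = stored[:12]
    for candidate in wordlist:
        if phpass_hash(candidate, setting) == stored:
            return candidate
    return None


# Constructed demo data: salt, cost, password and wordlist are all made up.
# "$P$B" is the prefix WordPress emits (cost 13, i.e. 8192 rounds).
DEMO_HASH = phpass_hash("creeper1337", "$P$B" + "k7Hq2sR9")
DEMO_WORDLIST = ["password", "123456", "minecraft", "notch", "creeper1337", "blocky"]

if __name__ == "__main__":
    print("stored hash :", DEMO_HASH)
    print("recovered   :", crack_phpass(DEMO_HASH, DEMO_WORDLIST))
```

The cost is what makes this slow: every candidate costs 8193 MD5 calls, and because the salt is per-hash, nothing computed for one user's hash helps with another's. That is also why a password that is not in the wordlist simply never turns up, no matter how long the cracker runs.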

After a while of trying to crack the hash, I decided to see if the password for the phpMyAdmin login page was reused anywhere. Since we know the notch user exists because of the database, we could try to log in to SSH as notch with that password :

Hours of my time wasted.......

Privilege escalation

There isn't much to say about this privilege escalation: checking notch's sudo rights (sudo -l) shows that he can run any command as any user, and sudo only asks for his own password, which we already have. We can just spawn a shell as root with sudo or literally do anything we want :