  1. Hack The Box last updated - 2019

Blocky

Blocky - 10.10.10.37

Target Enumeration:

OS: Linux

IP: 10.10.10.37

User: 59fee0977fb60b8a0bc6e41e751f3cd5

Root: 0a9694a5b4d272c694679f7860f1cd5f

Ports / Services / Software Versions Running

21/tcp open ftp ProFTPD 1.3.5a

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

8192/tcp closed sophos

Vulnerability Exploited:

A password stored in a .jar file was valid for both SSH and phpMyAdmin.

Privilege escalation:

The user was in the sudoers group.

Exploiting the host:

Nmap

Port 80 appears to be running WordPress.

WPScan reveals a username.

Start brute-forcing with WPScan.

This returned no results.

Dirb found the following pages:

/phpmyadmin

/plugins

Under /plugins we found the blocky.jar file.

We downloaded the file and decompiled it with an online tool, which gave us some credentials.

We found the password was valid for the phpMyAdmin login page.

root:8YsqfCTnvxAUeduzjNSXe22

We now had access to phpMyAdmin.

We created a new user and uploaded a shell to the 404.php page, but found we could not escalate privileges as the www-data user.

We then tested the password with the username notch via SSH and were given a shell.

We checked to see what we could do as the user notch and found they were part of the sudoers group.

Issuing sudo su gave us root access.

Last updated 6 years ago

http://www.javadecompilers.com