Hack The Box — Blocky — without Metasploit (TJNull’s list for OSCP)
This is my 16th write-up, this time for Blocky, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.
In a general penetration test or a CTF, there are usually three major phases involved:
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
In order to hack into a system, we first need to gather some information about it. For that we use Nmap to scan the target machine's ports and find out which services are running; those services are what we can target.
nmap 10.129.180.172 --max-retries=2
(Well, I didn’t run an all-port scan because it takes time, and I have solved the machine earlier, so I know there’s no point in running an all-port scan because I already know which ports are open.)
Let’s run a targeted scan on these open ports.
nmap -sC -sV -T4 -A -p21,22,80 10.129.180.172
We have the versions of OpenSSH and Apache.
Let’s try to navigate to the web server.
The web page redirects to blocky.htb and ends up giving an error. Let’s add this domain to our /etc/hosts file.
Now let’s refresh the page.
And we have a website running here. If we scroll down to the bottom we can see that it’s running on WordPress.
Let’s run gobuster against it to discover directories.
gobuster dir -u http://blocky.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,cgi,sh,db,jsp,html,log,txt -t 200 -k --no-error
Here we discovered a /plugins directory. Out-of-date plugins are a good attack vector on any WordPress site, so let’s see which plugins we have here.
Here we have two .jar files. Jar files can be decompiled easily, which might reveal some internal code.
Let’s download both of them first and open them in JD-GUI.
We can see the credentials for the SQL user root. We might be able to log in to phpMyAdmin with these credentials, since our gobuster scan listed that directory as well.
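As an added defensive check (not part of the original write-up), here is a small Python scanner that walks a jar the way a decompiler would and flags string constants that look like database credentials, so a build pipeline can catch this kind of leak before it ships. The jar, class name and values it scans are constructed samples, not Blocky’s files.

```python
import io
import re
import zipfile

# Printable-ASCII runs, the same heuristic the `strings` tool uses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Indicators of embedded database credentials. Keys are report labels;
# each pattern is tried against every string run of every jar entry.
INDICATORS = {
    "jdbc-url": re.compile(r"jdbc:\w+://\S+"),
    "credential-field": re.compile(r"(?i)^(sql|db|mysql)?(user|pass(word|wd)?)$"),
}

def strings_in(data: bytes):
    """Yield printable ASCII runs found in a blob (class file, manifest, ...)."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")

def scan_jar(jar_bytes: bytes):
    """Return findings as (entry_name, label, string) for every entry of a jar.

    A jar is a zip archive, so zipfile can walk it; compiled .class files
    keep string literals and field names as plain UTF-8 in their constant
    pool, which is exactly why JD-GUI (and this scan) can recover them.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            for s in strings_in(jar.read(name)):
                for label, pat in INDICATORS.items():
                    if pat.search(s):
                        findings.append((name, label, s))
    return findings

def build_sample_jar() -> bytes:
    """Constructed sample: a jar whose class embeds a DB URL and credential fields."""
    # Not a real class file; only the constant-pool string layout is mimicked.
    fake_class = (
        b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
        b"\x01\x00\x07sqlUser" b"\x01\x00\x07sqlPass"
        b"\x01\x00\x1bjdbc:mysql://localhost/test"
        b"\x01\x00\x04root"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Core.class", fake_class)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, label, value in scan_jar(build_sample_jar()):
        print(f"{entry}: {label} -> {value}")
```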
Initial foothold
Let’s navigate to http://blocky.htb/phpmyadmin
From here we can navigate to the WordPress database.
We have a table named wp_users. This is the default table where WordPress keeps its user records.
Here we can see a user named notch, so now we have a valid WordPress username.
Now there are two ways to solve this box.
- The first is to change the user’s hash in this table to a new one of your own choosing. You can generate a WordPress hash with any online service, such as https://www.useotools.com/wordpress-password-hash-generator. You can then log in to WordPress, upload a PHP reverse shell, get a reverse shell and then use a kernel exploit to get root.
- The second is to use the same password as the MySQL root user with the username ‘notch’, SSH into the machine, and then escalate privileges to root.
Let’s try the second method (SSH as notch) first.
Method 1 Initial Foothold
Using the username notch with the SQL root password that we got from the jar file, we can SSH into the machine as notch.
Method 1 Privilege Escalation
Let’s see which commands user notch can run with sudo.
And we can run all commands.
We can simply run
sudo su
to get a root shell.
And we got root!
Method 2 Initial Foothold
Let’s create a WordPress hash for the password ‘password’ using https://www.useotools.com/wordpress-password-hash-generator
We can copy the generated SQL query and paste it into the SQL tab in phpMyAdmin.
Replace the user_login value with our user “Notch” and execute the query.
The SQL executed successfully.
Let’s navigate to http://blocky.htb/wp-admin and log in with the username Notch and the password password.
(This box seems to be slow. It’s taking a while to log in.)
Let’s go to Appearance and then Editor.
Then open the 404 Template, modify it and turn it into a PHP shell.
Replace the IP and port and save the file by clicking Update.
Let’s start a listener on that port.
And now navigate to
http://blocky.htb/wp-content/themes/twentyseventeen/404.php
And we got a shell as www-data.
Let’s check the kernel version and Linux distribution.
uname -a
cat /etc/issue
So the kernel version is 4.4.0 and it’s Ubuntu 16.04.2.
Let’s search for exploits.
searchsploit linux 4.4.0
We have this DCCP Double Free Privilege Escalation exploit. Let’s compile it and transfer it to our target machine.
Transfer it to the /tmp folder on the target.
Let’s make it executable and run it.
chmod +x dccp
./dccp
And we will get root this way!
If you get an error saying ‘GLIBC_2.34’ not found, this is a compatibility problem between the glibc version the exploit was compiled against and the one installed on the target. To resolve this, see the following link and follow the instructions: