Blocky Hackthebox

Synopsis

Blocky is fairly simple overall, and was based on a real-world machine. It demonstrates the risks of bad password practices as well as exposing internal files on a public facing system. On top of this, it exposes a massive potential attack vector: Minecraft. Tens of thousands of servers exist that are publicly accessible, with the vast majority being set up and configured by young and inexperienced system administrators.

Enumeration

As usual, we use rustscan to speed up port scanning.

┌─[sg-dedivip-1]─[10.10.14.42]─[cyberdesu@htb-3n1k67l6rr]─[~]
└──╼ [★]$ rustscan -a 10.129.244.236
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/cyberdesu/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.129.244.236:22
Open 10.129.244.236:21
Open 10.129.244.236:80
Open 10.129.244.236:25565
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-08 04:16 CST
Initiating Ping Scan at 04:16
Scanning 10.129.244.236 [4 ports]
Completed Ping Scan at 04:16, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 04:16
Scanning blocky.htb (10.129.244.236) [4 ports]
Discovered open port 22/tcp on 10.129.244.236
Discovered open port 21/tcp on 10.129.244.236
Discovered open port 80/tcp on 10.129.244.236
Discovered open port 25565/tcp on 10.129.244.236
Completed SYN Stealth Scan at 04:16, 0.01s elapsed (4 total ports)
Nmap scan report for blocky.htb (10.129.244.236)
Host is up, received echo-reply ttl 63 (0.0025s latency).
Scanned at 2024-12-08 04:16:44 CST for 0s

PORT      STATE SERVICE   REASON
21/tcp    open  ftp       syn-ack ttl 63
22/tcp    open  ssh       syn-ack ttl 63
80/tcp    open  http      syn-ack ttl 63
25565/tcp open  minecraft syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
           Raw packets sent: 8 (328B) | Rcvd: 5 (204B)

The port scan shows four open ports: FTP, SSH, HTTP and Minecraft.

We try the FTP port with the credentials anonymous/anonymous.

[image 21]

It failed, which means we cannot get into FTP with anonymous credentials.

Next we look for information about the website running on port 80.

[image 22]

What we learn is that the site is built on the WordPress CMS, which we can explore further, for example by looking for outdated plugins or by fuzzing for hidden files.

┌─[sg-dedivip-1]─[10.10.14.42]─[cyberdesu@htb-3n1k67l6rr]─[~]
└──╼ [★]$ wpscan --api-token IYhQgyuuKQsXw4ZpVlkiNBtU0PqeEhxmMDf6VRm7YUc --url http://blocky.htb/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://blocky.htb/ [10.129.244.236]
[+] Started: Sun Dec  8 05:36:35 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blocky.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blocky.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blocky.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blocky.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blocky.htb/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
 |  - http://blocky.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
 |
 | [!] 87 vulnerabilities identified:
 |

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <======================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Sun Dec  8 05:36:41 2024
[+] Requests Done: 191
[+] Cached Requests: 5
[+] Data Sent: 45.372 KB
[+] Data Received: 22.097 MB
[+] Memory used: 247.059 MB
[+] Elapsed time: 00:00:06

So, in short: the scan reported 87 vulnerabilities, but the majority of them require authentication before they give even admin-panel access or RCE, and the rest are only client-side bugs such as XSS, open redirect, and so on.

The next step is directory fuzzing with feroxbuster, looking for hidden files or directories.

┌─[sg-dedivip-1]─[10.10.14.42]─[cyberdesu@htb-3n1k67l6rr]─[~]
└──╼ [★]$ feroxbuster --url http://blocky.htb
                                                                                                                                                     
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://blocky.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────

From this scan I found several directories that look suspicious:

  • http://blocky.htb/wp-content/uploads/
  • http://blocky.htb/plugins/
  • http://blocky.htb/phpmyadmin/

[image 23: http://blocky.htb/wp-content/uploads/]

The URL http://blocky.htb/wp-content/uploads/ only shows images and nothing that looks important, so we move on to the next URL.

[image 24: http://blocky.htb/plugins/files]

At http://blocky.htb/plugins/files there are two files that we can download and decompile with jadx to see what they contain.

Exploitation

[image 25]

When we open BlockyCore.jar, it contains a SQL credential: user root with password 8YsqfCTnvxAUeduzjNSXe22.
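The credential above was recoverable because a build artifact with a hard-coded secret was published under the web root, and the directory listing on /plugins made it easy to find. As an added example (not code from the original write-up or from the Blocky machine), here is a small Python secret scanner that a defender can run over jars before they are deployed: it treats the jar as a zip, pulls printable strings out of every member the way `strings` does, and flags anything that matches credential keywords or looks like a long high-entropy token. The sample jar, its member names, the placeholder password and the placeholder token are all constructed for this example.

```python
import io
import math
import re
import zipfile


def build_sample_jar() -> bytes:
    """Constructed sample jar for this example (not the real BlockyCore.jar).

    One member mimics a compiled class: real class files keep string literals
    in the constant pool as UTF-8 between binary tag/length bytes, so a
    strings-style scan still sees them.  A second member is a properties file
    carrying the same placeholder credential.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        fake_class = (
            b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x1a"      # magic, version, cp count
            b"\x01\x00\x20jdbc:mysql://localhost/wordpress"  # CONSTANT_Utf8 entries
            b"\x01\x00\x04root"
            b"\x01\x00\x17CONSTRUCTED_DB_PASSWORD"           # placeholder, not the real one
            b"\x01\x00\x14k7Qz9pLw2mXv4nRt8bHs"              # placeholder high-entropy token
            b"\x0a\x00\x05\x00\x11"
        )
        jar.writestr("com/example/Core.class", fake_class)
        jar.writestr(
            "config.properties",
            "db.user=root\ndb.password=CONSTRUCTED_DB_PASSWORD\nlog.level=INFO\n",
        )
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


# Printable ASCII runs of 8+ bytes, the same heuristic the strings(1) tool uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Words that usually sit next to a credential in code or config.
CREDENTIAL_HINT = re.compile(r"(?i)(jdbc:|passw(or)?d|secret|api[_-]?key|token)")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, words score low."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_jar_for_secrets(jar_bytes: bytes, min_token_len: int = 16,
                         entropy_threshold: float = 3.5):
    """Return (member, reason, string) for every suspicious string in the jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in jar.namelist():
            data = jar.read(member)
            for match in PRINTABLE_RUN.finditer(data):
                s = match.group().decode("ascii").strip()
                if CREDENTIAL_HINT.search(s):
                    findings.append((member, "keyword", s))
                elif (" " not in s and len(s) >= min_token_len
                      and shannon_entropy(s) >= entropy_threshold):
                    findings.append((member, "entropy", s))
    return findings


if __name__ == "__main__":
    for member, reason, value in scan_jar_for_secrets(build_sample_jar()):
        print(f"{member}: {reason}: {value}")
```

To use it on a real artifact, pass the file's bytes to `scan_jar_for_secrets` and fail the build or the deploy step on any finding. The keyword list catches the obvious cases (a JDBC URL next to a password constant, as in this box); the entropy check catches API keys and generated passwords that carry no telltale name. The real fix is the same either way: database credentials belong in a config file or environment variable outside the artifact, and the artifact itself should never sit in a listable directory on a public web server.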

Next, I logged in to phpMyAdmin with that credential and found a user registered in WordPress: notch.

[image 26]

We could simply change notch's WordPress password to get into the admin panel, but I want to try a password reuse / password spraying attack instead, to get into the admin panel and the SSH service.

[image 27]

Using the password 8YsqfCTnvxAUeduzjNSXe22 with username notch on the WordPress login page failed.

Next we try this credential against the FTP service first, as user root and as user notch, both with the same password 8YsqfCTnvxAUeduzjNSXe22.

[image 28]

As the previous image shows, that credential does not work on this service either, so the last service left to try is SSH.

[image 29]

Logging in over SSH with that credential succeeds. From here we can conclude that there are two ways to a terminal: logging in over SSH, or first changing the admin password through phpMyAdmin and then planting a reverse shell from the WordPress admin panel.
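On the defender's side, the sequence just described (one password tried against several accounts, first on FTP and then on SSH) is visible in the authentication logs. The following Python script is an added example, not part of the original write-up: it parses sshd lines in syslog format, groups them by source address, and raises an alert when one address fails against several distinct usernames inside a short window, recording whether a later login from that address succeeded. The log lines, hostname, PIDs and client ports are constructed for the example; the source address is the attacker address shown in the scans above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format for this example; hostname, PIDs
# and client ports are made up and are not from the Blocky machine.
SAMPLE_AUTH_LOG = """\
Dec  8 05:40:01 blocky sshd[1201]: Failed password for root from 10.10.14.42 port 51230 ssh2
Dec  8 05:40:03 blocky sshd[1203]: Failed password for invalid user admin from 10.10.14.42 port 51232 ssh2
Dec  8 05:40:05 blocky sshd[1205]: Failed password for notch from 10.10.14.42 port 51234 ssh2
Dec  8 05:40:09 blocky sshd[1207]: Accepted password for notch from 10.10.14.42 port 51236 ssh2
Dec  8 05:41:00 blocky sshd[1209]: Accepted publickey for deploy from 10.10.14.7 port 40000 ssh2
Dec  8 05:42:00 blocky sshd[1211]: Failed password for deploy from 10.10.14.7 port 40002 ssh2
Dec  8 05:42:30 blocky sshd[1213]: pam_unix(sshd:session): session opened for user notch by (uid=0)
"""

# Accepted/Failed lines; "invalid user" is emitted for accounts that do not exist.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line: str, year: int = 2024):
    """Return a dict for Accepted/Failed sshd lines, None for anything else.
    syslog timestamps carry no year, so the caller supplies one."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_spray(log_text: str, window_seconds: int = 300, min_users: int = 2):
    """Alert on source IPs that fail against min_users or more distinct
    accounts within window_seconds, and note any later successful login."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        for start in failures:
            in_window = [e for e in failures
                         if 0 <= (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            users = {e["user"] for e in in_window}
            if len(users) < min_users:
                continue
            # A success from the same source after the spray began is the
            # "password reuse worked" signal worth paging on.
            later_success = next((e for e in events
                                  if e["result"] == "Accepted" and e["ts"] >= start["ts"]), None)
            alerts[ip] = {
                "first_failure": start["ts"].isoformat(),
                "users_tried": sorted(users),
                "success_as": later_success["user"] if later_success else None,
            }
            break
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_spray(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

The distinguishing feature of a spray, as opposed to a brute force, is few attempts per account across many accounts, so the rule keys on distinct usernames per source rather than on failure count; a single user with one failed attempt (the deploy account here) produces no alert. A SOC would feed this the same signal from the FTP daemon's log and from the WordPress login endpoint, because the write-up shows the same password being walked across all three services.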

Privilege Escalation

As usual, we run sudo -l to see whether user notch has sudo access or any commands allowed as root.

[image 30]

“If the output shows (ALL : ALL) ALL, it means user notch can use sudo to run any command as any user or group, including root.”

So we just run sudo su to become root and read the root flag.

[image 31]
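To find entries like the one behind that sudo -l output before an attacker does, sudoers can be audited mechanically. The script below is an added example (not from the original write-up or the machine) that parses user-specification lines from a sudoers file and flags the patterns that matter most: a command list of ALL, the NOPASSWD tag, and wildcards in command arguments. The sample sudoers content is constructed; the notch line reproduces the pattern described above, and the deploy line shows a least-privilege rule for contrast. Only the simple single-line rule form is handled; aliases, @include directives and line continuations are out of scope.

```python
import re

# Constructed sudoers content for this example (not the machine's real file).
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
notch   ALL=(ALL:ALL) ALL
deploy  ALL=(root) /usr/bin/systemctl restart minecraft
backup  ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/apt-get *
"""

# who  hosts=(runas) [TAG:]... commands   (simple single-line form only)
RULE_RE = re.compile(
    r"^(?P<who>%?[\w.+-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}


def split_tags(cmds: str):
    """Peel leading TAG: markers off a command list."""
    tags = []
    rest = cmds.strip()
    while True:
        m = re.match(r"^([A-Z_]+):\s*", rest)
        if not m or m.group(1) not in TAGS:
            return tags, rest
        tags.append(m.group(1))
        rest = rest[m.end():]


def audit_sudoers(text: str, expected_full_access=("root",)):
    """Return [(who, [issue, ...])] for every rule that grants more than a
    fixed command as a fixed target user.  Accounts in expected_full_access
    (root by default) are allowed full sudo and are not reported."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m["who"] in expected_full_access:
            continue
        tags, cmdlist = split_tags(m["cmds"])
        issues = []
        if cmdlist == "ALL":
            issues.append("unrestricted")   # any command, like (ALL : ALL) ALL
        if "NOPASSWD" in tags:
            issues.append("nopasswd")       # no password prompt at all
        if "*" in cmdlist:
            issues.append("wildcard")       # argument wildcards are usually escapable
        if issues:
            findings.append((m["who"], issues))
    return findings


if __name__ == "__main__":
    for who, issues in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {', '.join(issues)}")
```

Run against the sample, the script reports notch, backup, %admin and www-data and stays silent on deploy, whose rule names one fixed command as one fixed target user. That deploy rule is the shape an administrator should have given a game-server account on this box: the lesson of the privilege escalation step is not the sudo su command itself but that a service user's sudo grant was never narrowed below ALL.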

By suredsi ulpada

Anime lover who enjoys studying networking, offensive security and system administration.
