Blocky Write up
Welcome to my Blocky Write-up
Recon
Nmap
$ sudo nmap -sSVC -A -oA nmap/blocky 10.10.10.37
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Nmap scan report for blocky.htb (10.10.10.37)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d62b99b4d5e753ce2bfcb5d79d79fba2 (RSA)
| 256 5d7f389570c9beac67a01e86e7978403 (ECDSA)
|_ 256 09d5c204951a90ef87562597df837067 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: BlockyCraft – Under Construction!
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: WordPress 4.8
8192/tcp closed sophos
$ nmap -p- -Pn -A -T4 10.10.10.37
1
2
3
4
5
6
7
8
9
10
11
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d62b99b4d5e753ce2bfcb5d79d79fba2 (RSA)
| 256 5d7f389570c9beac67a01e86e7978403 (ECDSA)
|_ 256 09d5c204951a90ef87562597df837067 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: BlockyCraft – Under Construction!
|_http-generator: WordPress 4.8
8192/tcp closed sophos
$ nmap -sV --script http-wordpress-enum --script-args limit=25 10.10.10.37
1
2
3
4
5
6
7
8
9
10
11
12
13
14
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-wordpress-enum:
| Search limited to top 100 themes/plugins
| plugins
| akismet 3.3.2
| themes
| twentyfifteen 1.8
| twentysixteen 1.3
_ twentyseventeen 1.3
8192/tcp closed sophos
Directory Bruteforce
$ ffuf -w /usr/share/wordlists/dirb/big.txt -u http://blocky.htb/FUZZ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev ________________________________________________
:: Method : GET
:: URL : http://blocky.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500 ________________________________________________
[Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 128ms]
* FUZZ: .htaccess
[Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 3268ms]
* FUZZ: .htpasswd
[Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 118ms]
* FUZZ: javascript
[Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 125ms]
* FUZZ: phpmyadmin
[Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 483ms]
* FUZZ: plugins
[Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 1446ms]
* FUZZ: server-status
[Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 464ms]
* FUZZ: wiki
[Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 164ms]
* FUZZ: wp-admin
[Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 165ms]
* FUZZ: wp-content
[Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 130ms]
* FUZZ: wp-includes
Wpscan
We know that the webapp is running wordpress , let’s run wpscan to enumerate it.
$ wpscan --url http://blocky.htb -e ap,t,tt,u | tee scans/wpscan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://blocky.htb/ [10.10.10.37]
[+] Started: Wed May 3 08:22:19 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://blocky.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://blocky.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://blocky.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://blocky.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Rss Generator (Passive Detection)
| - http://blocky.htb/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
| - http://blocky.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://blocky.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://blocky.htb/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blocky.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
Checking Known Locations -: |================================================================================================================|
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen
| Location: http://blocky.htb/wp-content/themes/twentyfifteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://blocky.htb/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.4
| Style URL: http://blocky.htb/wp-content/themes/twentyfifteen/style.css
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://blocky.htb/wp-content/themes/twentyfifteen/, status: 500
|
| Version: 1.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blocky.htb/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.8'
[+] twentyseventeen
| Location: http://blocky.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://blocky.htb/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://blocky.htb/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://blocky.htb/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blocky.htb/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.3'
[+] twentysixteen
| Location: http://blocky.htb/wp-content/themes/twentysixteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://blocky.htb/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://blocky.htb/wp-content/themes/twentysixteen/style.css
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://blocky.htb/wp-content/themes/twentysixteen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blocky.htb/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.3'
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations -: |================================================================================================================|
[i] No Timthumbs Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs -: |================================================================================================================|
[i] User(s) Identified:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://blocky.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed May 3 08:24:51 2023
[+] Requests Done: 3013
[+] Cached Requests: 45
[+] Data Sent: 819.361 KB
[+] Data Received: 747.856 KB
[+] Memory used: 278.543 MB
[+] Elapsed time: 00:02:32
We found 2 usernames : notch,Notch
FTP
I found an exploit for ProFTPD 1.3.5a on exploit db.
https://www.exploit-db.com/exploits/49908
I tried running it but it failed.
Nothing here
PORT 80
Let’s visit the website.
http://blocky.htb/
.png)
http://blocky.htb/wp-content
.png)
Nothing interesting here just a blank page.
http://blocky.htb/wiki
.png)
http://blocky.htb/javascript
.png)
http://blocky.htb/wp-content/uploads
.png)
This is interesting, let’s keep it in mind we might need to use it later.
http://blocky.htb/wp-content/phpmyadmin
.png)
http://blocky.htb/wp-admin
.png)
This is a wordpress’s login page.
Initial Foothold
http://blocky.htb/wp-admin/plugins
.png)
Let’s downloaded the files and run jadx-gui.
.png)
$ jadx-gui
.png)
Openfile>BlockyCore.jar
I opened both files and kept searching for valuable information.
.png)
public class BlockyCore { public String sqlHost = “localhost”; public String sqlUser = “root”; public String sqlPass = “8YsqfCTnvxAUeduzjNSXe22”; </span>
These credentials might come handy.
I tried ssh into root using 8YsqfCTnvxAUeduzjNSXe22 but it didn’t work.
I tried logging in : http://blocky.htb/wp-admins using the creds but failed.
Then, I tried logging into http://blocky.htb/phpmyadmin and it worked.
phpmyadmin (rabbithole)
http://blocky.htb/wp-content/phpmyadmin
.png)
Creds:
root:8YsqfCTnvxAUeduzjNSXe22
.png)
.png)
Creds found
Notch:$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/
I tried cracking the password using john and hashcat but failed. It seems like a rabbit hole. Let’s look for another attack vector.
SSH
We know that there is a user named notch ,so let’s try to connect as notch with the password we found earlier using ssh.
$ ssh notch@10.10.10.37
Password : 8YsqfCTnvxAUeduzjNSXe22
.png)
Privilege Escalation
notch@Blocky:~$ sudo -l
.png)
notch@Blocky:~$ sudo su
.png)
This post is licensed under CC BY 4.0 by the author.