HackTheBox - Blocky

Morten Hansen • January 30, 2022

Blocky

IP 10.10.10.37

NMAP

```bash
#nmap
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
```

```bash
#gobuster
/wp-includes          (Status: 301) [Size: 316] [--> http://10.10.10.37/wp-includes/]
/wp-content           (Status: 301) [Size: 315] [--> http://10.10.10.37/wp-content/]
/plugins              (Status: 301) [Size: 312] [--> http://10.10.10.37/plugins/]
/wp-admin             (Status: 301) [Size: 313] [--> http://10.10.10.37/wp-admin/]
/javascript           (Status: 301) [Size: 315] [--> http://10.10.10.37/javascript/]
/wiki                 (Status: 301) [Size: 309] [--> http://10.10.10.37/wiki/]
/phpmyadmin           (Status: 301) [Size: 315] [--> http://10.10.10.37/phpmyadmin/]
```

We run gobuster and find a folder called /plugins containing two .jar files. Extracting them with 7z e on each .jar file, we find the password 8YsqfCTnvxAUeduzjNSXe22.

This password works in phpMyAdmin with the user admin. Inside, we find the WordPress user database and the username notch. We try ssh notch@10.10.10.37 with the password 8YsqfCTnvxAUeduzjNSXe22 and get a shell.

Once inside, we run sudo -l and see that we are a sudo user. We run sudo /bin/bash and get a root shell.