Blocky

Personal Rating: Easy

The only thing that made me take rather long for this box was that I used the wrong wordlists at first or did not have the best intiution I suppose, so I did not find the relevant webdir at first.

Port Enumeration

sudo nmap -sV -p- <IP>

PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http      Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://blocky.htb
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)

ftp anonymous login is not working.

I got the domain blocky.htb, so I put in in my hosts file.

Port 80 shows a Wordpress page about a Minecraft Server.

OpenSSH 7.2p2 Username Enumeration:

URL: https://www.exploit-db.com/exploits/40136

Path: /usr/share/exploit-db/exploits/linux/remote/40136.py

Apache RCE?

ProFTPD RCE?

If these also apply to 1.3.5a, this might give me RCE as well

Wordpress Enumeration

There were two rss files that indicate Wrdpress 4.8 being used

WPScan:

• user found: notch

• wp version: 4.8

• wp-content/uploads listable

• xml-rpc enabled

• external wp-cron enabled

• theme: twentyseventeen 1.3

WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts | multiple/webapps/47690.md

This found something interesting:

feroxbuster -u http://blocky.htb/ -r -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

Exposed Credentials in jar file

I downloaded the jar file. Using decompiler.com, I could find this:

The given password worked for ssh and ftp with the user notch that we found using wpscan earlier.

Privilege Escalation

The privilege escalation was very easy and self-explanatory: