BLOCKY

Burak Dirlik
Jun 26, 2024

Blocky is an easy-rated, retired HTB machine. The target IP is 10.129.228.61.

First, we add the IP and hostname of this machine to the /etc/hosts file.

Let's start with an nmap scan, which finds 4 ports.


21/tcp open ftp
22/tcp open ssh
80/tcp open http
8192/tcp closed sophos

The site appears to be running WordPress because there is a /wp-includes directory. Opening blocky.htb in the browser shows nothing we can use, so let's look at the source code.

Again, we see that there are directory names related to WordPress.

The /wp-login.php directory exists; I tried common credentials but couldn't log in.

Directory fuzzing

dirsearch -u http://blocky.htb -t 40 -x 400,403,404,500,520 --random-agent --full-url -w /usr/share/wordlists/directory-list-2.3-medium.txt

The /plugins endpoint contains some jar files, which contain credentials.

When we opened the BlockyCore.jar file with a decompiler, we obtained a username and password. We noted these.

public class BlockyCore {
    // Database credentials hardcoded in the plugin, recovered by decompiling the jar
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
}

The /phpmyadmin directory was also found by fuzzing.

We can log in there with the credentials we obtained in the previous step:

"root"
"8YsqfCTnvxAUeduzjNSXe22"

We also obtain a username and password from the wp_users table in the database; let's note these as well.

To gain remote access to the server, the options include SSH or injecting commands through input fields. Let's try SSH first: we try the credentials we have, but we cannot gain access. When we combine the username from one set with the password from the other, we see that we can log in via SSH. The credentials, IP and hostname information that we have obtained so far:

http://blocky.htb  10.129.228.61
root 8YsqfCTnvxAUeduzjNSXe22
notch notch@blockcraftfake.com $P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/

As we can see, we could not log in with the usernames and passwords that belong to each other, but after trying various combinations we could log in with the following information.

ssh notch@10.129.228.61

Password: 8YsqfCTnvxAUeduzjNSXe22

Running the sudo -l command shows that we can escalate privileges with sudo su, and we get the root flag.