DEV Community

Chris

Writeup: HackTheBox Blocky - Without Metasploit (OSCP Prep)

Hello All!

Did another walk-through and this time it's Blocky from HackTheBox.

So let's kick this off.

Command:

nmap -sC -sV -T4 -oN nmap.txt 10.10.10.37

  1. -sC = Run the default scripts
  2. -sV = Probe open ports to determine service/version info
  3. -T4 = Set the timing template for a faster scan (0-5)
  4. -oN = Save the output to a file

Current Ports Open:

  1. 21 FTP ProFTPD 1.3.5a
  2. 22 SSH OpenSSH 7.2p2
  3. 80 HTTP Apache httpd 2.4.18
  4. 8192 Closed

Now let's try to run Dirb on the system.

Command:

dirb http://10.10.10.37

After a few moments we should get a response from the busting.

There is a lot of information here, so let's take it one step at a time. The first directory found brings up a landing page with a comment section at the bottom. Granted, there is no option for uploading files in this section, but HTML that you submit is rendered on the page.

Command:

test

So this isn't the most interesting thing but if you scroll down you will see a Login button.

I am going to try some quick common passwords on the site:
admin:admin; admin:password; admin:password1234; root:toor; root:root

None of these seems to work so I went over to Google to see if there are any default creds I could use.

But scrolling down the Dirb list, /phpmyadmin/ brings up a new potential avenue for access.

I attempted some common username:password combinations like above but no juice. Going back down the list from Dirb, I came across 2 different files under the /plugins/ location.

Let's go ahead and download these files to our Kali machine.

Command:

mv BlockyCore.jar /home/huey/Documents/HTB/Blocky
mv griefprevention-1.11.2-3.1.1.298.jar /home/huey/Documents/HTB/Blocky

Then head to Google and search for Java decompilers.

Command:

Select Browse then upload your file

Command:

Select Com

Command:

Select myfirstplugin

Now we can read the file. We can see that there is a root user and then a sqlPass of 8YsqfCTnvxAUeduzjNSXe22. Copy that into a new file on your Kali machine for future use.
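
The finding above is a password stored as a string literal in a plugin JAR that the web server hands out. As an added example (not part of the original writeup, and not the decompiler used here), this Python script is the pre-deployment check for that: it reads each class's constant pool and lists the string literals of every class that names a credential-like member. The function names, the regex and the sample JAR are assumptions constructed for illustration.

```python
import io, re, struct, zipfile

SUSPECT = re.compile(r"pass|pwd|secret|token|apikey", re.I)
# Constant-pool tag -> payload size in bytes (Utf8, tag 1, is variable length).
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_constants(cls):
    """Return (Utf8 entries by pool index, indexes used by CONSTANT_String)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", cls, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    utf8, literals, pos, i = {}, [], 10, 1
    while i < count:
        tag, pos = cls[pos], pos + 1
        if tag == 1:
            n = struct.unpack_from(">H", cls, pos)[0]
            utf8[i] = cls[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in SIZES:
            if tag == 8:  # CONSTANT_String: a literal written in the source
                literals.append(struct.unpack_from(">H", cls, pos)[0])
            pos += SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        i += 2 if tag in (5, 6) else 1  # long and double take two pool slots
    return utf8, literals

def audit_jar(jar):
    """Map class name -> string literals, for classes naming a credential."""
    findings = {}
    with zipfile.ZipFile(jar) as z:
        for name in (n for n in z.namelist() if n.endswith(".class")):
            utf8, literals = string_constants(z.read(name))
            if any(SUSPECT.search(s) for s in utf8.values()):
                findings[name] = [utf8[i] for i in literals]
    return findings

def make_jar(member, literals, name="com/example/Demo.class"):
    """Constructed input: one class holding only a header and constant pool."""
    raw = [s.encode() for s in (member, *literals)]
    pool = [b"\x01" + struct.pack(">H", len(r)) + r for r in raw]
    pool += [b"\x08" + struct.pack(">H", i) for i in range(2, len(raw) + 1)]
    head = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, head + b"".join(pool))
    return buf

if __name__ == "__main__":
    print(audit_jar(make_jar("sqlPass", ["root", "PLACEHOLDER"])))
```

`audit_jar` also accepts a path to a real JAR; any class it reports needs a manual look, and a real secret found this way should be rotated and moved out of the code.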

Another way to do this is the following:

I am going to see if I can use these creds to login.

Success! After some more digging around I see another user named Notch and another User_Pass.

So I messed around here for quite a bit before getting in. But I decided to see if I could use those creds above to login via the SSH server.

Command:

ssh notch@10.10.10.37
8YsqfCTnvxAUeduzjNSXe22

Success! I was able to login and get access!

Now let's run the following to see what we can do.

Command:

sudo -l
welp this is pretty easy
sudo su
