Hack The Box —— Blocky

Information gathering

nmap

nmap -T4 -A -v 10.10.10.37

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-06 10:37 CST

PORT STATE SERVICE VERSION

21/tcp open ftp ProFTPD 1.3.5a

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 d6:2b:99:b4:d5:e73:5:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)

| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)

|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

|_http-generator: WordPress 4.8

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: BlockyCraft &#8211; Under Construction!

8192/tcp closed sophos

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Ports 21, 22, and 80 are open.

Searching for vulnerabilities in ProFTPD 1.3.5a turns up an unauthorized file copy vulnerability, but testing it with msf shows that it cannot be exploited here.

Port 80 serves a simple WordPress site, which is scanned with the wpscan tool:

wpscan --enumerate t --enumerate p --enumerate u --url=http://10.10.10.37/

The scan returns the following information:

Username: notch

Theme: twentyseventeen

Plugin: akismet - v3.3.2

No related vulnerabilities were found.

Directory brute-forcing

Using the dirbuster tool, you get the following results:

[Screenshot: dirbuster results]

A plugins directory was found. Since the normal WordPress plugin directory is stored under wp-content/plugins, this directory was accessed, and it gives two jar packages:

[Screenshot: the two jar packages in the plugins directory]

Download the jar package locally, decompile it, and get the password for the database user:

[Screenshot: decompiled jar]

Trying to log in to phpMyAdmin with this password succeeds:

[Screenshot: phpMyAdmin login]

Exploitation

Building on this access, try to use SQL statements to read files. First check which directory is readable:

SHOW GLOBAL VARIABLES LIKE '%secure_file_priv';

[Screenshot: secure_file_priv query result]

But the directory is restricted, so turn to other ideas.

Thinking that the password might be reused, I used the notch account and the MySQL password to log in over SSH.

The login succeeded.

[Screenshot: SSH login]

Check user.txt to get the first flag.

I tried to escalate privileges, but after trying many methods, I suddenly thought of using the same password again to switch to the root user, and found that I successfully switched to root.

Check root.txt to get the second flag.

[Screenshot: root.txt]
