The Blocky machine on HackTheBox has retired, which means write-ups are now allowed. It was a Linux VM that can be considered a beginner-level box. Getting the user flag was “Easy” and, unlike the other HTB machines, privilege escalation was just a “Piece of cake”.

Note: In order to keep all my CTF write-ups crisp and concise, I only mention the steps which led to positive results. There was a lot of trial and error, and hours or in some cases even days of failed attempts, before reaching the correct solution. For this challenge, the IP address of my machine was 10.10.14.50 and Blocky was 10.10.10.37.

Reconnaissance

I started with nmap to check for all open ports (-p-), the versions of the running services (-sV), and run the default set of scripts (-sC).

Finding port 80 open with WordPress running on it, I started wpscan in the background to test for vulnerable plugins and enumerate users. In the meantime I manually navigated the web application.

The wpscan result was not very exciting, but it identified the WordPress user “notch”, which later turned out to be useful.

Running dirb against the web application revealed some hidden directories.

Exploitation

I navigated to all the directories. The plugins directory turned out to be interesting: there were two jar files, one of which was “Blocky.jar”. I downloaded it and used an online Java decompiler to check its source code. Below is a screenshot of the decompiled result.

There was a hardcoded password in the jar file. Since the SSH port was open, I tried to log in as the user notch (found earlier using wpscan) with the password obtained from the jar, and it worked!!! 😀
This gave me a shell on the system and the user flag.

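The root cause on this box is a credential compiled into a shipped artifact. The check a defender (or a CI pipeline) would want is to scan the JAR itself rather than eyeball a decompiler: every `.class` file carries its string literals in the constant pool, and a literal that is long, whitespace-free and high-entropy next to a member named like a password is exactly what leaked here. The following is an added example written for this write-up, not the author's code and not anything from Blocky.jar; it parses the constant pool as laid out in the JVM specification (section 4.4), and the sample JAR, the class name `com/example/Config`, the field name `sqlPass` and the literal it holds are all constructed in memory. The entropy and length thresholds are assumptions to tune, not published values.

```python
"""Flag hardcoded-credential candidates inside a JAR by reading the constant
pool of every .class file.  Added example, not the write-up author's code;
the sample JAR built below is constructed, not real data."""
import io
import math
import re
import struct
import zipfile

# Byte size of the fixed payload for each constant-pool tag (JVM spec 4.4).
# Utf8 (tag 1), String (8) and NameAndType (12) are handled explicitly.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
_SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)


def parse_constant_pool(data):
    """Return (literals, member_names): the string literals the code actually
    uses (CONSTANT_String -> Utf8) and (name, descriptor) pairs from
    NameAndType entries, which is where field and method names live."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    utf8, string_refs, name_and_type = {}, [], []
    pos, idx = 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            utf8[idx] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:
            string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag == 12:
            name_and_type.append(struct.unpack(">HH", data[pos:pos + 4]))
            pos += 4
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    literals = [utf8[i] for i in string_refs if i in utf8]
    members = [(utf8.get(n, ""), utf8.get(d, "")) for n, d in name_and_type]
    return literals, members


def shannon_entropy(s):
    """Bits per character; random-looking secrets score well above prose."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_jar(jar_bytes, min_len=8, min_entropy=3.0):
    """Return findings as (class_path, kind, value) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            literals, members = parse_constant_pool(jar.read(name))
            for lit in literals:
                if (len(lit) >= min_len and " " not in lit
                        and shannon_entropy(lit) >= min_entropy):
                    findings.append((name, "high-entropy-literal", lit))
            for member, desc in members:
                # A String-typed member whose name says "password" is worth a look
                if _SECRET_NAME.search(member) and desc == "Ljava/lang/String;":
                    findings.append((name, "credential-named-member", member))
    return findings


def build_sample_jar():
    """Construct a one-class JAR whose constant pool mimics a class that
    stores a database password in a field (constructed sample)."""
    def utf8(s):
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b
    pool = (utf8("sqlPass")                                  # 1
            + utf8("Ljava/lang/String;")                     # 2
            + b"\x0c" + struct.pack(">HH", 1, 2)             # 3 NameAndType
            + utf8("CONSTRUCTED-s3cr3t-Pa55w0rd!")           # 4
            + b"\x08" + struct.pack(">H", 4)                 # 5 String -> 4
            + utf8("Hello")                                  # 6
            + b"\x08" + struct.pack(">H", 6)                 # 7 String -> 6
            + b"\x05" + struct.pack(">Q", 0)                 # 8-9 Long
            + utf8("java/lang/Object")                       # 10
            + b"\x07" + struct.pack(">H", 10))               # 11 Class -> 10
    class_file = (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
                  + struct.pack(">H", 12) + pool
                  # access_flags, this_class, super_class, then empty tables
                  + struct.pack(">HHHHHHH", 0x21, 11, 0, 0, 0, 0, 0))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Config.class", class_file)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_jar(build_sample_jar()):
        print(*finding)
```

Reading CONSTANT_String entries rather than every Utf8 entry matters: class, field and descriptor names such as `Ljava/lang/String;` are also Utf8 and would otherwise drown the output in false positives. To run this against a real artifact, pass `open("some.jar", "rb").read()` to `scan_jar`; a hit of both kinds in the same class is the pattern this box exposed.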
Privilege Escalation

The box didn’t have any security in place; privilege escalation was indeed a “Piece of Cake”. I checked which commands the user can run with sudo.

The user can run any command with sudo, which effectively means the user is already root. I just ran sudo cat /root/root.txt to read the root flag.
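The condition found here, an ordinary user allowed to run `ALL` via sudo, is something an administrator can catch by auditing the sudoers file before anyone logs in with a leaked password. The following is an added example, not the author's code and not Blocky's real `/etc/sudoers`: it parses plain user-specification lines, flags rules whose command list is `ALL` and rules tagged `NOPASSWD`, and deliberately skips `Defaults`, alias definitions and include directives rather than resolving them (an assumed simplification, since the sample has none). The sudoers text is constructed; only the user name notch is taken from the write-up.

```python
"""Audit sudoers rules for unrestricted or passwordless entries.  Added
example for this write-up, not the author's code; SAMPLE_SUDOERS is a
constructed file, not the box's real configuration."""
import re

# user  host = (runas) [TAG:] command[, command...]
_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
                   r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
_TAG = re.compile(r"^([A-Z]+):\s*")
_SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

SAMPLE_SUDOERS = """\
# constructed sample, not Blocky's real /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
notch   ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart app
"""


def audit_sudoers(text):
    """Return (line_no, who, issue, command) for every rule worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        # #include/#includedir are directives, not comments; aliases are skipped
        if stripped.startswith(("#include", "@include")):
            continue
        line = stripped.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            findings.append((line_no, "?", "unparsed", line))
            continue
        who = m.group("who")
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            tags = set()
            tag = _TAG.match(spec)
            while tag:                      # peel NOPASSWD:, SETENV:, ...
                tags.add(tag.group(1))
                spec = spec[tag.end():]
                tag = _TAG.match(spec)
            if spec == "ALL":               # any command as the run-as user
                findings.append((line_no, who, "unrestricted", spec))
            if "NOPASSWD" in tags:          # no authentication step at all
                findings.append((line_no, who, "passwordless", spec))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(*finding)
```

On a real host run it over `/etc/sudoers` and each file under `/etc/sudoers.d/` (reading them requires root, which is the point). The `unrestricted` finding for `root` and for the `%sudo` group is expected on most distributions; the one for a service or application account such as notch is the misconfiguration this box demonstrates.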

Final note

Unlike the other HTB machines, Blocky was very easy both in terms of getting the user flag and the root flag. Proper enumeration of all the hidden web directories was the key takeaway from this machine.

I hope this write-up was helpful. Share this if you found it useful. If you have any questions or suggestions, please leave your comments. Subscribe to the mailing list to get updates on my future CTF write-ups and blogs.

Happy Learning 🙂

Author: Piyush Saurabh

Author is a cyber security enthusiast, application and network penetration tester. His area of interest includes reverse engineering, application, network and hardware security.