Hack The Box — Blocky Writeup without Metasploit

Nimantha Deshappriya
Jul 27, 2020 · 4 min read


Blocky is another easy machine that rewards thorough enumeration. It runs WordPress, and WPScan reveals the key username. Further enumeration of the web server turns up a couple of files that contain a password, which, paired with the username from WPScan, works for SSH and gives a low-privilege shell. Running sudo -l on the box then shows an unrestricted sudo grant, so escalating to root is trivial.

Enumeration

Started with an Nmap scan.

Browsing the web page itself didn't reveal anything useful.

Directory scan using dirsearch.

The highlighted entries are the important directories. As soon as I realized that this machine was running WordPress, I decided to use WPScan to enumerate usernames and, if possible, passwords. WPScan also reports known WordPress vulnerabilities, if any exist.

WPScan reveals a WordPress account named Notch. This can be confirmed by entering the username on the WordPress login page with any password.

WordPress confirms that the account exists but that the password is wrong. This is the default WordPress behaviour, not a bug in this install: the error for an unknown username differs from the error for a wrong password, which gives an attacker a username-enumeration oracle.

I now had a username but no password. Enumerating further, I came across the plugins directory, which contained two files.

Both files were .jar files. A jar is just a ZIP archive, so it can be extracted with the unzip command.

The BlockyCore class file inside the jar reveals a hardcoded password. From this point onwards, I had two different paths.
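The following is an added example, not code from the original writeup. It shows why a jar is not a safe place for a secret: the archive is plain ZIP, and a compiled .class keeps its string constants in the constant pool as CONSTANT_Utf8 entries, with CONSTANT_String entries pointing at the ones that are real string literals (as opposed to field and method names). The script walks that structure for every class in a jar and reports only the literals, which is more precise than running strings over the file. The jar it inspects is constructed in memory; the class name and the literal values are placeholders, not the ones found on Blocky.

```python
"""Added example: list the string literals of every .class inside a .jar
by parsing the class-file constant pool. Sample jar is constructed inline."""
import io
import struct
import zipfile

# Constant-pool tag -> payload size in bytes for fixed-size entries.
# Tag 1 (Utf8) is variable length; tags 5 and 6 (Long/Double) take two slots.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_string_literals(data: bytes) -> list[str]:
    """Return the string literals (CONSTANT_String -> CONSTANT_Utf8) of a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])   # constant_pool_count follows minor/major version
    pos, index = 10, 1
    utf8 = {}          # pool index -> decoded text
    string_refs = []   # pool indices referenced by CONSTANT_String entries
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:   # CONSTANT_Utf8: u2 length + (modified) UTF-8 bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[index] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 8:   # CONSTANT_String: u2 index of the Utf8 entry holding the literal
                string_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED_SIZE[tag]
        index += 2 if tag in (5, 6) else 1
    return [utf8[i] for i in string_refs if i in utf8]


def jar_string_literals(jar_bytes: bytes) -> dict[str, list[str]]:
    """Map each .class member of a jar (a ZIP archive) to its string literals."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                result[name] = class_string_literals(jar.read(name))
    return result


def _utf8(text: str) -> bytes:
    raw = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(raw)) + raw


def build_sample_jar() -> bytes:
    """Construct a minimal jar with one class. Placeholder names and values only."""
    pool = [
        _utf8("com/example/ExampleCore"),   # 1
        b"\x07" + struct.pack(">H", 1),     # 2: CONSTANT_Class -> #1
        _utf8("sqlUser"),                   # 3: field name, not a literal
        _utf8("db_admin"),                  # 4
        b"\x08" + struct.pack(">H", 4),     # 5: CONSTANT_String -> #4
        _utf8("sqlPass"),                   # 6: field name, not a literal
        _utf8("example-password"),          # 7
        b"\x08" + struct.pack(">H", 7),     # 8: CONSTANT_String -> #7
        b"\x05" + b"\x00" * 8,              # 9-10: CONSTANT_Long occupies two slots
    ]
    class_file = (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
                  + struct.pack(">H", 11) + b"".join(pool))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/ExampleCore.class", class_file)
    return buf.getvalue()


if __name__ == "__main__":
    for member, literals in jar_string_literals(build_sample_jar()).items():
        print(member, literals)
```

Against a real jar, replace build_sample_jar() with the file's bytes; the field names (sqlUser, sqlPass) are skipped and only the literal values come out, which is exactly the distinction that matters when hunting for embedded credentials.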

  1. Use the recovered credentials to log in to the phpMyAdmin console; its directory had been disclosed by the dirsearch scan.
  2. Use the recovered password with the username retrieved via WPScan.

Initial foothold

I went ahead with the second option, which luckily worked out: the password hardcoded in the jar had been reused for the SSH account.

Privilege Escalation

Ran sudo -l.

The notch user is allowed to run any command as root via sudo, which is all that is needed for a root shell (sudo -i).

Lessons learned

The WordPress login page tells an attacker whether a username exists, because the default error for an unknown username differs from the one for a wrong password, and WPScan's user enumeration exposes the same usernames. Updating WordPress alone does not change this default; the site should return a generic login error (the login_errors filter exists for this), block author enumeration, and not treat usernames as secret.

Build artifacts such as the plugin jars should never have been placed under the web root, and credentials should never have been hardcoded in them: a jar is a ZIP file and a compiled class decompiles trivially, so hiding the directory or encrypting the archive would only slow an attacker down. Secrets belong in configuration outside the document root, readable only by the service that needs them, and the database password should not have been reused for a system account.

Low-privilege users should not have been granted unrestricted sudo. The admin should have followed the principle of least privilege and limited sudo to the specific commands each account actually needs.
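As an added example (not from the original writeup), here is the check an administrator could run to catch the kind of grant that made this escalation trivial: it parses sudoers-style user specifications and flags any principal that may run ALL commands or that has a NOPASSWD grant. The sudoers text below is constructed for illustration; the account names are placeholders and it is not the box's real /etc/sudoers.

```python
"""Added example: flag over-privileged user specifications in sudoers-style text.
The sample file is constructed; it is not the real /etc/sudoers from the box."""
import re

# user  host = (runas_user[:runas_group])  [TAG:]... command, command, ...
SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(
    r"^(?P<tag>(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT)):\s*")
SKIP_PREFIXES = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include")


def audit_sudoers(text: str) -> list[tuple[str, str]]:
    """Return (principal, reason) pairs for specs that violate least privilege:
    an unrestricted command list (ALL) or a NOPASSWD tag on any command."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        principal, runas = m.group("user"), m.group("runas") or "root"
        nopasswd, commands = False, []
        for item in m.group("cmds").split(","):
            item = item.strip()
            while (t := TAG.match(item)):          # strip a run of tags such as "NOPASSWD: NOEXEC:"
                nopasswd = nopasswd or t.group("tag") == "NOPASSWD"
                item = item[t.end():]
            commands.append(item)
        if "ALL" in commands:
            findings.append((principal, f"may run any command as {runas}"))
        if nopasswd:
            findings.append((principal, "has a NOPASSWD grant"))
    return findings


# Constructed sample: one expected root entry, two unrestricted grants, one NOPASSWD
# grant and one properly scoped entry.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
webops  ALL=(root) /bin/systemctl restart nginx, /bin/systemctl status nginx
"""

if __name__ == "__main__":
    for principal, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{principal}: {reason}")
```

Run it over the real file with sudo cat /etc/sudoers /etc/sudoers.d/*; the webops entry is the shape to aim for, and anything reported alongside root needs a justification.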

16 boxes are down!
