Did another walk-through and this time its Blocky from HackTheBox.
So let's kick this off.
nmap -sC -sV -T4 -oN nmap.txt 10.10.10.37
- -sC = Default Scripts
- -sV = Probe open ports to determine service/Versions info
- -T4 = Set timing for faster output (0-5)
- -oN = Output to save it to a file
- 21 FTP ProFTP 1.3.5a
- 22 SSH OpenSSH 7.2p2
- 80 HTTP Appache HttpD 2.4.18
- 8192 Closed
Now let's try to run Dirb on the system.
After a few moments we should get a response from the busting.
There is a lot of information here so let's take 1 step at a time. Going to the first Directory found brings up a Landing Page that if you scroll down to the bottom has a Comment section. Granted there is no option for uploading files to this section but you can run html code that will display.
So this isn't the most interesting thing but if you scroll down you will see a Login button.
I am going to try some quick common passwords on the site:
admin:admin; admin:password; admin:password1234; root:toor; root:root
None of these seems to work so I went over to Google to see if there are any default creds I could use.
But scrolling down the Dirb list the /phpmyadmin/ brings up a new potential avenue for access.
I attempted some common username:password combinations like above but no juice. Going back down the list from Dirb, I came across 2 different files under the /plugins/ location.
Let's go ahead and download these files to our Kali machine.
mv BlockyCore.jar /home/huey/Documents/HTB/Blocky
mv griefprevention-1.11.2-126.96.36.1998.jar /home/huey/Documents/HTB/Blocky
Then head to google and search for Java Decompilers.
Select Browse then upload your file
Now we can read the file. We can see that there is a Root user than a sqlPass of 8YsqfCTnvxAUeduzjNSXe22. Copy that into a new file on your Kali machine for future use.
Another way to do this is the following:
I am going to see if I can use these creds to login.
Success! After some more digging around I see another user named Notch and another User_Pass.
So I messed around here for quite a bit before getting in. But I decided to see if I could use those creds above to login via the SSH server.
Success! I was able to login and get access!
Now let's run the following to see what we can do.
welp this is pretty easy