Chris 'Huey' S

Writeup: HackTheBox Blocky - Without Metasploit (OSCP Prep)

Hello All!

Did another walk-through, and this time it's Blocky from HackTheBox.

So let's kick this off.

Command:

nmap -sC -sV -T4 -oN nmap.txt 10.10.10.37

  1. -sC = Run the default scripts
  2. -sV = Probe open ports to determine service/version info
  3. -T4 = Set the timing template for faster output (0-5)
  4. -oN = Save the output to a file

Current Ports Open:

  1. 21 FTP ProFTPD 1.3.5a
  2. 22 SSH OpenSSH 7.2p2
  3. 80 HTTP Apache httpd 2.4.18
  4. 8192 Closed

Now let's try to run Dirb on the system.

Command:

dirb http://10.10.10.37

After a few moments, we should get the results back from the directory busting.

There is a lot of information here, so let's take it one step at a time. The first directory found brings up a landing page that has a comment section at the bottom. Granted, there is no option for uploading files in this section, but HTML entered in a comment is rendered on the page.

Command:

test

So this isn't the most interesting thing but if you scroll down you will see a Login button.

I am going to try some quick common passwords on the site:
admin:admin; admin:password; admin:password1234; root:toor; root:root

None of these seems to work so I went over to Google to see if there are any default creds I could use.

But scrolling down the Dirb list, /phpmyadmin/ brings up a new potential avenue for access.

I attempted some common username:password combinations like above but no juice. Going back down the list from Dirb, I came across 2 different files under the /plugins/ location.

Let's go ahead and download these files to our Kali machine.

Command:

mv BlockyCore.jar /home/huey/Documents/HTB/Blocky
mv griefprevention-1.11.2-3.1.1.298.jar /home/huey/Documents/HTB/Blocky

Then head to Google and search for Java decompilers.

Command:

Select Browse then upload your file

Command:

Select Com

Command:

Select myfirstplugin

Now we can read the file. We can see that there is a root user and then a sqlPass of 8YsqfCTnvxAUeduzjNSXe22. Copy that into a new file on your Kali machine for future use.

Another way to do this is the following:

I am going to see if I can use these creds to log in.

Success! After some more digging around I see another user named Notch and another User_Pass.

So I messed around here for quite a bit before getting in. But I decided to see if I could use those creds above to log in via the SSH server.

Command:

ssh notch@10.10.10.37
8YsqfCTnvxAUeduzjNSXe22

Success! I was able to log in and get access!

Now let's run the following to see what we can do.

Command:

sudo -l
# welp this is pretty easy
sudo su
