Posted on

HTB : Blocky

https://app.hackthebox.com/machines/Blocky

Review

  • Directory enumeration leads to a folder that contains valid credentials
  • phpadmin page lists users available
  • Password is reusable

Enumeration

Run nmap scan to find for open ports.

Unable to login via FTP anonymously.

Run a gobuster scan

There is a phpadmin page.

Wpscan shows no results.

The plugins directory have 2 files inside.

Use a java decompiler like jdi-gui to open up the file.

Found some mysql credentials.

The 2nd file has a whole bunch of functions, let’s put this aside for now.

Let’s login with the credentials via the phpmyadmin page.

Access gained.

In the wordpress section page there is a credential found.

Foothold

SSH login via the user notch and the password found in the jar file.

First flag is found

Privilege escalation

Check sudo -l

We are able to sudo everything.

Change to root user and get the final flag.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s