# WriteUp Blocky | HackTheBox
###### tags: `writeup` `hackthebox` `easy` `blocky`
:::warning
:warning: This writeup contains spoilers about the resolution of a retired machine.
:::
## :globe_with_meridians: Scanning
### ICMP Scanning

After the ICMP request, we can deduce from the TTL value of the reply that the box is a Linux machine.

| OS | TTL |
| ----------------- |:----------------------- |
| Linux | 64 |
| Mac | 64 |
| Windows | 128 |
:::info
:pushpin: If you are interested in default TTL (Time To Live) packets, you can find more info [here](https://subinsb.com/default-device-ttl-values/).
:::
### Port Scanning
```bash
# -oN writes the normal-format output to portscan.txt
nmap -T5 -Pn -n -sC -sV -oN portscan.txt 10.10.10.37
```

There are three open ports:
* Port 21: Default port for the File Transfer Protocol. This protocol is insecure because the data is not encrypted. The service is **ProFTPD**, version **1.3.5a**. One insecure FTP feature is the possibility of an anonymous session, which doesn't need a password.
* Port 22: Default port for Secure Shell. The protocol is secure and the data is encrypted. The service is **OpenSSH**, version **7.2p2**.
* Port 80: Default HTTP port. The services are **Apache** and, thanks to the **-sC** and **-sV** options, **WordPress**. The versions are **2.4.18** and **4.8**, respectively.
## :mag: Enumeration
### Trying FTP Anonymous session
First, we can try to connect to the FTP service without a password. This is worth trying because FTP may allow anonymous sessions.

However, on this machine, this way is closed.
### Wordpress enumeration
Thanks to the nmap scan, we know that the HTTP server is running WordPress. With the tool named [WPScan](https://github.com/wpscanteam/wpscan), we can enumerate the site.

The full output shows different default paths and information, but nothing important for now, because we have to be logged in.
### Fuzzing HTTP service
It is also recommended to start a fuzzing enumeration of the web target. We have a lot of options, but I selected the [dirb](https://tools.kali.org/web-applications/dirb) tool and the [common.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt) dictionary.

As we can see, we have 7 interesting results. After manually accessing each one, we find two interesting files in the /plugins path.
### Fuzzing /plugins path
The path /plugins contains two files. We can run another directory fuzzing pass for this path only.

The results are /assets and /files. Nothing interesting.
### Trying a session without password in /phpmyadmin
Another interesting path is /phpmyadmin. We can try to log in as root without a password, as we did with FTP.

Unfortunately, this option is not allowed.
## :lock: Exploitation
### Decompiling the Java files stored in /plugins
If we are familiar with how programming languages work in general, and Java in particular, we know that a compiled class has to be opened with a special program, a decompiler, in order to read it. Kali Linux has a lot of tools for this purpose.
However, we can use an online tool too. For this box, I used [this](http://www.javadecompilers.com).
The process is very easy. First, we extract the .jar file. Then, we only need to upload the .class file to the site.

This code is very interesting.
```java
public BlockyCore() {
    this.sqlHost = "localhost";
    this.sqlUser = "root";
    this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
}
```
### Access with credentials to /phpmyadmin
With this username and password, we can log in to the phpMyAdmin service and view the web databases.

This table is very interesting. We now have one new user, **notch**.
### Getting Notch Shell
With this new user and password, we can try to get an SSH session. Fortunately, it works.
Now, we have the user flag.

### Getting Root Shell
The privilege escalation on this box is very easy. The user notch is a member of the sudo group, so with the `-i` option of sudo we get a root session.

And we can read the root flag :-).

## :mortar_board: Conclusion
I like this machine. It has shown me the importance of never having passwords in plain text in scripts, configuration files or similar. Thanks for reading.