さんぽしの散歩記

【Hack the Box write-up】Blocky

March 15, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は easy です。

nmap

kali@kali:~$ nmap -sC -sV -p-  10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-14 19:26 EDT
Nmap scan report for 10.10.10.37
Host is up (0.17s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 380.33 seconds

dirbuster を 80 番ポートに

スクリーンショット 2020-03-15 13.46.54.png

スクリーンショット 2020-03-15 13.45.26.png

結構色々出てきました。

見つけたページを散策

/wikiを開いてみると以下のようなページが出てきました。 スクリーンショット 2020-03-15 13.47.54.png plugin がどうたら言っているので /plugins をみてみます。

スクリーンショット 2020-03-15 13.48.02.png このようなページが出てきました。

2 つとも落とします。

kali@kali:~$ wget http://10.10.10.37/plugins/files/BlockyCore.jar
--2020-03-15 00:51:13--  http://10.10.10.37/plugins/files/BlockyCore.jar
Connecting to 10.10.10.37:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 883 [application/java-archive]
Saving to: ‘BlockyCore.jar’

BlockyCore.jar                              100%[==========================================================================================>]     883  --.-KB/s    in 0s

2020-03-15 00:51:14 (59.7 MB/s) - ‘BlockyCore.jar’ saved [883/883]

kali@kali:~$ wget http://10.10.10.37/plugins/files/griefprevention-1.11.2-3.1.1.298.jar
--2020-03-15 00:51:35--  http://10.10.10.37/plugins/files/griefprevention-1.11.2-3.1.1.298.jar
Connecting to 10.10.10.37:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 532928 (520K) [application/java-archive]
Saving to: ‘griefprevention-1.11.2-3.1.1.298.jar’

griefprevention-1.11.2-3.1.1.298.jar        100%[==========================================================================================>] 520.44K   130KB/s    in 4.2s

2020-03-15 00:51:40 (124 KB/s) - ‘griefprevention-1.11.2-3.1.1.298.jar’ saved [532928/532928]

BlockyCore.jar を調べる

今回の machine 名的にこちらが怪しいので BlockyCore.jar を調べます unzip を使って展開してみます

kali@kali:~$ unzip BlockyCore.jar
Archive:  BlockyCore.jar
  inflating: META-INF/MANIFEST.MF
  inflating: com/myfirstplugin/BlockyCore.class

BlockyCore.classなるものが出てきました (META-INF/MANIFEST.MF は中身に情報はほぼない)

jd-gui を使ってデコンパイル

BlockyCore.classの内容を読みたいので以下の記事を参考にデコンパイルしてみます https://ozuma.hatenablog.jp/entry/20130817/1376748772

スクリーンショット 2020-03-15 13.59.23.png

重要そうな情報が出てきました。

package com.myfirstplugin;

public class BlockyCore {
  public String sqlHost = "localhost";
  public String sqlUser = "root";
  public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";



  public void onServerStart() {}



  public void onServerStop() {}



  public void onPlayerJoin() { sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!"); }

  public void sendMessage(String username, String message) {}
}

ssh のパスワードに使い回されてるかチェックしましたがダメでした。

kali@kali:~$ ssh [email protected]
The authenticity of host '10.10.10.37 (10.10.10.37)' can't be established.
ECDSA key fingerprint is SHA256:lg0igJ5ScjVO6jNwCH/OmEjdeO2+fx+MQhV/ne2i900.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.37' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.

ファイルの探索に戻ります。

/wp-login.phpにアクセスしてみると以下のページが出てきます。 (wp って wordpress の略だったのね…(無知))

スクリーンショット 2020-03-15 14.15.26.png

wpscan を使う

$ wpscan --url 10.10.10.37 --enumerate
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /var/lib/gems/2.5.0/specifications/i18n-0.9.5.gemspec:17.
NOTE: Gem::Specification#rubyforge_project= is deprecated with no replacement. It will be removed on or after 2019-12-01.
Gem::Specification#rubyforge_project= called from /usr/share/rubygems-integration/all/specifications/i18n-0.7.0.gemspec:20.
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.37/
[+] Started: Sun Mar 15 01:14:37 2020

Interesting Finding(s):

[+] http://10.10.10.37/
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://10.10.10.37/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.37/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.10.37/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.10.10.37/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.37/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
 |  - http://10.10.10.37/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-02-25T00:00:00.000Z
 | Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:13 <===============================================================================================> (325 / 325) 100.00% Time: 00:00:13
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:01:41 <=============================================================================================> (2575 / 2575) 100.00% Time: 00:01:41

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:01 <======================================================================================================> (36 / 36) 100.00% Time: 00:00:01

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:04 <===========================================================================================> (100 / 100) 100.00% Time: 00:00:04

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <=================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Notch
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sun Mar 15 01:16:56 2020
[+] Requests Done: 3112
[+] Cached Requests: 10
[+] Data Sent: 768.346 KB
[+] Data Received: 987.401 KB
[+] Memory used: 235.758 MB
[+] Elapsed time: 00:02:18

notchという User が見つかりました。

notch で ssh してみる

notch で ssh 接続しようとしてみます。

kali@kali:~$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$

お。ログインできました これで user.txt を取れます

とりま sudo -l

とりあえず sudo -l してみます

notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

ん?? もしかして。。

notch@Blocky:~$ cd /
notch@Blocky:/$ ls
bin  boot  dev  etc  home  initrd.img  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  snap  srv  sys  tmp  usr  var  vmlinuz
notch@Blocky:/$ cd root
-bash: cd: root: Permission denied
notch@Blocky:/$ sudo ls root
root.txt
notch@Blocky:/$ sudo cat root/root.txt

root.txt までそのまま取れてしまいました。

終わりに

easy の中でも難易度の低そうなものだったので、僕でも解けるくらいには簡単でした。 精進します。

このエントリーをはてなブックマークに追加