Scanning
sudo nmap -sC -sV -v -oN nmap -T4 10.10.10.37
Open services: http, ftp, ssh
HTTP
Browsing to the host, we are given a domain (blocky.htb):
After adding it to /etc/hosts, the site loads:
Before doing any more on this port, let's check for low-hanging fruit on FTP.
FTP
ftp anonymous@10.10.10.37
No anonymous access; back to the web server.
HTTP
Can we find some directories?
dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -e php,txt,html -f -u http://blocky.htb/
Looks like WordPress is running!
WPScan
wpscan --url http://blocky.htb --disable-tls-checks --enumerate p --plugins-detection aggressive
Plugins found: Akismet (version 3.3.2)
XML-RPC is enabled.
WordPress version: 4.8
Checking these against searchsploit didn't turn up anything useful, so back to manual enumeration.
Looking through more of the discovered directories, we find /plugins.
This should have stood out, since /plugins is not the default WordPress plugin location.
Let's download these .jar files.
wget http://blocky.htb/plugins/files/griefprevention-1.11.2-3.1.1.298.jar
wget http://blocky.htb/plugins/files/BlockyCore.jar
Time for secrets hunting 😎
After grepping the jars for some common credential strings, I found nothing. Maybe we need to unpack the jar files?
jar -xf BlockyCore.jar
jar -xf griefprevention-1.11.2-3.1.1.298.jar
Cred hunting again?
Let's check out BlockyCore first.
Can we go a step further and decompile this .class file?
Googling for Java decompilers, I found this:
It recommends jd-gui to decompile and view the source.
sudo apt install jd-gui
We found some creds!
root:8YsqfCTnvxAUeduzjNSXe22
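As an added example (not part of this writeup), here is a scanner that automates the secrets hunt above for compiled jars: it parses each .class file's constant pool, separates real string literals (the Utf8 entries a CONSTANT_String points at) from identifiers and descriptors, and reports classes that both name a credential-like member and hold a secret-looking literal. The sample jar it builds is constructed for the demo; the field names sqlPass/sqlUser are assumed, only the password value comes from the page.

```python
import io, re, struct, zipfile
# Payload bytes after the tag for fixed-size constant-pool entries; Utf8 (tag 1) is variable-length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.I)

def parse_constant_pool(data: bytes) -> dict:
    """Map pool index -> (tag, value): text for Utf8, referenced index for String, raw bytes otherwise."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a Java class file"
    count, pos, idx, pool = struct.unpack(">H", data[8:10])[0], 10, 1, {}
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[idx], pos = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace")), pos + 2 + n
        elif tag == 8:                                 # CONSTANT_String: u2 index of its Utf8 text
            pool[idx], pos = (tag, struct.unpack(">H", data[pos:pos + 2])[0]), pos + 2
        else:
            pool[idx], pos = (tag, data[pos:pos + CP_SIZES[tag]]), pos + CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1               # Long/Double occupy two slots
    return pool

def find_hardcoded_secrets(jar_bytes: bytes) -> dict:
    """Classes naming a credential-like member AND holding a secret-looking literal (heuristic; review by hand)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for member in (m for m in jar.namelist() if m.endswith(".class")):
            pool = parse_constant_pool(jar.read(member))
            literal_idx = {v for t, v in pool.values() if t == 8}
            # Utf8 entries not referenced by a String entry are identifiers/descriptors, not literals
            hits = sorted(v for i, (t, v) in pool.items()
                          if t == 1 and i not in literal_idx and SECRET_NAME.search(v))
            suspicious = sorted(s for s in (pool[i][1] for i in literal_idx)
                                if len(s) >= 8 and re.fullmatch(r"\S+", s)
                                and re.search(r"[A-Za-z]", s) and re.search(r"\d", s))
            if hits and suspicious:
                report[member] = {"identifiers": hits, "literals": suspicious}
    return report

def build_sample_jar() -> bytes:
    """Constructed input: a minimal class file (constant pool only, 10 slots) zipped as a jar."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    entries = [utf8("sqlPass"), utf8("8YsqfCTnvxAUeduzjNSXe22"), b"\x08\x00\x02",  # 1, 2, 3 -> 2
               utf8("sqlUser"), utf8("root"), b"\x08\x00\x05",                   # 4, 5, 6 -> 5
               b"\x03" + struct.pack(">I", 3306), b"\x05" + struct.pack(">Q", 1),  # 7 Integer, 8-9 Long
               utf8("Ljava/lang/String;")]                                       # 10 descriptor
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 11) + b"".join(entries)
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as jar:
        jar.writestr("BlockyCore.class", cls)
    return buf.getvalue()
```

To run it against a downloaded plugin, pass the file contents: find_hardcoded_secrets(open("BlockyCore.jar", "rb").read()).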
Let's try them on some endpoints first:
SSH
wp-login - no luck
phpmyadmin
Worked!
Time for more credential hunting: the WordPress database has a user with a password hash:
notch:$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/
Let's just replace the hash with our own. First, can hashcat identify the hash type?
echo '$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/' > hash
hashcat hash
Let's generate a hash of this type.