Hello friends!! Today we are going to solve another CTF challenge, “Blocky”, which is available online for those who want to improve their penetration testing and black box testing skills. Blocky is a retired vulnerable lab presented by Hack the Box for practicing penetration testing online according to your experience level; they have a collection of vulnerable labs as challenges ranging from beginner to expert level. We are going to start a new series on Hack the Box, beginning with Blocky craft, which is designed for beginners.
Since these labs are available online, they have static IPs, and the IP of Blocky is 10.10.10.37, so let’s begin with nmap port enumeration.
nmap -sV 10.10.10.37
From the image given below, you can observe that ports 21, 22 and 80 are open on the victim’s network.
Knowing that port 80 is open on the victim’s network, I chose to explore its IP in the browser but didn’t get any remarkable clue on its welcome page for the next step.
Next we use the dirb tool in Kali to enumerate the directories and find some important ones such as /phpmyadmin, /wp-admin, /plugin/files, etc., which you can confirm from the image below.
dirb http://10.10.10.37/
After browsing through many directories, I found plugin/files a bit interesting and opened the following URL in the browser.
http://10.10.10.37/plugin/files
From the image given below you can observe that it shows two jar files. Let’s download the blockycore.jar file and then move on to decompiling it.
Using an online decompiler, I decompiled the blockycore.jar file and found something very interesting in it. It contains the login credentials sqluser and sqlpass, as highlighted in the image below.
Then I explored http://10.10.10.37/phpmyadmin and logged into the phpmyadmin server using the above credentials, root: 8YsqfCTnvxAUeduzjNSXe22
Then I opened the wordpress database to steal a username from it and found a user login, Notch, with user ID 1.
Now I try to get a pts shell on the victim’s system through SSH, since port 22 is open as per the nmap result and I had also found a username. I therefore opened a new terminal in Kali and executed the following command to connect to the target through the ssh service.
ssh notch@10.10.10.37
For the password I tried the password found in the jar file above and got a successful login to the victim’s shell.
id
From the id result I came to know that Notch is the first user of the system.
Executing the sudo -l command tells us that user Notch has full privileges on this machine.
Then I moved on to root access using the same password as before, and again I got root access successfully.
sudo su
Then inside its home directory I found the user.txt file and used the cat command to read it.
ls
cat user.txt
Great!! We found the 1st flag of this lab in user.txt.
Then I moved into the root directory, where I found root.txt, and again used the cat command to read it.
cd /root
ls
cat root.txt
Great!!! We completed this challenge by capturing the 2nd flag in the root.txt file.