Blocky HTB Walkthrough

Below is the nmap output of the IP: 10.10.10.37

Let’s visit the webpage on port 80 as the name itself is blocky.

The website mentions something about the plugin and the wiki, and gives a hint not to check in other places.

Now we can run gobuster to check whether any directories match plugins and servers.

I checked server-status and it's forbidden.

After that I checked plugins; two jar files are present in the folder.

Downloaded the first one and unzipped it. It looks like Java assembled class files, so I disassembled them and found there is a password for the root user, as below:

Used the creds in the phpMyAdmin page:

After logging in to phpMyAdmin, opened WordPress wp_users to see which users are present in the system.

It shows there is a notch user present in the system. We have observed that ssh is enabled on the system.

So I tried to ssh into the system with the notch user id and the password found in the disassembled file, and it worked :-p

The user flag is present right there. After that, ran sudo -l to see notch's permissions; it shows that notch can run all the commands, so ran sudo su to elevate privileges to superuser.

And that's it, we got the root flag and root privileges!


I go by Padma. I am a security enthusiast. This blog contains security related and some general stuff. E-mail:pduggire@gmu.edu
