Hello friends!! Today we are going to solve another CTF challenge, “Blocky”, which is available online for those who want to improve their penetration testing and black box testing skills. Blocky is a retired vulnerable lab presented by Hack the Box for online penetration testing practice according to your experience level; they have a collection of vulnerable labs as challenges ranging from beginner to expert level. We are going to start a new series on Hack the Box, beginning with Blocky craft, which is designed for beginners.
Since these labs are available online, they have static IPs, and the IP of Blocky is 10.10.10.37, so let’s begin with nmap port enumeration.
nmap -sV 10.10.10.37
From the image below, you can observe that ports 21, 22 and 80 are open on the victim’s network.
Knowing that port 80 is open on the victim’s network, I opened its IP in the browser but didn’t get any remarkable clue for the next step on its welcome page.
Next we use the dirb tool in Kali to enumerate the directories and find some important ones such as /phpmyadmin, /wp-admin, /plugin/files, etc., which you can confirm from the image below.
dirb http://10.10.10.37/
After browsing through many directories, I found plugin/files interesting and opened the following URL in the browser.
From the image below you can observe that it shows two jar files. Let’s download the blockycore.jar file and then move on to decompiling it.
Using an online decompiler, I decompiled the blockycore.jar file and found something very interesting in it. It contains the login credentials sqluser and sqlpass, as highlighted in the image below.
Then I browsed to http://10.10.10.37/phpmyadmin and logged in to the phpmyadmin server using the above credentials, root: 8YsqfCTnvxAUeduzjNSXe22
Then I opened the wordpress database to steal a username from it, and I found a user login: Notch with user ID 1.
Now I try to get a pts shell on the victim’s system through SSH, since port 22 is open as per the nmap result and I had also found a username. I opened a new terminal in Kali and executed the following command to connect to the target network through the SSH service.
For the password I tried the password found in the jar file above and logged in to the victim’s shell successfully.
From the id result I came to know that Notch is the first user of the system.
Executing the sudo -l command tells us that user Notch has full privileges on this machine.
Then I moved for root access using the same password as before, and again I got root access successfully.
Then inside its home directory I found the user.txt file and used the cat command to read it.
Gracefully!! We found the 1st flag of this lab in user.txt.
Then I moved into the root directory, where I found root.txt, and again used the cat command to read this file.
Great!!! We completed this challenge by capturing the 2nd flag in the root.txt file.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.