Blocky writeup!

Here is another one of my writeups! This time Blocky: https://v3ded.github.io/ctf/htb-blocky.html

V3ded

Comments

  • I will have to play around with jad; I just unzipped the jar files, which is not nearly as clean. I have seen gobuster a lot lately. Any benefits to using that instead of dirbuster or wfuzz?

  • Nice write-up...
    But you can escalate privileges using the www-data shell also...
    I have done both ways successfully.

    Agent22

  • Gl0b0 - any directory bruteforcer that works for you is fine. Personally I never used wfuzz, and dirbuster has silly error pop-up messages which get annoying after some time. Dirb can be used as an alternative, but I like gobuster more because it provides threading support. Hope that helps!

    V3ded

  • Thanks for bringing that to my attention Agent22 - I will take a look into it. Once I find how (dunno when) I’ll add it in!

    V3ded

  • I used CVE-2017-6074, which isn't really stable. I show a few other rabbit holes in my video, such as getting a shell through FTP, which would have worked if the SSH was set to only allow cert-based logins.

  • Thanks @ippsec , your video was awesome! Learnt a thing or two as always.

    V3ded

  • Nice writeups guys. I'd definitely recommend jd-gui for decompiling the jar. No need to extract any classes or anything when using it. Also @ippsec got it, https://www.exploit-db.com/exploits/41458/ (4.4.0 kernel doublefree) will work most of the time from what I have heard as a backup esc method. Some people mentioned having to modify it to grab the flag automatically, as it does make the machine very unstable.

    Arrexel

  • @Agent22 How did you do that?
    Uploaded the shell via WordPress and then used the creds or any exploit?

  • @jinxbox check out the second half of ippsec's video

    Arrexel
