Welcome back to the final blog in the series "How to hack a box"! In this blog we’ll cover the basics of Privilege Escalation and see it in practice on the Blocky box from Hack The Box.
Let’s first go through the information we gathered in the previous step, "Enumeration". This is what we wrote down in that step:
We have access to user notch
A Minecraft server (a Java application) is started on every reboot in a screen session under user notch
User notch has used sudo before, and might’ve started a MySQL CLI session as
A MySQL server is listening on port 3306 on localhost, which is running as user
There might be some vulnerabilities in the OS or kernel which we can use
We can execute any command as any user with sudo
Places to start
Common places to start
There are a few common entry points when attempting a Privilege Escalation. You can for example think of the following:
File permissions of, for example, configuration files or scripts
Cron jobs running as root or another exploitable user
System misconfiguration, like too loosely configured sudo rights
Escaping restricted environments
The path to root
If we look at it purely theoretically, we have several paths towards root:
Since we know Blocky is a very easy box, the second path is the most probable because it has simply fewer hops to go through.
Looking at our gathered information, and filtering out access to MySQL, we have a few things we can try:
Trying to find more information in the Minecraft server which could lead to additional credentials
Going after the sudo hint and trying to escalate our privileges with it
Trying available kernel exploits specific to Privilege Escalation
Regarding kernel exploits, for boxes like Blocky I wouldn’t try them immediately. The kernel is fairly up to date (still outdated though), and our other options are way easier to check first. If we didn’t get any further with our first two options, we could of course still try to find usable kernel exploits.
Trying our options
Now we’re done with analyzing our results, let’s get cracking!
Finding credentials in the Minecraft server
First of all, let’s try to find credentials in the Minecraft server.
notch@Blocky:~$ grep -r password minecraft
minecraft/config/sponge/global.conf:    # Aliases for SQL connections, in the format jdbc:protocol://[username[:password]@]host/database
With grep -r <search text> <path> we can recursively find text in all files in the given path. In the example above I just searched for "password" and there was one hit in a config file.
After taking a look at our hit, we just see an empty object.
Let’s try our other options.
There are a few ways of checking our sudo rights. The easiest way is using sudo -l, which we saw in the previous blog:
notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
We were asked to supply the password of notch, but fortunately we already knew that.
Looking at the results above, this basically means jackpot! The last line is the most interesting part: (ALL : ALL) ALL means we can execute any arbitrary command as any user in any group on the system.
Let’s try this by executing the command whoami as root:
notch@Blocky:~$ sudo whoami
root
Neat, it works!
Another way of checking the configuration of sudo is by looking at the /etc/sudoers file, or any file in /etc/sudoers.d/. However, most of the time these files will only be readable by root. If you are able to write to the /etc/sudoers.d/ directory, you will be able to grant yourself sudo rights.
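As an added example that is not part of the original write-up, here is a small Python helper from the defender's side: it parses sudoers-style user specifications and flags every principal with an unrestricted grant such as notch's (ALL : ALL) ALL, so an administrator can spot such entries before someone with a reused password does. The sudoers content below is constructed for the example; the only assumption is the standard sudoers user-specification syntax.

```python
import re
# Constructed sample sudoers content (not taken from the box); the notch rule
# mirrors the "(ALL : ALL) ALL" grant shown by sudo -l in the write-up.
SAMPLE_SUDOERS = """
# /etc/sudoers (constructed example)
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
notch   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart webapp
backup  ALL=(root) NOPASSWD: ALL
"""

# User specification: <who> <hosts>=(<runas_user>[:<runas_group>]) [TAG:...] <commands>
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return the user-specification rules; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "who": m.group("who"),
                # No runas list means "as root"; only the user part matters here
                "runas": (m.group("runas") or "root").split(":")[0].strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "cmds": m.group("cmds").strip(),
            })
    return rules

def classify(rule):
    """'full-root' = any command as root (or as ALL users); NOPASSWD makes it worse."""
    if rule["runas"] in ("ALL", "root") and rule["cmds"] == "ALL":
        return "full-root-nopasswd" if rule["nopasswd"] else "full-root"
    return "scoped"

def find_full_root_grants(text):
    """Map each principal with an unrestricted grant to its classification."""
    return {r["who"]: classify(r) for r in parse_sudoers(text) if classify(r) != "scoped"}
```

A "scoped" rule still deserves a look at the listed commands, but the unrestricted ones are where a leaked user password becomes a root shell in one step.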
So how can we use this to gain a root shell?
Escalating our privileges
We now know we can execute any command as root. To get a shell with colors and all, we can open a new bash session as root:
notch@Blocky:~$ sudo bash
root@Blocky:~# whoami
root
Now we can simply capture the root flag by reading the /root/root.txt file. To prevent the actual flag from being visible I’ll use wc to show the number of bytes and to prove I can read the file.
root@Blocky:~# wc -c /root/root.txt
32 /root/root.txt
Congratulations, you’ve now got full root rights on the box and captured the root flag!
We’ve now gone through all the steps to hack a box. This was just one of the easiest boxes in Hack The Box, so there’s much more to learn. When I first tried this box, I couldn’t get very far. I was stuck because I didn’t think of credential re-use and couldn’t get the Reverse Shell via WordPress working. After doing quite a few boxes, following a lot of write-ups, and trying to learn something from every box, I was able to improve my skills.
Initially my goal was to hack as many boxes as I could, but this approach prevented me from learning as much as I could’ve. If you think of each box as a lesson, you’ll learn a lot more. Try to really understand what services are running, how they work, and how they can be misused.
You now know the basic steps on how to hack a box. To continue this path, I recommend getting a paid subscription (£10 a month) on Hack The Box to get access to the "retired" boxes. You are allowed to publish write-ups for retired boxes, in contrast to the "active" boxes. This allows you to read write-ups or watch them on YouTube, which is a great way of getting into the mindset of others and learning from it.