I need Help With Blocky

@pusheen said:
I think you guys are plain genius. How can you rate this server “easy”? ■■■, it was so hard and so many puzzles

I guess you did it by the “www-data” way :B
In fact, it’s an easy machine, but it’s also a rabbit hole you can easily go down pretty far xDD

haha this was fun, I did it using the intended way after getting a www-data user before dinner coming back and starting with the info I already had it was clear. super easy. but wondering now what exploit is the priv sc

It’s easy when it’s flat/unaltered. Someone kept changing passwords? had to wait for a quiet moment, then popped it within 2 mins.

People keep changing the password because that’s the only way you could know the correct password for that specific service. Research phPass encryption and think about what you could do with the information and access you have.

@puerkito66 said:

@JChris said:
I don’t know how to say that without spoiling, so I’ll try my best.

  1. I did enum and found something
  2. From that something I got the credentials to login into an interface
  3. Inside that interface there’s a part where I can see the credentials of a very special wp_user of the Blocky site.

The issue is that people keep changing the password…

You have the correct credentials, but you are using them in the wrong way.
Use the “very special” user and the other info you have, but not in the log in page, but in another service the server is running

Holy bananas… Got user and root flag easily ** Spoiler Removed - Arrexel **. It’s strange how people are talking about www-data, priv sca etc, because I didn’t use any of that, ** Spoiler Removed - Arrexel **

@JChris said:
Holy bananas… Got user and root flag easily using that credential on the right service. It’s strange how people are talking about www-data, priv sca etc, because I didn’t use any of that, all I needed was inside a jar of cookies…

That’s the trick with this box, it’s a rabbit hole anybody can easily go down xDD
The key is (most times) don’t overthink

** Spoiler Removed - Arrexel **

@wyliebsd said:
** Spoiler Removed - Arrexel **

Since blocky is powered by wordpress, you can use wpscan with the --enumerate u option or enumerate manually using the old wordpress trick:

10.10.10.13/?author=1

Thank you very much gameOver :slight_smile: that makes a lot of sense!!

** Spoiler Removed - Arrexel **

Effectively there are two ways to own this system… If you don’t try one thing, you’ll end up overthinking and, hopefully, own the system with the harder way.

@rek2 said:
haha this was fun, I did it using the intended way after getting a www-data user before dinner coming back and starting with the info I already had it was clear. super easy. but wondering now what exploit is the priv sc

Are you interested yet?

The key on this one is definitely not overthinking. With how much people reset this box and change the password for a particular user, it took me a good 2 hours of spinning my wheels trying to get user & root when the first thing I tried didn’t work (but definitely should have and later did).

@kophjager263 said:
The key on this one is definitely not overthinking. With how much people reset this box and change the password for a particular user, it took me a good 2 hours of spinning my wheels trying to get user & root when the first thing I tried didn’t work (but definitely should have and later did).

** Spoiler Removed - Arrexel **

@Ruster, not necessarily. I overthought this because what I tried initially didn’t work, but that was because it’s a popular box and “things” get changed sometimes. It sounds like you’re absolutely in the right spot, and you likely already have what you need. It’s just a matter of using what you’ve found and enumerated in the right spot.

@kophjager263 said:
@Ruster, not necessarily. I overthought this because what I tried initially didn’t work, but that was because it’s a popular box and “things” get changed sometimes. It sounds like you’re absolutely in the right spot, and you likely already have what you need. It’s just a matter of using what you’ve found and enumerated in the right spot.

** Spoiler Removed - Arrexel **

@Ruster, no problem. Sometimes getting a shell is simpler than it seems :wink:

@kophjager263, thank you for your advice. I’m in and I don’t even think priv esc needs only linux command’s know :wink:

** Spoiler Removed - Arrexel **

@wyliebsd said:
I’m curious where you all found the username “notch” ? I found the password that worked for that user, and easily obtained root, but not sure where you guys came up with “notch” in the first place?

nmap nse scripts for http-* will also spit the username with ease. nmap is god :slight_smile:

@r7f5 said:
Effectively there are two ways to own this system… If you don’t try one thing, you’ll end up overthinking and, hopefully, own the system with the harder way.

@rek2 said:
haha this was fun, I did it using the intended way after getting a www-data user before dinner coming back and starting with the info I already had it was clear. super easy. but wondering now what exploit is the priv sc

Are you interested yet?

hey, I already got this one last week when I wrote this. and the priv was even easier. :slight_smile: about to finish Holiday now.