Blocky was another standard box with a few potential rabbit holes to fall down. There was also a second potential method of gaining information through phpMyAdmin which I didn't investigate.
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Full port scan
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
80/tcp    open   http
8192/tcp  closed sophos
25565/tcp open   minecraft
Web server directory bruteforce
The directory listing includes ‘wp-content’ and ‘wp-includes’, which are WordPress directories, so there's a solid chance we will be interacting with WordPress.
Since we know WordPress is running, we can enumerate the site with wpscan. wpscan manages to pull the username ‘notch’ from the RSS feed.
Going back to recon through the ‘plugins’ directory, we get access to a ‘cute file browser’ with two files:
- Blockycore.jar
- griefprevention.jar
We can use online decompilers to decompile the Java into somewhat readable code. From the Blockycore file we get credentials that are hardcoded.
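The same class of finding can be caught before a JAR ever ships. The script below is an added example, not the box's code or the BlockyCore plugin: it walks the constant pool of every .class in a JAR and flags String literals that look like credentials, so a build check catches hardcoded secrets without a decompiler. The SUSPECT regex and the sample class builder are assumptions for illustration.

```python
# Added example (not the box's own code): flag credential-looking String
# literals in a JAR by parsing each .class constant pool directly.
import io, re, struct, zipfile

# Payload size of fixed-width constant-pool tags; tag 1 (Utf8) is variable.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed heuristic: connection strings, password-ish words, long base64 runs.
SUSPECT = re.compile(r"jdbc:|passw|secret|token|[A-Za-z0-9+/]{24,}={0,2}", re.I)

def string_literals(cls):
    """Return the CONSTANT_String entries (tag 8 -> Utf8) of one class file."""
    if cls[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", cls[8:10])[0]
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag = cls[pos]; pos += 1
        if tag == 1:                      # Utf8: u2 length + bytes
            ln = struct.unpack(">H", cls[pos:pos + 2])[0]
            utf8[idx] = cls[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        elif tag == 8:                    # String: u2 index of its Utf8 entry
            refs.append(struct.unpack(">H", cls[pos:pos + 2])[0]); pos += 2
        else:
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    return [utf8[i] for i in refs if i in utf8]

def scan_jar(jar_bytes):
    """Map each .class path in the JAR to its suspicious string literals."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                hits = [s for s in string_literals(zf.read(name)) if SUSPECT.search(s)]
                if hits:
                    out[name] = hits
    return out

def build_sample_jar(literals):
    """Constructed input: minimal class (empty body, not JVM-loadable) holding the literals."""
    pool = b""
    for i, lit in enumerate(literals):
        enc = lit.encode()
        pool += b"\x01" + struct.pack(">H", len(enc)) + enc   # Utf8 at slot 2i+1
        pool += b"\x08" + struct.pack(">H", 2 * i + 1)         # String -> that slot
    cls = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 2 * len(literals) + 1)
           + pool + struct.pack(">7H", 0x21, 0, 0, 0, 0, 0, 0))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Core.class", cls)
    return buf.getvalue()
```

Pointing scan_jar at a real plugin JAR gives the same per-class report; anything it flags is a candidate for moving into configuration or a secrets store.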
Logging in over SSH with user ‘notch’ and that password gives us our foothold and the user flag.
A sudo check reveals instantly what our method of gaining root privs will be.
notch@Blocky:~$ sudo -l
[sudo] password for notch: <ssh_pw>
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
‘sudo su’ gives us root.