Cybersecurity
Software

Blocky

Enumeration

Let's start out by enumerating the box and finding out what we are dealing with.
1# Nmap 7.92 scan initiated Tue Jan  4 13:30:48 2022 as: nmap -sC -sV -oA nmap/scan -T 4 -v 10.10.10.37
2Nmap scan report for 10.10.10.37
3Host is up (0.019s latency).
4Not shown: 996 filtered tcp ports (no-response)
5PORT     STATE  SERVICE VERSION
621/tcp   open   ftp     ProFTPD 1.3.5a
722/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
8| ssh-hostkey: 
9|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
10|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
11|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
1280/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
13|_http-generator: WordPress 4.8
14| http-methods: 
15|_  Supported Methods: GET HEAD POST OPTIONS
16|_http-server-header: Apache/2.4.18 (Ubuntu)
17|_http-title: BlockyCraft – Under Construction!
188192/tcp closed sophos
19Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
20
21Read data files from: /usr/bin/../share/nmap
22Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
23# Nmap done at Tue Jan  4 13:31:02 2022 -- 1 IP address (1 host up) scanned in 13.92 seconds
We see that ftp is open, first thing lets check if anonymous login is allowed, it is unlikely since
nmap
did not pick that up with the script scan but worth trying just incase. I am unsuccessful. Since http is open lets go and visit the website.
The webpage resembles a typical WordPress site. Knowing it's WordPress, I attempt to locate the admin login and test default credentials, but no luck. I then try to enumerate users without success. On the main page, I discover a blog post by the author "notch." Confirming his author status via the URL http://10.10.10.37/?author=1, I return to the admin login, attempting to log in as notch with default credentials, but without success.
The main page features links to download two XML documents, "Entries RSS" and "Comments RSS." Examining these reveals post references as
/?p=<num>
, with the notch post identified as p=5. Attempting to enumerate other post numbers yields only a sample WordPress blog with minimal information. Turning to automated tools, I run wp-scan, identifying several vulnerabilities but noting that notch is the sole user.
While wp-scan runs, I conduct an all-ports scan with nmap, revealing a Minecraft server on port 25565. Given XML-RPC is enabled, I consider a brute force attack. Wpscan suggests various vulnerabilities, mainly XSS-related, but exploiting them is limited without additional users. Exhausting leads, I run gobuster, discovering a phpmyadmin login page. I again try some default credentials with no luck.
Walkthrough hint - /plugins
Unfortunately, I initially mistook the "/plugins" page for WordPress's "wp-content/plugins" and overlooked the Dirbuster result. The "/plugins" page discloses two downloadable .jar files. Following a Google search on decompiling Java files, I discover a program called jd-gui. Upon opening the file in jd-gui, it exposes SQL credentials.
1package com.myfirstplugin;  
2  
3public class BlockyCore {  
4  public String sqlHost = "localhost";  
5   
6  public String sqlUser = "root";  
7   
8  public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";  
9   
10  public void onServerStart() {}  
11   
12  public void onServerStop() {}  
13   
14  public void onPlayerJoin() {  
15    sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");  
16  }  
17   
18  public void sendMessage(String username, String message) {}  
19}

Exploitation

I attempt to log into ssh as notch and try reusing that password and I am successful. I then run
sudo -l
to see what I can do
1notch@Blocky:~$ sudo -l
2[sudo] password for notch: 
3Matching Defaults entries for notch on Blocky:
4    env_reset, mail_badpass,
5    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
6
7User notch may run the following commands on Blocky:
8    (ALL : ALL) ALL
9notch@Blocky:~$

Priv esc

Looks like I have full sudo privileges, because I know notches password priv esc is as easy as
sudo su
and now I am root

Review / Take aways

I should have initiated a Gobuster scan before delving into searching for additional blog posts and researching WordPress vulnerabilities. Recognizing that the "/plugins" page was distinct from "/wp-content/plugins" would have obviated the need to consult the walkthrough for a hint. Upon discovering the .jar files, navigating the box became straightforward. The key lesson is always to enumerate thoroughly and not dismiss a result without investigating it first.