Links

Blocky

Blocky - 10.10.10.37

Target Enumeration:

OS: Linux
IP: 10.10.10.37
User: 59fee0977fb60b8a0bc6e41e751f3cd5
Root: 0a9694a5b4d272c694679f7860f1cd5f

Ports / Services / Software Versions Running

21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8192/tcp closed sophos

Vulnerability Exploited:

Password was stored in a .jar file which was valid for ssh and phpmyadmin.

Privilege escalation:

User was in sudoers group

Exploiting the host:

Nmap
Port 80 appears to be running wordpress.
WPScan reveals a username
Start bruteforcing with wpscan
This returned no results.
Dirb found the following pages
/phpmyadmin
/plugins
Under plugins we found blocky.jar file
We downloaded the file and decompiled it with an online tool which gave us some credentials
We found the password was valid for the phpmyadmin login page
root:8YsqfCTnvxAUeduzjNSXe22
We now had access to phpmyadmin
We created a new user and uploaded a shell to the 404.php page but found we could not escalate privileges as the www-data user.
We then tested the password and username for notch via ssh and were given a shell.
We checked to see what we could do as the user notch and found they were part of the sudoers group.
Issuing sudo su gave us root access.