Blocky

Blocky - 10.10.10.37

OS: Linux

IP: 10.10.10.37

User: 59fee0977fb60b8a0bc6e41e751f3cd5

Root: 0a9694a5b4d272c694679f7860f1cd5f

21/tcp open ftp ProFTPD 1.3.5a

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

8192/tcp closed sophos

Password was stored in a .jar file which was valid for ssh and phpmyadmin.

User was in sudoers group

Nmap

Port 80 appears to be running wordpress.

WPScan reveals a username

Start bruteforcing with wpscan

This returned no results.

Dirb found the following pages

/phpmyadmin

/plugins

Under plugins we found blocky.jar file

We downloaded the file and decompiled it with an online tool which gave us some credentials

We found the password was valid for the phpmyadmin login page

root:8YsqfCTnvxAUeduzjNSXe22

We now had access to phpmyadmin

We created a new user and uploaded a shell to the 404.php page but found we could not escalate privileges as the www-data user.

We then tested the password and username for notch via ssh and were given a shell.

We checked to see what we could do as the user notch and found they were part of the sudoers group.

Issuing sudo su gave us root access.

Last updated 5 years ago