Blocky

Blocky - 10.10.10.37

Target Enumeration:

OS: Linux

IP: 10.10.10.37

User: 59fee0977fb60b8a0bc6e41e751f3cd5

Root: 0a9694a5b4d272c694679f7860f1cd5f

Ports / Services / Software Versions Running

21/tcp open ftp ProFTPD 1.3.5a

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

8192/tcp closed sophos

Vulnerability Exploited:

A password stored in a .jar file was also valid for SSH and phpMyAdmin.

Privilege escalation:

The user was in the sudoers group.

Exploiting the host:

Nmap

Port 80 appears to be running WordPress.

WPScan reveals a username.

We started brute-forcing the login with WPScan.

This returned no results.

Dirb found the following pages:

/phpmyadmin

/plugins

Under /plugins we found the file blocky.jar.

We downloaded the file and decompiled it with an online tool, which gave us some credentials:

http://www.javadecompilers.com

We found the password was valid for the phpMyAdmin login page:

root:8YsqfCTnvxAUeduzjNSXe22
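As an added, defender-side example (not part of the original writeup): a small Python scanner that walks the constant pool of every class inside a jar and flags string literals that look like credentials, the kind of release check that would have caught a password embedded in blocky.jar before it was published under /plugins. The class-file parsing follows the JVM class file format; the secret heuristics, the entry name com/example/Db.class and the sample jar are constructed assumptions.

```python
import io
import re
import struct
import zipfile

# Bytes after the tag for fixed-size constant-pool entries; Utf8 (tag 1) is variable.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
_HINT = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|jdbc:\w+://", re.I)

def class_string_literals(data: bytes) -> list[str]:
    """Return every CONSTANT_String literal in one .class file's constant pool."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    count, pos, utf8, refs, i = struct.unpack(">H", data[8:10])[0], 10, {}, [], 1
    while i < count:                                   # pool index 0 is unused
        tag, pos = data[pos], pos + 1
        if tag == 1:                                   # Utf8: u2 length + bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:                               # String: u2 index into a Utf8
                refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += _FIXED[tag]
        i += 2 if tag in (5, 6) else 1                 # Long/Double occupy two slots
    return [utf8[r] for r in refs if r in utf8]

def looks_like_secret(lit: str) -> bool:
    # Credential keyword or JDBC URL, or a space-free mix of upper, lower and digits.
    if _HINT.search(lit):
        return True
    return len(lit) >= 12 and " " not in lit and all(re.search(p, lit) for p in (r"[a-z]", r"[A-Z]", r"\d"))

def scan_jar(jar_bytes: bytes) -> list[tuple[str, str]]:
    # (class entry, literal) pairs a release gate should refuse to ship.
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits += [(name, s) for s in class_string_literals(jar.read(name)) if looks_like_secret(s)]
    return hits

def build_sample_jar() -> bytes:
    # Constructed input: one minimal (not loadable) class whose pool holds a JDBC URL,
    # a made-up password and a harmless greeting; the real blocky.jar is not used here.
    lits = ["jdbc:mysql://localhost:3306/app", "Ex4mpleDbP4ssw0rd", "Hello, world"]
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in lits)
    pool += b"".join(b"\x08" + struct.pack(">H", k + 1) for k in range(len(lits)))
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 2 * len(lits) + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Db.class", cls)
    return buf.getvalue()
```

Running scan_jar(build_sample_jar()) reports the JDBC URL and the made-up password but not the greeting; wiring it into the build that produces the plugin jar turns the finding in this writeup into a failed build instead of a leaked credential.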

We now had access to phpMyAdmin.

We created a new user and uploaded a shell to the 404.php page, but found we could not escalate privileges as the www-data user.

We then tried the username notch with the same password over SSH and were given a shell.

We checked what we could do as the user notch and found that this account was part of the sudoers group.

Issuing sudo su gave us root access.