Blocky

Name: Blocky
Release Date: 21 Jul 2017
Retire Date: 09 Dec 2017
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
echthros 23 days, 20 hours, 30 mins, 10 seconds
echthros 23 days, 20 hours, 30 mins, 24 seconds
Creator: Arrexel
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -oA ./blocky 10.10.10.37

 
$  nmap -sC -sV -oA ./blocky 10.10.10.37
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 10:47 EDT
  Nmap scan report for 10.10.10.37
  Host is up (0.17s latency).
  Not shown: 996 filtered ports
  PORT     STATE  SERVICE VERSION
  21/tcp   open   ftp     ProFTPD 1.3.5a
  22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  |   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
  |   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
  |_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
  80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-generator: WordPress 4.8
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  |_http-title: BlockyCraft – Under Construction!
  8192/tcp closed sophos
  Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 67.66 seconds
 

FTP, SSH, HTTP, and an unknown "Sophos" port.  Let's start by navigating to HTTP while Dirbuster does its thing. We see the HTTP site is a Wordpress site.  WPScan doesn't show anything useful.  Neither does Dirbuster.  There are a slew of Wordpress plugins. There's no way that this site has no pluging.  Let's change Dirbuster over to FUZZ the directories and see what we get.

Ok, now we can see a plugins folder.  I knew there had to be one and the usual wp-content/plugins was empty. Inside plugins folder we find 2 jar files.

Download BlockyCore and extract it.  Inside the /com/myfirstplugin is BlockyCore.class. Using http://www.javadecompilers.com/ we can decompile it into the below code.

 
 // 
// Decompiled by Procyon v0.5.36
// 

package com.myfirstplugin;

public class BlockyCore
{
    public String sqlHost;
    public String sqlUser;
    public String sqlPass;
    
    public BlockyCore() {
        this.sqlHost = "localhost";
        this.sqlUser = "root";
        this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    }
    
    public void onServerStart() {
    }
    
    public void onServerStop() {
    }
    
    public void onPlayerJoin() {
        this.sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
    }
    
    public void sendMessage(final String username, final String message) {
    }
}
 

Interesting.  SQL root password. While looking around, I noticed that the index.php page did not have the "By XXX" like most blogs.  I was able to find it http://10.10.10.37/index.php/2017/07/02/welcome-to-blockycraft/


We now know the user is notch and that he is the "root" SQL user (because after all it's his site).  Let's see if he reused passwords.

That worked again!  I love it when admins reuse passwords.  So, we move LinEnum.sh over to the target and run it with -t (result in the CTB file).  First thing that jumps out?  notch is in the sudoers group!  Easy escalation