Security Blog, Rants, Raves, Write-ups, and Code
Blocky
| Name: | Blocky 
|
|---|---|
| Release Date: | 21 Jul 2017 |
| Retire Date: | 09 Dec 2017 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
echthros  23 days, 20 hours, 30 mins, 10 seconds |
 |
echthros 23 days, 20 hours, 30 mins, 24 seconds |
| Creator: | Arrexel  |
| CherryTree File: | CherryTree - Remove the .txt extension |
Again, we start with nmap -sC -sV -oA ./blocky 10.10.10.37
$ nmap -sC -sV -oA ./blocky 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 10:47 EDT
Nmap scan report for 10.10.10.37
Host is up (0.17s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.66 seconds
FTP, SSH, HTTP, and an unknown "Sophos" port. Let's start by navigating to HTTP while Dirbuster does its thing. We see the HTTP site is a Wordpress site. WPScan doesn't show anything useful. Neither does Dirbuster. There are a slew of Wordpress plugins. There's no way that this site has no pluging. Let's change Dirbuster over to FUZZ the directories and see what we get.
Ok, now we can see a plugins folder. I knew there had to be one and the usual wp-content/plugins was empty. Inside plugins folder we find 2 jar files.
Download BlockyCore and extract it. Inside the /com/myfirstplugin is BlockyCore.class. Using http://www.javadecompilers.com/ we can decompile it into the below code.
//
// Decompiled by Procyon v0.5.36
//
package com.myfirstplugin;
public class BlockyCore
{
public String sqlHost;
public String sqlUser;
public String sqlPass;
public BlockyCore() {
this.sqlHost = "localhost";
this.sqlUser = "root";
this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
}
public void onServerStart() {
}
public void onServerStop() {
}
public void onPlayerJoin() {
this.sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
}
public void sendMessage(final String username, final String message) {
}
}
Interesting. SQL root password. While looking around, I noticed that the index.php page did not have the "By XXX" like most blogs. I was able to find it http://10.10.10.37/index.php/2017/07/02/welcome-to-blockycraft/
We now know the user is notch and that he is the "root" SQL user (because after all it's his site). Let's see if he reused passwords.
That worked again! I love it when admins reuse passwords. So, we move LinEnum.sh over to the target and run it with -t (result in the CTB file). First thing that jumps out? notch is in the sudoers group! Easy escalation
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.