Again, we start with nmap -sC -sV -oA ./blocky 10.10.10.37
FTP, SSH, HTTP, and an unknown "Sophos" port. Let's start by navigating to HTTP while Dirbuster does its thing. We see the HTTP site is a WordPress site. WPScan doesn't show anything useful. Neither does Dirbuster. There is a slew of WordPress plugins out there; there's no way this site has no plugins. Let's switch Dirbuster over to fuzzing the directory names and see what we get.
OK, now we can see a plugins folder. I knew there had to be one, since the usual wp-content/plugins was empty. Inside the plugins folder we find two jar files.
Download BlockyCore and extract it. Inside /com/myfirstplugin is BlockyCore.class. Using http://www.javadecompilers.com/ we can decompile it into the code below.
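The same finding from the other side of the fence, as an added example that is not part of this writeup: a small auditor a plugin operator could run over a jar before deploying it. It parses each class file's constant pool directly (no decompiler needed), flags classes whose symbol names look credential-related, and lists every string literal those classes carry for review. The jar, the field name and the literal are constructed stand-ins, not the real BlockyCore contents.

```python
import io
import struct
import zipfile
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,   # byte width of the
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}                         # fixed-size pool entries
SUSPECT = ("pass", "pwd", "secret", "token")   # substrings of credential-like symbol names

def constant_pool(data: bytes):
    """Return ({index: utf8 text}, [Utf8 indices referenced by CONSTANT_String entries])."""
    assert data[:4] == b"\xca\xfe\xba\xbe", "not a class file"
    count = struct.unpack(">H", data[8:10])[0]
    utf8, strings, pos, i = {}, [], 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 8:                               # CONSTANT_String: u2 index of its Utf8
                strings.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED[tag]
        i += 2 if tag in (5, 6) else 1                 # long/double occupy two pool slots
    return utf8, strings

def scan_jar(jar_bytes: bytes) -> dict:
    """Classes whose symbols look credential-related, with every string literal they hold."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class"):
                utf8, strings = constant_pool(jar.read(entry))
                names = sorted(v for v in utf8.values() if any(s in v.lower() for s in SUSPECT))
                if names:
                    report[entry] = {"names": names, "literals": [utf8[i] for i in strings]}
    return report

def _utf8(s: str) -> bytes:
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

# Constructed stand-in for BlockyCore.class: valid header plus a 6-entry constant pool (all the scanner reads).
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 7)
                + _utf8("sqlPass") + _utf8("Ljava/lang/String;") + _utf8("hunter2-constructed")
                + b"\x08" + struct.pack(">H", 3) + _utf8("com/myfirstplugin/BlockyCore") + b"\x07" + struct.pack(">H", 5))

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/myfirstplugin/BlockyCore.class", SAMPLE_CLASS)
    return buf.getvalue()
```

Run it as `scan_jar(open("BlockyCore.jar", "rb").read())`; anything it reports is a literal sitting in shipped bytecode, which is exactly what a decompiler (or the next person to download the jar) will read.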
Interesting: an SQL root password. While looking around, I noticed that the index.php page did not show the "By XXX" byline that most blogs have. I was able to find it at http://10.10.10.37/index.php/2017/07/02/welcome-to-blockycraft/
We now know the user is notch and that he is the "root" SQL user (after all, it's his site). Let's see if he reused passwords.
That worked again! I love it when admins reuse passwords. So, we move LinEnum.sh over to the target and run it with -t (results are in the CTB file). First thing that jumps out? notch is in the sudoers group! Easy escalation.