Blocky

3 March 2021

Starting information

  • Machine IP: 10.10.10.37
  • System: Linux

Network enumeration

I start by modifying my /etc/hosts file to avoid writing the IP every time:

/etc/hosts
10.10.10.37 blocky

Then I look for open ports with nmap and start an OpenVAS scan:

nmap -p- blocky -Pn

PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
80/tcp    open   http
8192/tcp  closed sophos
25565/tcp open   minecraft

Now I can start nmap scripts on the open ports to gather more information:

nmap -p21,22,80,8192,25565 -A -Pn blocky

PORT      STATE  SERVICE   VERSION
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp  closed sophos
25565/tcp open   minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Information gathered

Operating System

Ubuntu

Open ports

| Port      | Service   |
| --------- | --------- |
| 21/tcp    | ftp       |
| 22/tcp    | ssh       |
| 80/tcp    | http      |
| 25565/tcp | minecraft |

Vulnerabilities

Here is the main vulnerability found by OpenVAS:

| Service   | Description                                  | Severity |
| --------- | -------------------------------------------- | -------- |
| WordPress | WordPress User IDs and User Names Disclosure | Medium   |

WordPress platforms use a parameter called author. This parameter accepts integer values and represents the User ID of users in the web site. For example: http://www.example.com/?author=1. The problems found are: 1. User ID values are generated consecutively. 2. When a valid User ID is found, WordPress redirects to a web page with the name of the author.

Exploiting this is trivial: requesting ?author=1 redirects to /author/notch, which discloses the username notch.
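Added example, not part of the original writeup: a small detector written from the defending side that reads Apache access-log lines and flags a client sweeping author IDs; the redirect behaviour described above is what turns a probe into a confirmed disclosure. The log lines are constructed for the example, not taken from the box.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined log: only the client, the request path and the status code matter here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_author_probe(line):
    """Return (client_ip, author_id, status) when the request carries ?author=<int>, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ids = parse_qs(urlsplit(m.group('path')).query).get('author')
    if not ids or not ids[0].isdigit():
        return None
    return m.group('ip'), int(ids[0]), int(m.group('status'))

def detect_author_enumeration(lines, threshold=3):
    """Flag clients that probe at least `threshold` distinct author IDs. Because WordPress
    answers a valid ID with a redirect to /author/<login>, a 301/302 on a probe means that
    ID (and its login name) was disclosed, so those IDs are reported separately."""
    probes = defaultdict(dict)                      # client_ip -> {author_id: status}
    for line in lines:
        parsed = parse_author_probe(line)
        if parsed:
            ip, author_id, status = parsed
            probes[ip][author_id] = status
    findings = {}
    for ip, tried in probes.items():
        if len(tried) >= threshold:
            disclosed = sorted(i for i, s in tried.items() if s in (301, 302))
            findings[ip] = {'tried': sorted(tried), 'disclosed': disclosed}
    return findings

# Constructed sample lines (not from the box's logs): one client sweeping IDs 1..4 in
# sequence, one ordinary visitor following a single author link.
SAMPLE_LOG = [
    '10.10.14.5 - - [03/Mar/2021:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"',
    '10.10.14.5 - - [03/Mar/2021:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.10.14.5 - - [03/Mar/2021:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.10.14.5 - - [03/Mar/2021:10:00:04 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/7.68.0"',
    '10.10.14.9 - - [03/Mar/2021:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [03/Mar/2021:10:05:01 +0000] "GET /author/notch/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, info in detect_author_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed author IDs {info['tried']}, redirected on {info['disclosed']}")
```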

Directories

To gather more info I start a directory enumeration with gobuster:

gobuster dir -u http://10.10.10.37 -w Resources/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

/wiki (Status: 301)
/wp-content (Status: 301)
/plugins (Status: 301)
/wp-includes (Status: 301)
/javascript (Status: 301)
/wp-admin (Status: 301)
/phpmyadmin (Status: 301)

WordPress version

I use Metasploit to retrieve the WordPress version:

msf6 auxiliary(scanner/http/wordpress_scanner) > exploit

[*] Trying 10.10.10.37
[+] 10.10.10.37 running Wordpress 4.8

It appears the version is 4.8.

Directory exploration

/phpmyadmin

In the phpmyadmin interface I click on the ? button which leads me to the documentation for this version of the software. There I learn that the version is 4.5.4.1.

I use searchsploit to list vulnerabilities in phpMyAdmin, and two of them stand out:

searchsploit phpmyadmin

| Exploit title                                                | Path                  |
| ------------------------------------------------------------ | --------------------- |
| phpMyAdmin 4.6.2 - (Authenticated) Remote Code Execution     | php/webapps/40185.py  |
| WordPress Plugin Portable phpMyAdmin - Authentication Bypass | php/webapps/23356.txt |

Since the blog is using WordPress, it may be that phpmyadmin is actually a WordPress plugin. I use the -p option to retrieve the path to the vulnerability documentation:

searchsploit -p 23356

It turns out that the vulnerability might be too old to be used, but very interesting nonetheless:

Navigate to http://host/wp-content/plugins/portable-phpmyadmin/wp-pma-mod and you will be presented with the full portable-phpMyAdmin web interface without the requirement of a session or any credential.

Unfortunately I didn't manage to exploit it (even by using variations of the vulnerable URL) and the other

/wp-includes, /wiki

http://10.10.10.37/wp-includes/ contains a directory listing, mostly of PHP files. Unfortunately I didn't find anything interesting there.

The wiki is under construction.

/wp-admin

This page redirects to /wp-login.php. I tried some obvious combinations of user and password but nothing worked.

/plugins

The plugins directory contains two files:

  • BlockyCore.jar
  • griefprevention-1.11.2-3.1.1.298.jar

After decompiling BlockyCore.jar with bytecode-viewer, I find the following class, which contains a hardcoded username and password:

package com.myfirstplugin;

public class BlockyCore {
   public String sqlHost = "localhost";
   public String sqlUser = "root";
   public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

}

Everything indicates that I should try these credentials in the phpMyAdmin interface, and they work!
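Added example, not code from the writeup or from the BlockyCore plugin: a check a build pipeline could run over a plugin JAR before it ships, parsing each class file's constant pool and reporting credential-like field names that sit next to high-entropy string literals. The JAR it scans is constructed inside the block; the class name, field names and literal are the ones from the decompiled class above, and the entropy threshold is an assumed heuristic.

```python
import io, math, re, struct, zipfile
# JVM constant-pool tags -> payload size; Utf8 (1) is variable length, Long/Double (5, 6) take two slots.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_utf8_constants(data):
    """Walk a .class constant pool and return every CONSTANT_Utf8 (field names and string literals live here)."""
    if data[:4] != b'\xca\xfe\xba\xbe':
        return []
    count, pos, index, found = struct.unpack('>H', data[8:10])[0], 10, 1, []
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            length = struct.unpack('>H', data[pos:pos + 2])[0]
            found.append(data[pos + 2:pos + 2 + length].decode('utf-8', 'replace'))
            pos += 2 + length
        else:
            pos += FIXED[tag]
        index += 2 if tag in (5, 6) else 1
    return found

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
SECRET_NAME = re.compile(r'pass|pwd|secret|token', re.I)   # identifier hints such as sqlPass
LITERAL = re.compile(r'^[A-Za-z0-9]{16,}$')                  # password-shaped literal

def find_hardcoded_secrets(jar_bytes, min_entropy=3.5):
    """Per class: credential-like identifiers that sit alongside high-entropy alphanumeric literals."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith('.class')):
            consts = class_utf8_constants(jar.read(name))
            fields = [c for c in consts if SECRET_NAME.search(c) and '/' not in c]
            literals = [c for c in consts if LITERAL.match(c) and shannon_entropy(c) >= min_entropy]
            if fields and literals:
                report[name] = {'fields': fields, 'literals': literals}
    return report

def build_sample_class(utf8s):
    """Constructed stand-in for javac output: Utf8 entries, a Long (two slots), a String ref, then a stub body."""
    pool = b''.join(b'\x01' + struct.pack('>H', len(s)) + s.encode() for s in utf8s)
    pool += b'\x05' + struct.pack('>Q', 1337) + b'\x08' + struct.pack('>H', 1)
    return b'\xca\xfe\xba\xbe' + struct.pack('>HHH', 0, 52, len(utf8s) + 4) + pool + b'\x00\x21'  # count = slots + 1

def build_sample_jar():
    """Constructed two-class JAR; the first class carries the fields and literal seen in the decompiled BlockyCore."""
    with zipfile.ZipFile(buf := io.BytesIO(), 'w') as jar:
        jar.writestr('com/myfirstplugin/BlockyCore.class', build_sample_class(
            ['com/myfirstplugin/BlockyCore', 'sqlHost', 'localhost', 'sqlUser', 'root', 'sqlPass', '8YsqfCTnvxAUeduzjNSXe22']))
        jar.writestr('com/myfirstplugin/Util.class', build_sample_class(['com/myfirstplugin/Util', 'toString', 'Code']))
    return buf.getvalue()
```

Running find_hardcoded_secrets(build_sample_jar()) reports only BlockyCore.class, pairing sqlPass with the literal; the same scan over the real JAR would have caught this before the plugin was deployed.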

phpMyAdmin

My system does not work that well with Python 2, so I use pipenv to create a virtual environment in which I can run the exploit.

pipenv --python 2.7
pipenv shell

I then install requests, which the exploit requires:

pipenv install requests

I retrieve the exploit for CVE-2016-5734 with searchsploit -m 40185, which copies it into the current directory. Unfortunately the exploit doesn't work, because the target runs PHP 7.0.18 and the exploit only supports much older versions:

Details: Working only at PHP 4.3.0-5.4.6 versions [...]

Other avenues

At this stage I decide to check whether the password I found is reused elsewhere. The user notch combined with that password gives me access to the machine.

This also gives me access to the user flag. The user notch is great: he has sudo rights! This gives me access to the root flag.