# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-10 20:04 EDT
Nmap scan report for 10.10.10.37
Host is up (0.078s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
- FTP (21/TCP) — I checked for anonymous login and whether ProFTPD 1.3.5a had any known vulnerability, but found nothing useful.
- HTTP (80/TCP) — A WordPress website.
User Enumeration (WordPress)
A quick tip: for WordPress there is a simple way to enumerate users. Requesting http://10.10.10.37/index.php?author=<Number> with increasing numbers reveals valid usernames. Using this technique, I was able to find the notch user.
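The ?author=N sweep above leaves an obvious trace in the web server's access log. The following is an added detection example, not code from the original post: it parses Apache combined-log lines and flags any client that probed several distinct author IDs. The log lines are constructed, and the threshold of three distinct IDs is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-log lines (hypothetical sample, not from the post).
# 10.10.14.5 sweeps ?author=1..4 in sequence; 192.168.1.20 follows one normal link.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Apr/2021:20:05:01 -0400] "GET /index.php?author=1 HTTP/1.1" 301 0 "-" "curl/7.74.0"
10.10.14.5 - - [10/Apr/2021:20:05:01 -0400] "GET /author/notch/ HTTP/1.1" 200 5120 "-" "curl/7.74.0"
10.10.14.5 - - [10/Apr/2021:20:05:02 -0400] "GET /index.php?author=2 HTTP/1.1" 404 2100 "-" "curl/7.74.0"
10.10.14.5 - - [10/Apr/2021:20:05:02 -0400] "GET /index.php?author=3 HTTP/1.1" 404 2100 "-" "curl/7.74.0"
10.10.14.5 - - [10/Apr/2021:20:05:03 -0400] "GET /index.php?author=4 HTTP/1.1" 404 2100 "-" "curl/7.74.0"
192.168.1.20 - - [10/Apr/2021:20:06:10 -0400] "GET /?author=1 HTTP/1.1" 301 0 "http://10.10.10.37/" "Mozilla/5.0"
192.168.1.20 - - [10/Apr/2021:20:06:11 -0400] "GET /index.php?p=5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Fields of the Apache "combined" format that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def author_id(target):
    """Return the numeric ?author= value of a request target, or None if absent or non-numeric."""
    qs = parse_qs(urlparse(target).query)
    value = qs.get("author", [""])[0]
    return int(value) if value.isdigit() else None


def detect_author_enumeration(log_text, min_distinct=3):
    """Return {ip: sorted distinct author IDs} for clients that probed at least
    min_distinct different IDs. Walking several IDs in a row is the sweep pattern;
    a normal visitor follows at most one author-archive link."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined-log format
        aid = author_id(rec["target"])
        if aid is not None:
            ids_by_ip[rec["ip"]].add(aid)
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= min_distinct}
```

The same per-client count works as a WAF or fail2ban rule; the remediation on the WordPress side is to stop the author-ID redirect from disclosing usernames at all.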
Web Directory Enumeration (Gobuster)
As usual, I ran a quick gobuster scan to see if I could discover more interesting files or folders on the web server.
# gobuster dir -u http://10.10.10.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
/wp-login.php — Exposed WordPress login
I downloaded those 2 files and started to inspect them with JD-GUI (Java Decompiler).
Using JD-GUI, I decompiled the BlockyCore.jar file and found hard-coded credentials in the SQL connection string.
root : 8YsqfCTnvxAUeduzjNSXe22
Since the Blocky box did not expose any SQL services, I considered the possibility of password reuse. The password was valid for the notch user that we enumerated from the WordPress site.
notch@Blocky:~$ cat user.txt
notch → root (sudo)
The privilege escalation was super simple. The notch user had excessive sudo privileges, so I could simply run sudo su to escalate to root.
root@Blocky:/home/notch# cat /root/root.txt
Considering this was an older box, it was a super easy one. It might be good for getting a feel of how to use JD-GUI for OSWE prep. In this Blocky box, it was pretty easy to spot the jewel we were looking for, but the actual OSWE course goes a lot more in depth, where JD-GUI is used mostly for source code review. Thanks for reading! :)