Blocky

Introduction:
This is one of the OSCP-like machines from TJNull’s list and an interesting one indeed. Exploitation and privesc are relatively easy on this machine. When doing it, focus on good enumeration and pay attention to details. Examine user scripts and programs, as they may lead you to easter eggs.
Recon
Let's get started with the routine reconnaissance using nmap -
nmap -sS -sV -sC -T4 -oN blocky.nmap.txt 10.10.10.37
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-13 09:10 EST
Nmap scan report for 10.10.10.37
Host is up (0.014s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
As a general practice, also run a second port scanner over the full port range: by default nmap only scans the top 1000 ports, so it can miss services listening on higher ports, as is the case with this machine.
------------------------------------------------------------
 Threader 3000 - Multi-threaded Port Scanner
 Version 1.0.6
 A project by The Mayor
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.10.37
------------------------------------------------------------
Scanning target 10.10.10.37
Time started: 2020-12-13 09:11:23.810701
------------------------------------------------------------
Port 80 is open
Port 22 is open
Port 21 is open
Port 25565 is open
Port scan completed in 0:01:39.327810
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p80,22,21,25565 -sV -sC -T4 -Pn -oA 10.10.10.37 10.10.10.37
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------


nmap -p80,22,21,25565 -sV -sC -T4 -Pn 10.10.10.37
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-13 09:32 EST
Nmap scan report for 10.10.10.37
Host is up (0.030s latency).

PORT      STATE SERVICE   VERSION
21/tcp    open  ftp       ProFTPD 1.3.5a
22/tcp    open  ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open  http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
25565/tcp open  minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.46 seconds
Notes:
- As you can see from the output, we have ports 21, 22, 80 and 25565 open for exploring further.
- The server seems to run a WordPress site on port 80 and a Minecraft server, version 1.11.2.
- This is a Linux machine, likely running Ubuntu.
Enumeration
Open the website on the target machine in your browser and look around. You will notice that there is a user called “notch” on this system. (This can also be verified by trying to reset the password for that username.)

Fire up directory scanning as well as wpscan to enumerate further. From the directory scans you will notice that -
- the /plugins directory is hosting some Java classes that we can download
- the /wiki directory says it is in progress but leads nowhere
- the /phpmyadmin directory indicates that the host is running phpMyAdmin.

The root password also works for phpMyAdmin, and you can do much more there - 1) check the MySQL version, 2) change user passwords, 3) read posts, etc.


I downloaded and decompiled the class to get the phpMyAdmin root password, which was incredible!
blocky/data/source-code/com/myfirstplugin$ javap -c BlockyCore
Warning: File ./BlockyCore.class does not contain class BlockyCore
Compiled from "BlockyCore.java"
public class com.myfirstplugin.BlockyCore {
  public java.lang.String sqlHost;

  public java.lang.String sqlUser;

  public java.lang.String sqlPass;

  public com.myfirstplugin.BlockyCore();
    Code:
       0: aload_0
       1: invokespecial #12                 // Method java/lang/Object."<init>":()V
       4: aload_0
       5: ldc           #14                 // String localhost
       7: putfield      #16                 // Field sqlHost:Ljava/lang/String;
      10: aload_0
      11: ldc           #18                 // String root
      13: putfield      #20                 // Field sqlUser:Ljava/lang/String;
      16: aload_0
      17: ldc           #22                 // String 8YsXXXXXXXXXXXXXXXXXXe22
      19: putfield      #24                 // Field sqlPass:Ljava/lang/String;
      22: return

  public void onServerStart();
    Code:
       0: return

  public void onServerStop();
    Code:
       0: return

  public void onPlayerJoin();
    Code:
       0: aload_0
       1: ldc           #33                 // String TODO get username
       3: ldc           #35                 // String Welcome to the BlockyCraft!!!!!!!
       5: invokevirtual #37                 // Method sendMessage:(Ljava/lang/String;Ljava/lang/String;)V
       8: return

  public void sendMessage(java.lang.String, java.lang.String);
    Code:
       0: return
}
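Every `ldc` in that listing resolves to a CONSTANT_String entry in the class file's constant pool, which is why a compiled plugin is no hiding place for credentials. As an added example (not the plugin's or the author's code), here is a small Python parser that pulls all string literals straight out of a .class file's constant pool, run against a constructed minimal class-file prefix shaped like the BlockyCore pool, with a placeholder password:

```python
import struct

# Constant-pool tag -> byte length of its fixed payload (JVM spec 4.4). Utf8 (1) is
# variable-length and handled separately; Long/Double (5, 6) occupy two pool slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def string_constants(data: bytes) -> list[str]:
    """Return every CONSTANT_String literal (what `ldc` loads) in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]   # constant_pool_count = entries + 1
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                              # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == 8:                            # CONSTANT_String: u2 Utf8 index
            refs.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1
    return [utf8[i] for i in refs]


def _utf8(s: str) -> bytes:
    """Build a CONSTANT_Utf8 entry (used only for the constructed sample)."""
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b


# Constructed minimal class-file prefix (header + constant pool only), shaped like
# the BlockyCore pool: the field name is a bare Utf8 entry, while the values the
# constructor assigns with `ldc` are String entries. The password is a placeholder.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 8)            # magic, versions, count
    + _utf8("sqlPass")                                            # #1 name, not a literal
    + _utf8("localhost") + b"\x08" + struct.pack(">H", 2)         # #2 Utf8, #3 String->#2
    + _utf8("root") + b"\x08" + struct.pack(">H", 4)              # #4 Utf8, #5 String->#4
    + _utf8("EXAMPLE_PASSWORD") + b"\x08" + struct.pack(">H", 6)  # #6 Utf8, #7 String->#6
)
```

Pointed at the classes inside a plugin jar (a jar is a zip), the same function is a quick secret-in-bytecode check for a build pipeline.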
Tried using this password to log on to the host as root over SSH without luck, but the same password works for notch.
Uploaded linpeas.sh and ran a scan, which found the interesting items below -
[+] Searching Wordpress wp-config.php files
wp-config.php files found:
/var/www/html/wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'kWuvW2SYsABmzywYRdoD');
define('DB_HOST', 'localhost');



[+] Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root www-data  60 Jul  2  2017 /var/lib/phpmyadmin/blowfish_secret.inc.php
-rw-r----- 1 root www-data   0 Jul  2  2017 /var/lib/phpmyadmin/config.inc.php
-rw-r----- 1 root www-data   8 Jul  2  2017 /etc/phpmyadmin/htpasswd.setup
-rw-r----- 1 root www-data 534 Jul  2  2017 /etc/phpmyadmin/config-db.php
The scan will also reveal that notch is a member of the sudo group, and since we already have the password, the privilege escalation is a cakewalk!
notch@Blocky:/tmp$ sudo su -
[sudo] password for notch:
Sorry, try again.
[sudo] password for notch:
root@Blocky:~# ls -l
total 4
-r-------- 1 root root 32 Jul  2  2017 root.txt
root@Blocky:~# cat root.txt