
Blocky HTB Write-Up

Writer: JoshLHacking

Let's start with an Nmap scan:


We can see from this output that we have 5 ports open.

The Nmap scan also gives version numbers for each identified service; we can look these up on Google for known vulnerabilities (however, nothing valid came back).


Let's first explore the web page running on port 80:

Here we are presented with a web page called BlockyCraft, and scrolling to the bottom shows that it is built with WordPress.


With every WordPress site I find, I use wpscan to enumerate it:



This enumerated the user 'notch', so we can now run a brute-force attack with wpscan to see if we can discover the password:

(We can leave this running in the background)


While that is running, let's use gobuster to perform some directory busting:

Output:

After visiting each of these, the plugins directory stands out as very interesting: it is hosting two .jar files:


Let's download these onto our system.





Let's unzip BlockyCore.jar first and see what is inside for us to look at.



Doing this gives us the file BlockyCore.class in the '/com/myfirstplugin' directory.

We can decompile this with software on our own system or with an online Java decompiler, e.g. http://www.javadecompilers.com/


Looking at the decompiled code, there is a username and password we can grab:

Now we can try these credentials against the other services.

(I first tried phpMyAdmin, which worked. However, I could only gain a shell as www-data after completing the following steps:

Change the WordPress password, and then log into wp-admin

In Appearance/Editor, update the 404.php page with a PHP reverse shell

Visit the web page while a listener is set up

This got me a shell as www-data)
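The lesson of the BlockyCore.jar finding is that string literals survive compilation: a compiled .class file keeps every literal in its constant pool, so a plugin that stores database credentials in fields leaks them to anyone who can download the jar. The following is an added example written for this write-up, not code from the original post or from the box: a small scanner that walks a jar, parses the constant pool of each class file (no decompiler needed) and reports string literals found next to credential-looking names. The sample jar it builds is constructed here with made-up values; it only mimics the field names of a plugin class and is not the real BlockyCore.jar.

```python
"""
Scan a Java .jar for string literals that sit beside credential-looking names,
by parsing the constant pool of each .class file directly.
Added example for this write-up; the sample jar below is constructed with
made-up values and is not the real BlockyCore.jar.
"""
import io
import re
import struct
import zipfile

# Byte sizes of fixed-width constant-pool entries, by tag (JVM class file spec).
_FIXED_SIZE = {
    3: 4, 4: 4,            # Integer, Float
    7: 2, 8: 2,            # Class, String (String is handled separately below)
    9: 4, 10: 4, 11: 4,    # Fieldref, Methodref, InterfaceMethodref
    12: 4, 15: 3, 16: 2,   # NameAndType, MethodHandle, MethodType
    17: 4, 18: 4, 19: 2, 20: 2,  # Dynamic, InvokeDynamic, Module, Package
}
_WIDE = {5, 6}  # Long and Double take two constant-pool slots

# Names that suggest a credential is stored nearby (tune for your code base).
CRED_NAME = re.compile(r"pass|pwd|secret|token|key|user", re.IGNORECASE)


def parse_constant_pool(data: bytes):
    """Return (utf8 entries by index, indices of CONSTANT_String literals)."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, idx = 10, 1
    utf8, literal_idx = {}, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag == 8:  # CONSTANT_String: u2 index of the Utf8 holding the literal
            literal_idx.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in _WIDE:
            pos += 8
            idx += 1
        else:
            pos += _FIXED_SIZE[tag]
        idx += 1
    return utf8, literal_idx


def find_credentials(jar_bytes: bytes):
    """For each class in the jar: (class path, credential-like names, string literals)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            utf8, literal_idx = parse_constant_pool(jar.read(name))
            literal_set = set(literal_idx)
            # Names are Utf8 entries that are NOT string literals (fields, methods, types).
            names = sorted({s for i, s in utf8.items()
                            if i not in literal_set and CRED_NAME.search(s)})
            literals = [utf8[i] for i in literal_idx if i in utf8]
            if names and literals:
                findings.append((name, names, literals))
    return findings


def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b


def build_sample_class() -> bytes:
    """Constructed minimal class: only the constant pool is populated, which is
    all the scanner reads. Values are made up for this example."""
    pool = [
        _utf8("com/myfirstplugin/BlockyCore"),  # 1
        b"\x07" + struct.pack(">H", 1),          # 2 Class -> #1
        _utf8("sqlUser"),                        # 3 field name
        _utf8("sqlPass"),                        # 4 field name
        _utf8("Ljava/lang/String;"),             # 5 field descriptor
        _utf8("root"),                           # 6 literal text
        b"\x08" + struct.pack(">H", 6),          # 7 String -> #6
        _utf8("example-password"),               # 8 literal text
        b"\x08" + struct.pack(">H", 8),          # 9 String -> #8
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1)
    return header + b"".join(pool)


def build_sample_jar() -> bytes:
    """Constructed in-memory jar holding the sample class (no file on disk needed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/myfirstplugin/BlockyCore.class", build_sample_class())
        jar.writestr("plugin.yml", "name: BlockyCore\n")
    return buf.getvalue()


if __name__ == "__main__":
    for cls, names, lits in find_credentials(build_sample_jar()):
        print(f"{cls}: names={names} literals={lits}")
```

To run it against a real plugin, pass the bytes of the downloaded jar to find_credentials instead of the constructed one. The scanner reports every string literal in a class whose constant pool also contains a credential-looking identifier, so a reviewer still has to confirm which literal belongs to which field; the point is that the secret is recoverable from the shipped artifact at all, which is the reason such values belong in a config file outside the web root rather than in the plugin.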


Let's try the password to log in as 'notch' via SSH.

SUCCESS!!

We can now grab the user flag from /home/notch/user.txt

(Cancel the wpscan brute force; it wasn't needed.)


Privilege Escalation:

Now we can transfer over and run linpeas or LinEnum, or we can hope for a quick win and try sudo -l first.

This clearly tells us we can run all commands using sudo.


Now let's test this and run sudo su root to hopefully switch to the root user.

BOOM! We got root. Easiest privilege escalation ever; we love quick and easy wins!
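The "(ALL : ALL) ALL" grant that sudo -l shows here is what an unrestricted sudoers entry looks like from the user's side, and it is the kind of thing an admin should be catching in a routine audit rather than a pentester. The following is an added example, not code from the original post: a small parser for sudo -l output that extracts each grant (run-as user/group, tags such as NOPASSWD, and the command list) and rates it. The two sample outputs are constructed for this example; the hostname "examplehost" and the "deploy" user are placeholders, not values from the box.

```python
"""
Parse `sudo -l` output and flag unrestricted or password-less grants.
Added example for this write-up; the sample outputs are constructed and the
hostname "examplehost" and user "deploy" are placeholders.
"""
import re

# One grant line, e.g. "(ALL : ALL) ALL" or "(root) NOPASSWD: /usr/bin/systemctl restart nginx"
GRANT = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample: what the write-up describes seeing for 'notch'.
SAMPLE_UNRESTRICTED = """\
Matching Defaults entries for notch on examplehost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User notch may run the following commands on examplehost:
    (ALL : ALL) ALL
"""

# Constructed sample: a scoped account, for contrast.
SAMPLE_SCOPED = """\
User deploy may run the following commands on examplehost:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
    (root) /usr/sbin/service nginx restart
"""


def parse_sudo_l(text: str) -> list:
    """Return one dict per grant line found after the 'may run the following commands' header."""
    grants = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue  # skip the Defaults block and anything before the grant list
        m = GRANT.match(line)
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        commands = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        grants.append({
            "runas_user": runas[0],
            "runas_group": runas[1] if len(runas) > 1 else None,
            "tags": tags,
            "commands": commands,
        })
    return grants


def assess(grant: dict) -> str:
    """Rate a single grant. 'ALL' as the command list is full root, full stop."""
    if "ALL" in grant["commands"]:
        return "CRITICAL: unrestricted sudo, equivalent to root (sudo su / sudo -i)"
    if "NOPASSWD" in grant["tags"]:
        return "HIGH: listed commands run as %s without a password prompt" % grant["runas_user"]
    return "scoped: review the listed commands individually"


def audit_sudo_l(text: str) -> list:
    """Pair every parsed grant with its verdict."""
    return [(g, assess(g)) for g in parse_sudo_l(text)]


if __name__ == "__main__":
    for sample in (SAMPLE_UNRESTRICTED, SAMPLE_SCOPED):
        for grant, verdict in audit_sudo_l(sample):
            print(grant["commands"], "->", verdict)
```

Feed it the captured output of sudo -l (for example from a fleet-wide job that runs sudo -l -U for each account) and anything rated CRITICAL is an account that can become root at will. The fix on the box would be to drop notch from the unrestricted group entry, or replace it with the specific commands the account actually needs.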


Now grab that root flag from /root!


Congratulations, you have pwned this box!


©2022 by Hack The Box Write-Ups By Josh Lees
