1. Executive Summary
There is an outdated Wordpress version used in the Blocky which is version 4.8 that allows attacker to enumerate users and apparently no restriction on user permission which gives an open door for the attacker to gain root access and take over the system.
2. Description
2.1 Enumeration
Enumerate the given address (10.10.10.37) using nmap command in below.
nmap -sV -sC -A -p- -v -oA blocky 10.10.10.37
According to the scan result, the machine has three open ports which is port 21 (FTP), port 22 (SSH), and port 80 (HTTP).
Port 80 brought me to this BlockyCraft home page. It said that the website is under development which also means that it's also vulnerable to some exposure.
I decided to perform directory scanning on port 80 using the following command below.
gobuster dir -u http://10.10.10.37 -w /root/Documents/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 — timeout 100s -k — no-error
I forgot to screenshot the result but here are the copy directories I found during the scanning process.
/wiki (Status: 301) [Size: 309] [ → http://10.10.10.37/wiki/]
/wp-content (Status: 301) [Size: 315] [ → http://10.10.10.37/wp-content/]
/plugins (Status: 301) [Size: 312] [ → http://10.10.10.37/plugins/]
/wp-includes (Status: 301) [Size: 316] [ → http://10.10.10.37/wp-includes/]
/javascript (Status: 301) [Size: 315] [ → http://10.10.10.37/javascript/]
/wp-admin (Status: 301) [Size: 313] [ → http://10.10.10.37/wp-admin/]
/phpmyadmin (Status: 301) [Size: 315] [ → http://10.10.10.37/phpmyadmin/]
I checked all the directories, and obviously /phpmyadmin and /wp-admin caught my attention to look deeper.
On /phpmyadmin, I tried to use default authentication which is “root” for the username and blank for the password. But it does not take me everywhere so I decided to focus on /wp-admin.
While for /wp-admin, it automatically brought me to /wp-login.php. For this one case, I also tried to use default authentication using “admin” as username, “password” for their admin password. As expected the default authentication does not let me in.
Seeing the stuck situation I am in, I decided to use wpscan to enumerate user, since they apparently did not use the default one. Using the command below, I start my wpscan.
wpscan — url http://10.10.159.220 — enumerate u
Found two username notch and Notch. Now that we have the username, our next task is to look for the password. So I decided to look back to our directory scan result.
There is one directory that I almost missed, it is /plugins. The page has very strange title and inside the page, there are two other strange things, BlockyCore.jar and griefprevention-1.11.2–3.1.1.298.jar.
2.2 Exploitation
I opened the BlockyCore.jar using jd-gui and discover sql username “root” and password “8YsqfCTnvxAUeduzjNSXe22". I am trying to use it for ssh root but it doesn’t allow me.
However, I remember that we have another possible username which is “notch” and “Notch”. So I tried both of these usernames and matched them with the SQL password “8YsqfCTnvxAUeduzjNSXe22”. The “notch” one is valid.
Once I logged in, the user flag is welcomed me.
Checking the notch permission using sudo-l and discovered a fact that notch is permited to run all root action. So I decided to change user to root using sudo su.
Using find command below, I look for the root flag.
find / -name root.txt -print 2>/dev/null
