Blocky - 10.10.10.37
Ports / Services / Software versions running
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8192/tcp closed sophos
A password stored in a .jar file was valid for both SSH and phpMyAdmin.
The user was in the sudoers group.
Exploiting the host:
Port 80 appears to be running WordPress.
WPScan revealed a username.
We started bruteforcing the login with wpscan.
This returned no results.
Dirb found the following pages
Under plugins we found a blocky.jar file.
We downloaded the file and decompiled it with an online tool, which gave us some credentials.
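A build-time check for the root cause here (credentials compiled into a jar), added as an example and not part of the original notes or of blocky.jar: it walks each class file's constant pool and flags classes that declare a credential-like identifier alongside string literals, which is the same information a decompiler surfaces. The sample jar, the field name sqlPass and the literal value are constructed for the demo.

```python
import io
import re
import struct
import zipfile

# Byte width of fixed-size constant-pool entries by tag (JVM spec 4.4); tag 1 (Utf8) is variable.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)


def parse_pool(class_bytes: bytes):
    """Return {index: utf8 text} and the indexes referenced by CONSTANT_String (real literals)."""
    (count,) = struct.unpack_from(">H", class_bytes, 8)  # header: magic, minor, major, count
    utf8, literals, pos, idx = {}, [], 10, 1
    while idx < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            utf8[idx] = class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            if tag == 8:
                literals.append(struct.unpack_from(">H", class_bytes, pos)[0])
            pos += FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    return utf8, literals


def find_hardcoded_secrets(jar_bytes: bytes) -> list:
    """Flag (class, credential-like identifiers, string literals) for classes having both."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                utf8, refs = parse_pool(jar.read(name))
                names = sorted(s for i, s in utf8.items() if i not in refs and SECRET_NAME.search(s))
                if names and refs:
                    hits.append((name, names, [utf8[i] for i in refs]))
    return hits


def build_sample_jar() -> bytes:
    """Constructed sample, not the real blocky.jar: one class whose constant pool (all this
    scan reads) declares a field sqlPass and a made-up string literal."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    ref = lambda tag, i: bytes([tag]) + struct.pack(">H", i)
    pool = [utf8("BlockCore"), ref(7, 1), utf8("sqlPass"), utf8("Ljava/lang/String;"),
            utf8("s3cr3t-example-value"), ref(8, 5), utf8("ConstantValue")]
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(pool) + 1) + b"".join(pool)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/BlockCore.class", cls)
    return buf.getvalue()
```

Running find_hardcoded_secrets over a release artifact in CI surfaces the class, identifier and literal to review; it is a heuristic, so treat hits as leads rather than confirmed secrets.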
We found the password was valid for the phpMyAdmin login page.
We now had access to phpMyAdmin.
We created a new user and uploaded a shell to the 404.php page but found we could not escalate privileges as the www-data user.
We then tested the password and username for notch via ssh and were given a shell.
We checked to see what we could do as the user notch and found they were part of the sudoers group.
Issuing sudo su gave us root access.