Based on the OpenSSH and Apache versions, the host is likely running Ubuntu 16.04 Xenial. There’s also something interesting going on with TCP 25565, as it’s reporting closed.
I find this site is running WordPress ("proudly powered by WordPress") and that the server also hosts a wiki. Checking the post, I find the user account name notch and the login page.
From that list, I'll check out /wiki, /plugins, and /phpmyadmin.
visit 10.10.10.37:80/wiki
visit 10.10.10.37:80/phpmyadmin
I find default login admin:admin does not work.
visit 10.10.10.37:80/plugins
I find two .jar files (BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar) and download them to my host machine.
A JAR is a package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension.
Shell as notch
Reverse Jars
I use JD-GUI to decompile the Java files. JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields.
How to install jd-gui: sudo apt install jd-gui
More details: https://www.kali.org/tools/jd-gui/
After installation, I launch jd-gui with the command "jd-gui". Then I check each jar file in turn. I find the root login details in BlockyCore.class:
public class BlockyCore {
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
}
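Hardcoded credentials like these are exactly what a secret scan of build artifacts should catch before a plugin JAR is published. The following is an added example, not code from the original write-up or from the Blocky box: it builds a constructed JAR in memory (a zip with a manifest and a fake class entry whose bytes mimic constant-pool strings), pulls printable strings out of every entry the way the `strings` utility does, and flags any string constant that follows a credential-like identifier. The entry name, the keyword list and the placeholder password are all constructed for the demo.

```python
import io
import re
import zipfile

# Identifiers that suggest a credential is stored next to them.
# (constructed list for this example; extend it for your own code base)
CRED_KEYWORDS = ("pass", "pwd", "secret", "token", "apikey", "api_key")

# Runs of at least 4 printable ASCII bytes, as the `strings` utility reports.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def build_constructed_jar() -> bytes:
    """Build a small in-memory JAR for the demo.

    A JAR is a zip with a META-INF/MANIFEST.MF entry. The .class entry here is
    NOT real bytecode: it is constructed bytes laid out like CONSTANT_Utf8
    entries in a class-file constant pool (tag 0x01, 2-byte length, text),
    with a placeholder password instead of a real one.
    """
    fake_class = (
        b"\xca\xfe\xba\xbe\x00\x00\x00\x34"            # class-file magic + version
        b"\x01\x00\x07sqlHost\x01\x00\x09localhost"    # constructed constant-pool entries
        b"\x01\x00\x07sqlUser\x01\x00\x04root"
        b"\x01\x00\x07sqlPass\x01\x00\x18EXAMPLE-constructed-pass"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/ExamplePlugin.class", fake_class)  # constructed name
    return buf.getvalue()


def extract_strings(data: bytes) -> list:
    """Return printable-ASCII runs found in a byte blob, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def scan_jar_for_secrets(jar_bytes: bytes) -> list:
    """Return (entry, identifier, value) triples for credential-like identifiers
    and the string constant that immediately follows each one.

    Adjacency is a heuristic: in a real class file the constant pool does not
    guarantee that a field's value sits right after its name, so a production
    scanner should parse the constant pool (or decompile, as JD-GUI does)
    instead of relying on order. It is enough to show the idea here.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            strings = extract_strings(jar.read(entry))
            for identifier, value in zip(strings, strings[1:]):
                if any(k in identifier.lower() for k in CRED_KEYWORDS):
                    findings.append((entry, identifier, value))
    return findings


if __name__ == "__main__":
    for entry, identifier, value in scan_jar_for_secrets(build_constructed_jar()):
        print(f"{entry}: {identifier} = {value!r}")
```

Run against a real JAR by replacing `build_constructed_jar()` with the file's bytes; the same pass over `zip.namelist()` also covers resource files such as `config.yml` or `.properties` that plugins often ship with credentials in them.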
I try to log in to phpMyAdmin with root:8YsqfCTnvxAUeduzjNSXe22, and the login succeeds.
I check wp_users and find the record for user notch, as follows.
SELECT * FROM `wp_users`
I choose "hash-identifier" to identify the possible hash "BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/". Hash-identifier is a tool that identifies the different types of hashes used to encrypt data and especially passwords. More information: https://www.kali.org/tools/hash-identifier/
How to install:
apt install hash-identifier
I launch hash-identifier with the following command:
hash-identifier
From its output, I know the hash is most likely an MD5 (WordPress) hash.
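What hash-identifier calls "MD5 (WordPress)" is the phpass portable format: `$P$`, one character encoding log2 of the iteration count, an 8-character salt and a 22-character digest, 34 characters in total. Knowing the scheme tells a defender how much protection the stored hashes actually give, since iterated MD5 is far cheaper to brute force than bcrypt. The following is an added example, not code from the write-up or from hash-identifier: a small prefix-and-length classifier for common formats plus a parser that splits a phpass hash into its fields. The sample hashes are constructed, not taken from the box.

```python
import re

# phpass alphabet: the 4th character of a "$P$"/"$H$" hash is an index into
# this table giving log2(iteration count).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Format signatures, checked in order. Prefixed schemes are unambiguous; a bare
# 32-hex string could be MD5 or any other 128-bit digest, so it is only a guess.
SIGNATURES = [
    (re.compile(r"^\$(P|H)\$[./0-9A-Za-z]{31}$"), "phpass (portable MD5; WordPress/phpBB)"),
    (re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$"), "bcrypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^[0-9a-f]{32}$", re.I), "raw 128-bit hex digest (MD5 or similar)"),
    (re.compile(r"^[0-9a-f]{40}$", re.I), "raw 160-bit hex digest (SHA-1 or similar)"),
]


def identify_hash(h: str) -> str:
    """Return the first matching format label, or 'unknown'."""
    for pattern, label in SIGNATURES:
        if pattern.match(h):
            return label
    return "unknown"


def parse_phpass(h: str) -> dict:
    """Split a phpass hash into scheme, iteration count, salt and digest."""
    if not (h.startswith("$P$") or h.startswith("$H$")) or len(h) != 34:
        raise ValueError("not a phpass hash")
    log2_iter = ITOA64.index(h[3])
    if not 7 <= log2_iter <= 30:  # range accepted by the phpass implementation
        raise ValueError("phpass iteration count out of range")
    return {
        "scheme": h[:3],
        "iterations": 1 << log2_iter,
        "salt": h[4:12],
        "digest": h[12:],
    }


if __name__ == "__main__":
    # Constructed sample: 'B' at position 3 is what WordPress emits (2**13 rounds).
    sample = "$P$Babcdefgh0123456789ABCDEFGHIJKL"
    print(identify_hash(sample), parse_phpass(sample))
```

The iteration count is the useful field for an audit: 8192 rounds of MD5 is a handful of microseconds on a GPU per guess, so any site still storing phpass hashes should be migrated to a slow, memory-hard or bcrypt-class scheme and users with weak passwords re-prompted.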
Exploitation (SSH - Port 22)
I use SSH to log in to the root or notch account.
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).
More details : https://www.ssh.com/ssh/protocol/
I have two user accounts (notch and root) and one password, 8YsqfCTnvxAUeduzjNSXe22. I use ssh to log in to the notch account with the command:
sshpass -p 8YsqfCTnvxAUeduzjNSXe22 ssh notch@10.10.10.37
or
ssh notch@10.10.10.37
User Notch
I log in as notch with ssh but get the error "ssh: connect to host 10.10.10.37 port 22: No route to host". I google this error and find the fix here: https://www.tecmint.com/fix-no-route-to-host-ssh-error-in-linux/
I choose to use ufw and then get another error, "zsh: command not found: ufw". I have to install the ufw tool; the installation command is "apt install -y ufw". Details: https://www.hiroom2.com/2017/07/20/kalilinux-2017-1-ufw-en
Login with tool SSHPASS
sshpass is a utility designed for running ssh using the mode referred to as “keyboard-interactive” password authentication, but in non-interactive mode. ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user. More information link:
I use the commands "sudo -l" and "sudo su -" to get root access. The root password is the same as notch's.
Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser.
More information link:https://en.wikipedia.org/wiki/Sudo
I can see that notch has unlimited privileges and can run any command on the system. Then I root it with "sudo su -".
Thanks for reading. This is my 41st pwned machine in Hack The Box. I will try harder to go beyond OSCP, and then I can pass OSCP successfully.
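A `(ALL) ALL` entry like notch's is the thing a sudoers audit exists to find: one password reused between a user and root turns any credential leak into full compromise. The following is an added example, not code from the write-up or from the box: it parses the user-specification lines of a constructed /etc/sudoers sample and grades each entry, flagging root-equivalent grants and NOPASSWD rules while ignoring root's own entry. The grammar handled is the common subset (user, host, optional runas, optional tag, command list); aliases and `Defaults` lines are skipped.

```python
import re

# Minimal sudoers user-spec grammar handled here:
#   user  host = (runas) [TAG:] command_list
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)

# Constructed sample sudoers content for the demo (not from a real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
notch   ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root) /usr/bin/rsync
%admin  ALL=(ALL) ALL
"""


def parse_sudoers(text: str) -> list:
    """Return one dict per user-specification line; comments, blanks,
    Defaults and alias lines are skipped."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append({
                "user": m["user"],
                "host": m["host"],
                # sudo's default runas user is root when no (runas) is given
                "runas": m["runas"] or "root",
                "nopasswd": "NOPASSWD:" in m["tags"],
                "cmds": m["cmds"],
            })
    return specs


def audit_sudoers(text: str) -> list:
    """Return (user, severity, reason) for risky entries, root's own excluded."""
    findings = []
    for s in parse_sudoers(text):
        if s["user"] == "root":
            continue
        runas_user = s["runas"].split(":")[0].strip()
        if s["cmds"] == "ALL" and runas_user == "ALL":
            severity = "high" if s["nopasswd"] else "medium"
            findings.append((s["user"], severity, "full root-equivalent: ALL=(ALL) ALL"))
        elif s["nopasswd"]:
            findings.append((s["user"], "low", f"NOPASSWD for {s['cmds']}"))
    return findings


if __name__ == "__main__":
    for user, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {user}: {reason}")
```

On a live host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` (or `visudo -c -f` output after a syntax check); the medium finding for notch is what this box turns on, and a "high" result means root without even the password barrier that the reused credential here removed.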